feat: Add initial Dockerfile, Pipfile.lock, and Terraform example for…

[CalinL]

… infrastructure setup

[github-actions]

Dependency Review

The following issues were found:

• ❌ 3 vulnerable package(s)
• ❌ 7 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 0e88b50.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

devsecops-demo/Pipfile.lock

Name	Version	Vulnerability	Severity
flask	2.0.2	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	high
werkzeug	2.0.2	High resource usage when parsing multipart form data with many fields	high
		Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain	high
		Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning	moderate
		Werkzeug safe_join not safe on Windows	moderate
		Werkzeug possible resource exhaustion when parsing file data in forms	moderate
		Werkzeug safe_join() allows Windows special device names	moderate
		Werkzeug safe_join() allows Windows special device names with compound extensions	moderate
		Werkzeug safe_join() allows Windows special device names	moderate
jinja2	3.0.2	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	moderate
		Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	moderate
		Jinja has a sandbox breakout through indirect reference to format method	moderate
		Jinja has a sandbox breakout through malicious filenames	moderate
		Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	moderate

Only included vulnerabilities with severity moderate or higher.

License Issues

devsecops-demo/Pipfile.lock

Package	Version	License	Issue Type
flask	2.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
werkzeug	2.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
jinja2	3.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
click	8.0.1	BSD-2-Clause AND BSD-3-Clause	Incompatible License
itsdangerous	2.0.1	BSD-2-Clause	Incompatible License
markupsafe	2.0.1	BSD-2-Clause AND BSD-3-Clause	Incompatible License
python-dotenv	0.19.0	BSD-2-Clause AND BSD-3-Clause	Incompatible License

Allowed Licenses:

MIT, Apache-2.0, GPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
pip/flask	2.0.2	Unknown	Unknown
pip/werkzeug	2.0.2	Unknown	Unknown
pip/jinja2	3.0.2	Unknown	Unknown
pip/click	8.0.1	Unknown	Unknown
pip/itsdangerous	2.0.1	Unknown	Unknown
pip/markupsafe	2.0.1	Unknown	Unknown
pip/python-dotenv	0.19.0	🟢 5.2	Details Check Score Reason Maintained 🟢 10 21 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 4 Found 12/29 approved changesets -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• devsecops-demo/Pipfile.lock

[github-actions]

Dependency Review

The following issues were found:

• ❌ 3 vulnerable package(s)
• ❌ 7 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 0e88b50.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

devsecops-demo/Pipfile.lock

Name	Version	Vulnerability	Severity
flask	2.0.2	Flask vulnerable to possible disclosure of permanent session cookie due to missing Vary: Cookie header	high
werkzeug	2.0.2	High resource usage when parsing multipart form data with many fields	high
		Werkzeug debugger vulnerable to remote execution when interacting with attacker controlled domain	high
		Werkzeug DoS: High resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning	moderate
		Werkzeug safe_join not safe on Windows	moderate
		Werkzeug possible resource exhaustion when parsing file data in forms	moderate
		Werkzeug safe_join() allows Windows special device names	moderate
		Werkzeug safe_join() allows Windows special device names with compound extensions	moderate
		Werkzeug safe_join() allows Windows special device names	moderate
jinja2	3.0.2	Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	moderate
		Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter	moderate
		Jinja has a sandbox breakout through indirect reference to format method	moderate
		Jinja has a sandbox breakout through malicious filenames	moderate
		Jinja2 vulnerable to sandbox breakout through attr filter selecting format method	moderate

Only included vulnerabilities with severity moderate or higher.

License Issues

devsecops-demo/Pipfile.lock

Package	Version	License	Issue Type
flask	2.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
werkzeug	2.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
jinja2	3.0.2	BSD-2-Clause AND BSD-3-Clause	Incompatible License
click	8.0.1	BSD-2-Clause AND BSD-3-Clause	Incompatible License
itsdangerous	2.0.1	BSD-2-Clause	Incompatible License
markupsafe	2.0.1	BSD-2-Clause AND BSD-3-Clause	Incompatible License
python-dotenv	0.19.0	BSD-2-Clause AND BSD-3-Clause	Incompatible License

Allowed Licenses:

MIT, Apache-2.0, GPL-3.0

OpenSSF Scorecard

Package	Version	Score	Details
pip/flask	2.0.2	Unknown	Unknown
pip/werkzeug	2.0.2	Unknown	Unknown
pip/jinja2	3.0.2	Unknown	Unknown
pip/click	8.0.1	Unknown	Unknown
pip/itsdangerous	2.0.1	Unknown	Unknown
pip/markupsafe	2.0.1	Unknown	Unknown
pip/python-dotenv	0.19.0	🟢 5.2	Details Check Score Reason Maintained 🟢 10 21 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 4 Found 12/29 approved changesets -- score normalized to 4 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• devsecops-demo/Pipfile.lock

[github-advanced-security]

templateanalyzer found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

[github-advanced-security]

checkov found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.