From 008d36163dbbac813d6ebdd4f0c72537315d911c Mon Sep 17 00:00:00 2001 From: Jonathan Date: Thu, 18 Sep 2025 20:00:21 -0300 Subject: [PATCH 1/4] Add security workflow new --- .github/workflows/security-optimized.yml | 282 +++++++++++++++++++++++ 1 file changed, 282 insertions(+) create mode 100644 .github/workflows/security-optimized.yml diff --git a/.github/workflows/security-optimized.yml b/.github/workflows/security-optimized.yml new file mode 100644 index 0000000..cf5f800 --- /dev/null +++ b/.github/workflows/security-optimized.yml 
@@ -0,0 +1,282 @@
+name: Security Scan - Optimized
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+ push:
+ branches: [main]
+
+env:
+ # Configurações globais
+ FAIL_ON_SEVERITY: "CRITICAL,HIGH"
+ SARIF_RESULTS_DIR: "security-results"
+
+jobs:
+ # Job de preparação - cria diretório para resultados
+ setup:
+ runs-on: ubuntu-latest
+ outputs:
+ sarif-dir: ${{ env.SARIF_RESULTS_DIR }}
+ steps:
+ - name: Create results directory
+ run: mkdir -p ${{ env.SARIF_RESULTS_DIR }}
+
+ # SAST - Static Application Security Testing
+ sast:
+ runs-on: ubuntu-latest
+ needs: setup
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Run Semgrep
+ uses: returntocorp/semgrep-action@v1
+ with:
+ config: >-
+ p/security-audit
+ p/secrets
+ p/owasp-top-ten
+ generateSarif: "1"
+
+ - name: Upload SAST results
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: sast-results
+ path: semgrep.sarif
+ retention-days: 30
+
+ - name: Upload to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: semgrep.sarif
+ category: sast
+
+ # SCA - Software Composition Analysis (Multi-language)
+ sca:
+ runs-on: ubuntu-latest
+ needs: setup
+ strategy:
+ matrix:
+ scanner: [trivy, dependency-check]
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ # Scanner Trivy - Melhor para Python, Node.js, Go, etc.
+ - name: Run Trivy SCA scan
+ if: matrix.scanner == 'trivy'
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ format: 'sarif'
+ output: 'trivy-sca.sarif'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ ignore-unfixed: false
+
+ # Scanner Dependency Check - Melhor para Java, .NET
+ - name: Run Dependency Check
+ if: matrix.scanner == 'dependency-check'
+ uses: dependency-check/Dependency-Check_Action@main
+ with:
+ project: 'devsecops-project'
+ path: '.' 
+ format: 'SARIF'
+ out: 'dependency-check.sarif'
+ args: >
+ --failOnCVSS 7
+ --enableRetired
+ --enableExperimental
+
+ - name: Upload SCA results
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: sca-results-${{ matrix.scanner }}
+ path: "*.sarif"
+ retention-days: 30
+
+ - name: Upload to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: "*.sarif"
+ category: sca-${{ matrix.scanner }}
+
+ # Secrets Scanning
+ secrets:
+ runs-on: ubuntu-latest
+ needs: setup
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Run Gitleaks
+ uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_ENABLE_COMMENTS: false
+
+ - name: Run TruffleHog
+ uses: trufflesecurity/trufflehog@main
+ with:
+ path: ./
+ base: main
+ head: HEAD
+ extra_args: --debug --only-verified
+
+ # IaC - Infrastructure as Code Security
+ iac:
+ runs-on: ubuntu-latest
+ needs: setup
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run Trivy IaC scan
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'config'
+ scan-ref: '.'
+ format: 'sarif'
+ output: 'trivy-iac.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Run Checkov
+ uses: bridgecrewio/checkov-action@master
+ with:
+ directory: . 
+ framework: dockerfile,kubernetes,terraform
+ output_format: sarif
+ output_file_path: checkov.sarif
+
+ - name: Upload IaC results
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: iac-results
+ path: "*.sarif"
+ retention-days: 30
+
+ - name: Upload to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: "*.sarif"
+ category: iac
+
+ # DAST - Dynamic Application Security Testing
+ dast:
+ runs-on: ubuntu-latest
+ needs: setup
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build and start application
+ run: |
+ docker build -t app-under-test .
+ docker run -d --name test-app -p 5000:5000 app-under-test
+ sleep 30 # Wait for app to start
+
+ - name: Run OWASP ZAP Full Scan
+ uses: zaproxy/action-full-scan@v0.10.0
+ with:
+ target: 'http://localhost:5000'
+ rules_file_name: '.zap/rules.tsv'
+ cmd_options: '-a -j -m 5 -T 60'
+
+ - name: Upload DAST results
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: dast-results
+ path: report_html.html
+ retention-days: 30
+
+ # Consolidação de resultados para IA
+ consolidate-results:
+ runs-on: ubuntu-latest
+ needs: [sast, sca, secrets, iac]
+ if: always()
+ steps:
+ - name: Download all artifacts
+ uses: actions/download-artifact@v4
+ with:
+ path: all-results/
+
+ - name: Consolidate SARIF files
+ run: |
+ mkdir -p consolidated-sarif
+ find all-results/ -name "*.sarif" -exec cp {} consolidated-sarif/ \;
+ ls -la consolidated-sarif/
+
+ - name: Upload consolidated results
+ uses: actions/upload-artifact@v4
+ with:
+ name: consolidated-security-results
+ path: consolidated-sarif/
+ retention-days: 30
+
+ - name: Create summary comment (prepare for AI integration)
+ if: github.event_name == 'pull_request'
+ run: |
+ echo "# 🔒 Security Scan Results" > security-summary.md
+ echo "" >> 
security-summary.md
+ echo "| Scanner | Status | Files Scanned |" >> security-summary.md
+ echo "|---------|---------|---------------|" >> security-summary.md
+
+ # Count SARIF files to show scan status
+ SAST_FILES=$(find consolidated-sarif/ -name "*semgrep*" | wc -l)
+ SCA_FILES=$(find consolidated-sarif/ -name "*trivy*" -o -name "*dependency*" | wc -l)
+ IAC_FILES=$(find consolidated-sarif/ -name "*iac*" -o -name "*checkov*" | wc -l)
+
+ echo "| SAST (Semgrep) | ✅ | $SAST_FILES |" >> security-summary.md
+ echo "| SCA (Trivy/DepCheck) | ✅ | $SCA_FILES |" >> security-summary.md
+ echo "| IaC (Trivy/Checkov) | ✅ | $IAC_FILES |" >> security-summary.md
+ echo "| Secrets (Gitleaks) | ✅ | N/A |" >> security-summary.md
+ echo "" >> security-summary.md
+ echo "**Next Step**: AI agent will analyze findings and suggest fixes 🤖" >> security-summary.md
+
+ - name: Upload summary
+ uses: actions/upload-artifact@v4
+ if: github.event_name == 'pull_request'
+ with:
+ name: security-summary
+ path: security-summary.md
+ retention-days: 7
+
+ # Preparação para trigger de IA (placeholder)
+ trigger-ai-analysis:
+ runs-on: ubuntu-latest
+ needs: consolidate-results
+ if: always() && github.event_name == 'pull_request'
+ steps:
+ - name: Trigger AI analysis workflow
+ run: |
+ echo "🤖 Triggering AI analysis for PR ${{ github.event.number }}"
+ echo "This step will trigger the AI agent workflow in the future"
+ echo "AI will analyze consolidated SARIF files and create fix suggestions"
+
+ # Placeholder para repository dispatch que vai trigger a IA
+ - name: Repository Dispatch to AI Workflow
+ uses: peter-evans/repository-dispatch@v3
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ event-type: security-scan-completed
+ client-payload: |
+ {
+ "pr_number": "${{ github.event.number }}",
+ "sha": "${{ github.sha }}",
+ "artifacts": ["consolidated-security-results", "security-summary"]
+ }
\ No newline at end of file
From 84a95de65396d331ec9e757207558c33bd2d9b65 Mon Sep 17 00:00:00 2001 
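Review bot: Every third-party action in this hunk is referenced by a mutable ref — `aquasecurity/trivy-action@master`, `dependency-check/Dependency-Check_Action@main`, `trufflesecurity/trufflehog@main`, `bridgecrewio/checkov-action@master`, and the `@v1`/`@v2`/`@v3` tags — so a compromised or force-pushed upstream branch runs with this repository's checkout and `secrets.GITHUB_TOKEN`; pin each `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # <release tag>`. The workflow also declares no `permissions:` block, yet `github/codeql-action/upload-sarif@v3` needs `security-events: write` and, I believe, `peter-evans/repository-dispatch@v3` needs `contents: write` when used with the default token — add a top-level `permissions: { contents: read }` and grant the write scopes only on the jobs that upload or dispatch, instead of relying on the repository's default token scope. Note also that `sarif_file: "*.sarif"` in the `sca` and `iac` jobs hands a shell glob to an input that takes a file or directory path; I believe the action does not expand globs, so point it at the concrete file (`trivy-sca.sarif`, `dependency-check.sarif`, `trivy-iac.sarif`, `checkov.sarif`) or at a directory holding only that job's output. The same content is re-added as `security.yml` in the hunk ending at L16 and, with SHA-less refs again, as `security-fixed.yml` in the hunk ending at L22.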
From: Jonathan Date: Thu, 18 Sep 2025 20:05:41 -0300 Subject: [PATCH 2/4] Remove old security --- .github/workflows/security-optimized.yml | 282 --------------------- .github/workflows/security.yml | 307 ++++++++++++++++++----- 2 files changed, 244 insertions(+), 345 deletions(-) delete mode 100644 .github/workflows/security-optimized.yml diff --git a/.github/workflows/security-optimized.yml b/.github/workflows/security-optimized.yml deleted file mode 100644 index cf5f800..0000000 --- a/.github/workflows/security-optimized.yml +++ /dev/null 
@@ -1,282 +0,0 @@ -name: Security Scan - Optimized - -on: - pull_request: - types: [opened, synchronize, reopened] - push: - branches: [main] - -env: - # Configurações globais - FAIL_ON_SEVERITY: "CRITICAL,HIGH" - SARIF_RESULTS_DIR: "security-results" - -jobs: - # Job de preparação - cria diretório para resultados - setup: - runs-on: ubuntu-latest - outputs: - sarif-dir: ${{ env.SARIF_RESULTS_DIR }} - steps: - - name: Create results directory - run: mkdir -p ${{ env.SARIF_RESULTS_DIR }} - - # SAST - Static Application Security Testing - sast: - runs-on: ubuntu-latest - needs: setup - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Run Semgrep - uses: returntocorp/semgrep-action@v1 - with: - config: >- - p/security-audit - p/secrets - p/owasp-top-ten - generateSarif: "1" - - - name: Upload SAST results - uses: actions/upload-artifact@v4 - if: always() - with: - name: sast-results - path: semgrep.sarif - retention-days: 30 - - - name: Upload to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: semgrep.sarif - category: sast - - # SCA - Software Composition Analysis (Multi-language) - sca: - runs-on: ubuntu-latest - needs: setup - strategy: - matrix: - scanner: [trivy, dependency-check] - steps: - - name: Checkout code - uses: actions/checkout@v4 - - # Scanner Trivy - Melhor para Python, Node.js, Go, etc. - - name: Run Trivy SCA scan - if: matrix.scanner == 'trivy' - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - scan-ref: '.' - format: 'sarif' - output: 'trivy-sca.sarif' - severity: 'CRITICAL,HIGH,MEDIUM' - ignore-unfixed: false - - # Scanner Dependency Check - Melhor para Java, .NET - - name: Run Dependency Check - if: matrix.scanner == 'dependency-check' - uses: dependency-check/Dependency-Check_Action@main - with: - project: 'devsecops-project' - path: '.' 
- format: 'SARIF' - out: 'dependency-check.sarif' - args: > - --failOnCVSS 7 - --enableRetired - --enableExperimental - - - name: Upload SCA results - uses: actions/upload-artifact@v4 - if: always() - with: - name: sca-results-${{ matrix.scanner }} - path: "*.sarif" - retention-days: 30 - - - name: Upload to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: "*.sarif" - category: sca-${{ matrix.scanner }} - - # Secrets Scanning - secrets: - runs-on: ubuntu-latest - needs: setup - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Run Gitleaks - uses: gitleaks/gitleaks-action@v2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITLEAKS_ENABLE_COMMENTS: false - - - name: Run TruffleHog - uses: trufflesecurity/trufflehog@main - with: - path: ./ - base: main - head: HEAD - extra_args: --debug --only-verified - - # IaC - Infrastructure as Code Security - iac: - runs-on: ubuntu-latest - needs: setup - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy IaC scan - uses: aquasecurity/trivy-action@master - with: - scan-type: 'config' - scan-ref: '.' - format: 'sarif' - output: 'trivy-iac.sarif' - severity: 'CRITICAL,HIGH' - - - name: Run Checkov - uses: bridgecrewio/checkov-action@master - with: - directory: . 
- framework: dockerfile,kubernetes,terraform - output_format: sarif - output_file_path: checkov.sarif - - - name: Upload IaC results - uses: actions/upload-artifact@v4 - if: always() - with: - name: iac-results - path: "*.sarif" - retention-days: 30 - - - name: Upload to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: "*.sarif" - category: iac - - # DAST - Dynamic Application Security Testing - dast: - runs-on: ubuntu-latest - needs: setup - if: github.event_name == 'push' && github.ref == 'refs/heads/main' - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build and start application - run: | - docker build -t app-under-test . - docker run -d --name test-app -p 5000:5000 app-under-test - sleep 30 # Wait for app to start - - - name: Run OWASP ZAP Full Scan - uses: zaproxy/action-full-scan@v0.10.0 - with: - target: 'http://localhost:5000' - rules_file_name: '.zap/rules.tsv' - cmd_options: '-a -j -m 5 -T 60' - - - name: Upload DAST results - uses: actions/upload-artifact@v4 - if: always() - with: - name: dast-results - path: report_html.html - retention-days: 30 - - # Consolidação de resultados para IA - consolidate-results: - runs-on: ubuntu-latest - needs: [sast, sca, secrets, iac] - if: always() - steps: - - name: Download all artifacts - uses: actions/download-artifact@v4 - with: - path: all-results/ - - - name: Consolidate SARIF files - run: | - mkdir -p consolidated-sarif - find all-results/ -name "*.sarif" -exec cp {} consolidated-sarif/ \; - ls -la consolidated-sarif/ - - - name: Upload consolidated results - uses: actions/upload-artifact@v4 - with: - name: consolidated-security-results - path: consolidated-sarif/ - retention-days: 30 - - - name: Create summary comment (prepare for AI integration) - if: github.event_name == 'pull_request' - run: | - echo "# 🔒 Security Scan Results" > security-summary.md - echo "" >> 
security-summary.md - echo "| Scanner | Status | Files Scanned |" >> security-summary.md - echo "|---------|---------|---------------|" >> security-summary.md - - # Count SARIF files to show scan status - SAST_FILES=$(find consolidated-sarif/ -name "*semgrep*" | wc -l) - SCA_FILES=$(find consolidated-sarif/ -name "*trivy*" -o -name "*dependency*" | wc -l) - IAC_FILES=$(find consolidated-sarif/ -name "*iac*" -o -name "*checkov*" | wc -l) - - echo "| SAST (Semgrep) | ✅ | $SAST_FILES |" >> security-summary.md - echo "| SCA (Trivy/DepCheck) | ✅ | $SCA_FILES |" >> security-summary.md - echo "| IaC (Trivy/Checkov) | ✅ | $IAC_FILES |" >> security-summary.md - echo "| Secrets (Gitleaks) | ✅ | N/A |" >> security-summary.md - echo "" >> security-summary.md - echo "**Next Step**: AI agent will analyze findings and suggest fixes 🤖" >> security-summary.md - - - name: Upload summary - uses: actions/upload-artifact@v4 - if: github.event_name == 'pull_request' - with: - name: security-summary - path: security-summary.md - retention-days: 7 - - # Preparação para trigger de IA (placeholder) - trigger-ai-analysis: - runs-on: ubuntu-latest - needs: consolidate-results - if: always() && github.event_name == 'pull_request' - steps: - - name: Trigger AI analysis workflow - run: | - echo "🤖 Triggering AI analysis for PR ${{ github.event.number }}" - echo "This step will trigger the AI agent workflow in the future" - echo "AI will analyze consolidated SARIF files and create fix suggestions" - - # Placeholder para repository dispatch que vai trigger a IA - - name: Repository Dispatch to AI Workflow - uses: peter-evans/repository-dispatch@v3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - event-type: security-scan-completed - client-payload: | - { - "pr_number": "${{ github.event.number }}", - "sha": "${{ github.sha }}", - "artifacts": ["consolidated-security-results", "security-summary"] - } \ No newline at end of file 
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 084860c..cf5f800 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
@@ -1,101 +1,282 @@ -name: Security Scan +name: Security Scan - Optimized on: - push + pull_request: + types: [opened, synchronize, reopened] + push: + branches: [main] + +env: + # Configurações globais + FAIL_ON_SEVERITY: "CRITICAL,HIGH" + SARIF_RESULTS_DIR: "security-results" + jobs: - run_sast: + # Job de preparação - cria diretório para resultados + setup: runs-on: ubuntu-latest - container: - image: returntocorp/semgrep - + outputs: + sarif-dir: ${{ env.SARIF_RESULTS_DIR }} steps: - - name: clone application source code - uses: actions/checkout@v3 + - name: Create results directory + run: mkdir -p ${{ env.SARIF_RESULTS_DIR }} - - name: run semgrep - run: | - semgrep \ - --sarif --output semgrep.sarif \ - --metrics=off \ - --config="p/default" + # SAST - Static Application Security Testing + sast: + runs-on: ubuntu-latest + needs: setup + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 - - name: save report as pipeline artifact - uses: actions/upload-artifact@v3 + - name: Run Semgrep + uses: returntocorp/semgrep-action@v1 with: - name: semgrep.sarif - path: semgrep.sarif + config: >- + p/security-audit + p/secrets + p/owasp-top-ten + generateSarif: "1" - - name: Download report - uses: actions/download-artifact@v2 - with: - name: semgrep.sarif + - name: Upload SAST results + uses: actions/upload-artifact@v4 + if: always() + with: + name: sast-results + path: semgrep.sarif + retention-days: 30 + + - name: Upload to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: semgrep.sarif + category: sast - run_sca: + # SCA - Software Composition Analysis (Multi-language) + sca: runs-on: ubuntu-latest + needs: setup + strategy: + matrix: + scanner: [trivy, dependency-check] steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Build project with Maven - run: mvn clean install - - name: Depcheck + - name: Checkout code + uses: actions/checkout@v4 + + # Scanner Trivy - Melhor 
para Python, Node.js, Go, etc. + - name: Run Trivy SCA scan + if: matrix.scanner == 'trivy' + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + format: 'sarif' + output: 'trivy-sca.sarif' + severity: 'CRITICAL,HIGH,MEDIUM' + ignore-unfixed: false + + # Scanner Dependency Check - Melhor para Java, .NET + - name: Run Dependency Check + if: matrix.scanner == 'dependency-check' uses: dependency-check/Dependency-Check_Action@main - id: Depcheck with: - project: 'case-devsecops' + project: 'devsecops-project' path: '.' - format: 'JSON' - out: 'depcheck' + format: 'SARIF' + out: 'dependency-check.sarif' args: > --failOnCVSS 7 --enableRetired - - name: Upload Test results - uses: actions/upload-artifact@master - with: - name: Depcheck report - path: ${{github.workspace}}/depcheck + --enableExperimental - run_dast: - runs-on: ubuntu-latest - - steps: - - name: Config docker - uses: docker/setup-buildx-action@v1 + - name: Upload SCA results + uses: actions/upload-artifact@v4 + if: always() + with: + name: sca-results-${{ matrix.scanner }} + path: "*.sarif" + retention-days: 30 - - name: Run api server - run: docker run -d --publish 5000:5000 frolvlad/flask-restplus-server-example - - - name: Run owasp zap (dast) - uses: zaproxy/action-full-scan@v0.8.0 + - name: Upload to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() with: - target: 'http://127.0.0.1:5000' + sarif_file: "*.sarif" + category: sca-${{ matrix.scanner }} - run_secrets_scan: + # Secrets Scanning + secrets: runs-on: ubuntu-latest + needs: setup steps: - - uses: actions/checkout@v3 + - name: Checkout code + uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: gitleaks/gitleaks-action@v2 + + - name: Run Gitleaks + uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_ENABLE_COMMENTS: false + + - name: Run TruffleHog + uses: trufflesecurity/trufflehog@main + with: + path: ./ + base: main + head: HEAD + 
extra_args: --debug --only-verified - run_iac_scan: - runs-on: ubuntu-20.04 + # IaC - Infrastructure as Code Security + iac: + runs-on: ubuntu-latest + needs: setup steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - - name: Run Trivy vulnerability scanner in IaC mode + - name: Run Trivy IaC scan uses: aquasecurity/trivy-action@master with: - scan-type: 'fs' - ignore-unfixed: true + scan-type: 'config' + scan-ref: '.' format: 'sarif' - output: 'trivy-results.sarif' + output: 'trivy-iac.sarif' severity: 'CRITICAL,HIGH' - - name: Upload artifact - uses: actions/upload-artifact@v2 + - name: Run Checkov + uses: bridgecrewio/checkov-action@master + with: + directory: . + framework: dockerfile,kubernetes,terraform + output_format: sarif + output_file_path: checkov.sarif + + - name: Upload IaC results + uses: actions/upload-artifact@v4 + if: always() + with: + name: iac-results + path: "*.sarif" + retention-days: 30 + + - name: Upload to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: "*.sarif" + category: iac + + # DAST - Dynamic Application Security Testing + dast: + runs-on: ubuntu-latest + needs: setup + if: github.event_name == 'push' && github.ref == 'refs/heads/main' + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and start application + run: | + docker build -t app-under-test . 
+ docker run -d --name test-app -p 5000:5000 app-under-test + sleep 30 # Wait for app to start + + - name: Run OWASP ZAP Full Scan + uses: zaproxy/action-full-scan@v0.10.0 + with: + target: 'http://localhost:5000' + rules_file_name: '.zap/rules.tsv' + cmd_options: '-a -j -m 5 -T 60' + + - name: Upload DAST results + uses: actions/upload-artifact@v4 + if: always() + with: + name: dast-results + path: report_html.html + retention-days: 30 + + # Consolidação de resultados para IA + consolidate-results: + runs-on: ubuntu-latest + needs: [sast, sca, secrets, iac] + if: always() + steps: + - name: Download all artifacts + uses: actions/download-artifact@v4 + with: + path: all-results/ + + - name: Consolidate SARIF files + run: | + mkdir -p consolidated-sarif + find all-results/ -name "*.sarif" -exec cp {} consolidated-sarif/ \; + ls -la consolidated-sarif/ + + - name: Upload consolidated results + uses: actions/upload-artifact@v4 + with: + name: consolidated-security-results + path: consolidated-sarif/ + retention-days: 30 + + - name: Create summary comment (prepare for AI integration) + if: github.event_name == 'pull_request' + run: | + echo "# 🔒 Security Scan Results" > security-summary.md + echo "" >> security-summary.md + echo "| Scanner | Status | Files Scanned |" >> security-summary.md + echo "|---------|---------|---------------|" >> security-summary.md + + # Count SARIF files to show scan status + SAST_FILES=$(find consolidated-sarif/ -name "*semgrep*" | wc -l) + SCA_FILES=$(find consolidated-sarif/ -name "*trivy*" -o -name "*dependency*" | wc -l) + IAC_FILES=$(find consolidated-sarif/ -name "*iac*" -o -name "*checkov*" | wc -l) + + echo "| SAST (Semgrep) | ✅ | $SAST_FILES |" >> security-summary.md + echo "| SCA (Trivy/DepCheck) | ✅ | $SCA_FILES |" >> security-summary.md + echo "| IaC (Trivy/Checkov) | ✅ | $IAC_FILES |" >> security-summary.md + echo "| Secrets (Gitleaks) | ✅ | N/A |" >> security-summary.md + echo "" >> security-summary.md + echo "**Next Step**: 
AI agent will analyze findings and suggest fixes 🤖" >> security-summary.md + + - name: Upload summary + uses: actions/upload-artifact@v4 + if: github.event_name == 'pull_request' + with: + name: security-summary + path: security-summary.md + retention-days: 7 + + # Preparação para trigger de IA (placeholder) + trigger-ai-analysis: + runs-on: ubuntu-latest + needs: consolidate-results + if: always() && github.event_name == 'pull_request' + steps: + - name: Trigger AI analysis workflow + run: | + echo "🤖 Triggering AI analysis for PR ${{ github.event.number }}" + echo "This step will trigger the AI agent workflow in the future" + echo "AI will analyze consolidated SARIF files and create fix suggestions" + + # Placeholder para repository dispatch que vai trigger a IA + - name: Repository Dispatch to AI Workflow + uses: peter-evans/repository-dispatch@v3 with: - name: trivy-report - path: 'trivy-results.sarif' \ No newline at end of file + token: ${{ secrets.GITHUB_TOKEN }} + event-type: security-scan-completed + client-payload: | + { + "pr_number": "${{ github.event.number }}", + "sha": "${{ github.sha }}", + "artifacts": ["consolidated-security-results", "security-summary"] + } \ No newline at end of file From 599068ff426539f71de3a8d4202d3312da9002cd Mon Sep 17 00:00:00 2001 From: Jonathan Date: Thu, 18 Sep 2025 20:11:46 -0300 Subject: [PATCH 3/4] update workflows --- .github/workflows/security-fixed.yml | 335 +++++++++++++++++++++++++++ .github/workflows/security.yml | 2 +- dependency-check-suppressions.xml | 8 + 3 files changed, 344 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/security-fixed.yml create mode 100644 dependency-check-suppressions.xml diff --git a/.github/workflows/security-fixed.yml b/.github/workflows/security-fixed.yml new file mode 100644 index 0000000..c9e70c1 --- /dev/null +++ b/.github/workflows/security-fixed.yml 
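Review bot: `Run TruffleHog` pins `base: main` and `head: HEAD`, so on the `push` trigger to `main` both refs resolve to the same commit and, as far as I know, the action refuses to scan when base and head are identical; on a pull_request it diffs against the local `main` fetched via `fetch-depth: 0`, which is fine. Use `base: ${{ github.event.repository.default_branch }}` and drop `--debug` from `extra_args` (verbose output from a secret scanner belongs in a local run, not in shared CI logs), or restrict the step to pull_request events. The `setup` job is also dead weight: its `mkdir -p` runs on a separate runner, so the directory never exists for the jobs that declare `needs: setup`, and the `sarif-dir` output is never consumed — removing the job lets the scanners start immediately. Both issues are present in the hunk ending at L5 as well.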
@@ -0,0 +1,335 @@
+name: Security Scan - Fixed
+
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+ push:
+ branches: [main]
+
+env:
+ FAIL_ON_SEVERITY: "CRITICAL,HIGH"
+
+jobs:
+ # SAST - Static Application Security Testing
+ sast:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Run Semgrep
+ uses: returntocorp/semgrep-action@v1
+ with:
+ config: >-
+ p/security-audit
+ p/secrets
+ p/owasp-top-ten
+
+ - name: Upload SAST results
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: sast-results
+ path: semgrep.sarif
+ retention-days: 30
+
+ - name: Upload to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: semgrep.sarif
+ category: sast
+
+ # SCA - Software Composition Analysis (Simplified)
+ sca-trivy:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ scan-ref: '.' 
+ format: 'sarif'
+ output: 'trivy-sca.sarif'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ ignore-unfixed: false
+
+ - name: Upload SCA Trivy results
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: sca-trivy-results
+ path: trivy-sca.sarif
+ retention-days: 30
+
+ - name: Upload to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: trivy-sca.sarif
+ category: sca-trivy
+
+ # SCA - Dependency Check (Java/Maven only)
+ sca-dependency-check:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Check for Maven project
+ id: check-maven
+ run: |
+ if [ -f "pom.xml" ]; then
+ echo "maven_exists=true" >> $GITHUB_OUTPUT
+ else
+ echo "maven_exists=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Set up JDK
+ if: steps.check-maven.outputs.maven_exists == 'true'
+ uses: actions/setup-java@v4
+ with:
+ java-version: '11'
+ distribution: 'temurin'
+
+ - name: Cache Maven dependencies
+ if: steps.check-maven.outputs.maven_exists == 'true'
+ uses: actions/cache@v4
+ with:
+ path: ~/.m2
+ key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+ restore-keys: ${{ runner.os }}-m2
+
+ - name: Run OWASP Dependency Check
+ if: steps.check-maven.outputs.maven_exists == 'true'
+ uses: dependency-check/Dependency-Check_Action@main
+ with:
+ project: 'devsecops-project'
+ path: '.' 
+ format: 'JSON,SARIF'
+ out: 'dependency-check-report'
+ args: >
+ --failOnCVSS 7
+ --enableRetired
+ --suppression dependency-check-suppressions.xml
+
+ - name: Upload Dependency Check results
+ uses: actions/upload-artifact@v4
+ if: always() && steps.check-maven.outputs.maven_exists == 'true'
+ with:
+ name: dependency-check-results
+ path: dependency-check-report/
+ retention-days: 30
+
+ # Secrets Scanning
+ secrets:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Run Gitleaks
+ uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_ENABLE_COMMENTS: false
+
+ # Backup secret scanner
+ - name: Run TruffleHog OSS
+ uses: trufflesecurity/trufflehog@main
+ with:
+ path: ./
+ base: ${{ github.event.repository.default_branch }}
+ head: HEAD
+ extra_args: --only-verified --no-update
+
+ # IaC - Infrastructure as Code Security (Simplified)
+ iac:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run Trivy IaC scan
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'config'
+ scan-ref: '.'
+ format: 'sarif'
+ output: 'trivy-iac.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload IaC results
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: iac-results
+ path: trivy-iac.sarif
+ retention-days: 30
+
+ - name: Upload to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: trivy-iac.sarif
+ category: iac
+
+ # Alternative IaC scanner usando tfsec (mais leve)
+ - name: Check for Terraform files
+ id: check-terraform
+ run: |
+ if find . 
-name "*.tf" -type f | head -1 | grep -q .; then
+ echo "terraform_exists=true" >> $GITHUB_OUTPUT
+ else
+ echo "terraform_exists=false" >> $GITHUB_OUTPUT
+ fi
+
+ - name: Run tfsec
+ uses: aquasecurity/tfsec-action@v1.0.3
+ if: steps.check-terraform.outputs.terraform_exists == 'true'
+ with:
+ soft_fail: true
+
+ # DAST - Dynamic Application Security Testing (Only on main branch)
+ dast:
+ runs-on: ubuntu-latest
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build and start application
+ run: |
+ if [ -f "Dockerfile" ]; then
+ docker build -t app-under-test .
+ docker run -d --name test-app -p 5000:5000 app-under-test
+ sleep 30
+ echo "Application started on port 5000"
+ else
+ echo "No Dockerfile found, skipping DAST"
+ exit 0
+ fi
+
+ - name: Run OWASP ZAP Baseline Scan
+ uses: zaproxy/action-baseline@v0.10.0
+ with:
+ target: 'http://localhost:5000'
+ rules_file_name: '.zap/rules.tsv'
+ cmd_options: '-a'
+
+ - name: Upload DAST results
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: dast-results
+ path: report_html.html
+ retention-days: 30
+
+ # Consolidação de resultados
+ consolidate-results:
+ runs-on: ubuntu-latest
+ needs: [sast, sca-trivy, secrets, iac]
+ if: always()
+ steps:
+ - name: Download all artifacts
+ uses: actions/download-artifact@v4
+ with:
+ path: all-results/
+
+ - name: Consolidate SARIF files
+ run: |
+ mkdir -p consolidated-sarif
+ # Find and copy all SARIF files
+ find all-results/ -name "*.sarif" -exec cp {} consolidated-sarif/ \; 2>/dev/null || true
+ # List what we found
+ echo "Found SARIF files:"
+ ls -la consolidated-sarif/ || echo "No SARIF files found"
+
+ - name: Upload consolidated results
+ uses: actions/upload-artifact@v4
+ if: always()
+ with:
+ name: consolidated-security-results
+ path: consolidated-sarif/
+ retention-days: 30
+
+ - name: 
Create security summary
+ if: github.event_name == 'pull_request'
+ run: |
+ echo "# 🔒 Security Scan Results Summary" > security-summary.md
+ echo "" >> security-summary.md
+ echo "**Scan completed for PR #${{ github.event.number }}**" >> security-summary.md
+ echo "" >> security-summary.md
+ echo "| Scanner | Status | Notes |" >> security-summary.md
+ echo "|---------|---------|-------|" >> security-summary.md
+
+ # Check if each job completed
+ if [ "${{ needs.sast.result }}" = "success" ]; then
+ echo "| 🔍 SAST (Semgrep) | ✅ Passed | Code analysis completed |" >> security-summary.md
+ else
+ echo "| 🔍 SAST (Semgrep) | ❌ Failed | Check logs for details |" >> security-summary.md
+ fi
+
+ if [ "${{ needs.sca-trivy.result }}" = "success" ]; then
+ echo "| 📦 SCA (Trivy) | ✅ Passed | Dependency scan completed |" >> security-summary.md
+ else
+ echo "| 📦 SCA (Trivy) | ❌ Failed | Check logs for details |" >> security-summary.md
+ fi
+
+ if [ "${{ needs.secrets.result }}" = "success" ]; then
+ echo "| 🔑 Secrets (Gitleaks) | ✅ Passed | No secrets detected |" >> security-summary.md
+ else
+ echo "| 🔑 Secrets (Gitleaks) | ❌ Failed | Potential secrets found |" >> security-summary.md
+ fi
+
+ if [ "${{ needs.iac.result }}" = "success" ]; then
+ echo "| 🏗️ IaC (Trivy) | ✅ Passed | Infrastructure scan completed |" >> security-summary.md
+ else
+ echo "| 🏗️ IaC (Trivy) | ❌ Failed | Check logs for details |" >> security-summary.md
+ fi
+
+ echo "" >> security-summary.md
+ echo "**Next Step**: Review any failed scans and consider implementing AI-powered auto-fixes 🤖" >> security-summary.md
+
+ cat security-summary.md
+
+ - name: Upload summary
+ uses: actions/upload-artifact@v4
+ if: github.event_name == 'pull_request'
+ with:
+ name: security-summary
+ path: security-summary.md
+ retention-days: 7
+
+ # Trigger para futuro workflow de IA
+ prepare-ai-analysis:
+ runs-on: ubuntu-latest
+ needs: consolidate-results
+ if: always() && github.event_name == 'pull_request'
+ steps:
+ - 
name: Prepare AI analysis payload + run: | + echo "🤖 Preparing data for AI analysis..." + echo "PR Number: ${{ github.event.number }}" + echo "SHA: ${{ github.sha }}" + echo "Repository: ${{ github.repository }}" + echo "" + echo "Available artifacts for AI analysis:" + echo "- consolidated-security-results" + echo "- security-summary" + echo "" + echo "This data will be used by the AI agent to:" + echo "1. Analyze security vulnerabilities" + echo "2. Generate fix suggestions" + echo "3. Create automated pull requests with fixes" + echo "4. Comment on this PR with recommendations" \ No newline at end of file diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index cf5f800..51fdd5e 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -1,4 +1,4 @@ -name: Security Scan - Optimized +name: Security Scan on: pull_request: diff --git a/dependency-check-suppressions.xml b/dependency-check-suppressions.xml new file mode 100644 index 0000000..4ddb7b4 --- /dev/null +++ b/dependency-check-suppressions.xml @@ -0,0 +1,8 @@ + + + + \ No newline at end of file From 6be5f63664f348f7c3f351db0ff3ff4ae2b3b729 Mon Sep 17 00:00:00 2001 From: Jonathan Date: Thu, 18 Sep 2025 20:14:44 -0300 Subject: [PATCH 4/4] Update workflow --- .github/workflows/security-fixed.yml | 335 --------------------------- 1 file changed, 335 deletions(-) delete mode 100644 .github/workflows/security-fixed.yml diff --git a/.github/workflows/security-fixed.yml b/.github/workflows/security-fixed.yml deleted file mode 100644 index c9e70c1..0000000 --- a/.github/workflows/security-fixed.yml +++ /dev/null 
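Review bot: The table written by `Create security summary` reports `✅ Passed | No secrets detected` and `Dependency scan completed` purely from `needs.<job>.result`, but neither Trivy step sets trivy-action's `exit-code` input (its default is 0) and `FAIL_ON_SEVERITY` is declared under `env` and never read, so a job succeeds with Critical findings in its SARIF and the PR comment still says Passed. Either wire the gate — `exit-code: '1'` and `severity: ${{ env.FAIL_ON_SEVERITY }}` on the Trivy steps — or reword the rows to "Completed" so the summary does not overstate assurance. Separately, in the `dast` job the `exit 0` branch for a missing Dockerfile ends only that step, so `Run OWASP ZAP Baseline Scan` still runs against `http://localhost:5000` with nothing listening; give the build step an `id:`, write `echo "app_started=true" >> $GITHUB_OUTPUT` in the Dockerfile branch, and gate the ZAP step with `if: steps.<build-step-id>.outputs.app_started == 'true'`. The unused `FAIL_ON_SEVERITY` and the unset `exit-code` are the same in the hunks ending at L5 and L16.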
@@ -1,335 +0,0 @@ -name: Security Scan - Fixed - -on: - pull_request: - types: [opened, synchronize, reopened] - push: - branches: [main] - -env: - FAIL_ON_SEVERITY: "CRITICAL,HIGH" - -jobs: - # SAST - Static Application Security Testing - sast: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Run Semgrep - uses: returntocorp/semgrep-action@v1 - with: - config: >- - p/security-audit - p/secrets - p/owasp-top-ten - - - name: Upload SAST results - uses: actions/upload-artifact@v4 - if: always() - with: - name: sast-results - path: semgrep.sarif - retention-days: 30 - - - name: Upload to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: semgrep.sarif - category: sast - - # SCA - Software Composition Analysis (Simplified) - sca-trivy: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - scan-type: 'fs' - scan-ref: '.' 
- format: 'sarif' - output: 'trivy-sca.sarif' - severity: 'CRITICAL,HIGH,MEDIUM' - ignore-unfixed: false - - - name: Upload SCA Trivy results - uses: actions/upload-artifact@v4 - if: always() - with: - name: sca-trivy-results - path: trivy-sca.sarif - retention-days: 30 - - - name: Upload to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: trivy-sca.sarif - category: sca-trivy - - # SCA - Dependency Check (Java/Maven only) - sca-dependency-check: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Check for Maven project - id: check-maven - run: | - if [ -f "pom.xml" ]; then - echo "maven_exists=true" >> $GITHUB_OUTPUT - else - echo "maven_exists=false" >> $GITHUB_OUTPUT - fi - - - name: Set up JDK - if: steps.check-maven.outputs.maven_exists == 'true' - uses: actions/setup-java@v4 - with: - java-version: '11' - distribution: 'temurin' - - - name: Cache Maven dependencies - if: steps.check-maven.outputs.maven_exists == 'true' - uses: actions/cache@v4 - with: - path: ~/.m2 - key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} - restore-keys: ${{ runner.os }}-m2 - - - name: Run OWASP Dependency Check - if: steps.check-maven.outputs.maven_exists == 'true' - uses: dependency-check/Dependency-Check_Action@main - with: - project: 'devsecops-project' - path: '.' 
- format: 'JSON,SARIF' - out: 'dependency-check-report' - args: > - --failOnCVSS 7 - --enableRetired - --suppression dependency-check-suppressions.xml - - - name: Upload Dependency Check results - uses: actions/upload-artifact@v4 - if: always() && steps.check-maven.outputs.maven_exists == 'true' - with: - name: dependency-check-results - path: dependency-check-report/ - retention-days: 30 - - # Secrets Scanning - secrets: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - - name: Run Gitleaks - uses: gitleaks/gitleaks-action@v2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITLEAKS_ENABLE_COMMENTS: false - - # Backup secret scanner - - name: Run TruffleHog OSS - uses: trufflesecurity/trufflehog@main - with: - path: ./ - base: ${{ github.event.repository.default_branch }} - head: HEAD - extra_args: --only-verified --no-update - - # IaC - Infrastructure as Code Security (Simplified) - iac: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Run Trivy IaC scan - uses: aquasecurity/trivy-action@master - with: - scan-type: 'config' - scan-ref: '.' - format: 'sarif' - output: 'trivy-iac.sarif' - severity: 'CRITICAL,HIGH' - - - name: Upload IaC results - uses: actions/upload-artifact@v4 - if: always() - with: - name: iac-results - path: trivy-iac.sarif - retention-days: 30 - - - name: Upload to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() - with: - sarif_file: trivy-iac.sarif - category: iac - - # Alternative IaC scanner usando tfsec (mais leve) - - name: Check for Terraform files - id: check-terraform - run: | - if find . 
-name "*.tf" -type f | head -1 | grep -q .; then - echo "terraform_exists=true" >> $GITHUB_OUTPUT - else - echo "terraform_exists=false" >> $GITHUB_OUTPUT - fi - - - name: Run tfsec - uses: aquasecurity/tfsec-action@v1.0.3 - if: steps.check-terraform.outputs.terraform_exists == 'true' - with: - soft_fail: true - - # DAST - Dynamic Application Security Testing (Only on main branch) - dast: - runs-on: ubuntu-latest - if: github.event_name == 'push' && github.ref == 'refs/heads/main' - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build and start application - run: | - if [ -f "Dockerfile" ]; then - docker build -t app-under-test . - docker run -d --name test-app -p 5000:5000 app-under-test - sleep 30 - echo "Application started on port 5000" - else - echo "No Dockerfile found, skipping DAST" - exit 0 - fi - - - name: Run OWASP ZAP Baseline Scan - uses: zaproxy/action-baseline@v0.10.0 - with: - target: 'http://localhost:5000' - rules_file_name: '.zap/rules.tsv' - cmd_options: '-a' - - - name: Upload DAST results - uses: actions/upload-artifact@v4 - if: always() - with: - name: dast-results - path: report_html.html - retention-days: 30 - - # Consolidação de resultados - consolidate-results: - runs-on: ubuntu-latest - needs: [sast, sca-trivy, secrets, iac] - if: always() - steps: - - name: Download all artifacts - uses: actions/download-artifact@v4 - with: - path: all-results/ - - - name: Consolidate SARIF files - run: | - mkdir -p consolidated-sarif - # Find and copy all SARIF files - find all-results/ -name "*.sarif" -exec cp {} consolidated-sarif/ \; 2>/dev/null || true - # List what we found - echo "Found SARIF files:" - ls -la consolidated-sarif/ || echo "No SARIF files found" - - - name: Upload consolidated results - uses: actions/upload-artifact@v4 - if: always() - with: - name: consolidated-security-results - path: consolidated-sarif/ - retention-days: 30 - - - name: 
Create security summary - if: github.event_name == 'pull_request' - run: | - echo "# 🔒 Security Scan Results Summary" > security-summary.md - echo "" >> security-summary.md - echo "**Scan completed for PR #${{ github.event.number }}**" >> security-summary.md - echo "" >> security-summary.md - echo "| Scanner | Status | Notes |" >> security-summary.md - echo "|---------|---------|-------|" >> security-summary.md - - # Check if each job completed - if [ "${{ needs.sast.result }}" = "success" ]; then - echo "| 🔍 SAST (Semgrep) | ✅ Passed | Code analysis completed |" >> security-summary.md - else - echo "| 🔍 SAST (Semgrep) | ❌ Failed | Check logs for details |" >> security-summary.md - fi - - if [ "${{ needs.sca-trivy.result }}" = "success" ]; then - echo "| 📦 SCA (Trivy) | ✅ Passed | Dependency scan completed |" >> security-summary.md - else - echo "| 📦 SCA (Trivy) | ❌ Failed | Check logs for details |" >> security-summary.md - fi - - if [ "${{ needs.secrets.result }}" = "success" ]; then - echo "| 🔑 Secrets (Gitleaks) | ✅ Passed | No secrets detected |" >> security-summary.md - else - echo "| 🔑 Secrets (Gitleaks) | ❌ Failed | Potential secrets found |" >> security-summary.md - fi - - if [ "${{ needs.iac.result }}" = "success" ]; then - echo "| 🏗️ IaC (Trivy) | ✅ Passed | Infrastructure scan completed |" >> security-summary.md - else - echo "| 🏗️ IaC (Trivy) | ❌ Failed | Check logs for details |" >> security-summary.md - fi - - echo "" >> security-summary.md - echo "**Next Step**: Review any failed scans and consider implementing AI-powered auto-fixes 🤖" >> security-summary.md - - cat security-summary.md - - - name: Upload summary - uses: actions/upload-artifact@v4 - if: github.event_name == 'pull_request' - with: - name: security-summary - path: security-summary.md - retention-days: 7 - - # Trigger para futuro workflow de IA - prepare-ai-analysis: - runs-on: ubuntu-latest - needs: consolidate-results - if: always() && github.event_name == 'pull_request' - steps: - - 
name: Prepare AI analysis payload - run: | - echo "🤖 Preparing data for AI analysis..." - echo "PR Number: ${{ github.event.number }}" - echo "SHA: ${{ github.sha }}" - echo "Repository: ${{ github.repository }}" - echo "" - echo "Available artifacts for AI analysis:" - echo "- consolidated-security-results" - echo "- security-summary" - echo "" - echo "This data will be used by the AI agent to:" - echo "1. Analyze security vulnerabilities" - echo "2. Generate fix suggestions" - echo "3. Create automated pull requests with fixes" - echo "4. Comment on this PR with recommendations" \ No newline at end of file