From 69184c7484fdc04189ae93557415ca14959cd5a7 Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Tue, 17 Aug 2021 07:29:02 -0700 Subject: [PATCH 1/4] Added Cloudrail according to instructions and existing examples --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index cb9305a..f4db277 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,6 +1,6 @@ { "name": "CodeQL Analysis", - "creator": "GitHub", + "creator": "Indeni", "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"] From 188b52b51c31ac79b948c3b4a656b097920e9fe6 Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Tue, 17 Aug 2021 07:29:29 -0700 Subject: [PATCH 2/4] Adding Cloudrail according to documentation and examples --- code-scanning/cloudrail.yml | 58 +++++++++++++++++++ .../properties/cloudrail.properties.json | 7 +++ icons/cloudrail.svg | 53 +++++++++++++++++ 3 files changed, 118 insertions(+) create mode 100644 code-scanning/cloudrail.yml create mode 100644 code-scanning/properties/cloudrail.properties.json create mode 100644 icons/cloudrail.svg diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml new file mode 100644 index 0000000..474b97a --- /dev/null +++ b/code-scanning/cloudrail.yml @@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: cloudrail + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + cloudrail: + name: Run Indeni Cloudrail on Terraform code with SARIF output + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Clone repo + uses: actions/checkout@v2 + + # For Terraform, Cloudrail requires the plan as input. So we generate it using + # the Terraform core binary. + - uses: hashicorp/setup-terraform@v1 + with: + terraform_version: v0.13.2 + + - run: terraform init + + - run: terraform plan -out=plan.out + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # Confirm we have the plan file + - run: stat plan.out + + - name: Run Cloudrail + uses: indeni/cloudrail-run-ga@v1.3 + with: + tf-plan-file: plan.out # This was created in a "terraform plan" step + cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app + cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() + # is needed to ensure the SARIF file is uploaded + if: always() + with: + sarif_file: cloudrail_results.sarif diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json new file mode 100644 index 0000000..36181c2 --- /dev/null +++ b/code-scanning/properties/cloudrail.properties.json @@ -0,0 +1,7 @@ +{ + "name": "cloudrail", + "creator": "Indeni Cloudrail", + "description": "Cloudrail, by Indeni, can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues. Cloudrail's output uses the SARIF format, which will surface the scan's results directly inside your pull request.", + "iconName": "cloudrail", + "categories": ["Code Scanning", "HCL"] +} diff --git a/icons/cloudrail.svg b/icons/cloudrail.svg new file mode 100644 index 0000000..9aaf9c3 --- /dev/null +++ b/icons/cloudrail.svg @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + From 98bde3b31e53b969eeabcb5a94e5461d3fa0664c Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Tue, 17 Aug 2021 07:32:50 -0700 Subject: [PATCH 3/4] Oops --- code-scanning/properties/codeql.properties.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/properties/codeql.properties.json b/code-scanning/properties/codeql.properties.json index f4db277..cb9305a 100644 --- a/code-scanning/properties/codeql.properties.json +++ b/code-scanning/properties/codeql.properties.json @@ -1,6 +1,6 @@ { "name": "CodeQL Analysis", - "creator": "Indeni", + "creator": "GitHub", "description": "Security analysis from GitHub for C, C++, C#, Java, JavaScript, TypeScript, Python, and Go developers.", "iconName": "octicon mark-github", "categories": ["Code Scanning", "C", "C#", "C++", "Go", "Java", "JavaScript", "TypeScript", "Python"] From c705225b8f52e676371b168efc00b6f60347c22d Mon Sep 17 00:00:00 2001 From: Yoni Leitersdorf Date: Mon, 4 Oct 2021 09:48:47 -0700 Subject: [PATCH 4/4] Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson --- code-scanning/cloudrail.yml | 2 +- code-scanning/properties/cloudrail.properties.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml index 474b97a..9f95c5c 100644 --- a/code-scanning/cloudrail.yml +++ b/code-scanning/cloudrail.yml @@ -43,7 +43,7 @@ jobs: - run: stat plan.out - name: Run Cloudrail - uses: indeni/cloudrail-run-ga@v1.3 + uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622 with: tf-plan-file: plan.out # This was created in a "terraform plan" step cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json index 36181c2..830d966 100644 --- a/code-scanning/properties/cloudrail.properties.json +++ b/code-scanning/properties/cloudrail.properties.json @@ -1,7 +1,7 @@ { "name": "cloudrail", "creator": "Indeni Cloudrail", - "description": "Cloudrail, by Indeni, can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues. Cloudrail's output uses the SARIF format, which will surface the scan's results directly inside your pull request.", + "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.", "iconName": "cloudrail", "categories": ["Code Scanning", "HCL"] }