From 9db23a2437ff17f6ad52e8b92dfc8197ed8314dd Mon Sep 17 00:00:00 2001 From: ginilpg Date: Tue, 10 Sep 2024 20:11:53 +0530 Subject: [PATCH 1/8] Add Appknox starter workflow (#2447) * Added appknox.yml for code scanning * Create appknox.json * Create appknox.svg * Update appknox.json * Update appknox.svg * Rename appknox.json to appknox.properties.json * Update appknox.yml * Update appknox.yml * Update appknox.properties.json * Formatting yml --- code-scanning/appknox.yml | 56 +++++++++++++++++++ .../properties/appknox.properties.json | 23 ++++++++ icons/appknox.svg | 10 ++++ 3 files changed, 89 insertions(+) create mode 100644 code-scanning/appknox.yml create mode 100644 code-scanning/properties/appknox.properties.json create mode 100644 icons/appknox.svg diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml new file mode 100644 index 0000000..0282b6c --- /dev/null +++ b/code-scanning/appknox.yml @@ -0,0 +1,56 @@ +# This workflow uses actions that are not certified by GitHub. They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support documentation. +# +# Appknox: Leader in Mobile Application Security Testing Solutions +# +# To use this workflow, you must be an existing Appknox customer with GitHub Advanced Security (GHAS) enabled for your +# repository. +# +# If you *are not* an existing customer, click here to contact us for licensing and pricing details: +# . +# +# Instructions: +# +# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the +# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token +# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings +# and create a token labeled GitHub +# +# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the +# action executes, check the 'Security' tab for results + +name: Appknox + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] +jobs: + appknox: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Set up JDK 1.8 + uses: actions/setup-java@v1 + with: + java-version: 1.8 + - name: Grant execute permission for gradlew + run: chmod +x gradlew + + - name: Build the app + run: ./gradlew build # Update this to build your Android or iOS application + + - name: Appknox GitHub action + uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 + with: + appknox_access_token: ${{ secrets.APPKNOX_ACCESS_TOKEN }} + file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here + risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL] + sarif: Enable + + - name: Upload SARIF to GHAS + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: report.sarif diff --git a/code-scanning/properties/appknox.properties.json b/code-scanning/properties/appknox.properties.json new file mode 100644 index 0000000..4164291 --- /dev/null +++ b/code-scanning/properties/appknox.properties.json @@ -0,0 +1,23 @@ +{ + "name": "Appknox", + "creator": "Appknox", + "description": "Use Appknox action for faster and precise security assessments of your iOS and Android apps developed using any programming language", + "iconName": "appknox", + "categories": [ + "Code Scanning", + "Java", + "Kotlin", + "Scala", + "Swift", + "Objective C", + "C", + "C++", + "C#", + "Rust", + "JavaScript", + "TypeScript", + "Node" + ], + "labels": ["preview"] + +} diff --git a/icons/appknox.svg b/icons/appknox.svg new file mode 100644 index 0000000..36148e7 --- /dev/null +++ b/icons/appknox.svg @@ -0,0 +1,10 @@ + + + + + + + + + + From 53980cb868e646a5e8c7881a33599f3287729eb7 Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Tue, 10 Sep 2024 11:10:00 -0700 Subject: [PATCH 2/8] Update eslint.yml Ensure suppressed warnings don't make it into the SARIF. --- code-scanning/eslint.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 7304e83..4c34d46 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -36,6 +36,8 @@ jobs: npm install @microsoft/eslint-formatter-sarif@2.1.7 - name: Run ESLint + env: + SARIF_ESLINT_IGNORE_SUPPRESSED: "true" run: npx eslint . --config .eslintrc.js --ext .js,.jsx,.ts,.tsx @@ -47,4 +49,4 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: eslint-results.sarif - wait-for-processing: true \ No newline at end of file + wait-for-processing: true From ddb47be88806996b76adbe1a1cb77d51be4925d8 Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Tue, 10 Sep 2024 11:46:17 -0700 Subject: [PATCH 3/8] Update appknox.yml Fix linting errors (remove whitespace). --- code-scanning/appknox.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml index 0282b6c..7c4b506 100644 --- a/code-scanning/appknox.yml +++ b/code-scanning/appknox.yml @@ -11,12 +11,12 @@ # # Instructions: # -# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the -# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token -# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings +# 1. In your repository settings, navigate to 'Secrets' and click on 'New repository secret.' Name the +# secret APPKNOX_ACCESS_TOKEN and paste your appknox user token into the value field. If you don't have a appknox token +# or need to generate a new one for GitHub, visit the Appknox Platform, go to Account Settings->Developer Settings # and create a token labeled GitHub # -# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the +# 2. Refer to the detailed workflow below, make any required adjustments, and then save it to your repository. After the # action executes, check the 'Security' tab for results name: Appknox @@ -37,10 +37,10 @@ jobs: java-version: 1.8 - name: Grant execute permission for gradlew run: chmod +x gradlew - + - name: Build the app run: ./gradlew build # Update this to build your Android or iOS application - + - name: Appknox GitHub action uses: appknox/appknox-github-action@b7d2bfb2321d5544e97bffcba48557234ab953a4 with: @@ -48,7 +48,7 @@ jobs: file_path: app/build/outputs/apk/debug/app-debug.apk # Specify the path to your .ipa or .apk here risk_threshold: MEDIUM # Update this to desired risk threshold [LOW, MEDIUM, HIGH, CRITICAL] sarif: Enable - + - name: Upload SARIF to GHAS if: always() uses: github/codeql-action/upload-sarif@v3 From 9d2ae7c02812c6bcf7c52ea07edbd40ac70515a5 Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Tue, 10 Sep 2024 11:50:28 -0700 Subject: [PATCH 4/8] Update appknox.yml Fix more whitespace issues. --- code-scanning/appknox.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml index 7c4b506..15d51e0 100644 --- a/code-scanning/appknox.yml +++ b/code-scanning/appknox.yml @@ -25,7 +25,7 @@ on: push: branches: [ $default-branch, $protected-branches ] pull_request: - branches: [ $default-branch ] + branches: [ $default-branch ] jobs: appknox: runs-on: ubuntu-latest From dea60ba593828d8920e6169345ef3c469b80798d Mon Sep 17 00:00:00 2001 From: Andrew Eisenberg Date: Wed, 11 Sep 2024 11:12:06 -0700 Subject: [PATCH 5/8] Update code-scanning/eslint.yml --- code-scanning/eslint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/eslint.yml b/code-scanning/eslint.yml index 4c34d46..b0aaeb3 100644 --- a/code-scanning/eslint.yml +++ b/code-scanning/eslint.yml @@ -33,7 +33,7 @@ jobs: - name: Install ESLint run: | npm install eslint@8.10.0 - npm install @microsoft/eslint-formatter-sarif@2.1.7 + npm install @microsoft/eslint-formatter-sarif@3.1.0 - name: Run ESLint env: From 666350e29b10d665a82d5c6d1501a29e50d63c29 Mon Sep 17 00:00:00 2001 From: ginilpg Date: Wed, 18 Sep 2024 00:20:21 +0530 Subject: [PATCH 6/8] Added appknox.yml for code scanning (#2498) Create appknox.json Create appknox.svg Update appknox.json Update appknox.svg Rename appknox.json to appknox.properties.json Update appknox.yml Update appknox.yml Update appknox.properties.json Formatting yml Removed preview mode from appknox scanner Removed preview mode from appknox scanner Add Appknox starter workflow (#2447) * Added appknox.yml for code scanning * Create appknox.json * Create appknox.svg * Update appknox.json * Update appknox.svg * Rename appknox.json to appknox.properties.json * Update appknox.yml * Update appknox.yml * Update appknox.properties.json * Formatting yml removed preview mode removed preview mode precommit lint --- code-scanning/appknox.yml | 8 +++----- code-scanning/properties/appknox.properties.json | 4 +--- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/code-scanning/appknox.yml b/code-scanning/appknox.yml index 15d51e0..68e4672 100644 --- a/code-scanning/appknox.yml +++ b/code-scanning/appknox.yml @@ -30,11 +30,9 @@ jobs: appknox: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: Set up JDK 1.8 - uses: actions/setup-java@v1 - with: - java-version: 1.8 + - name: Checkout Code + uses: actions/checkout@v2 + - name: Grant execute permission for gradlew run: chmod +x gradlew diff --git a/code-scanning/properties/appknox.properties.json b/code-scanning/properties/appknox.properties.json index 4164291..8e8b1f2 100644 --- a/code-scanning/properties/appknox.properties.json +++ b/code-scanning/properties/appknox.properties.json @@ -17,7 +17,5 @@ "JavaScript", "TypeScript", "Node" - ], - "labels": ["preview"] - + ] } From 09fa3b9723362634eb5877b2dd60fb884cb1f341 Mon Sep 17 00:00:00 2001 From: Ilya Khivrich Date: Mon, 21 Oct 2024 23:01:52 +0300 Subject: [PATCH 7/8] add jfrog-sast flow --- code-scanning/jfrog-sast.yml | 54 +++++++++++++++++++ .../properties/jfrog-sast.properties.json | 15 ++++++ 2 files changed, 69 insertions(+) create mode 100644 code-scanning/jfrog-sast.yml create mode 100644 code-scanning/properties/jfrog-sast.properties.json diff --git a/code-scanning/jfrog-sast.yml b/code-scanning/jfrog-sast.yml new file mode 100644 index 0000000..aba617d --- /dev/null +++ b/code-scanning/jfrog-sast.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. +# JFrog SAST performs 1st party source code security analysis +# For more information, see +# https://docs.jfrog-applications.jfrog.io/jfrog-security-features/sast + +name: "JFrog SAST Scan" + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch, $protected-branches ] + schedule: + - cron: $cron-weekly + +env: + # [Mandatory] + # JFrog platform URL and access token for + # a JFrog platform instance with active + # JFrog Advanced Security subscription + JF_URL: ${{ secrets.JF_URL }} + JF_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Node.js + uses: actions/setup-node@v4 + + - name: Install and configure JFrog CLI + run: | + npm install -g jfrog-cli-v2-jf + jf c add --interactive=false --url=$JF_URL --access-token=$JF_TOKEN + + - name: Run JFrog SAST + run: | + jf audit --sast --format=sarif > jfrog_sast.sarif + + + - name: Upload output to generate autofix + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: jfrog_sast.sarif \ No newline at end of file diff --git a/code-scanning/properties/jfrog-sast.properties.json b/code-scanning/properties/jfrog-sast.properties.json new file mode 100644 index 0000000..093d9c2 --- /dev/null +++ b/code-scanning/properties/jfrog-sast.properties.json @@ -0,0 +1,15 @@ +{ + "name": "JFrog SAST", + "description": "Scan for security vulnerabilities in source code using JFrog SAST", + "iconName": "frogbot", + "categories": + [ + "Code Scanning", + "python", + "java", + "javascript", + "typescript", + "go" + ], + "creator": "JFrog" +} \ No newline at end of file From 7f50c702183846c848e2eb13df950a942ffd2374 Mon Sep 17 00:00:00 2001 From: Ilya Khivrich Date: Tue, 22 Oct 2024 11:53:35 +0300 Subject: [PATCH 8/8] pass token over stdin, add security to properties --- code-scanning/jfrog-sast.yml | 2 +- code-scanning/properties/jfrog-sast.properties.json | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/jfrog-sast.yml b/code-scanning/jfrog-sast.yml index aba617d..4ff7ef7 100644 --- a/code-scanning/jfrog-sast.yml +++ b/code-scanning/jfrog-sast.yml @@ -41,7 +41,7 @@ jobs: - name: Install and configure JFrog CLI run: | npm install -g jfrog-cli-v2-jf - jf c add --interactive=false --url=$JF_URL --access-token=$JF_TOKEN + echo $JF_TOKEN | jf c add --interactive=false --url=$JF_URL --access-token-stdin - name: Run JFrog SAST run: | diff --git a/code-scanning/properties/jfrog-sast.properties.json b/code-scanning/properties/jfrog-sast.properties.json index 093d9c2..7ffa897 100644 --- a/code-scanning/properties/jfrog-sast.properties.json +++ b/code-scanning/properties/jfrog-sast.properties.json @@ -5,6 +5,7 @@ "categories": [ "Code Scanning", + "security", "python", "java", "javascript",