From cbd5b645f1a79cf3496950ff6d0b66ddf0b71542 Mon Sep 17 00:00:00 2001 From: Ashwin Sangem Date: Fri, 8 Oct 2021 17:31:42 +0530 Subject: [PATCH] Merge pull request #1110 from manuelbcd/main (#1155) * Added Cloudrail according to instructions and existing examples * Adding Cloudrail according to documentation and examples * Oops * Add original Fortify on Demand workflow * Update Fortify on Demand workflow * Update Fortify on Demand supported languages * Add 3rd-party GitHub Actions disclaimer * Sysdig Secure Inline Scan with SARIF report to starter workflows * Added some extra comments, Github Actions V2 and changed env vars * Reviews from PR #1110 * Adding 'Dockerfile' to category list * Update according to PR review comments * File renames as requested in PR comments * Revert "Azure Data Factory CI starter workflow (#1111)" (#1146) This reverts commit 7f30309ccedb0e3dee186e0ee58c232752a78e24. * use env variables for user-set values (#1117) Co-authored-by: Josh Gross * Apply suggestions from nickfyson's code review Co-authored-by: Nick Fyson * removing "deployment" templates from sync-ghes (#1127) * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Update code-scanning/properties/sysdig-scan.properties.json Co-authored-by: Nick Fyson * Changed svg logo * Rename sysdig.svg to sysdig-scan.svg * Switched svg logo (again) for a better fit * Rename fortify.json to fortify.properties.json Co-authored-by: Yoni Leitersdorf Co-authored-by: Ruud Senden Co-authored-by: Ruud Senden <8635138+rsenden@users.noreply.github.com> Co-authored-by: Manuel Boira Cuevas Co-authored-by: manuelbcd Co-authored-by: Nick Fyson Co-authored-by: Sarah Edwards Co-authored-by: Josh Gross Co-authored-by: Aparna Ravindra <82894348+aparna-ravindra@users.noreply.github.com> Co-authored-by: manuelbcd --- ci/azure-data-factory.yml | 47 --------- .../azure-data-factory.properties.json | 7 -- code-scanning/cloudrail.yml | 58 +++++++++++ code-scanning/fortify.yml | 97 +++++++++++++++++++ .../properties/cloudrail.properties.json | 7 ++ .../properties/fortify.properties.json | 7 ++ .../properties/sysdig-scan.properties.json | 7 ++ code-scanning/sysdig-scan.yml | 54 +++++++++++ deployments/aws.yml | 34 ++++--- icons/azure-data-factory.svg | 1 - icons/cloudrail.svg | 53 ++++++++++ icons/fortify.svg | 1 + icons/sysdig-scan.svg | 1 + script/sync-ghes/settings.json | 1 - 14 files changed, 307 insertions(+), 68 deletions(-) delete mode 100644 ci/azure-data-factory.yml delete mode 100644 ci/properties/azure-data-factory.properties.json create mode 100644 code-scanning/cloudrail.yml create mode 100644 code-scanning/fortify.yml create mode 100644 code-scanning/properties/cloudrail.properties.json create mode 100644 code-scanning/properties/fortify.properties.json create mode 100644 code-scanning/properties/sysdig-scan.properties.json create mode 100644 code-scanning/sysdig-scan.yml delete mode 100644 icons/azure-data-factory.svg create mode 100644 icons/cloudrail.svg create mode 100644 icons/fortify.svg create mode 100644 icons/sysdig-scan.svg diff --git a/ci/azure-data-factory.yml b/ci/azure-data-factory.yml deleted file mode 100644 index 776e250..0000000 --- a/ci/azure-data-factory.yml +++ /dev/null @@ -1,47 +0,0 @@ -# Sample workflow to validate Azure Data Factory resources and export its ARM template as an artifact -# Note: Ensure you have the following package.json in the same directory of your ADF resources - -# { -# "scripts":{ -# "build":"node node_modules/@microsoft/azure-data-factory-utilities/lib/index" -# }, -# "dependencies":{ -# "@microsoft/azure-data-factory-utilities":"^0.1.5" -# } -# } - -name: Data Factory CI - -on: - pull_request: - branches: [ $default-branch, $protected-branches ] - - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - name: Code checkout - uses: actions/checkout@v2 - - - name: Validate - uses: Azure/data-factory-validate-action@v1.1.3 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - # Generate the ARM template into the destination folder, which is the same as selecting "Publish" from the UX. - # The ARM template generated isn't published to the live version of the factory. - - name: Export ARM Template - id: export - uses: Azure/data-factory-export-action@v1.1.0 - # with: - # path: # replace by the folder that contains the Data Factory resources and the package.json - - - name: Publish artifact - uses: actions/upload-artifact@v2 - with: - name: Data Factory package - path: ${{ steps.export.outputs.arm-template-directory }} - if-no-files-found: error diff --git a/ci/properties/azure-data-factory.properties.json b/ci/properties/azure-data-factory.properties.json deleted file mode 100644 index f1e7f5b..0000000 --- a/ci/properties/azure-data-factory.properties.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "name": "Azure Data Factory", - "creator": "Microsoft Azure", - "description": "Build and validate Azure Data Factory resources", - "iconName": "azure-data-factory", - "categories": ["Continuous integration", "Azure Data Factory"] -} diff --git a/code-scanning/cloudrail.yml b/code-scanning/cloudrail.yml new file mode 100644 index 0000000..9f95c5c --- /dev/null +++ b/code-scanning/cloudrail.yml @@ -0,0 +1,58 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: cloudrail + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + cloudrail: + name: Run Indeni Cloudrail on Terraform code with SARIF output + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Clone repo + uses: actions/checkout@v2 + + # For Terraform, Cloudrail requires the plan as input. So we generate it using + # the Terraform core binary. + - uses: hashicorp/setup-terraform@v1 + with: + terraform_version: v0.13.2 + + - run: terraform init + + - run: terraform plan -out=plan.out + env: + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + + # Confirm we have the plan file + - run: stat plan.out + + - name: Run Cloudrail + uses: indeni/cloudrail-run-ga@b56ed2d30913c975b36df231adc2eabf05523622 + with: + tf-plan-file: plan.out # This was created in a "terraform plan" step + cloudrail-api-key: ${{ secrets.CLOUDRAIL_API_KEY }} # This requires registration to Indeni Cloudrail's SaaS at https://web.cloudrail.app + cloud-account-id: # Leave this empty for Static Analaysis, or provide an account ID for Dynamic Analysis, see instructions in Cloudrail SaaS + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v1 + # Remember that if issues are found, Cloudrail return non-zero exit code, so the if: always() + # is needed to ensure the SARIF file is uploaded + if: always() + with: + sarif_file: cloudrail_results.sarif diff --git a/code-scanning/fortify.yml b/code-scanning/fortify.yml new file mode 100644 index 0000000..d67d194 --- /dev/null +++ b/code-scanning/fortify.yml @@ -0,0 +1,97 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +################################################################################################################################################ +# Fortify lets you build secure software fast with an appsec platform that automates testing throughout the DevSecOps pipeline. Fortify static,# +# dynamic, interactive, and runtime security testing is available on premises or as a service. To learn more about Fortify, start a free trial # +# or contact our sales team, visit microfocus.com/appsecurity. # +# # +# Use this workflow template as a basis for integrating Fortify on Demand Static Application Security Testing(SAST) into your GitHub workflows.# +# This template demonstrates the steps to prepare the code+dependencies, initiate a scan, download results once complete and import into # +# GitHub Security Code Scanning Alerts. Existing customers should review inputs and environment variables below to configure scanning against # +# an existing application in your Fortify on Demand tenant. Additional information is available in the comments throughout the workflow, the # +# documentation for the Fortify actions used, and the Fortify on Demand / ScanCentral Client product documentation. If you need additional # +# assistance with configuration, feel free to create a help ticket in the Fortify on Demand portal. # +################################################################################################################################################ + +name: Fortify on Demand Scan + +# TODO: Customize trigger events based on your DevSecOps processes and typical FoD SAST scan time +on: + workflow_dispatch: + push: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + FoD-SAST-Scan: + # Use the appropriate runner for building your source code. + # TODO: Use a Windows runner for .NET projects that use msbuild. Additional changes to RUN commands will be required to switch to Windows syntax. + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + # Check out source code + - name: Check Out Source Code + uses: actions/checkout@v2 + + # Java is required to run the various Fortify utilities. + # When scanning a Java application, please use the appropriate Java version for building your application. + - name: Setup Java + uses: actions/setup-java@v1 + with: + java-version: 1.8 + + # Prepare source+dependencies for upload. The default example is for a Maven project that uses pom.xml. + # TODO: Update PACKAGE_OPTS based on the ScanCentral Client documentation for your project's included tech stack(s). Helpful hints: + # ScanCentral Client will download dependencies for maven (-bt mvn) and gradle (-bt gradle). + # ScanCentral Client can download dependencies for msbuild projects (-bt msbuild); however, you must convert the workflow to use a Windows runner. + # ScanCentral has additional options that should be set for PHP and Python projects + # For other build tools, add your build commands to download necessary dependencies and prepare according to Fortify on Demand Packaging documentation. + # ScanCentral Client documentation is located at https://www.microfocus.com/documentation/fortify-software-security-center/ + - name: Download Fortify ScanCentral Client + uses: fortify/gha-setup-scancentral-client@5b7382f8234fb9840958c49d5f32ae854115f9f3 + - name: Package Code + Dependencies + run: scancentral package $PACKAGE_OPTS -o package.zip + env: + PACKAGE_OPTS: "-bt mvn" + + # Start Fortify on Demand SAST scan and wait until results complete. For more information on FoDUploader commands, see https://github.com/fod-dev/fod-uploader-java + # TODO: Update ENV variables for your application and create the necessary GitHub Secrets. Helpful hints: + # Credentials and release ID should be obtained from your FoD tenant (either Personal Access Token or API Key can be used). + # Automated Audit preference should be configured for the release's Static Scan Settings in the Fortify on Demand portal. + - name: Download Fortify on Demand Universal CI Tool + uses: fortify/gha-setup-fod-uploader@6e6bb8a33cb476e240929fa8ebc739ff110e7433 + - name: Perform SAST Scan + run: java -jar $FOD_UPLOAD_JAR -z package.zip -aurl $FOD_API_URL -purl $FOD_URL -rid "$FOD_RELEASE_ID" -tc "$FOD_TENANT" -uc "$FOD_USER" "$FOD_PAT" $FOD_UPLOADER_OPTS -n "$FOD_UPLOADER_NOTES" + env: + FOD_URL: "https://ams.fortify.com/" + FOD_API_URL: "https://api.ams.fortify.com/" + FOD_TENANT: ${{ secrets.FOD_TENANT }} + FOD_USER: ${{ secrets.FOD_USER }} + FOD_PAT: ${{ secrets.FOD_PAT }} + FOD_RELEASE_ID: ${{ secrets.FOD_RELEASE_ID }} + FOD_UPLOADER_OPTS: "-ep 2 -pp 0 -I 1 -apf" + FOD_UPLOADER_NOTES: 'Triggered by GitHub Actions (${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }})' + + # Once scan completes, pull SAST issues from Fortify on Demand and generate SARIF output. + - name: Export results to GitHub-optimized SARIF + uses: fortify/gha-export-vulnerabilities@fcb374411cff9809028c911dabb8b57dbdae623b + with: + fod_base_url: "https://ams.fortify.com/" + fod_tenant: ${{ secrets.FOD_TENANT }} + fod_user: ${{ secrets.FOD_USER }} + fod_password: ${{ secrets.FOD_PAT }} + fod_release_id: ${{ secrets.FOD_RELEASE_ID }} + + # Import Fortify on Demand results to GitHub Security Code Scanning + - name: Import Results + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: ./gh-fortify-sast.sarif diff --git a/code-scanning/properties/cloudrail.properties.json b/code-scanning/properties/cloudrail.properties.json new file mode 100644 index 0000000..830d966 --- /dev/null +++ b/code-scanning/properties/cloudrail.properties.json @@ -0,0 +1,7 @@ +{ + "name": "cloudrail", + "creator": "Indeni Cloudrail", + "description": "Cloudrail can be used to scan your infrastructure-as-code files for potential security and compliance issues. The Cloudrail action is often used as part of both CI workflows (on pull_request) and on CD workflows to identify potential issues.", + "iconName": "cloudrail", + "categories": ["Code Scanning", "HCL"] +} diff --git a/code-scanning/properties/fortify.properties.json b/code-scanning/properties/fortify.properties.json new file mode 100644 index 0000000..100b4bb --- /dev/null +++ b/code-scanning/properties/fortify.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Fortify on Demand Scan", + "creator": "Micro Focus", + "description": "Integrate Fortify's comprehensive static code analysis (SAST) for 27+ languages into your DevSecOps workflows to build secure software faster.", + "iconName": "fortify", + "categories": ["Code Scanning", "ABAP", "ActionScript", "Apex", "C#", "C", "C++", "COBOL", "ColdFusion", "Dockerfile", "Go", "HTML", "Java", "JavaScript", "JSON", "Java Server Pages", "Kotlin", "MXML", "Objective-C", "Objective-C++", "PHP", "PLSQL", "Python", "Ruby", "Scala", "Swift", "TSQL", "TypeScript", "VBScript", "Visual Basic .NET", "Visual Basic", "XML"] +} diff --git a/code-scanning/properties/sysdig-scan.properties.json b/code-scanning/properties/sysdig-scan.properties.json new file mode 100644 index 0000000..d39072e --- /dev/null +++ b/code-scanning/properties/sysdig-scan.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Sysdig Inline Scan", + "creator": "Sysdig", + "description": "Performs analysis on locally built container image and posts the results in SARIF report", + "iconName": "sysdig-scan", + "categories": ["Code Scanning", "Dockerfile", "C", "C#", "C++", "Go", "Java", "JavaScript", "Node", "Python", "Powershell", "Ruby"] +} diff --git a/code-scanning/sysdig-scan.yml b/code-scanning/sysdig-scan.yml new file mode 100644 index 0000000..49841d7 --- /dev/null +++ b/code-scanning/sysdig-scan.yml @@ -0,0 +1,54 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Sysdig - Build, scan, push and upload sarif report + +on: + push: + branches: [ $default-branch, $protected-branches ] + pull_request: + branches: [ $default-branch ] + schedule: + - cron: $cron-weekly + +jobs: + + build: + + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v2 + + - name: Build the Docker image + # Tag image to be built + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below + run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest + + - name: Sysdig Secure Inline Scan + id: scan + uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 + with: + # Tag of the image to analyse. + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above + image-tag: ${{ github.repository }}:latest + # API token for Sysdig Scanning auth + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}} + # Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ + # US-East https://secure.sysdig.com + # US-West https://us2.app.sysdig.com + # EU https://eu1.app.sysdig.com + sysdig-secure-url: https://us2.app.sysdig.com + dockerfile-path: ./Dockerfile + input-type: docker-daemon + ignore-failed-scan: true + # Sysdig inline scanner requires privileged rights + run-as-user: root + + - uses: github/codeql-action/upload-sarif@v1 + #Upload SARIF file + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarifReport }} \ No newline at end of file diff --git a/deployments/aws.yml b/deployments/aws.yml index 8b10116..6a6643c 100644 --- a/deployments/aws.yml +++ b/deployments/aws.yml @@ -5,29 +5,40 @@ # # 1. Create an ECR repository to store your images. # For example: `aws ecr create-repository --repository-name my-ecr-repo --region us-east-2`. -# Replace the value of `ECR_REPOSITORY` in the workflow below with your repository's name. -# Replace the value of `aws-region` in the workflow below with your repository's region. +# Replace the value of the `ECR_REPOSITORY` environment variable in the workflow below with your repository's name. +# Replace the value of the `AWS_REGION` environment variable in the workflow below with your repository's region. # # 2. Create an ECS task definition, an ECS cluster, and an ECS service. # For example, follow the Getting Started guide on the ECS console: # https://us-east-2.console.aws.amazon.com/ecs/home?region=us-east-2#/firstRun -# Replace the values for `service` and `cluster` in the workflow below with your service and cluster names. +# Replace the value of the `ECS_SERVICE` environment variable in the workflow below with the name you set for the Amazon ECS service. +# Replace the value of the `ECS_CLUSTER` environment variable in the workflow below with the name you set for the cluster. # # 3. Store your ECS task definition as a JSON file in your repository. # The format should follow the output of `aws ecs register-task-definition --generate-cli-skeleton`. -# Replace the value of `task-definition` in the workflow below with your JSON file's name. -# Replace the value of `container-name` in the workflow below with the name of the container +# Replace the value of the `ECS_TASK_DEFINITION` environment variable in the workflow below with the path to the JSON file. +# Replace the value of the `CONTAINER_NAME` environment variable in the workflow below with the name of the container # in the `containerDefinitions` section of the task definition. # # 4. Store an IAM user access key in GitHub Actions secrets named `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`. # See the documentation for each action used below for the recommended IAM policies for this IAM user, # and best practices on handling the access key credentials. +name: Deploy to Amazon ECS + on: release: types: [created] -name: Deploy to Amazon ECS +env: + AWS_REGION: MY_AWS_REGION # set this to your preferred AWS region, e.g. us-west-1 + ECR_REPOSITORY: MY_ECR_REPOSITORY # set this to your Amazon ECR repository name + ECS_SERVICE: MY_ECS_SERVICE # set this to your Amazon ECS service name + ECS_CLUSTER: MY_ECS_CLUSTER # set this to your Amazon ECS cluster name + ECS_TASK_DEFINITION: MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition + # file, e.g. .aws/task-definition.json + CONTAINER_NAME: MY_CONTAINER_NAME # set this to the name of the container in the + # containerDefinitions section of your task definition jobs: deploy: @@ -44,7 +55,7 @@ jobs: with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: us-east-2 + aws-region: ${{ env.AWS_REGION }} - name: Login to Amazon ECR id: login-ecr @@ -54,7 +65,6 @@ jobs: id: build-image env: ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} - ECR_REPOSITORY: my-ecr-repo IMAGE_TAG: ${{ github.sha }} run: | # Build a docker container and @@ -68,14 +78,14 @@ jobs: id: task-def uses: aws-actions/amazon-ecs-render-task-definition@v1 with: - task-definition: task-definition.json - container-name: sample-app + task-definition: ${{ env.ECS_TASK_DEFINITION }} + container-name: ${{ env.CONTAINER_NAME }} image: ${{ steps.build-image.outputs.image }} - name: Deploy Amazon ECS task definition uses: aws-actions/amazon-ecs-deploy-task-definition@v1 with: task-definition: ${{ steps.task-def.outputs.task-definition }} - service: sample-app-service - cluster: default + service: ${{ env.ECS_SERVICE }} + cluster: ${{ env.ECS_CLUSTER }} wait-for-service-stability: true diff --git a/icons/azure-data-factory.svg b/icons/azure-data-factory.svg deleted file mode 100644 index 2237336..0000000 --- a/icons/azure-data-factory.svg +++ /dev/null @@ -1 +0,0 @@ -Icon-databases-126 \ No newline at end of file diff --git a/icons/cloudrail.svg b/icons/cloudrail.svg new file mode 100644 index 0000000..9aaf9c3 --- /dev/null +++ b/icons/cloudrail.svg @@ -0,0 +1,53 @@ + + + + + + + + + + + + + + diff --git a/icons/fortify.svg b/icons/fortify.svg new file mode 100644 index 0000000..45a0d77 --- /dev/null +++ b/icons/fortify.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/icons/sysdig-scan.svg b/icons/sysdig-scan.svg new file mode 100644 index 0000000..85d5de0 --- /dev/null +++ b/icons/sysdig-scan.svg @@ -0,0 +1 @@ +Artboard 1 \ No newline at end of file diff --git a/script/sync-ghes/settings.json b/script/sync-ghes/settings.json index e4f50fa..9648ab4 100644 --- a/script/sync-ghes/settings.json +++ b/script/sync-ghes/settings.json @@ -2,7 +2,6 @@ "folders": [ "../../ci", "../../automation", - "../../deployments", "../../code-scanning" ], "enabledActions": [