Merge branch 'main' into main

This commit is contained in:
Mani Sai V
2022-05-09 14:22:14 +05:30
committed by GitHub
17 changed files with 416 additions and 23 deletions
+9 -7
View File
@@ -48,8 +48,11 @@ jobs:
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
# Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
@@ -58,13 +61,12 @@ jobs:
# ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
# and modify them (or add more) to build your code if your project
# uses a compiled language
# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
#- run: |
# make bootstrap
# make release
# - run: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/buildscript.sh
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
+175
View File
@@ -0,0 +1,175 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# Run a Nexploit Scan
# This action runs a new security scan in Nexploit, or reruns an existing one.
# Build Secure Apps & APIs. Fast.
# [NeuraLegion](https://www.neuralegion.com) is a powerful dynamic application & API security testing (DAST) platform that security teams trust and developers love.
# Automatically Tests Every Aspect of Your Apps & APIs
# Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports
# Seamlessly integrates with the Tools and Workflows You Already Use
#
# NeuraLegion works with your existing CI/CD pipelines trigger scans on every commit, pull request or build with unit testing.
# Spin-Up, Configure and Control Scans with Code
# One file. One command. One scan. No UI needed.
#
# Super-Fast Scans
#
# Interacts with applications and APIs, instead of just crawling them and guessing.
# Scans are fast as our AI-powered engine can understand application architecture and generate sophisticated and targeted attacks.
#
# No False Positives
#
# Stop chasing ghosts and wasting time. NeuraLegion doesnt return false positives, so you can focus on releasing code.
#
# Comprehensive Security Testing
#
# NeuraLegion tests for all common vulnerabilities, such as SQL injection, CSRF, XSS, and XXE -- as well as uncommon vulnerabilities, such as business logic vulnerabilities.
#
# More information is available on NeuraLegions:
# * [Website](https://www.neuralegion.com/)
# * [Knowledge base](https://docs.neuralegion.com/docs/quickstart)
# * [YouTube channel](https://www.youtube.com/channel/UCoIC0T1pmozq3eKLsUR2uUw)
# * [GitHub Actions](https://github.com/marketplace?query=neuralegion+)
#
# Inputs
#
# `name`
#
# **Required**. Scan name.
#
# _Example:_ `name: GitHub scan ${{ github.sha }}`
#
# `api_token`
#
# **Required**. Your Nexploit API authorization token (key). You can generate it in the **Organization** section on [nexploit.app](https://nexploit.app/login). Find more information [here](https://kb.neuralegion.com/#/guide/np-web-ui/advanced-set-up/managing-org?id=managing-organization-apicli-authentication-tokens).
#
# _Example:_ `api_token: ${{ secrets.NEXPLOIT_TOKEN }}`
#
# `restart_scan`
#
# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).<br> Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.
#
# _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)`
#
# `discovery_types`
#
# **Required**. Array of discovery types. The following types are available:
# * `archive` - uses an uploaded HAR-file for a scan
# * `crawler` - uses a crawler to define the attack surface for a scan
# * `oas` - uses an uploaded OpenAPI schema for a scan <br>
# If no discovery type is specified, `crawler` is applied by default.
#
# _Example:_
#
# ```yml
# discovery_types: |
# [ "crawler", "archive" ]
# ```
#
# `file_id`
#
# **Required** if the discovery type is set to `archive` or `oas`. ID of a HAR-file or an OpenAPI schema you want to use for a scan. You can get the ID of an uploaded HAR-file or an OpenAPI schema in the **Storage** section on [nexploit.app](https://nexploit.app/login).
#
# _Example:_
#
# ```
# FILE_ID=$(nexploit-cli archive:upload \
# --token ${{ secrets.NEXPLOIT_TOKEN }} \
# --discard true \
# ./example.har)
# ```
#
# `crawler_urls`
#
# **Required** if the discovery type is set to `crawler`. Target URLs to be used by the crawler to define the attack surface.
#
# _Example:_
#
# ```
# crawler_urls: |
# [ "http://vulnerable-bank.com" ]
# ```
#
# `hosts_filter`
#
# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan.
#
# Outputs
#
# `url`
#
# Url of the resulting scan
#
# `id`
#
# ID of the created scan. This ID could then be used to restart the scan, or for the following GitHub actions:
# * [Nexploit Wait for Issues](https://github.com/marketplace/actions/nexploit-wait-for-issues)
# * [Nexploit Stop Scan](https://github.com/marketplace/actions/nexploit-stop-scan)
#
# Example usage
#
# Start a new scan with parameters
#
# ```yml
# steps:
# - name: Start Nexploit Scan
# id: start
# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
# with:
# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
# name: GitHub scan ${{ github.sha }}
# discovery_types: |
# [ "crawler", "archive" ]
# crawler_urls: |
# [ "http://vulnerable-bank.com" ]
# file_id: LiYknMYSdbSZbqgMaC9Sj
# hosts_filter: |
# [ ]
# - name: Get the output scan url
# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
# ```
#
# Restart an existing scan
#
# ```yml
# steps:
# - name: Start Nexploit Scan
# id: start
# uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
# with:
# api_token: ${{ secrets.NEXPLOIT_TOKEN }}
# name: GitHub scan ${{ github.sha }}
# restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ
# - name: Get the output scan url
# run: echo "The scan was started on ${{ steps.start.outputs.url }}"
name: "NeuraLegion"
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
neuralegion_scan:
runs-on: ubuntu-18.04
name: A job to run a Nexploit scan
steps:
- uses: actions/checkout@v2
- name: Start Nexploit Scan 🏁
id: start
uses: NeuraLegion/run-scan@29ebd17b4fd6292ce7a238a59401668953b37fbe
with:
api_token: ${{ secrets.NEURALEGION_TOKEN }}
name: GitHub scan ${{ github.sha }}
discovery_types: |
[ "crawler" ]
crawler_urls: |
[ "https://brokencrystals.com" ] # ✏️ Update this to the url you wish to scan
@@ -1,6 +1,6 @@
{
"name": "Dependency Review",
"description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable depdendencies to the repository",
"description": "Scans Pull Requests on each push for the introduction and/or resolution of vulnerable dependencies to the repository",
"iconName": "octicon mark-github",
"categories": [
"Dependency review",
@@ -0,0 +1,24 @@
{
"name": "NeuraLegion",
"creator": "NeuraLegion",
"description": "Scans any target, whether Web Apps, APIs (REST. & SOAP, GraphQL & more), Web sockets or mobile, providing actionable reports",
"iconName": "neuralegion",
"categories": [
"Code Scanning",
"C",
"C#",
"C++",
"Go",
"Java",
"JavaScript",
"Kotlin",
"Objective C",
"PHP",
"Python",
"Ruby",
"Rust",
"Scala",
"Swift",
"TypeScript"
]
}
@@ -0,0 +1,11 @@
{
"name": "Sobelow",
"creator": "nccgroup",
"description": "Sobelow is a security-focused static analysis tool for the Phoenix framework.",
"iconName": "sobelow",
"categories": [
"Code Scanning",
"Elixir"
]
}
+40
View File
@@ -0,0 +1,40 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# Sobelow is a security-focused static analysis tool for the Phoenix framework. https://sobelow.io/
#
# To use this workflow, you must have GitHub Advanced Security (GHAS) enabled for your repository.
#
# Instructions:
# 2. Follow the annotated workflow below and make any necessary modifications then save the workflow to your repository
# and review the "Security" tab once the action has run.
name: Sobelow
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
permissions:
contents: read
jobs:
security-scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- id: run-action
uses: sobelow/action@1afd6d2cae70ae8bd900b58506f54487ed863912
- name: Upload report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif