ci: add sast
xopham committed Feb 1, 2024
1 parent 2648474 commit b2901b8
Showing 8 changed files with 125 additions and 73 deletions.
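--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -12,6 +12,30 @@ updates:
 pip-packages:
 patterns:
 - "*"
+- package-ecosystem: "pip"
+directory: "/docs"
+schedule:
+interval: "weekly"
+commit-message:
+prefix: "update"
+insecure-external-code-execution: "deny"
+target-branch: "dev"
+groups:
+pip-packages:
+patterns:
+- "*"
+- package-ecosystem: "pip"
+directory: "/tests"
+schedule:
+interval: "monthly"
+commit-message:
+prefix: "update"
+insecure-external-code-execution: "deny"
+target-branch: "dev"
+groups:
+pip-packages:
+patterns:
+- "*"
 - package-ecosystem: "docker"
 directory: "/docker"
 schedule: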
132 changes: 71 additions & 61 deletions .github/workflows/.reusable-sast.yml
Expand Up @@ -16,6 +16,47 @@ on:
#permissions: {} #TODO: reactivate for non-private

jobs:
bandit:
runs-on: ubuntu-latest
if: |
(github.actor != 'dependabot[bot]') &&
inputs.skip != 'all'
permissions:
security-events: write
container:
image: python:slim
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install Packages
run: pip3 install -r tests/requirements.txt
- name: Run Bandit

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 8: pipCommand not pinned by hash
Click Remediation section below to solve this issue
if: inputs.output == 'table'
run: bandit -r -f screen semgr8s/
- name: Run Bandit
if: inputs.output == 'sarif'
run: bandit -r -f sarif -o bandit-results.sarif semgr8s/ --exit-zero
- name: Upload
if: inputs.output == 'sarif'
uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
with:
sarif_file: 'bandit-results.sarif'

black:
runs-on: ubuntu-latest
if: |
(github.actor != 'dependabot[bot]') &&
inputs.skip != 'non-required' &&
inputs.skip != 'all'
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install packages
run: pip3 install -r tests/requirements.txt
- name: Test formatting

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 8: pipCommand not pinned by hash
Click Remediation section below to solve this issue
run: |
python3 -m black . 2>&1 | grep -q "reformatted" && { echo 'Not properly formatted.'; exit 1; } || true
checkov:
runs-on: ubuntu-latest
if: |
Expand All @@ -32,7 +73,7 @@ jobs:
rm -rf test # remove 'test' folder from scan #TODO: fix once final
rm -rf tests # remove 'tests' folder from scan
mkdir deployment
helm template charts/connaisseur > deployment/deployment.yaml
helm template charts/semgr8s > deployment/deployment.yaml
shell: bash
- name: Scan
if: inputs.output == 'table'
Expand All @@ -58,66 +99,19 @@ jobs:
if: |
(github.actor != 'dependabot[bot]') &&
inputs.skip != 'non-required' &&
inputs.skip != 'all' &&
inputs.output == 'sarif'
# permissions: #TODO: reactivate for non-private
# pull-requests: read
# security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Initialize CodeQL
uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7
with:
languages: 'go'
- name: Analyze
uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7

golangci-lint:
runs-on: ubuntu-latest
if: |
(github.actor != 'dependabot[bot]') &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# security-events: write
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
cache: false
go-version: '1.21'
- name: Analyze
uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
with:
version: latest
args: '--timeout=10m --skip-dirs="test" --tests=false'

gosec:
runs-on: ubuntu-latest
if: |
(github.actor != 'dependabot[bot]') &&
inputs.skip != 'all'
# permissions: #TODO: reactivate for non-private
# security-events: write
permissions:
security-events: write
pull-requests: read
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Analyze
uses: securego/gosec@55d79496019a560e16e73e1948dee20a1fad631a # v2.18.2
if: inputs.output == 'table'
with:
args: '-fmt text -exclude-dir=test -exclude-dir=tools ./...'
- name: Analyze
uses: securego/gosec@55d79496019a560e16e73e1948dee20a1fad631a # v2.18.2
if: inputs.output == 'sarif'
with:
args: '-exclude-dir=test -exclude-dir=tools -no-fail -fmt sarif -out gosec-results.sarif ./...'
- name: Upload
uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7
if: inputs.output == 'sarif'
with:
sarif_file: 'gosec-results.sarif'
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Initialize CodeQL
uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
with:
languages: 'python'
- name: Analyze
uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8

hadolint:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -167,14 +161,14 @@ jobs:
if: inputs.output == 'table'
with:
config: .kube-linter/config.yaml
directory: charts/connaisseur
directory: charts/semgr8s
format: plain
- name: Scan
uses: stackrox/kube-linter-action@ca0d55b925470deb5b04b556e6c4276ea94d03c3 # v1.0.4
if: inputs.output == 'sarif'
with:
config: .kube-linter/config.yaml
directory: charts/connaisseur
directory: charts/semgr8s
format: sarif
output-file: kubelinter-results.sarif
- name: Upload
Expand All @@ -183,6 +177,22 @@ jobs:
with:
sarif_file: 'kubelinter-results.sarif'

pylint:
runs-on: ubuntu-latest
if: |
(github.actor != 'dependabot[bot]') &&
inputs.skip != 'all'
container:
image: python:3.11-slim
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install
run: |
pip3 install -r tests/requirements.txt

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 8: pipCommand not pinned by hash
Click Remediation section below to solve this issue
- name: Lint
run: pylint --ignore-patterns=tests,coverage semgr8s

semgrep:
runs-on: ubuntu-latest
if: |
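Review bot: The new bandit and pylint jobs run in container images referenced only by a mutable tag (`image: python:slim` in the first hunk, `image: python:3.11-slim` in the pylint hunk), while every `uses:` in these hunks is pinned to a commit SHA with a version comment; pin the images by digest in the same spirit, e.g. `image: python:3.11-slim@sha256:<digest> # 3.11-slim`, and use the same tag in both jobs so bandit and pylint analyse the code under one interpreter version. The black step's `python3 -m black . 2>&1 | grep -q "reformatted" && { echo 'Not properly formatted.'; exit 1; } || true` rewrites the checkout and hides any black error behind `|| true`, since output without "reformatted" counts as success; `run: python3 -m black --check .` gives the same pass/fail signal from black's own exit code. Both jobs sit inside the `jobs:` mapping, which continues outside the hunks.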
15 changes: 6 additions & 9 deletions .github/workflows/.reusable-unit-test.yml
Expand Up @@ -18,15 +18,12 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: '1.21'
- name: Test
if: inputs.skip == 'non-required'
run: go test ./cmd/... -coverprofile=coverage.out -covermode=atomic
- name: Install
run: |
pip3 install -r tests/requirements.txt && pip3 install .

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 8: pipCommand not pinned by hash
Click Remediation section below to solve this issue

Check warning

Code scanning / Scorecard

Pinned-Dependencies Medium

score is 8: pipCommand not pinned by hash
Click Remediation section below to solve this issue
- name: Test
if: inputs.skip != 'non-required'
run: go test ./... -race -coverprofile=coverage.out -covermode=atomic
run: pytest --cov=semgr8s --cov-report=xml tests/
- name: Upload
uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
with:
file: coverage.xml
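Review bot: With the `if: inputs.skip == 'non-required'` test step removed, a call with `inputs.skip == 'non-required'` now runs Install and the Upload step, which carries no `if:` in the visible lines, but never runs `pytest`, so codecov is invoked without a `coverage.xml`. Unless a job-level `if:` above the hunk already excludes that case, add `if: inputs.skip != 'non-required'` to the Upload step as well, or move the condition to the job level. The job header and any job-level condition lie outside the hunk.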
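--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -22,7 +22,7 @@ jobs:
 skip_build: 'none'
 skip_compliance_checks: 'none'
 skip_unit_tests: 'all'
-skip_sast: 'all'
+skip_sast: 'none'
 skip_sca: 'all'
 skip_docs: 'all'
 skip_integration_tests: 'all'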
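--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -22,7 +22,7 @@ jobs:
 skip_build: 'none'
 skip_compliance_checks: 'none'
 skip_unit_tests: 'all'
-skip_sast: 'all'
+skip_sast: 'non-required'
 skip_sca: 'all'
 skip_docs: 'all'
 skip_integration_tests: 'all'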
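--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -0,0 +1,2 @@
+mkdocs-material~=9.4.14
+mike~=2.0.0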
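--- a/semgr8s/app.py
+++ b/semgr8s/app.py
@@ -79,7 +79,11 @@ def validate():
 ["* " + f["check_id"] for f in results["results"]]
 )
 APP.logger.debug("+ %s findings: %s", num_findings, findings)
-return send_response(False, uid, f"Found {num_findings} violation(s) of the following policies: {findings}")
+return send_response(
+False,
+uid,
+f"Found {num_findings} violation(s) of the following policies: {findings}",
+)
 except Exception as err:
 return send_response(False, uid, f"Webhook exception: {err}")
 finally: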
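--- a/tests/requirements.txt
+++ b/tests/requirements.txt
@@ -0,0 +1,15 @@
+-r ../requirements.txt
+aioresponses~=0.7.6
+bandit~=1.7.7
+bandit-sarif-formatter~=1.1.1
+black~=24.1.1
+freezegun~=1.2.2
+parsedatetime~=2.6
+pylint~=3.0.2
+pytest-asyncio~=0.21.1
+pytest-cov~=4.1.0
+pytest-mock~=3.12.0
+pytest-subprocess~=1.5.0
+requests-mock~=1.11.0
+setuptools~=69.0.2
+wheel~=0.42.0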
