From b4d9a306b3872b9a6814996100e866e9f5a64724 Mon Sep 17 00:00:00 2001 From: Shlomi Shaki <89211854+Sentry01@users.noreply.github.com> Date: Sat, 10 Sep 2022 16:01:57 +1000 Subject: [PATCH 01/11] Create tfsec.yml --- .github/workflows/tfsec.yml | 38 +++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/tfsec.yml diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml new file mode 100644 index 00000000..654ee9bc --- /dev/null +++ b/.github/workflows/tfsec.yml @@ -0,0 +1,38 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: tfsec + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '41 2 * * 0' + +jobs: + tfsec: + name: Run tfsec sarif report + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Clone repo + uses: actions/checkout@v3 + + - name: Run tfsec + uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + with: + sarif_file: tfsec.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: tfsec.sarif From 02e3995655e8f8586fcd51e43da8152c282ba7f2 Mon Sep 17 00:00:00 2001 From: Shlomi Shaki <89211854+Sentry01@users.noreply.github.com> Date: Sat, 10 Sep 2022 16:05:58 +1000 Subject: [PATCH 02/11] Create SECURITY.md --- SECURITY.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..034e8480 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,21 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 5.1.x | :white_check_mark: | +| 5.0.x | :x: | +| 4.0.x | :white_check_mark: | +| < 4.0 | :x: | + +## Reporting a Vulnerability + +Use this section to tell people how to report a vulnerability. + +Tell them where to go, how often they can expect to get an update on a +reported vulnerability, what to expect if the vulnerability is accepted or +declined, etc. From 72736927feba7c660417debc9344cd66b148d08b Mon Sep 17 00:00:00 2001 From: Shlomi Shaki <89211854+Sentry01@users.noreply.github.com> Date: Sat, 10 Sep 2022 16:06:53 +1000 Subject: [PATCH 03/11] Create codeql.yml --- .github/workflows/codeql.yml | 72 ++++++++++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..1adc0512 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,72 @@ +# For most projects, this workflow file will not need changing; you simply need +# to commit it to your repository. +# +# You may wish to alter this file to override the set of languages analyzed, +# or to provide custom queries or build logic. +# +# ******** NOTE ******** +# We have attempted to detect the languages in your repository. Please check +# the `language` matrix defined below to confirm you have the correct set of +# supported CodeQL languages. +# +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + # The branches below must be a subset of the branches above + branches: [ "main" ] + schedule: + - cron: '19 8 * * 5' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ 'javascript' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + + # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + + # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). + # If this step fails, then you should remove it and run the build manually (see below) + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + # ℹī¸ Command-line programs to run using the OS shell. + # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun + + # If the Autobuild fails above, remove it and uncomment the following three lines. + # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. + + # - run: | + # echo "Run, Build Application using script" + # ./location_of_script_within_repo/buildscript.sh + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 From b11555db4cfb475e737b89ba83090b0bc1eb37b8 Mon Sep 17 00:00:00 2001 From: Shlomi Shaki <89211854+Sentry01@users.noreply.github.com> Date: Wed, 31 May 2023 17:49:46 +1000 Subject: [PATCH 04/11] Update index.js --- test/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/index.js b/test/index.js index 3129eb72..0246c181 100644 --- a/test/index.js +++ b/test/index.js @@ -4,7 +4,7 @@ var tar = require('../index') var path = require('path') var fs = require('fs') var os = require('os') - +AIzaSyAQfxPJiounkhOjODEO5ZieffeBv6yft2Q var win32 = os.platform() === 'win32' var mtime = function (st) { From e9fd18556665513b448480f8b2e2eb5ae2eb2149 Mon Sep 17 00:00:00 2001 From: Shlomi Shaki <89211854+Sentry01@users.noreply.github.com> Date: Wed, 31 May 2023 17:50:56 +1000 Subject: [PATCH 05/11] Update index.js --- test/index.js | 1 - 1 file changed, 1 deletion(-) diff --git a/test/index.js b/test/index.js index 0246c181..495d632f 100644 --- a/test/index.js +++ b/test/index.js @@ -4,7 +4,6 @@ var tar = require('../index') var path = require('path') var fs = require('fs') var os = require('os') -AIzaSyAQfxPJiounkhOjODEO5ZieffeBv6yft2Q var win32 = os.platform() === 'win32' var mtime = function (st) { From 64d6cb63bd5d38d45db63a698de92f677357cd5e Mon Sep 17 00:00:00 2001 From: Shlomi Shaki <89211854+Sentry01@users.noreply.github.com> Date: Wed, 31 May 2023 17:56:27 +1000 Subject: [PATCH 06/11] Update index.js (#1) --- test/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/index.js b/test/index.js index 495d632f..7e88811a 100644 --- a/test/index.js +++ b/test/index.js @@ -5,7 +5,7 @@ var path = require('path') var fs = require('fs') var os = require('os') var win32 = os.platform() === 'win32' - +AIzaSyAQfxPJiounkhOjODEO5ZieffeBv6yft2Q var mtime = function (st) { return Math.floor(st.mtime.getTime() / 1000) } From 68c43af3ae2ee43562d61981102d61744fa81821 Mon Sep 17 00:00:00 2001 From: Shlomi Shaki <89211854+Sentry01@users.noreply.github.com> Date: Wed, 31 May 2023 18:00:22 +1000 Subject: [PATCH 07/11] Create secrets.txt dd --- secrets.txt | 1 + 1 file changed, 1 insertion(+) create mode 100644 secrets.txt diff --git a/secrets.txt b/secrets.txt new file mode 100644 index 00000000..c8994354 --- /dev/null +++ b/secrets.txt @@ -0,0 +1 @@ +key-a67a11111b11a11a1a1ba1bbcf11f1c5 From 25ce53c835de72af90097d56d6673ef1f307e4d3 Mon Sep 17 00:00:00 2001 From: Shlomi Shaki <89211854+Sentry01@users.noreply.github.com> Date: Fri, 2 Jun 2023 12:33:05 +1000 Subject: [PATCH 08/11] Create dependency-review.yml --- .github/workflows/dependency-review.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/dependency-review.yml diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..fe461b42 --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,20 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, surfacing known-vulnerable versions of the packages declared or updated in the PR. Once installed, if the workflow run is marked as required, PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +# Public documentation: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@v3 + - name: 'Dependency Review' + uses: actions/dependency-review-action@v2 From fbaa723af0d4f1685d66e6067708a802dcd1c3b5 Mon Sep 17 00:00:00 2001 From: Shlomi Shaki <89211854+Sentry01@users.noreply.github.com> Date: Fri, 2 Jun 2023 12:36:06 +1000 Subject: [PATCH 09/11] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e88fcc50..62c494ae 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Code Scanning JavaScript Tutorial - +# key-a67a11111b11a11a1a1ba1bbcf11f1c5 Welcome to the Code Scanning JavaScript Tutorial! This tutorial will take you through how to set up GitHub Advanced Security: Code Scanning as well as interpret results that it may find. The following repository contains vulnerability [CVE-2018-20835](https://github.com/advisories/GHSA-x2mc-8fgj-3wmr) (aka Zip Slip). ## Introduction From c29cda9eb4d8375bc3bacb67f386105cbc030056 Mon Sep 17 00:00:00 2001 From: Shlomi Shaki <89211854+Sentry01@users.noreply.github.com> Date: Fri, 2 Jun 2023 12:36:30 +1000 Subject: [PATCH 10/11] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 62c494ae..5c258f69 100644 --- a/README.md +++ b/README.md @@ -1,5 +1,5 @@ # Code Scanning JavaScript Tutorial -# key-a67a11111b11a11a1a1ba1bbcf11f1c5 +key-a67a11111b11a11a1a1ba1bbcf11f1c5 Welcome to the Code Scanning JavaScript Tutorial! This tutorial will take you through how to set up GitHub Advanced Security: Code Scanning as well as interpret results that it may find. The following repository contains vulnerability [CVE-2018-20835](https://github.com/advisories/GHSA-x2mc-8fgj-3wmr) (aka Zip Slip). ## Introduction From d84d41e8e33abd7c13963e12eec027617762b55a Mon Sep 17 00:00:00 2001 From: Shlomi Shaki <89211854+Sentry01@users.noreply.github.com> Date: Fri, 20 Oct 2023 00:56:27 +0000 Subject: [PATCH 11/11] Create snyk-security.yml --- .github/workflows/snyk-security.yml | 79 +++++++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 .github/workflows/snyk-security.yml diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml new file mode 100644 index 00000000..e1fbaa66 --- /dev/null +++ b/.github/workflows/snyk-security.yml @@ -0,0 +1,79 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code, +# Snyk Container and Snyk Infrastructure as Code) +# The setup installs the Snyk CLI - for more details on the possible commands +# check https://docs.snyk.io/snyk-cli/cli-reference +# The results of Snyk Code are then uploaded to GitHub Security Code Scanning +# +# In order to use the Snyk Action you will need to have a Snyk API token. +# More details in https://github.com/snyk/actions#getting-your-snyk-token +# or you can signup for free at https://snyk.io/login +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Security + +on: + push: + branches: ["main" ] + pull_request: + branches: ["main"] + +permissions: + contents: read + +jobs: + snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. + # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + + # For Snyk Open Source you must first set up the development environment for your application's dependencies + # For example for Node + #- uses: actions/setup-node@v3 + # with: + # node-version: 16 + + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Runs Snyk Code (SAST) analysis and uploads result into GitHub. + # Use || true to not fail the pipeline + - name: Snyk Code test + run: snyk code test --sarif > snyk-code.sarif # || true + + # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. + - name: Snyk Open Source monitor + run: snyk monitor --all-projects + + # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk. + # Use || true to not fail the pipeline. + - name: Snyk IaC test and report + run: snyk iac test --report # || true + + # Build the docker image for testing + - name: Build a Docker image + run: docker build -t your/image-to-test . + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. + - name: Snyk Container monitor + run: snyk container monitor your/image-to-test --file=Dockerfile + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif