From 1db411fdfaaa8c0861497f0effcceb3826349042 Mon Sep 17 00:00:00 2001 From: DishaBahre <40956199+DishaBahre@users.noreply.github.com> Date: Wed, 3 Jan 2024 17:03:27 +0100 Subject: [PATCH 01/11] Update sast.yml --- .github/workflows/sast.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index 5e57d21..e9fd8a9 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -22,15 +22,15 @@ jobs: ## Start: Version 1 - #- name: Install dependencies - # shell: bash - # run: | - # pip install bandit - - #- name: Bandit - # shell: bash - # run: | - # bandit -r . + - name: Install dependencies + shell: bash + run: | + pip install bandit + + - name: Bandit + shell: bash + run: | + bandit -r . ## End: Version 1 @@ -58,4 +58,4 @@ jobs: # uses: github/codeql-action/upload-sarif@v2 # with: # sarif_file: results.sarif - ## End: Version 2 \ No newline at end of file + ## End: Version 2 From 8cb89c06a45b9a3378b94f7a50282224671ef4b3 Mon Sep 17 00:00:00 2001 From: DishaBahre <40956199+DishaBahre@users.noreply.github.com> Date: Wed, 3 Jan 2024 17:03:44 +0100 Subject: [PATCH 02/11] Update secrets.yml --- .github/workflows/secrets.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml index efa3eb9..897cce8 100644 --- a/.github/workflows/secrets.yml +++ b/.github/workflows/secrets.yml @@ -22,8 +22,8 @@ jobs: ## Start: Version 1 - #- name: GitLeaks - # uses: gitleaks/gitleaks-action@v2 + - name: GitLeaks + uses: gitleaks/gitleaks-action@v2 ## End: Version 1 From 033be59a07be44d6ad69abd70d2c924fec78fe7f Mon Sep 17 00:00:00 2001 From: DishaBahre <40956199+DishaBahre@users.noreply.github.com> Date: Wed, 3 Jan 2024 17:04:04 +0100 Subject: [PATCH 03/11] Update trivy_scanning.yml --- .github/workflows/trivy_scanning.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
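Review bot: `pip install bandit` in the re-enabled "Install dependencies" step installs whatever version is latest on PyPI at run time, so the ruleset that gates main can change between two runs with no change to the repository. Pin it, e.g. `pip install bandit==<pinned version>` (ideally from a requirements file with `--require-hashes`), so a run is reproducible and a regressed or compromised release cannot silently alter what the scanner reports. Note also that `bandit -r .` exits non-zero on any reported finding, so once this step is live every push fails on the first issue; that is presumably the point of Version 1, but a comment such as `# Version 1: fail the build on any Bandit finding` would make the intent explicit. The checkout and Python setup this step depends on are outside the hunk.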
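Review bot: The GitLeaks step is enabled as `uses: gitleaks/gitleaks-action@v2` with no `env` block, yet gitleaks-action v2 documents `GITHUB_TOKEN` as required (it uses the token to resolve the commits of the push or PR being scanned), so the step is likely to fail at start-up rather than scan. Add `env:` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` under the step. `@v2` is a moving tag; pinning to the full commit SHA of the release you vetted is the usual supply-chain practice for a step that reads the whole repository. Whether the preceding checkout fetches full history (`fetch-depth: 0`), which the scanner needs to cover more than the latest commit, is outside this hunk.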
diff --git a/.github/workflows/trivy_scanning.yml b/.github/workflows/trivy_scanning.yml index ff5250e..fb5a4e5 100644 --- a/.github/workflows/trivy_scanning.yml +++ b/.github/workflows/trivy_scanning.yml @@ -29,15 +29,15 @@ jobs: ## Start: Version 1 - #- name: Trivy - # uses: aquasecurity/trivy-action@master - # with: - # image-ref: ${{ steps.meta.outputs.tags }} - # format: 'table' - # exit-code: '1' - # env: - # TRIVY_USERNAME: ${{ github.actor }} - # TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + - name: Trivy + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ steps.meta.outputs.tags }} + format: 'table' + exit-code: '1' + env: + TRIVY_USERNAME: ${{ github.actor }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} ## End: Version 1 @@ -65,4 +65,4 @@ jobs: # uses: github/codeql-action/upload-sarif@v2 # with: # sarif_file: 'trivy-results.sarif' - ## End: Version 2 \ No newline at end of file + ## End: Version 2 From 0880c26370babbdb1e2c0f9f5033c608098f6737 Mon Sep 17 00:00:00 2001 From: DishaBahre <40956199+DishaBahre@users.noreply.github.com> Date: Wed, 3 Jan 2024 17:07:57 +0100 Subject: [PATCH 04/11] Update trivy_scanning.yml --- .github/workflows/trivy_scanning.yml | 58 ++++++++++++++-------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/.github/workflows/trivy_scanning.yml b/.github/workflows/trivy_scanning.yml index fb5a4e5..8c48579 100644 --- a/.github/workflows/trivy_scanning.yml +++ b/.github/workflows/trivy_scanning.yml 
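Review bot: `uses: aquasecurity/trivy-action@master` in the enabled Trivy step tracks a branch head rather than a release, so the code that receives `secrets.GITHUB_TOKEN` through `TRIVY_PASSWORD` can change under you on any push to that branch; pin to a release tag or, better, the full commit SHA (`aquasecurity/trivy-action@<release tag or SHA>`). The same applies to `actions/upload-artifact@main` introduced by the later trivy_scanning.yml, secrets.yml and sast.yml patches in this series. `image-ref` takes a single reference, but a metadata step usually emits a newline-separated list when more than one tag is configured; if the `meta` step (outside this hunk) can produce several tags, pass one explicit ref instead of `${{ steps.meta.outputs.tags }}`. `exit-code: '1'` with `format: 'table'` fails the job on any finding, which is presumably the point of Version 1 but deserves a comment because Version 2 in the same file drops it.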
@@ -29,40 +29,40 @@ jobs: ## Start: Version 1 - - name: Trivy - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ steps.meta.outputs.tags }} - format: 'table' - exit-code: '1' - env: - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - ## End: Version 1 - - - - - - ## Start: Version 2 #- name: Trivy # uses: aquasecurity/trivy-action@master # with: # image-ref: ${{ steps.meta.outputs.tags }} - # format: 'sarif' - # output: 'trivy-results.sarif' + # format: 'table' + # exit-code: '1' # env: # TRIVY_USERNAME: ${{ github.actor }} # TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - # - #- name: Upload artifact - # uses: actions/upload-artifact@main - # with: - # name: 'trivy-results.sarif' - # path: 'trivy-results.sarif' - # - #- name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: 'trivy-results.sarif' + ## End: Version 1 + + + + + + ## Start: Version 2 + - name: Trivy + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ steps.meta.outputs.tags }} + format: 'sarif' + output: 'trivy-results.sarif' + env: + TRIVY_USERNAME: ${{ github.actor }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload artifact + uses: actions/upload-artifact@main + with: + name: 'trivy-results.sarif' + path: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' ## End: Version 2 From fa5ba5d03119533fdeade13e74c40868e92808d1 Mon Sep 17 00:00:00 2001 From: DishaBahre <40956199+DishaBahre@users.noreply.github.com> Date: Wed, 3 Jan 2024 17:08:30 +0100 Subject: [PATCH 05/11] Update secrets.yml --- .github/workflows/secrets.yml | 38 +++++++++++++++++------------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml index 897cce8..0900b7d 100644 
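Review bot: The Version 2 Trivy step drops `exit-code: '1'`, and the action's documented default is `0`, so after this commit a vulnerable image no longer fails the job; findings only surface in the Security tab through the upload-sarif step. If that is intended, say so with `# Version 2: report to the Security tab only, never fail the build`; otherwise keep `exit-code: '1'` and put `if: always()` on the two upload steps so the report is still published when the scan fails. `github/codeql-action/upload-sarif@v2` needs `security-events: write` in the job or workflow `permissions:` block, which is outside this hunk — without it the upload fails with a 403 — and `actions/upload-artifact@main` tracks a branch head rather than a pinned release. The artifact makes the full vulnerability report for the image downloadable by anyone who can read workflow runs, which on a public repository is everyone; consider whether the Security tab alone is enough.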
--- a/.github/workflows/secrets.yml +++ b/.github/workflows/secrets.yml @@ -22,29 +22,29 @@ jobs: ## Start: Version 1 - - name: GitLeaks - uses: gitleaks/gitleaks-action@v2 + #- name: GitLeaks + # uses: gitleaks/gitleaks-action@v2 ## End: Version 1 ## Start: Version 2 - #- name: GitLeaks - # continue-on-error: true - # uses: gitleaks/gitleaks-action@v2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false - - #- name: Upload artifact - # uses: actions/upload-artifact@main - # with: - # name: results.sarif - # path: results.sarif - - #- name: Upload SARIF file - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: results.sarif + - name: GitLeaks + continue-on-error: true + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false + + - name: Upload artifact + uses: actions/upload-artifact@main + with: + name: results.sarif + path: results.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif ## End: Version 2 From 7b91db4cfe3ac01a6ca14f8fe0fc88fcf8b2049f Mon Sep 17 00:00:00 2001 From: DishaBahre <40956199+DishaBahre@users.noreply.github.com> Date: Wed, 3 Jan 2024 17:09:44 +0100 Subject: [PATCH 06/11] Update sast.yml --- .github/workflows/sast.yml | 52 +++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index e9fd8a9..b33af99 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -22,15 +22,15 @@ jobs: ## Start: Version 1 - - name: Install dependencies - shell: bash - run: | - pip install bandit + #- name: Install dependencies + # shell: bash + # run: | + # pip install bandit - - name: Bandit - shell: bash - run: | - bandit -r . + #- name: Bandit + # shell: bash + # run: | + # bandit -r . ## End: Version 1 
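Review bot: `continue-on-error: true` on the GitLeaks step means a detected secret never turns the job red — the step's failure is swallowed so the upload steps can run, and the only remaining signal is the Security tab. The pattern that keeps the signal is to let the step fail and run the uploads with `if: always()` (or give the scan step an `id:` and gate the uploads on `steps.<id>.outcome`); if a failing job on a leak is deliberately unwanted, record that choice in a comment. The artifact step publishes `results.sarif` to anyone who can read workflow runs; gitleaks-action v2 appears to run the scanner with redaction, but confirm on a run with findings that the report carries no matched secret values before making it downloadable, and that the file is still written to the workspace when `GITLEAKS_ENABLE_UPLOAD_ARTIFACT` is `false`. `upload-sarif` also needs `security-events: write` in the workflow's `permissions:`, which is outside this hunk.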
@@ -38,24 +38,24 @@ jobs: ## Start: Version 2 - #- name: Install dependencies - # shell: bash - # run: | - # pip install bandit-sarif-formatter bandit + - name: Install dependencies + shell: bash + run: | + pip install bandit-sarif-formatter bandit - #- name: Bandit - # shell: bash - # run: | - # bandit -f sarif -o results.sarif -r --exit-zero . + - name: Bandit + shell: bash + run: | + bandit -f sarif -o results.sarif -r --exit-zero . - #- name: Upload artifact - # uses: actions/upload-artifact@main - # with: - # name: results.sarif - # path: results.sarif - - #- name: Upload SARIF file - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: results.sarif + - name: Upload artifact + uses: actions/upload-artifact@main + with: + name: results.sarif + path: results.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif ## End: Version 2 From fa49210debeeffbf92357ad19d075774fe081234 Mon Sep 17 00:00:00 2001 From: DishaBahre <40956199+DishaBahre@users.noreply.github.com> Date: Wed, 3 Jan 2024 18:46:36 +0100 Subject: [PATCH 07/11] Update main.py --- main.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.py b/main.py index bc9397e..510b530 100644 --- a/main.py +++ b/main.py @@ -9,7 +9,8 @@ def never_called(bla): - aws_access_token = "AKIALALEMEL33243OLIB" + #aws_access_token = "AKIALALEMEL33243OLIB" + aws_access_token = os.subprocess.Popen('echo ${}'.format(aws_access_token), shell=True) From e33e010f698566f88f2488af85945c9bf3fe0adf Mon Sep 17 00:00:00 2001 From: DishaBahre <40956199+DishaBahre@users.noreply.github.com> Date: Wed, 3 Jan 2024 18:50:08 +0100 Subject: [PATCH 08/11] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 152e651..7bdb375 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.10 +FROM python:3.10-slim ARG REPO RUN pip3 install --upgrade pip 
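Review bot: `bandit -f sarif -o results.sarif -r --exit-zero .` makes the SAST gate advisory only — `--exit-zero` returns success regardless of findings, so the job passes and a PR is never blocked; either add a comment stating that this is deliberate, or drop `--exit-zero` and mark the upload steps `if: always()` so the report is still published when Bandit fails. `pip install bandit-sarif-formatter bandit` installs unpinned latest versions of both packages; pin them (`bandit==<pinned version> bandit-sarif-formatter==<pinned version>`) so a scan is reproducible and a bad release on PyPI cannot silently change what runs in CI. `actions/upload-artifact@main` tracks a branch head rather than a release, as noted on the trivy_scanning.yml patch. The `upload-sarif` step requires `security-events: write` in `permissions:`, which is outside this hunk.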
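Review bot: The new line `aws_access_token = os.subprocess.Popen('echo ${}'.format(aws_access_token), shell=True)` cannot execute: `os` has no `subprocess` attribute, and `aws_access_token` is read by `.format()` before the assignment binds it, so the function would raise before reaching `Popen` if it were ever called. If the purpose is to give Bandit a `shell=True` finding to report (the function name `never_called` suggests a fixture), `subprocess.Popen(...)` with `import subprocess` at the top of the file (outside this hunk) and a comment such as `# intentional SAST fixture: shell=True with interpolated input` would make that explicit. Commenting out the `AKIA…` literal does not hide it from secret scanning: gitleaks matches the pattern inside comments and scans commit history, where the original uncommented line remains; if the literal is itself a deliberate fixture for the secrets workflow, say so in a comment, and if it is not, removing it means rewriting history rather than commenting the line.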
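Review bot: Switching to `python:3.10-slim` drops the build toolchain (compiler and headers) that the full Debian-based image carries, so the `pip3 install` lines that follow (the rest of the Dockerfile is outside this hunk) will fail for any dependency without a prebuilt wheel; either keep slim and install the needed `apt-get` packages in a build stage, or document why the larger image is required. Both `python:3.10` and `python:3.10-slim` are mutable tags; for a reproducible and auditable base, pin the digest as `FROM python:3.10-slim@sha256:<digest from the registry>`.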
From abf486db2ba4669e00b69ad6b3cd06c599169429 Mon Sep 17 00:00:00 2001 From: DishaBahre <40956199+DishaBahre@users.noreply.github.com> Date: Wed, 3 Jan 2024 18:56:32 +0100 Subject: [PATCH 09/11] Update sast.yml --- .github/workflows/sast.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index b33af99..dc9c2dc 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -6,8 +6,8 @@ on: branches: ['main'] workflow_dispatch: ## Start: Version 3 - #pull_request: - # types: [opened, reopened, synchronize] + pull_request: + types: [opened, reopened, synchronize] ## End: Version 3 jobs: From 094f3e825499a714266096a439a6d2412c1e6897 Mon Sep 17 00:00:00 2001 From: DishaBahre <40956199+DishaBahre@users.noreply.github.com> Date: Wed, 3 Jan 2024 18:56:44 +0100 Subject: [PATCH 10/11] Update secrets.yml --- .github/workflows/secrets.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml index 0900b7d..f55ead9 100644 --- a/.github/workflows/secrets.yml +++ b/.github/workflows/secrets.yml @@ -5,8 +5,8 @@ on: branches: ['main'] workflow_dispatch: ## Start: Version 3 - #pull_request: - # types: [opened, reopened, synchronize] + pull_request: + types: [opened, reopened, synchronize] ## End: Version 3 jobs: From adc5c9a9c2279ea1491069f527050ee25abd443a Mon Sep 17 00:00:00 2001 From: DishaBahre <40956199+DishaBahre@users.noreply.github.com> Date: Fri, 5 Jan 2024 21:17:36 +0100 Subject: [PATCH 11/11] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 7bdb375..152e651 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.10-slim +FROM python:3.10 ARG REPO RUN pip3 install --upgrade pip
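Review bot: Enabling `pull_request:` here (and identically in the secrets.yml patch that follows) makes the workflow run for pull requests from forks, where `GITHUB_TOKEN` is read-only and repository secrets are unavailable; the `upload-sarif` step elsewhere in this workflow will then fail for fork PRs, and the GitLeaks `env` in secrets.yml inherits the same limitation. Decide whether fork PRs should scan at all — e.g. `if: github.event.pull_request.head.repo.full_name == github.repository` on the upload steps, or keep the upload on push only — and record the choice in a comment next to `## Start: Version 3`. The `pull_request` trigger has no `branches:` filter, while the `branches: ['main']` line just above appears to belong to the `push` trigger, so PRs against any base branch are scanned; add `branches: ['main']` under `pull_request` if that is not intended. The `on:` block is partly outside this hunk.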
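Review bot: This reverts the base image to `python:3.10` two days after the switch to `-slim`, and neither the commit subject (`Update Dockerfile`) nor the file records why; a one-line comment above `FROM` — e.g. `# full image kept on purpose: slim lacks the build toolchain the pip installs below need`, if that was the cause — stops the next reader from retrying the same change. Either way the tag is mutable; pin by digest (`FROM python:3.10@sha256:<digest from the registry>`) so rebuilds are reproducible and the image Trivy scans is the one that ships.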