From dbc31353a118c984902c52bf2658f82fea92ca4e Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Sun, 7 Jan 2024 23:58:44 +0100 Subject: [PATCH 01/16] Install and run Bandit --- .github/workflows/sast.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index 5e57d21..e9fd8a9 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -22,15 +22,15 @@ jobs: ## Start: Version 1 - #- name: Install dependencies - # shell: bash - # run: | - # pip install bandit - - #- name: Bandit - # shell: bash - # run: | - # bandit -r . + - name: Install dependencies + shell: bash + run: | + pip install bandit + + - name: Bandit + shell: bash + run: | + bandit -r . ## End: Version 1 @@ -58,4 +58,4 @@ jobs: # uses: github/codeql-action/upload-sarif@v2 # with: # sarif_file: results.sarif - ## End: Version 2 \ No newline at end of file + ## End: Version 2 From a0af6235b1d832952fb66513a0b10b0ccf82d888 Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Sun, 7 Jan 2024 23:59:40 +0100 Subject: [PATCH 02/16] GitLeaks version 1 --- .github/workflows/secrets.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml index efa3eb9..897cce8 100644 --- a/.github/workflows/secrets.yml +++ b/.github/workflows/secrets.yml @@ -22,8 +22,8 @@ jobs: ## Start: Version 1 - #- name: GitLeaks - # uses: gitleaks/gitleaks-action@v2 + - name: GitLeaks + uses: gitleaks/gitleaks-action@v2 ## End: Version 1 From 4cd3f5e6afb2e77edee0fb9348d880bb386a0799 Mon Sep 17 00:00:00 2001 
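Review bot: `pip install bandit` in the new Install dependencies step is unpinned, so the scanner version — and with it the set of findings that fails this job — changes whenever a new Bandit release appears, and a bad or compromised release would be pulled straight into CI. Pin it and bump deliberately, e.g. `pip install "bandit==<pinned-version>"`. The same applies to `pip install bandit-sarif-formatter bandit` in the later Bandit version 2 commit.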
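Review bot: `uses: gitleaks/gitleaks-action@v2` references a mutable tag, so the code that runs in this job can change without any change to this repository, and a retagged release would execute with the job's token. Pin third-party actions to a full-length commit SHA and keep the version as a comment, e.g. `uses: gitleaks/gitleaks-action@<full-commit-sha> # v2.x.y`. The same applies to `aquasecurity/trivy-action@master` (Trivy version 1 and 2 commits), `actions/upload-artifact@main` (Bandit, GitLeaks and Trivy version 2 commits) and `github/codeql-action/upload-sarif@v2`; the branch references `@master` and `@main` are the most exposed because they move on every upstream push.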
From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 00:00:24 +0100 Subject: [PATCH 03/16] Trivy version 1 --- .github/workflows/trivy_scanning.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/trivy_scanning.yml b/.github/workflows/trivy_scanning.yml index ff5250e..fb5a4e5 100644 --- a/.github/workflows/trivy_scanning.yml +++ b/.github/workflows/trivy_scanning.yml @@ -29,15 +29,15 @@ jobs: ## Start: Version 1 - #- name: Trivy - # uses: aquasecurity/trivy-action@master - # with: - # image-ref: ${{ steps.meta.outputs.tags }} - # format: 'table' - # exit-code: '1' - # env: - # TRIVY_USERNAME: ${{ github.actor }} - # TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + - name: Trivy + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ steps.meta.outputs.tags }} + format: 'table' + exit-code: '1' + env: + TRIVY_USERNAME: ${{ github.actor }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} ## End: Version 1 @@ -65,4 +65,4 @@ jobs: # uses: github/codeql-action/upload-sarif@v2 # with: # sarif_file: 'trivy-results.sarif' - ## End: Version 2 \ No newline at end of file + ## End: Version 2 From a134b68440561e60eb4c9351400288192b438887 Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 00:14:25 +0100 Subject: [PATCH 04/16] Bandit version 2 --- .github/workflows/sast.yml | 52 +++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 26 deletions(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index e9fd8a9..b33af99 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml 
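Review bot: `exit-code: '1'` with no `severity:` input in the new Trivy step fails the build on every finding, including low-severity and unfixable ones, which in practice leads to the gate being switched off rather than acted on; add `severity: 'CRITICAL,HIGH'` and `ignore-unfixed: true` so the gate matches what the team will actually fix. `image-ref: ${{ steps.meta.outputs.tags }}` is also worth checking against the `meta` step, which is outside the hunk: if that step is docker/metadata-action, `tags` may be a multi-line list while `image-ref` expects a single reference, so the image actually scanned may not be the one you expect.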
@@ -22,15 +22,15 @@ jobs: ## Start: Version 1 - - name: Install dependencies - shell: bash - run: | - pip install bandit + #- name: Install dependencies + # shell: bash + # run: | + # pip install bandit - - name: Bandit - shell: bash - run: | - bandit -r . + #- name: Bandit + # shell: bash + # run: | + # bandit -r . ## End: Version 1 @@ -38,24 +38,24 @@ jobs: ## Start: Version 2 - #- name: Install dependencies - # shell: bash - # run: | - # pip install bandit-sarif-formatter bandit + - name: Install dependencies + shell: bash + run: | + pip install bandit-sarif-formatter bandit - #- name: Bandit - # shell: bash - # run: | - # bandit -f sarif -o results.sarif -r --exit-zero . + - name: Bandit + shell: bash + run: | + bandit -f sarif -o results.sarif -r --exit-zero . - #- name: Upload artifact - # uses: actions/upload-artifact@main - # with: - # name: results.sarif - # path: results.sarif - - #- name: Upload SARIF file - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: results.sarif + - name: Upload artifact + uses: actions/upload-artifact@main + with: + name: results.sarif + path: results.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif ## End: Version 2 From d955e3748f90743b1f961aeb3e0c0bc38d0d26c7 Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 00:15:13 +0100 Subject: [PATCH 05/16] GitLeaks version 2 --- .github/workflows/secrets.yml | 38 +++++++++++++++++------------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml index 897cce8..0900b7d 100644 --- a/.github/workflows/secrets.yml +++ b/.github/workflows/secrets.yml 
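Review bot: The new Upload SARIF file step needs the job to hold `security-events: write`, and the workflow's `permissions:` block (if there is one) is outside the hunk; without it the upload is rejected and the Bandit results never reach code scanning. Add at job level `permissions:` with `contents: read` and `security-events: write`. Note also that `--exit-zero` means Bandit findings no longer fail the job, which is the intended model when results go to code scanning but does mean the Version 1 gate is gone, and that `pip install bandit-sarif-formatter bandit` is unpinned. The same permission is needed for the upload-sarif steps added in the GitLeaks version 2 and Trivy version 2 commits.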
@@ -22,29 +22,29 @@ jobs: ## Start: Version 1 - - name: GitLeaks - uses: gitleaks/gitleaks-action@v2 + #- name: GitLeaks + # uses: gitleaks/gitleaks-action@v2 ## End: Version 1 ## Start: Version 2 - #- name: GitLeaks - # continue-on-error: true - # uses: gitleaks/gitleaks-action@v2 - # env: - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false - - #- name: Upload artifact - # uses: actions/upload-artifact@main - # with: - # name: results.sarif - # path: results.sarif - - #- name: Upload SARIF file - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: results.sarif + - name: GitLeaks + continue-on-error: true + uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false + + - name: Upload artifact + uses: actions/upload-artifact@main + with: + name: results.sarif + path: results.sarif + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results.sarif ## End: Version 2 From 56e9f8d8c2ccf2039dc573ac9af6639b21cd571f Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 00:16:34 +0100 Subject: [PATCH 06/16] Trivy version 2 --- .github/workflows/trivy_scanning.yml | 58 ++++++++++++++-------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/.github/workflows/trivy_scanning.yml b/.github/workflows/trivy_scanning.yml index fb5a4e5..8c48579 100644 --- a/.github/workflows/trivy_scanning.yml +++ b/.github/workflows/trivy_scanning.yml 
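Review bot: `continue-on-error: true` on the new GitLeaks step marks the job green even when a secret is detected, and because `GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false` hands the upload to the two following steps, any non-finding failure of the scanner (bad token, missing licence) is masked as well and surfaces later only as a missing `results.sarif` in the upload steps. Prefer to let the scan step fail and make the uploads unconditional instead: drop `continue-on-error: true` and add `if: always()` to both `Upload artifact` and `Upload SARIF file`. That keeps a detected leak as a visible job failure while the SARIF still reaches code scanning.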
@@ -29,40 +29,40 @@ jobs: ## Start: Version 1 - - name: Trivy - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ steps.meta.outputs.tags }} - format: 'table' - exit-code: '1' - env: - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - ## End: Version 1 - - - - - - ## Start: Version 2 #- name: Trivy # uses: aquasecurity/trivy-action@master # with: # image-ref: ${{ steps.meta.outputs.tags }} - # format: 'sarif' - # output: 'trivy-results.sarif' + # format: 'table' + # exit-code: '1' # env: # TRIVY_USERNAME: ${{ github.actor }} # TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - # - #- name: Upload artifact - # uses: actions/upload-artifact@main - # with: - # name: 'trivy-results.sarif' - # path: 'trivy-results.sarif' - # - #- name: Upload Trivy scan results to GitHub Security tab - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: 'trivy-results.sarif' + ## End: Version 1 + + + + + + ## Start: Version 2 + - name: Trivy + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ steps.meta.outputs.tags }} + format: 'sarif' + output: 'trivy-results.sarif' + env: + TRIVY_USERNAME: ${{ github.actor }} + TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload artifact + uses: actions/upload-artifact@main + with: + name: 'trivy-results.sarif' + path: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' ## End: Version 2 From cbdc6ebde4fcd4ffda6edf238afedaff7191503a Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 00:30:06 +0100 Subject: [PATCH 07/16] GitLeaks remove secrets --- .github/workflows/secrets.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml index 0900b7d..4809c8d 100644 --- a/.github/workflows/secrets.yml 
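Review bot: The new Trivy step drops `exit-code`, so with the action's default exit code the job no longer fails on any finding and the Security tab becomes the only place the results are seen; if that is deliberate it deserves a comment on the step, otherwise keep `exit-code: '1'` together with `severity: 'CRITICAL,HIGH'` and give the two upload steps `if: always()` so the SARIF is still uploaded when the gate fails. The `Upload artifact` step also publishes the full vulnerability report as a downloadable workflow artifact, readable by anyone who can read the repository, which on a public repository is wider than the Security tab — confirm that is intended.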
+++ b/.github/workflows/secrets.yml @@ -33,9 +33,9 @@ jobs: - name: GitLeaks continue-on-error: true uses: gitleaks/gitleaks-action@v2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false + #env: + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false - name: Upload artifact uses: actions/upload-artifact@main From b3b5a9472bf0e980d4a5e5850b49d636b7996717 Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 00:38:30 +0100 Subject: [PATCH 08/16] Update Debug --- main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.py b/main.py index bc9397e..a852694 100644 --- a/main.py +++ b/main.py @@ -31,7 +31,7 @@ def hello_world(): def main(): - app.run(debug=True) + app.run(debug=False) if __name__ == '__main__': From b03476dd46aab3a3c33ae0837f929d4439202a2f Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 00:40:49 +0100 Subject: [PATCH 09/16] Handle timeout --- main.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/main.py b/main.py index a852694..13706fc 100644 --- a/main.py +++ b/main.py @@ -20,7 +20,12 @@ def serve_image(state): @app.route("/") def hello_world(): try: - workflow_runs = requests.get(workflow_runs_url.format(repo)).json()['workflow_runs'] + timeout_value = 10 + workflow_runs = requests.get(workflow_runs_url.format(repo)), timeout=timeout_value).json()['workflow_runs'] + except requests.Timeout: + print("Request timed out. Please handle this situation accordingly.") + except requests.RequestException as e: + print(f"An error occurred: {e}") workflow_states = {} for workflow in workflows: relevant_workflows = list(filter(lambda x: x['name'] == workflow, workflow_runs))[0] From bb858976cbf098c92f5c7f9d166fc5e146d6429a Mon Sep 17 00:00:00 2001 
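Review bot: `${{ secrets.GITHUB_TOKEN }}` is an expression for the job's ephemeral, automatically issued token, not a stored secret, so commenting out the `env:` block removes nothing sensitive from the repository while taking away the `GITHUB_TOKEN` that gitleaks-action v2 lists as required in its usage example; the step will most likely fail, and the `continue-on-error: true` added in the previous commit will hide that. Restore the block, `env:` / `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` / `GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false`, and if the concern is token scope, narrow it with a job-level `permissions:` block instead.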
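Review bot: The new `requests.get` line has an extra `)` after `workflow_runs_url.format(repo)`, which closes the call before `timeout=timeout_value`, so the module will not even parse; it should read `workflow_runs = requests.get(workflow_runs_url.format(repo), timeout=timeout_value).json()['workflow_runs']`. Both new `except` branches print and fall through, leaving `workflow_runs` unbound and turning a network error into an `UnboundLocalError` at the `filter` line that follows; each handler should end the request, e.g. `return "upstream request timed out", 504` and `return "upstream request failed", 502`, keeping the exception detail in the server-side log rather than the response. The body of `hello_world` continues beyond the hunk, and with indentation lost in this view it is worth confirming that the lines after the new handlers are still inside the `try` as intended and that the original `except` further down is still well-formed.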
From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 00:44:36 +0100 Subject: [PATCH 10/16] Avoid using shell --- main.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/main.py b/main.py index 13706fc..3b8a6ba 100644 --- a/main.py +++ b/main.py @@ -10,7 +10,9 @@ def never_called(bla): aws_access_token = "AKIALALEMEL33243OLIB" - os.subprocess.Popen('echo ${}'.format(aws_access_token), shell=True) + command = ['echo', str(aws_access_token)] + subprocess.Popen(command) + # os.subprocess.Popen('echo ${}'.format(aws_access_token), shell=True) def serve_image(state): From 8476e008157ff71639a4eddb97ad6ffbf3137823 Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 00:51:59 +0100 Subject: [PATCH 11/16] avoid hardcoded token --- main.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/main.py b/main.py index 3b8a6ba..2317329 100644 --- a/main.py +++ b/main.py @@ -9,7 +9,8 @@ def never_called(bla): - aws_access_token = "AKIALALEMEL33243OLIB" + aws_access_token = os.getenv("AWS_ACCESS_TOKEN") + # aws_access_token = "AKIALALEMEL33243OLIB" Keep this in enviroment variable in your environment command = ['echo', str(aws_access_token)] subprocess.Popen(command) # os.subprocess.Popen('echo ${}'.format(aws_access_token), shell=True) From 2a440d17f740f46f489b87ea42d09afb02abc8a4 Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 00:54:41 +0100 Subject: [PATCH 12/16] Change python base image --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 152e651..7bdb375 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM python:3.10 +FROM python:3.10-slim ARG REPO RUN pip3 install --upgrade pip From ef7697fbe045f8b66ab2c16122b721b63b593b13 Mon Sep 17 00:00:00 2001 
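Review bot: `subprocess.Popen(command)` relies on a top-level `import subprocess` that is not visible in the hunk, and the original line went through `os.subprocess`, which is not an attribute of the standard `os` module, so it is worth confirming the import exists rather than inheriting a name that only "worked" because `never_called` is never called. Dropping `shell=True` removes the injection path, but the command still passes the credential as an argument and writes it to stdout, so it lands in process listings and in any log that captures the output; if the echo is only a placeholder, remove it, and delete the commented-out `os.subprocess.Popen(...)` line rather than keeping the old pattern around as a copy-paste source. `Popen` is also never waited on, so the child is fire-and-forget; `subprocess.run(command, check=True)` is the clearer form.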
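Review bot: `os.getenv("AWS_ACCESS_TOKEN")` returns `None` when the variable is unset, and the `str(aws_access_token)` on the following line then quietly turns that into the literal string `None`, so a missing configuration is never reported; fail fast instead with `if aws_access_token is None: raise RuntimeError("AWS_ACCESS_TOKEN is not set")`. The trailing comment on the new line still carries the removed literal, so secret scanners will keep flagging this file until the comment itself is cleaned up, and the comment text has a typo (`enviroment`). The `os` import is outside the hunk; the old code referenced `os.subprocess`, so `os` is presumably already imported, but confirm.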
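Review bot: `FROM python:3.10-slim` still references a floating tag, so the base image — and the Trivy result for it — changes whenever the tag is rebuilt upstream, and builds on two different days can ship different system packages. Pin by digest with the tag kept for readability, `FROM python:3.10-slim@sha256:<digest-placeholder>`, and refresh the digest through dependency updates. Moving to the slim variant is a sound reduction of installed packages; the `RUN pip3 install --upgrade pip` that follows is similarly unpinned, though it is a context line outside this change.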
From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 01:01:56 +0100 Subject: [PATCH 13/16] remove aws token from comment --- main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.py b/main.py index 2317329..4356d94 100644 --- a/main.py +++ b/main.py @@ -10,7 +10,7 @@ def never_called(bla): aws_access_token = os.getenv("AWS_ACCESS_TOKEN") - # aws_access_token = "AKIALALEMEL33243OLIB" Keep this in enviroment variable in your environment + # Keep aws access token in enviroment variable command = ['echo', str(aws_access_token)] subprocess.Popen(command) # os.subprocess.Popen('echo ${}'.format(aws_access_token), shell=True) From a0bb9e7908f0943954d83d0fe8d41a88c9b0e536 Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 01:07:48 +0100 Subject: [PATCH 14/16] Uncomment version 3 S --- .github/workflows/sast.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index b33af99..dc9c2dc 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -6,8 +6,8 @@ on: branches: ['main'] workflow_dispatch: ## Start: Version 3 - #pull_request: - # types: [opened, reopened, synchronize] + pull_request: + types: [opened, reopened, synchronize] ## End: Version 3 jobs: From 6a1fe6cc11587fcba37b583ecc92338a3d4bf90a Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 01:08:17 +0100 Subject: [PATCH 15/16] Uncomment version 3 Secrets --- .github/workflows/secrets.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml index 4809c8d..52f57c7 100644 --- a/.github/workflows/secrets.yml +++ b/.github/workflows/secrets.yml 
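Review bot: Rewriting the comment takes the literal out of the working tree but not out of git history, where the earlier commits in this series still contain it and any clone or history-aware secret scan will still find it; if the value were ever real, rotating it is the remediation, and rewriting history is only a cleanup after that. The new comment also keeps the typo from the previous commit; `# Keep the AWS access token in an environment variable` reads better.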
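Review bot: `types: [opened, reopened, synchronize]` is exactly the default activity set for `pull_request`, so the new `types:` line adds nothing and can be dropped, leaving a bare `pull_request:`; the same applies to the matching hunk in secrets.yml in the next commit. Worth noting for both workflows is that a `pull_request` run triggered from a fork gets a read-only `GITHUB_TOKEN` regardless of `permissions:`, so the upload-sarif steps added earlier will fail on fork PRs and the SARIF only lands for branches in this repository; if that matters, guard the upload with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or accept and document the failure.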
@@ -5,8 +5,8 @@ on: branches: ['main'] workflow_dispatch: ## Start: Version 3 - #pull_request: - # types: [opened, reopened, synchronize] + pull_request: + types: [opened, reopened, synchronize] ## End: Version 3 jobs: From adf21aa3aaff6c2391dfa04bda111b5034153ed6 Mon Sep 17 00:00:00 2001 From: Anas Abdel Rahman <73756229+anasabbdelrahman@users.noreply.github.com> Date: Mon, 8 Jan 2024 01:12:54 +0100 Subject: [PATCH 16/16] Re-introduce the vulnerabilities --- main.py | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/main.py b/main.py index 4356d94..bc9397e 100644 --- a/main.py +++ b/main.py @@ -9,11 +9,8 @@ def never_called(bla): - aws_access_token = os.getenv("AWS_ACCESS_TOKEN") - # Keep aws access token in enviroment variable - command = ['echo', str(aws_access_token)] - subprocess.Popen(command) - # os.subprocess.Popen('echo ${}'.format(aws_access_token), shell=True) + aws_access_token = "AKIALALEMEL33243OLIB" + os.subprocess.Popen('echo ${}'.format(aws_access_token), shell=True) def serve_image(state): @@ -23,12 +20,7 @@ def serve_image(state): @app.route("/") def hello_world(): try: - timeout_value = 10 - workflow_runs = requests.get(workflow_runs_url.format(repo)), timeout=timeout_value).json()['workflow_runs'] - except requests.Timeout: - print("Request timed out. Please handle this situation accordingly.") - except requests.RequestException as e: - print(f"An error occurred: {e}") + workflow_runs = requests.get(workflow_runs_url.format(repo)).json()['workflow_runs'] workflow_states = {} for workflow in workflows: relevant_workflows = list(filter(lambda x: x['name'] == workflow, workflow_runs))[0] @@ -39,7 +31,7 @@ def hello_world(): def main(): - app.run(debug=False) + app.run(debug=True) if __name__ == '__main__':
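Review bot: This commit returns `main.py` to the blob the series started from (`index 4356d94..bc9397e`), bringing back a hard-coded credential-shaped literal passed through `shell=True`, `app.run(debug=True)` and a `requests.get` with no timeout; if these lines are deliberate seed findings for the Bandit and GitLeaks workflows set up in this series, say so next to each one, e.g. `# INTENTIONAL: seeded finding for the scanner demo`, so the next reader does not mistake them for production code. `debug=True` enables Werkzeug's interactive debugger and reloader, which must not be reachable in any deployed container, and the Dockerfile touched in this series appears to package this app, so confirm the fixture never runs with that flag outside local development. `os.subprocess.Popen` is also not a real attribute of the `os` module, so the line would raise `AttributeError` before anything executes — acceptable for a scanner fixture, but worth a comment so nobody tries to make it work. The same remarks cover the `hello_world` and `main` hunks of this commit.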