Run contextual analysis and secret detection in Docker scans #9

Closed
69 changes: 69 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.yml
@@ -0,0 +1,69 @@
---
name: "🐛 Bug Report"
description: Create a report to help us improve
labels: [bug]
body:
- type: textarea
id: description
attributes:
label: Describe the bug
description: What is the problem? A clear and concise description of the bug.
validations:
required: true

- type: textarea
id: current
attributes:
label: Current behavior
description: |
Please include full errors, uncaught exceptions, screenshots, and relevant logs.
Using environment variable JFROG_CLI_LOG_LEVEL="DEBUG" upon running the command will provide more log information.
validations:
required: true

- type: textarea
id: reproduction
attributes:
label: Reproduction steps
description: |
Provide steps to reproduce the behavior.
validations:
required: false

- type: textarea
id: expected
attributes:
label: Expected behavior
description: |
What did you expect to happen?
validations:
required: false

- type: input
id: cli-security-version
attributes:
label: JFrog CLI-Security version
validations:
required: true

- type: input
id: cli-version
attributes:
label: JFrog CLI version (if applicable)
description: using "jf --version"
validations:
required: false

- type: input
id: os-version
attributes:
label: Operating system type and version
validations:
required: true

- type: input
id: xr-version
attributes:
label: JFrog Xray version
validations:
required: false
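Review bot: The `Current behavior` field asks reporters to paste full errors and logs captured with `JFROG_CLI_LOG_LEVEL="DEBUG"`, but nothing tells them to scrub credentials first; debug-level CLI output may include platform URLs, usernames and access tokens, so add a line to that description such as `Please remove access tokens, passwords and internal hostnames before posting.` The `JFrog CLI-Security version` input is marked `required: true` but, unlike the `cli-version` input, carries no `description` saying how to obtain the value; add one.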
20 changes: 20 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
---
name: ⭐️ Feature request
about: Suggest an idea for this project
title: ''
labels: feature request
assignees: ''

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like to see**
A clear and concise description of the new feature.

**Describe alternatives you've considered**
If applicable, a clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any other context or screenshots about the feature request here.
8 changes: 8 additions & 0 deletions .github/ISSUE_TEMPLATE/question.md
@@ -0,0 +1,8 @@
---
name: ❓ Question
about: Ask a question
title: ''
labels: question
assignees: ''

---
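Review bot: The template body is empty: the file stops after the closing `---` of the front matter, so an issue opened from it shows no prompts at all, unlike `feature_request.md`. Add at least one heading and a hint, for example `**Question**` followed by a line asking for the JFrog CLI and Xray versions the question relates to, so answers don't have to start by asking for them.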
7 changes: 7 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,7 @@
- [ ] The pull request is targeting the `dev` branch.
- [ ] The code has been validated to compile successfully by running `go vet ./...`.
- [ ] The code has been formatted properly using `go fmt ./...`.
- [ ] All [static analysis checks](https://github.com/jfrog/jfrog-cli-security/actions/workflows/analysis.yml) passed.
- [ ] All [tests](https://github.com/jfrog/jfrog-cli-security/actions/workflows/test.yml) have passed. If this feature is not already covered by the tests, new tests have been added.

-----
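Review bot: The trailing `-----` on the last line separates the checklist from nothing; either drop it or follow it with a `## Description` heading where the author summarizes the change, which is the usual purpose of a rule after the checklist. Note also that the two checklist links point at `analysis.yml` and `test.yml` workflows introduced in this same change, so they resolve only once those files are merged.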
20 changes: 20 additions & 0 deletions .github/release.yml
@@ -0,0 +1,20 @@
changelog:
exclude:
labels:
- ignore for release
categories:
- title: Breaking Changes 🚨
labels:
- breaking change
- title: Exciting New Features 🎉
labels:
- new feature
- title: Improvements 🌱
labels:
- improvement
- title: Bug Fixes 🛠
labels:
- bug
- title: Other Changes 📚
labels:
- "*"
43 changes: 43 additions & 0 deletions .github/workflows/analysis.yml
@@ -0,0 +1,43 @@
name: "Static Analysis"
on:
push:
branches:
- '**'
tags-ignore:
- '**'
pull_request:
jobs:
Static-Check:
runs-on: ubuntu-latest
steps:
- name: Checkout Source
uses: actions/checkout@v3

- name: Install Go
uses: actions/setup-go@v3
with:
go-version: 1.20.x

- name: Static Code Analysis
uses: golangci/golangci-lint-action@v3
with:
args: |
--timeout 5m --out-${NO_FUTURE}format colored-line-number --enable errcheck,gosimple,govet,ineffassign,staticcheck,typecheck,unused,gocritic,asasalint,asciicheck,errchkjson,exportloopref,forcetypeassert,makezero,nilerr,unparam,unconvert,wastedassign,usestdlibvars


Go-Sec:
runs-on: ubuntu-latest
steps:
- name: Checkout Source
uses: actions/checkout@v3

- name: Install Go
uses: actions/setup-go@v3
with:
go-version: 1.20.x

# Temporarily set version 2.18.0 to workaround https://github.com/securego/gosec/issues/1046
- name: Run Gosec Security Scanner
uses: securego/[email protected]
with:
args: -exclude G204,G301,G302,G304,G306 -tests -exclude-dir \.*test\.* ./...
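Review bot: The `Go-Sec` step excludes G204, G301, G302, G304 and G306 with no comment explaining why; these rules cover command execution with variable input, directory and file permission modes, and file paths taken from variables, all of which matter for a CLI that launches scanners and reads project files. Add a comment above the `args:` line giving the rationale for each exclusion, or drop the global excludes and annotate the specific call sites with `#nosec` so the rest of the code stays covered. In the `Static-Check` step, `--out-${NO_FUTURE}format colored-line-number` reads like a typo to anyone unfamiliar with it; if the `${NO_FUTURE}` insertion is intentional, say so in a comment.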
35 changes: 35 additions & 0 deletions .github/workflows/cla.yml
@@ -0,0 +1,35 @@
name: "CLA Assistant"
on:
# issue_comment triggers this action on each comment on issues and pull requests
issue_comment:
types: [ created ]
pull_request_target:
types: [ opened,synchronize ]

jobs:
CLAssistant:
runs-on: ubuntu-latest
steps:
- uses: actions-ecosystem/action-regex-match@v2
id: sign-or-recheck
with:
text: ${{ github.event.comment.body }}
regex: '\s*(I have read the CLA Document and I hereby sign the CLA)|(recheck)\s*'

- name: "CLA Assistant"
if: ${{ steps.sign-or-recheck.outputs.match != '' || github.event_name == 'pull_request_target' }}
# Alpha Release
uses: cla-assistant/[email protected]
env:
# Generated and maintained by GitHub
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# JFrog organization secret
PERSONAL_ACCESS_TOKEN: ${{ secrets.CLA_SIGN_TOKEN }}
with:
path-to-signatures: 'signed_clas.json'
path-to-document: 'https://jfrog.com/cla/'
remote-organization-name: 'jfrog'
remote-repository-name: 'jfrog-signed-clas'
# branch should not be protected
branch: 'master'
allowlist: bot*
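Review bot: The `CLA Assistant` step receives `CLA_SIGN_TOKEN`, an organization personal access token with write access to the `jfrog-signed-clas` repository, yet the action is referenced by a mutable tag that the comment above it calls an `# Alpha Release`. Pin it to a full commit SHA (and let Dependabot bump it) so that moving the tag cannot change what runs with that token; the same applies to `actions-ecosystem/action-regex-match@v2`. Separately, in `regex: '\s*(I have read the CLA Document and I hereby sign the CLA)|(recheck)\s*'` the `|` binds at the top level, so the leading `\s*` belongs only to the first alternative; this is harmless because the match is unanchored, but `\s*(I have read the CLA Document and I hereby sign the CLA|recheck)\s*` says what is meant.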
47 changes: 47 additions & 0 deletions .github/workflows/frogbot-scan-pull-request.yml
@@ -0,0 +1,47 @@
name: "Frogbot Scan Pull Request"
on:
pull_request_target:
types: [ opened, synchronize ]
permissions:
pull-requests: write
contents: read
jobs:
scan-pull-request:
runs-on: ubuntu-latest
# A pull request needs to be approved before Frogbot scans it. Any GitHub user who is associated with the
# "frogbot" GitHub environment can approve the pull request to be scanned.
environment: frogbot
steps:
- uses: jfrog/frogbot@v2
env:
JFROG_CLI_LOG_LEVEL: "DEBUG"
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
JF_URL: ${{ secrets.FROGBOT_URL }}

# [Mandatory if JF_USER and JF_PASSWORD are not provided]
# JFrog access token with 'read' permissions on Xray service
JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}

# [Mandatory]
# The GitHub token is automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# [Optional]
# Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans.
# SMTP server URL including should the relevant port: (Example: smtp.server.com:8080)
JF_SMTP_SERVER: ${{ secrets.JF_SMTP_SERVER }}

# [Mandatory if JF_SMTP_SERVER is set]
# The username required for authenticating with the SMTP server.
JF_SMTP_USER: ${{ secrets.JF_SMTP_USER }}

# [Mandatory if JF_SMTP_SERVER is set]
# The password associated with the username required for authentication with the SMTP server.
JF_SMTP_PASSWORD: ${{ secrets.JF_SMTP_PASSWORD }}

# [Optional]
# List of comma separated email addresses to receive email notifications about secrets
# detected during pull request scanning. The notification is also sent to the email set
# in the committer git profile regardless of whether this variable is set or not.
JF_EMAIL_RECEIVERS: "[email protected]"
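Review bot: The comment on the `JF_SMTP_SERVER` line reads `SMTP server URL including should the relevant port`, which is garbled; reword it to `SMTP server host including the relevant port`. `JF_EMAIL_RECEIVERS` is a literal address committed to the repository while every other recipient-related setting comes from a secret; confirm that address is meant to be public, or source it from a secret like its neighbours. Finally, `JFROG_CLI_LOG_LEVEL: "DEBUG"` is set unconditionally in a job that holds `FROGBOT_ACCESS_TOKEN` and SMTP credentials; keep it at the default level and switch to DEBUG only while troubleshooting.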
36 changes: 36 additions & 0 deletions .github/workflows/frogbot-scan-repository.yml
@@ -0,0 +1,36 @@
name: "Frogbot Scan Repository"
on:
workflow_dispatch:
schedule:
# The repository will be scanned once a day at 00:00 GMT.
- cron: "0 0 * * *"
permissions:
contents: write
pull-requests: write
security-events: write
jobs:
scan-repository:
runs-on: ubuntu-latest
strategy:
matrix:
# The repository scanning will be triggered periodically on the following branches.
branch: [ "dev" ]
steps:
- uses: jfrog/frogbot@v2
env:
JFROG_CLI_LOG_LEVEL: "DEBUG"
# [Mandatory]
# JFrog platform URL (This functionality requires version 3.29.0 or above of Xray)
JF_URL: ${{ secrets.FROGBOT_URL }}

# [Mandatory if JF_USER and JF_PASSWORD are not provided]
# JFrog access token with 'read' permissions on Xray service
JF_ACCESS_TOKEN: ${{ secrets.FROGBOT_ACCESS_TOKEN }}

# [Mandatory]
# The GitHub token is automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# [Mandatory]
# The name of the branch on which Frogbot will perform the scan
JF_GIT_BASE_BRANCH: ${{ matrix.branch }}
18 changes: 18 additions & 0 deletions .github/workflows/removeLabel.yml
@@ -0,0 +1,18 @@
name: Remove Label
on:
pull_request_target:
types: [labeled]
# Ensures that only the latest commit is running for each PR at a time.
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }}
cancel-in-progress: true
jobs:
Remove-Label:
if: contains(github.event.pull_request.labels.*.name, 'safe to test')
name: Remove label
runs-on: ubuntu-latest
steps:
- name: Remove 'safe to test'
uses: actions-ecosystem/action-remove-labels@v1
with:
labels: "safe to test"
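Review bot: The workflow has no `permissions:` block, so the `GITHUB_TOKEN` it uses to remove the label gets the repository default permissions. The job only edits pull-request labels, so add `permissions: pull-requests: write` at the top level and nothing else, matching the explicit permission blocks already used in the two Frogbot workflows; this matters because the trigger is `pull_request_target`, where the token is the base repository's.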
72 changes: 72 additions & 0 deletions .github/workflows/test.yml
@@ -0,0 +1,72 @@
name: JFrog CLI Security Tests
on:
push:
branches:
- '**'
tags-ignore:
- '**'
# Triggers the workflow on labeled PRs only.
pull_request_target:
types: [ labeled ]
# Ensures that only the latest commit is running for each PR at a time.
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}-${{ github.ref }}
cancel-in-progress: true
jobs:
test:
if: contains(github.event.pull_request.labels.*.name, 'safe to test') || github.event_name == 'push'
runs-on: ${{ matrix.os }}-latest
strategy:
fail-fast: false
matrix:
os: [ ubuntu, windows, macos ]
env:
GOPROXY: direct
GRADLE_OPTS: -Dorg.gradle.daemon=false
steps:
# Install dependencies
- name: Install Go
uses: actions/setup-go@v3
with:
go-version: 1.20.x
- name: Install npm
uses: actions/setup-node@v3
with:
node-version: "16"
- name: Install Java
uses: actions/setup-java@v3
with:
java-version: "11"
distribution: "adopt"
- name: Install NuGet
uses: nuget/setup-nuget@v1
with:
nuget-version: 6.x
- name: Install dotnet
uses: actions/setup-dotnet@v3
with:
dotnet-version: '6.x'
- name: Setup Python3
uses: actions/setup-python@v4
with:
python-version: "3.x"
- name: Setup Pipenv
run: python -m pip install pipenv
- name: Setup Poetry
run: python -m pip install poetry
- name: Setup Gradle
uses: gradle/gradle-build-action@v2
with:
gradle-version: 7.6
# Checkout code
- name: Checkout code
uses: actions/checkout@v3
with:
ref: ${{ github.event.pull_request.head.sha }}
# Test
- name: Run security tests (without Docker Scan)
run: go test -v github.com/jfrog/jfrog-cli-security --timeout 0 --test.security --jfrog.url=${{ secrets.PLATFORM_URL }} --jfrog.adminToken=${{ secrets.PLATFORM_ADMIN_TOKEN }} --jfrog.user=${{ secrets.PLATFORM_USER }} --test.containerRegistry=${{ secrets.CONTAINER_REGISTRY }} --ci.runId=${{ runner.os }}-xray
if: ${{ matrix.os != 'ubuntu' }}
- name: Run security tests (with Docker Scan, only on Ubuntu)
run: go test -v github.com/jfrog/jfrog-cli-security --timeout 0 --test.security --test.dockerScan --jfrog.url=${{ secrets.PLATFORM_URL }} --jfrog.adminToken=${{ secrets.PLATFORM_ADMIN_TOKEN }} --test.containerRegistry=${{ secrets.CONTAINER_REGISTRY }} --ci.runId=${{ runner.os }}-xray
if: ${{ matrix.os == 'ubuntu' }}
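Review bot: The `Run security tests (with Docker Scan, only on Ubuntu)` step omits the `--jfrog.user=${{ secrets.PLATFORM_USER }}` flag that the non-Docker step passes; if the flag is required, the Ubuntu run will use a different identity or fail, so make the two command lines identical apart from `--test.dockerScan`. More broadly, this job combines `pull_request_target`, a checkout of `github.event.pull_request.head.sha` and `PLATFORM_ADMIN_TOKEN` on the command line, so fork code runs with an admin token as soon as a maintainer applies `safe to test`; together with `removeLabel.yml` that is a deliberate per-commit approval, but say so in the comment above `pull_request_target` (the label must be applied only after reviewing that exact commit) and consider whether the tests can run with a non-admin token scoped to a dedicated test project.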