From 2ae0593f3bd456b469e07ef3ed21e9a446690f44 Mon Sep 17 00:00:00 2001
From: insider-automation <117348511+insider-automation@users.noreply.github.com>
Date: Tue, 31 Oct 2023 08:00:23 +0300
Subject: [PATCH 1/3] Security | Add git-leak.yml action
---
.github/workflows/git-leak.yml | 44 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 .github/workflows/git-leak.yml
diff --git a/.github/workflows/git-leak.yml b/.github/workflows/git-leak.yml
new file mode 100644
index 0000000..e2b8e00
--- /dev/null
+++ b/.github/workflows/git-leak.yml
@@ -0,0 +1,44 @@
+name: gitleaks
+on:
+ pull_request:
+ types: [ready_for_review]
+env:
+ GIT_DISCOVERY_ACROSS_FILESYSTEM: 1
+jobs:
+ gitleaks:
+ runs-on: self-runner-node
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: '2'
+ - name: Detecting new added lines
+ run: |
+ git fetch origin ${{ github.event.repository.default_branch }}
+ git diff origin/${{ github.event.repository.default_branch }}..HEAD --name-only | xargs git diff origin/${{ github.event.repository.default_branch }}..HEAD -- | grep '+' | sed 's/+//' | sed 's/^[ \t]*//' > new-added-lines.txt
+ working-directory: ${{ github.workspace }}
+ - name: Install Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: 1.16
+ - name: Install gitleaks
+ run: |
+ go get github.com/zricethezav/gitleaks/v7
+ - name: Run gitleaks
+ run: |
+ gitleaks --no-git --path ${{ github.workspace }}/new-added-lines.txt --verbose --report=${{ github.workspace }}/gitleaks-report.json
+ - name: Send to Lambda
+ if: ${{ always() }}
+ run: |
+ python -c '
+ import json,sys,requests;
+ try:
+ output=open("./gitleaks-report.json");
+ except IOError:
+ sys.exit(0);
+ json_result=json.loads(output.read());
+ github_result = {"repository": "'${{ github.repository }}'", "server_url": "'${{ github.server_url }}'", "run_id": "'${{ github.run_id }}'", "pr_number": "'${{ github.event.number }}'"};
+ request_json = {"gitleaks_result": json_result,"github": github_result};
+ requests.post("'$LambdaWebHook'", json=request_json)'
+ env:
+ LambdaWebHook: ${{ secrets.CHECKMARX_LAMBDA_WEBHOOK }}
\ No newline at end of file
From a7e919d3afeed55eab7542bd4397ce2e64142f3e Mon Sep 17 00:00:00 2001
From: insider-automation <117348511+insider-automation@users.noreply.github.com>
Date: Tue, 31 Oct 2023 08:00:25 +0300
Subject: [PATCH 2/3] Security | Add cxflow.yml action
---
.github/workflows/cxflow.yml | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
create mode 100644 .github/workflows/cxflow.yml
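Review bot: The filter in the `Detecting new added lines` step keeps every diff line that contains a `+` anywhere, not only added lines, so `+++ b/path` headers and unchanged context lines that happen to contain a `+` land in new-added-lines.txt, and `sed 's/+//'` then strips the first `+` wherever it sits in the line; anchor both to the diff marker, `grep '^+' | grep -v '^+++' | sed 's/^+//'`. `go get github.com/zricethezav/gitleaks/v7` carries no version suffix and `actions/checkout@v2` / `actions/setup-go@v2` are tracked by mutable tags, so what executes on the self-hosted runner is whatever those references resolve to at run time; pin the gitleaks module to an explicit release version and the actions to a commit SHA. The `Send to Lambda` step discards the result of `requests.post`, so a rejected or failed upload of the report still leaves the step green; `requests.post("'$LambdaWebHook'", json=request_json, timeout=30).raise_for_status()'` surfaces it, and the same applies to the identical calls in the cxflow.yml hunk and the rewritten git-leak.yml hunk below.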
diff --git a/.github/workflows/cxflow.yml b/.github/workflows/cxflow.yml
new file mode 100644
index 0000000..cb22006
--- /dev/null
+++ b/.github/workflows/cxflow.yml
@@ -0,0 +1,17 @@
+name: CxFlow-GitHub-Pull-Request
+on:
+ pull_request:
+ types: [ready_for_review]
+jobs:
+ build:
+ runs-on: self-runner-node
+ steps:
+ - name: Trigger to Scanner Lambda
+ run: |
+ python -c '
+ import json,sys,requests;
+ github = {"repository": "'${{ github.event.repository.name }}'", "ref": "'${{ github.head_ref }}'"};
+ github_request = {"checkmarx_gitaction": github};
+ requests.post("'$LambdaWebHook'", json=github_request);'
+ env:
+ LambdaWebHook: ${{ secrets.CHECKMARX_LAMBDA_WEBHOOK }}
\ No newline at end of file
From 1da3c309a8b09de6aa83426abda975771ab2fff3 Mon Sep 17 00:00:00 2001
From: insider-automation <117348511+insider-automation@users.noreply.github.com>
Date: Fri, 1 Dec 2023 16:17:59 +0300
Subject: [PATCH 3/3] new workflow added
---
.github/workflows/git-leak.yml | 43 ++++++----------------------------
1 file changed, 7 insertions(+), 36 deletions(-)
diff --git a/.github/workflows/git-leak.yml b/.github/workflows/git-leak.yml
index e2b8e00..3b6abe3 100644
--- a/.github/workflows/git-leak.yml
+++ b/.github/workflows/git-leak.yml
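Review bot: `${{ github.head_ref }}` is expanded into the `run:` script text before the shell executes it, and on a `pull_request` trigger that value is the PR author's branch name, so the branch name participates in shell syntax of a job running on the self-hosted runner; the `${{ github.event.repository.name }}` expansion and the secret read via `'$LambdaWebHook'` sit in the same command line. GitHub's hardening guidance for this pattern is to hand such values to the step as environment variables and read them inside the program, which keeps the Python source a fixed single-quoted literal. The rewritten git-leak.yml hunk below repeats the pattern with `${{ github.ref_name }}` and should get the same treatment. Rewritten step:

```yaml
      - name: Trigger to Scanner Lambda
        env:
          LambdaWebHook: ${{ secrets.CHECKMARX_LAMBDA_WEBHOOK }}
          REPO_NAME: ${{ github.event.repository.name }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          python -c '
          import json,os,sys,requests;
          github = {"repository": os.environ["REPO_NAME"], "ref": os.environ["HEAD_REF"]};
          github_request = {"checkmarx_gitaction": github};
          requests.post(os.environ["LambdaWebHook"], json=github_request);'
```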
@@ -1,44 +1,15 @@ -name: gitleaks -on: - pull_request: - types: [ready_for_review] -env: - GIT_DISCOVERY_ACROSS_FILESYSTEM: 1 +name: Gitleaks-Action +on: [push] jobs: - gitleaks: + build: runs-on: self-runner-node steps: - - name: Checkout Repository - uses: actions/checkout@v2 - with: - fetch-depth: '2' - - name: Detecting new added lines - run: | - git fetch origin ${{ github.event.repository.default_branch }} - git diff origin/${{ github.event.repository.default_branch }}..HEAD --name-only | xargs git diff origin/${{ github.event.repository.default_branch }}..HEAD -- | grep '+' | sed 's/+//' | sed 's/^[ \t]*//' > new-added-lines.txt - working-directory: ${{ github.workspace }} - - name: Install Go - uses: actions/setup-go@v2 - with: - go-version: 1.16 - - name: Install gitleaks - run: | - go get github.com/zricethezav/gitleaks/v7 - - name: Run gitleaks - run: | - gitleaks --no-git --path ${{ github.workspace }}/new-added-lines.txt --verbose --report=${{ github.workspace }}/gitleaks-report.json - - name: Send to Lambda - if: ${{ always() }} + - name: Trigger to Gitleak run: | python -c ' import json,sys,requests; - try: - output=open("./gitleaks-report.json"); - except IOError: - sys.exit(0); - json_result=json.loads(output.read()); - github_result = {"repository": "'${{ github.repository }}'", "server_url": "'${{ github.server_url }}'", "run_id": "'${{ github.run_id }}'", "pr_number": "'${{ github.event.number }}'"}; - request_json = {"gitleaks_result": json_result,"github": github_result}; - requests.post("'$LambdaWebHook'", json=request_json)' + github = {"repository": "'${{ github.event.repository.name }}'", "ref": "'${{ github.ref_name }}'"}; + github_request = {"insider_gitleak": github}; + requests.post("'$LambdaWebHook'", json=github_request);' env: LambdaWebHook: ${{ secrets.CHECKMARX_LAMBDA_WEBHOOK }} \ No newline at end of file
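Review bot: After this rewrite the file still presents itself as a gitleaks scan (`name: Gitleaks-Action`, step `Trigger to Gitleak`, file git-leak.yml) but no longer checks out, installs or scans anything; the job only posts the repository name and `github.ref_name` to the Lambda under the `insider_gitleak` key, and nothing on the page says what the Lambda does with that payload or where scan results now land. A header comment would let the next maintainer see that the scan moved off the runner, e.g. `# Notifies the Checkmarx Lambda (CHECKMARX_LAMBDA_WEBHOOK) of each push; the gitleaks scan runs remotely and reports there, not in this job.` — adjust to what the Lambda actually does. `on: [push]` with no `branches:`/`tags:` filter fires on every branch and tag push on the self-hosted runner, which may be intended; if not, scope it. The job name `build`, kept from the previous revision, no longer describes the job and could be renamed to match the step.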