diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
index 5e57d21..9a03a89 100644
--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
@@ -22,15 +22,15 @@ jobs:
 ## Start: Version 1
- #- name: Install dependencies
- # shell: bash
- # run: |
- # pip install bandit
-
- #- name: Bandit
- # shell: bash
- # run: |
- # bandit -r .
+ # - name: Install dependencies
+ # shell: bash
+ # run: |
+ # pip install bandit
+
+ # - name: Bandit
+ # shell: bash
+ # run: |
+ # bandit -r .
 ## End: Version 1
@@ -38,24 +38,24 @@ jobs:
 ## Start: Version 2
- #- name: Install dependencies
- # shell: bash
- # run: |
- # pip install bandit-sarif-formatter bandit
-
- #- name: Bandit
- # shell: bash
- # run: |
- # bandit -f sarif -o results.sarif -r --exit-zero .
+ - name: Install dependencies
+ shell: bash
+ run: |
+ pip install bandit-sarif-formatter bandit
+
+ - name: Bandit
+ shell: bash
+ run: |
+ bandit -f sarif -o results.sarif -r --exit-zero .
- #- name: Upload artifact
- # uses: actions/upload-artifact@main
- # with:
- # name: results.sarif
- # path: results.sarif
-
- #- name: Upload SARIF file
- # uses: github/codeql-action/upload-sarif@v2
- # with:
- # sarif_file: results.sarif
- ## End: Version 2
\ No newline at end of file
+ - name: Upload artifact
+ uses: actions/upload-artifact@main
+ with:
+ name: results.sarif
+ path: results.sarif
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
+ ## End: Version 2
diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml
index efa3eb9..b128a62 100644
--- a/.github/workflows/secrets.yml
+++ b/.github/workflows/secrets.yml
@@ -5,8 +5,8 @@ on:
 branches: ['main']
 workflow_dispatch:
 ## Start: Version 3
- #pull_request:
- # types: [opened, reopened, synchronize]
+ pull_request:
+ types: [opened, reopened, synchronize]
 ## End: Version 3
 jobs:
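Review bot: The now-active Upload artifact step uses `actions/upload-artifact@main`, a mutable branch ref, so each run executes whatever that branch holds at the time; pin it to a release tag or, better, a full commit SHA, e.g. `uses: actions/upload-artifact@v4`, and do the same for the `@main` references in the secrets.yml and trivy_scanning.yml Version 2 hunks and for `aquasecurity/trivy-action@master`. Because `bandit ... --exit-zero` never fails the job, the SARIF reaching the Security tab is the only place findings surface, and `github/codeql-action/upload-sarif` needs `security-events: write` on the job, which this hunk does not show — confirm the workflow's `permissions:` block grants it. `pip install bandit-sarif-formatter bandit` is unpinned as well; a version constraint keeps the scanner reproducible. The `steps:` list and the job definition start above the hunk.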
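Review bot: Enabling `pull_request:` also runs this workflow for pull requests from forks, where `GITHUB_TOKEN` is read-only; the SARIF upload step later in this file will typically fail for such runs, so either gate that job with `if: github.event.pull_request.head.repo.full_name == github.repository` or accept that fork PRs only produce the artifact. `types: [opened, reopened, synchronize]` is the default activity set for `pull_request`, so the line can be reduced to `pull_request:` unless the explicit list is meant as documentation. The `on:` block starts above the hunk.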
@@ -22,29 +22,29 @@ jobs:
 ## Start: Version 1
- #- name: GitLeaks
- # uses: gitleaks/gitleaks-action@v2
+ # - name: GitLeaks
+ # uses: gitleaks/gitleaks-action@v2
 ## End: Version 1
 ## Start: Version 2
- #- name: GitLeaks
- # continue-on-error: true
- # uses: gitleaks/gitleaks-action@v2
+ - name: GitLeaks
+ continue-on-error: true
+ uses: gitleaks/gitleaks-action@v2
 # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
-
- #- name: Upload artifact
- # uses: actions/upload-artifact@main
- # with:
- # name: results.sarif
- # path: results.sarif
-
- #- name: Upload SARIF file
- # uses: github/codeql-action/upload-sarif@v2
- # with:
- # sarif_file: results.sarif
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@main
+ with:
+ name: results.sarif
+ path: results.sarif
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
 ## End: Version 2
diff --git a/.github/workflows/trivy_scanning.yml b/.github/workflows/trivy_scanning.yml
index ff5250e..de78a61 100644
--- a/.github/workflows/trivy_scanning.yml
+++ b/.github/workflows/trivy_scanning.yml
@@ -29,15 +29,15 @@ jobs:
 ## Start: Version 1
- #- name: Trivy
- # uses: aquasecurity/trivy-action@master
- # with:
- # image-ref: ${{ steps.meta.outputs.tags }}
- # format: 'table'
- # exit-code: '1'
- # env:
- # TRIVY_USERNAME: ${{ github.actor }}
- # TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ # - name: Trivy
+ # uses: aquasecurity/trivy-action@master
+ # with:
+ # image-ref: ${{ steps.meta.outputs.tags }}
+ # format: 'table'
+ # exit-code: '1'
+ # env:
+ # TRIVY_USERNAME: ${{ github.actor }}
+ # TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 ## End: Version 1
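Review bot: The GitLeaks step is enabled but its `env:` block stays commented out, so it runs without `GITHUB_TOKEN`, which, as far as I know, the gitleaks-action v2 README lists as required; uncomment `env:` and `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, and decide explicitly on `GITLEAKS_ENABLE_UPLOAD_ARTIFACT`, since the action's own artifact upload otherwise duplicates the Upload artifact step below it. With `continue-on-error: true` the step stays green when secrets are detected, so the SARIF reaching the Security tab is the only signal; if that upload fails (read-only token on fork PRs, missing `security-events: write`), a leak passes unnoticed — consider dropping `continue-on-error` or adding a final step that fails on a non-empty report. `actions/upload-artifact@main` is an unpinned branch ref, as in sast.yml. The `steps:` list starts above the hunk.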
@@ -45,24 +45,24 @@ jobs:
 ## Start: Version 2
- #- name: Trivy
- # uses: aquasecurity/trivy-action@master
- # with:
- # image-ref: ${{ steps.meta.outputs.tags }}
- # format: 'sarif'
- # output: 'trivy-results.sarif'
- # env:
- # TRIVY_USERNAME: ${{ github.actor }}
- # TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- #
- #- name: Upload artifact
- # uses: actions/upload-artifact@main
- # with:
- # name: 'trivy-results.sarif'
- # path: 'trivy-results.sarif'
- #
- #- name: Upload Trivy scan results to GitHub Security tab
- # uses: github/codeql-action/upload-sarif@v2
- # with:
- # sarif_file: 'trivy-results.sarif'
- ## End: Version 2
\ No newline at end of file
+ - name: Trivy
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ steps.meta.outputs.tags }}
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ env:
+ TRIVY_USERNAME: ${{ github.actor }}
+ TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@main
+ with:
+ name: 'trivy-results.sarif'
+ path: 'trivy-results.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+ ## End: Version 2
diff --git a/Dockerfile b/Dockerfile
index 152e651..7bdb375 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.10
+FROM python:3.10-slim
 ARG REPO
 RUN pip3 install --upgrade pip
diff --git a/main.py b/main.py
index bc9397e..64171e2 100644
--- a/main.py
+++ b/main.py
@@ -9,9 +9,11 @@ def never_called(bla):
- aws_access_token = "AKIALALEMEL33243OLIB"
- os.subprocess.Popen('echo ${}'.format(aws_access_token), shell=True)
-
+ # aws_access_token = ""
+ aws_access_token = os.getenv("AWS_ACCESS_TOKEN")
+ command = ['echo',str(aws_access_token)]
+ # os.subprocess.Popen('echo ${}'.format(aws_access_token), shell=True)
+
 def serve_image(state):
 return send_file("bla.jpeg", mimetype="image/png")
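Review bot: The enabled Trivy step has no `exit-code` (the Version 1 variant above carried `exit-code: '1'`), so the job passes whatever the scan finds and the Security tab is the only signal; if vulnerabilities are meant to gate the image, add `exit-code: '1'` (optionally with `severity: 'CRITICAL,HIGH'`) and put `if: always()` on the two upload steps so the report still reaches the Security tab when the scan fails. `aquasecurity/trivy-action@master` and `actions/upload-artifact@main` are mutable branch refs — pin them to a tag or full commit SHA. `image-ref: ${{ steps.meta.outputs.tags }}` may hold several newline-separated tags if the metadata step emits more than one; confirm the `meta` step, which is above the hunk, produces exactly one. The job and its earlier steps start outside the hunk.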
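Review bot: `python:3.10-slim` is a floating tag, so two builds of the same commit can resolve to different base images; pin by digest as well, `FROM python:3.10-slim@sha256:<digest of the image you tested>` (placeholder — take the value from the registry), and bump it deliberately. Moving to `-slim` also drops the build tooling the full image carried; if a dependency installed further down needs a compiler, that will now surface as a build failure rather than silently. The rest of the Dockerfile is outside the hunk.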
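Review bot: `command` is built on the new line but never used, and the `Popen` call survives only as a commented-out line, so `never_called` now does nothing at all; either execute it with `subprocess.run(command)` (the list form keeps the value out of a shell) or delete `command` together with the two commented lines, which carry no information. Removing the hard-coded token from the tree does not remove it from git history, so that credential should be treated as exposed and rotated regardless of this change. `str(aws_access_token)` turns a missing `AWS_ACCESS_TOKEN` variable into the string `"None"`; check for `None` before using it, and note that echoing a token writes it into whatever captures stdout, such as CI logs. The function signature is in the hunk header and the module's imports are above it.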
@@ -32,6 +34,7 @@ def hello_world():
 def main():
 app.run(debug=True)
+ app.run(debug=False)
 if __name__ == '__main__':
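Review bot: `app.run(debug=False)` is added after `app.run(debug=True)` instead of replacing it; `app.run` blocks until the server stops, so the new line is unreachable and the app still starts with the Werkzeug debugger enabled. Delete the `debug=True` line so `app.run(debug=False)` is the only call in `main()`, or derive the flag from configuration, e.g. `app.run(debug=os.getenv("FLASK_DEBUG") == "1")`, so it is off unless explicitly requested. `main()` ends inside the hunk; the `if __name__` block continues below it.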