From 6471c1217dd7cec8ac869e02db36d9d3f77211ac Mon Sep 17 00:00:00 2001
From: HSheela <158300903+HSheela@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:23:21 +0100
Subject: [PATCH 01/10] Update sast.yml
version1, adding Bandit
---
 .github/workflows/sast.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
index 5e57d21..e9fd8a9 100644
--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
@@ -22,15 +22,15 @@ jobs:
 ## Start: Version 1
- #- name: Install dependencies
- # shell: bash
- # run: |
- # pip install bandit
-
- #- name: Bandit
- # shell: bash
- # run: |
- # bandit -r .
+ - name: Install dependencies
+ shell: bash
+ run: |
+ pip install bandit
+
+ - name: Bandit
+ shell: bash
+ run: |
+ bandit -r .
 ## End: Version 1
@@ -58,4 +58,4 @@ jobs:
 # uses: github/codeql-action/upload-sarif@v2
 # with:
 # sarif_file: results.sarif
- ## End: Version 2
\ No newline at end of file
+ ## End: Version 2
From fd98783355709f9e3436f4cc6c3bae2a698912a8 Mon Sep 17 00:00:00 2001
From: HSheela <158300903+HSheela@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:23:58 +0100
Subject: [PATCH 02/10] Update secrets.yml
Secrets scanning with GitLeaks - Version1
---
 .github/workflows/secrets.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml
index efa3eb9..897cce8 100644
--- a/.github/workflows/secrets.yml
+++ b/.github/workflows/secrets.yml
@@ -22,8 +22,8 @@ jobs:
 ## Start: Version 1
- #- name: GitLeaks
- # uses: gitleaks/gitleaks-action@v2
+ - name: GitLeaks
+ uses: gitleaks/gitleaks-action@v2
 ## End: Version 1
From ada111ef268938c1277256c2acfbd741ee02ab7d Mon Sep 17 00:00:00 2001
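Review bot: `pip install bandit` in the enabled Version 1 step installs whatever Bandit release PyPI serves at run time, so the rule set and exit behaviour of this gate can change between two runs of the same commit; pin it, e.g. `pip install bandit==<PINNED_VERSION>` with the placeholder replaced, and bump on purpose. The same applies to `pip install bandit-sarif-formatter bandit` in the Version 2 step enabled by PATCH 04. As written, Bandit's default exit code fails the job on any finding, which is a reasonable gate; note that Version 2 later trades it for `--exit-zero`.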
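Review bot: The enabled GitLeaks step runs `gitleaks/gitleaks-action@v2` with no `env:` block, yet the action's README lists `GITHUB_TOKEN` as required (it calls the GitHub API to resolve the commit range to scan), so this step is expected to fail or be rate-limited rather than scan; add `env:` with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` as Version 2 in PATCH 05 does. PATCH 07 then comments that env out again under the rationale of removing secrets; the automatic `GITHUB_TOKEN` is a scoped, per-run token rather than a leaked credential, and the action needs it, so it should stay.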
From: HSheela <158300903+HSheela@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:24:35 +0100
Subject: [PATCH 03/10] Update trivy_scanning.yml
Container Scanning with Trivy-Version1
---
 .github/workflows/trivy_scanning.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/trivy_scanning.yml b/.github/workflows/trivy_scanning.yml
index ff5250e..714aeb3 100644
--- a/.github/workflows/trivy_scanning.yml
+++ b/.github/workflows/trivy_scanning.yml
@@ -29,15 +29,15 @@ jobs:
 ## Start: Version 1
- #- name: Trivy
- # uses: aquasecurity/trivy-action@master
- # with:
- # image-ref: ${{ steps.meta.outputs.tags }}
- # format: 'table'
- # exit-code: '1'
- # env:
- # TRIVY_USERNAME: ${{ github.actor }}
- # TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ - name: Trivy
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ steps.meta.outputs.tags }}
+ format: 'table'
+ exit-code: '1'
+ env:
+ TRIVY_USERNAME: ${{ github.actor }}
+ TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 ## End: Version 1
@@ -65,4 +65,4 @@ jobs:
 # uses: github/codeql-action/upload-sarif@v2
 # with:
 # sarif_file: 'trivy-results.sarif'
- ## End: Version 2
\ No newline at end of file
+ ## End: Version 2
From c3e1339c8e3a2c72201a62a66ef3e637b51a89b6 Mon Sep 17 00:00:00 2001
From: HSheela <158300903+HSheela@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:34:06 +0100
Subject: [PATCH 04/10] Update sast.yml
SAST with Bandit-Version2
---
 .github/workflows/sast.yml | 56 +++++++++++++++++++-------------------
 1 file changed, 28 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
index e9fd8a9..9a03a89 100644
--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
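Review bot: `uses: aquasecurity/trivy-action@master` resolves to whatever is on the action's default branch at run time, so an upstream change or compromise is picked up silently by a step that also receives `secrets.GITHUB_TOKEN` through `TRIVY_PASSWORD`; pin it to a full commit SHA with the release noted alongside, `uses: aquasecurity/trivy-action@<FULL_COMMIT_SHA> # <RELEASE_TAG>`. The same mutable references recur as `aquasecurity/trivy-action@master` in PATCH 06 and as `actions/upload-artifact@main` in PATCH 04, 05 and 06. `image-ref: ${{ steps.meta.outputs.tags }}` assumes the `meta` step, which lies before this hunk, emits a single tag; if it is docker/metadata-action with several tags configured, that output is newline-separated and this input should receive one tag only, which is worth confirming.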
@@ -22,15 +22,15 @@ jobs:
 ## Start: Version 1
- - name: Install dependencies
- shell: bash
- run: |
- pip install bandit
-
- - name: Bandit
- shell: bash
- run: |
- bandit -r .
+ # - name: Install dependencies
+ # shell: bash
+ # run: |
+ # pip install bandit
+
+ # - name: Bandit
+ # shell: bash
+ # run: |
+ # bandit -r .
 ## End: Version 1
@@ -38,24 +38,24 @@ jobs:
 ## Start: Version 2
- #- name: Install dependencies
- # shell: bash
- # run: |
- # pip install bandit-sarif-formatter bandit
-
- #- name: Bandit
- # shell: bash
- # run: |
- # bandit -f sarif -o results.sarif -r --exit-zero .
+ - name: Install dependencies
+ shell: bash
+ run: |
+ pip install bandit-sarif-formatter bandit
+
+ - name: Bandit
+ shell: bash
+ run: |
+ bandit -f sarif -o results.sarif -r --exit-zero .
- #- name: Upload artifact
- # uses: actions/upload-artifact@main
- # with:
- # name: results.sarif
- # path: results.sarif
-
- #- name: Upload SARIF file
- # uses: github/codeql-action/upload-sarif@v2
- # with:
- # sarif_file: results.sarif
+ - name: Upload artifact
+ uses: actions/upload-artifact@main
+ with:
+ name: results.sarif
+ path: results.sarif
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
 ## End: Version 2
From 919332adfb371758497aa8628f985cc257567e41 Mon Sep 17 00:00:00 2001
From: HSheela <158300903+HSheela@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:34:57 +0100
Subject: [PATCH 05/10] Update secrets.yml
Secrets scanning with GitLeaks-Version2
---
 .github/workflows/secrets.yml | 38 +++++++++++++++++------------------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml
index 897cce8..9d702e0 100644
--- a/.github/workflows/secrets.yml
+++ b/.github/workflows/secrets.yml
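Review bot: With `bandit -f sarif -o results.sarif -r --exit-zero .` the job can no longer fail on findings, so the only gate left is the Security tab, and `github/codeql-action/upload-sarif@v2` needs the `security-events: write` permission for that; the workflow's `permissions` block, if any, is outside this hunk, so please confirm it is granted. If the job is still meant to block on findings, drop `--exit-zero` and give the two upload steps `if: always()` so a failing scan both fails the job and still reaches the tab. `actions/upload-artifact@main` is a moving branch reference and should be pinned to a release tag or commit SHA. The first hunk of this patch keeps Version 1 as a commented-out block, a pattern PATCH 05, 06 and 07 repeat; git history already preserves the old variant, so deleting disabled blocks keeps the file readable.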
@@ -22,29 +22,29 @@ jobs:
 ## Start: Version 1
- - name: GitLeaks
- uses: gitleaks/gitleaks-action@v2
+ # - name: GitLeaks
+ # uses: gitleaks/gitleaks-action@v2
 ## End: Version 1
 ## Start: Version 2
- #- name: GitLeaks
- # continue-on-error: true
- # uses: gitleaks/gitleaks-action@v2
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
-
- #- name: Upload artifact
- # uses: actions/upload-artifact@main
- # with:
- # name: results.sarif
- # path: results.sarif
-
- #- name: Upload SARIF file
- # uses: github/codeql-action/upload-sarif@v2
- # with:
- # sarif_file: results.sarif
+ - name: GitLeaks
+ continue-on-error: true
+ uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@main
+ with:
+ name: results.sarif
+ path: results.sarif
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
 ## End: Version 2
From a7222d394d8ddc7962d2b86840d5d8f31aa4e342 Mon Sep 17 00:00:00 2001
From: HSheela <158300903+HSheela@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:36:01 +0100
Subject: [PATCH 06/10] Update trivy_scanning.yml
Container Scanning with Trivy-Version2
---
 .github/workflows/trivy_scanning.yml | 58 ++++++++++++++--------------
 1 file changed, 29 insertions(+), 29 deletions(-)
diff --git a/.github/workflows/trivy_scanning.yml b/.github/workflows/trivy_scanning.yml
index 714aeb3..de78a61 100644
--- a/.github/workflows/trivy_scanning.yml
+++ b/.github/workflows/trivy_scanning.yml
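Review bot: `continue-on-error: true` on the enabled GitLeaks step means a detected leak, which the action is documented to report by failing the step, never fails the job, and it equally hides a crash of the action such as a missing token; the usual form is to remove `continue-on-error: true` and put `if: always()` on the two upload steps, so the report is still uploaded while the job fails. `GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false` combined with a separate `actions/upload-artifact` step for `results.sarif` relies on the action writing that file into the workspace, which matches its documented behaviour but should be confirmed for the version pinned. `actions/upload-artifact@main` tracks a branch and should be pinned to a tag or commit SHA. The `upload-sarif` step also needs `security-events: write`, granted outside this hunk if at all.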
@@ -29,15 +29,15 @@ jobs:
 ## Start: Version 1
- - name: Trivy
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ steps.meta.outputs.tags }}
- format: 'table'
- exit-code: '1'
- env:
- TRIVY_USERNAME: ${{ github.actor }}
- TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ # - name: Trivy
+ # uses: aquasecurity/trivy-action@master
+ # with:
+ # image-ref: ${{ steps.meta.outputs.tags }}
+ # format: 'table'
+ # exit-code: '1'
+ # env:
+ # TRIVY_USERNAME: ${{ github.actor }}
+ # TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 ## End: Version 1
@@ -45,24 +45,24 @@ jobs:
 ## Start: Version 2
- #- name: Trivy
- # uses: aquasecurity/trivy-action@master
- # with:
- # image-ref: ${{ steps.meta.outputs.tags }}
- # format: 'sarif'
- # output: 'trivy-results.sarif'
- # env:
- # TRIVY_USERNAME: ${{ github.actor }}
- # TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- #
- #- name: Upload artifact
- # uses: actions/upload-artifact@main
- # with:
- # name: 'trivy-results.sarif'
- # path: 'trivy-results.sarif'
- #
- #- name: Upload Trivy scan results to GitHub Security tab
- # uses: github/codeql-action/upload-sarif@v2
- # with:
- # sarif_file: 'trivy-results.sarif'
+ - name: Trivy
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ steps.meta.outputs.tags }}
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ env:
+ TRIVY_USERNAME: ${{ github.actor }}
+ TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@main
+ with:
+ name: 'trivy-results.sarif'
+ path: 'trivy-results.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
 ## End: Version 2
From c4c05f0216678ae7d18f3293b186eba164d1de3b Mon Sep 17 00:00:00 2001
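Review bot: The enabled Version 2 Trivy step drops the `exit-code: '1'` that Version 1 carried, and trivy-action's `exit-code` input defaults to 0, so with `format: 'sarif'` the job now passes whatever the scan finds; if the job is still meant to gate, keep `exit-code: '1'` (optionally narrowed with `severity: 'CRITICAL,HIGH'`) and give the two upload steps `if: always()` so the SARIF still reaches the Security tab when the scan fails. `aquasecurity/trivy-action@master` and `actions/upload-artifact@main` are mutable branch references that should be pinned to a commit SHA. `image-ref: ${{ steps.meta.outputs.tags }}` still assumes a single tag from the `meta` step, which lies outside this hunk.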
From: HSheela <158300903+HSheela@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:44:19 +0100
Subject: [PATCH 07/10] Update secrets.yml
Removing secrets from Gitleaks
---
 .github/workflows/secrets.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml
index 9d702e0..eb4f386 100644
--- a/.github/workflows/secrets.yml
+++ b/.github/workflows/secrets.yml
@@ -33,9 +33,9 @@ jobs:
 - name: GitLeaks
 continue-on-error: true
 uses: gitleaks/gitleaks-action@v2
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
+ # env:
+ # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # GITLEAKS_ENABLE_UPLOAD_ARTIFACT: false
 - name: Upload artifact
 uses: actions/upload-artifact@main
From 4c75f9a818c47886efc1ec114fe125c13836b935 Mon Sep 17 00:00:00 2001
From: HSheela <158300903+HSheela@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:52:27 +0100
Subject: [PATCH 08/10] Update main.py
Removing hardcoded token and debug update
---
 main.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/main.py b/main.py
index bc9397e..64171e2 100644
--- a/main.py
+++ b/main.py
@@ -9,9 +9,11 @@ def never_called(bla):
- aws_access_token = "AKIALALEMEL33243OLIB"
- os.subprocess.Popen('echo ${}'.format(aws_access_token), shell=True)
-
+ # aws_access_token = ""
+ aws_access_token = os.getenv("AWS_ACCESS_TOKEN")
+ command = ['echo',str(aws_access_token)]
+ # os.subprocess.Popen('echo ${}'.format(aws_access_token), shell=True)
+
 def serve_image(state):
 return send_file("bla.jpeg", mimetype="image/png")
@@ -32,6 +34,7 @@ def hello_world():
 def main():
 app.run(debug=True)
+ app.run(debug=False)
 if __name__ == '__main__':
From 1061e05fec6a2c1eb66760d36068728822bc7fe2 Mon Sep 17 00:00:00 2001
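Review bot: `command = ['echo',str(aws_access_token)]` is assigned and never used, because its only consumer, the `Popen` call on the next line, is now a comment; the new line is dead code, and `str()` silently turns an unset `AWS_ACCESS_TOKEN` into the literal `'None'` instead of surfacing the missing configuration. Even a shell-free `subprocess.run(command)` would print the credential to stdout and thus into CI logs, so the echo should be removed rather than rewritten: keep `aws_access_token = os.getenv("AWS_ACCESS_TOKEN")` and drop the other three added lines. Replacing the literal in the working tree does not remove it from git history, so the key should be treated as exposed and rotated. `never_called` begins before this hunk.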
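Review bot: `app.run(debug=False)` is appended after `app.run(debug=True)` rather than replacing it; `app.run` blocks until the server stops, so the new line is unreachable and the application still starts with debug mode on. Change the existing line to `app.run(debug=False)` and delete the added one, or derive the flag from an environment variable that defaults to off. Debug mode enables the Werkzeug interactive debugger and auto-reloader, which must not be reachable on a deployed service, and it is what Bandit reports as B201 (flask_debug_true), so the scan added in this series will keep flagging the first line until it changes.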
From: HSheela <158300903+HSheela@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:52:46 +0100
Subject: [PATCH 09/10] Update Dockerfile
python version change
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index 152e651..7bdb375 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.10
+FROM python:3.10-slim
 ARG REPO
 RUN pip3 install --upgrade pip
From f0d02a5a1cd0d00b1765c8571c1b296f700599a0 Mon Sep 17 00:00:00 2001
From: HSheela <158300903+HSheela@users.noreply.github.com>
Date: Wed, 31 Jan 2024 16:58:57 +0100
Subject: [PATCH 10/10] Update secrets.yml
Secrets scanning with GitLeaks - version3
---
 .github/workflows/secrets.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/secrets.yml b/.github/workflows/secrets.yml
index eb4f386..b128a62 100644
--- a/.github/workflows/secrets.yml
+++ b/.github/workflows/secrets.yml
@@ -5,8 +5,8 @@ on:
 branches: ['main']
 workflow_dispatch:
 ## Start: Version 3
- #pull_request:
- # types: [opened, reopened, synchronize]
+ pull_request:
+ types: [opened, reopened, synchronize]
 ## End: Version 3
 jobs:
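Review bot: `types: [opened, reopened, synchronize]` is exactly the default activity-type set for `pull_request`, so `pull_request:` alone is equivalent; keep the list only if it is meant to document the choice. Enabling this trigger also means runs for pull requests from forks receive a read-only `GITHUB_TOKEN`, so the `upload-sarif` step further down the file, which needs `security-events: write`, is expected to be denied on those runs; the job itself lies outside this hunk. If fork pull requests matter, condition the upload steps on the head repository, e.g. `if: github.event.pull_request.head.repo.full_name == github.repository`, so the scan still runs and only the upload is skipped.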