diff --git a/pkg/connectors/github/githubConnector.go b/pkg/connectors/github/githubConnector.go
index ced2148..fc48853 100644
--- a/pkg/connectors/github/githubConnector.go
+++ b/pkg/connectors/github/githubConnector.go
@@ -86,8 +86,8 @@ func (gc *GithubConnector) addRepo(githubJsonObject map[string]*GithubOwner, rep
 FullName: *repo.FullName,
 ID: int(*repo.ID),
 ProgrammingLanguages: languages,
- GithubActionsWorkflows: make(map[string]*PipelineFile),
- JfrogPipelines: make(map[string]*PipelineFile),
+ GithubActionsWorkflows: make(map[string]*connectors.PipelineFile),
+ JfrogPipelines: make(map[string]*connectors.PipelineFile),
 }
 
 return nil
@@ -153,8 +153,8 @@ func (gc *GithubConnector) processWorkflowFiles(githubJsonObject map[string]*Git
 return processingError
 }
 
-func (gc *GithubConnector) getWorkflowFilesEntities(repo *github.Repository) (chan *PipelineFile, error) {
- workflowFilesEntitiesChan := make(chan *PipelineFile)
+func (gc *GithubConnector) getWorkflowFilesEntities(repo *github.Repository) (chan *connectors.PipelineFile, error) {
+ workflowFilesEntitiesChan := make(chan *connectors.PipelineFile)
 var getEntitiesErr error
 
 go func() {
@@ -171,7 +171,7 @@ func (gc *GithubConnector) getWorkflowFilesEntities(repo *github.Repository) (ch
 }
 relevantFilesPaths := gc.matchedFiles(tree, cicdPlatform.RelevantFilesRegex)
 for _, filePath := range relevantFilesPaths {
- workflowFilesEntitiesChan <- &PipelineFile{
+ workflowFilesEntitiesChan <- &connectors.PipelineFile{
 RelativePath: filePath,
 Filename: path.Base(filePath),
 Origin: cicdPlatform.Name,
diff --git a/pkg/connectors/github/githubJson.type.go b/pkg/connectors/github/githubJson.type.go
index 10d0541..b551362 100644
--- a/pkg/connectors/github/githubJson.type.go
+++ b/pkg/connectors/github/githubJson.type.go
@@ -1,5 +1,7 @@
 package githubConnector
 
+import "github.com/allero-io/allero/pkg/connectors"
+
 type GithubOwner struct {
 Name string `json:"ownerName"`
 Type string `json:"ownerType"`
@@ -8,17 +10,10 @@ type GithubOwner struct {
 }
 
 type GithubRepository struct {
- Name string `json:"name"`
- FullName string `json:"fullName"`
- ID int `json:"id"`
- ProgrammingLanguages []string `json:"programmingLanguages"`
- GithubActionsWorkflows map[string]*PipelineFile `json:"github-actions-workflows"`
- JfrogPipelines map[string]*PipelineFile `json:"jfrog-pipelines"`
-}
-
-type PipelineFile struct {
- RelativePath string `json:"relativePath"`
- Filename string `json:"filename"`
- Origin string `json:"origin"`
- Content interface{} `json:"content"`
+ Name string `json:"name"`
+ FullName string `json:"fullName"`
+ ID int `json:"id"`
+ ProgrammingLanguages []string `json:"programmingLanguages"`
+ GithubActionsWorkflows map[string]*connectors.PipelineFile `json:"github-actions-workflows"`
+ JfrogPipelines map[string]*connectors.PipelineFile `json:"jfrog-pipelines"`
 }
diff --git a/pkg/connectors/gitlab/gitlabConnector.go b/pkg/connectors/gitlab/gitlabConnector.go
index 659966c..1198966 100644
--- a/pkg/connectors/gitlab/gitlabConnector.go
+++ b/pkg/connectors/gitlab/gitlabConnector.go
@@ -105,8 +105,8 @@ func (gc *GitlabConnector) processPipelineFiles(gitlabJsonObject map[string]*Git
 return processingError
 }
 
-func (gc *GitlabConnector) getPipelineFiles(project *gitlab.Project) (chan *PipelineFile, error) {
- pipelineFilesChan := make(chan *PipelineFile)
+func (gc *GitlabConnector) getPipelineFiles(project *gitlab.Project) (chan *connectors.PipelineFile, error) {
+ pipelineFilesChan := make(chan *connectors.PipelineFile)
 var getEntitiesErr error
 
 go func() {
@@ -124,7 +124,7 @@ func (gc *GitlabConnector) getPipelineFiles(project *gitlab.Project) (chan *Pipe
 }
 relevantFilesPaths := gc.matchedFiles(treeNodes, cicdPlatform.RelevantFilesRegex)
 for _, filePath := range relevantFilesPaths {
- pipelineFilesChan <- &PipelineFile{
+ pipelineFilesChan <- &connectors.PipelineFile{
 RelativePath: filePath,
 Filename: path.Base(filePath),
 Origin: cicdPlatform.Name,
@@ -173,8 +173,8 @@ func (gc *GitlabConnector) addProject(gitlabJsonObject map[string]*GitlabGroup,
 Name: projectName,
 FullName: fullName,
 ID: project.ID,
- GitlabCi: make(map[string]*PipelineFile),
- JfrogPipelines: make(map[string]*PipelineFile),
+ GitlabCi: make(map[string]*connectors.PipelineFile),
+ JfrogPipelines: make(map[string]*connectors.PipelineFile),
 }
 
 return nil
diff --git a/pkg/connectors/gitlab/gitlabJson.type.go b/pkg/connectors/gitlab/gitlabJson.type.go
index 4f2d184..18f65ca 100644
--- a/pkg/connectors/gitlab/gitlabJson.type.go
+++ b/pkg/connectors/gitlab/gitlabJson.type.go
@@ -1,5 +1,7 @@
 package gitlabConnector
 
+import "github.com/allero-io/allero/pkg/connectors"
+
 type GitlabGroup struct {
 Name string `json:"groupName"`
 ID int `json:"id"`
@@ -7,16 +9,9 @@ type GitlabGroup struct {
 }
 
 type GitlabProject struct {
- Name string `json:"name"`
- FullName string `json:"fullName"`
- ID int `json:"id"`
- GitlabCi map[string]*PipelineFile `json:"gitlab-ci"`
- JfrogPipelines map[string]*PipelineFile `json:"jfrog-pipelines"`
-}
-
-type PipelineFile struct {
- RelativePath string `json:"relativePath"`
- Filename string `json:"filename"`
- Origin string `json:"origin"`
- Content map[string]interface{} `json:"content"`
+ Name string `json:"name"`
+ FullName string `json:"fullName"`
+ ID int `json:"id"`
+ GitlabCi map[string]*connectors.PipelineFile `json:"gitlab-ci"`
+ JfrogPipelines map[string]*connectors.PipelineFile `json:"jfrog-pipelines"`
 }
diff --git a/pkg/connectors/local/localGithubConnector.go b/pkg/connectors/local/localGithubConnector.go
index fa9b758..4b4af63 100644
--- a/pkg/connectors/local/localGithubConnector.go
+++ b/pkg/connectors/local/localGithubConnector.go
@@ -42,8 +42,8 @@ func (lc *LocalConnector) addRootPathAsNewRepo(githubJsonObject map[string]*gith
 FullName: escapedRepoName,
 ID: 0,
 ProgrammingLanguages: nil,
- GithubActionsWorkflows: make(map[string]*githubConnector.PipelineFile),
- JfrogPipelines: make(map[string]*githubConnector.PipelineFile),
+ GithubActionsWorkflows: make(map[string]*connectors.PipelineFile),
+ JfrogPipelines: make(map[string]*connectors.PipelineFile),
 }
 
 return nil
@@ -90,8 +90,8 @@ func (lc *LocalConnector) processGithubWorkflowFiles(githubJsonObject map[string
 return processingError
 }
 
-func (lc *LocalConnector) getWorkflowFilesEntities(repoName string) (chan *githubConnector.PipelineFile, error) {
- workflowFilesEntitiesChan := make(chan *githubConnector.PipelineFile)
+func (lc *LocalConnector) getWorkflowFilesEntities(repoName string) (chan *connectors.PipelineFile, error) {
+ workflowFilesEntitiesChan := make(chan *connectors.PipelineFile)
 var getEntitiesErr error
 
 go func() {
@@ -106,7 +106,7 @@ func (lc *LocalConnector) getWorkflowFilesEntities(repoName string) (chan *githu
 return
 }
 for _, filePath := range relevantFilesPaths {
- workflowFilesEntitiesChan <- &githubConnector.PipelineFile{
+ workflowFilesEntitiesChan <- &connectors.PipelineFile{
 RelativePath: filePath,
 Filename: path.Base(filePath),
 Origin: cicdPlatform.Name,
diff --git a/pkg/connectors/local/localGitlabConnector.go b/pkg/connectors/local/localGitlabConnector.go
index fcf03f0..eb348ac 100644
--- a/pkg/connectors/local/localGitlabConnector.go
+++ b/pkg/connectors/local/localGitlabConnector.go
@@ -40,8 +40,8 @@ func (lc *LocalConnector) addRootPathAsNewProject(gitlabJsonObject map[string]*g
 Name: escapedRepoName,
 FullName: escapedRepoName,
 ID: 0,
- GitlabCi: make(map[string]*gitlabConnector.PipelineFile),
- JfrogPipelines: make(map[string]*gitlabConnector.PipelineFile),
+ GitlabCi: make(map[string]*connectors.PipelineFile),
+ JfrogPipelines: make(map[string]*connectors.PipelineFile),
 }
 
 return nil
@@ -88,8 +88,8 @@ func (lc *LocalConnector) processGitlabWorkflowFiles(gitlabJsonObject map[string
 return processingError
 }
 
-func (lc *LocalConnector) getGitlabWorkflowFilesEntities(repoName string) (chan *gitlabConnector.PipelineFile, error) {
- workflowFilesEntitiesChan := make(chan *gitlabConnector.PipelineFile)
+func (lc *LocalConnector) getGitlabWorkflowFilesEntities(repoName string) (chan *connectors.PipelineFile, error) {
+ workflowFilesEntitiesChan := make(chan *connectors.PipelineFile)
 var getEntitiesErr error
 
 go func() {
@@ -108,7 +108,7 @@ func (lc *LocalConnector) getGitlabWorkflowFilesEntities(repoName string) (chan
 return
 }
 for _, filePath := range relevantFilesPaths {
- workflowFilesEntitiesChan <- &gitlabConnector.PipelineFile{
+ workflowFilesEntitiesChan <- &connectors.PipelineFile{
 RelativePath: filePath,
 Filename: path.Base(filePath),
 Origin: cicdPlatform.Name,
diff --git a/pkg/connectors/shared.go b/pkg/connectors/shared.go
index 9ed9c62..36b773b 100644
--- a/pkg/connectors/shared.go
+++ b/pkg/connectors/shared.go
@@ -19,6 +19,13 @@ type CICDPlatform struct {
 GitlabValid bool
 }
 
+type PipelineFile struct {
+ RelativePath string `json:"relativePath"`
+ Filename string `json:"filename"`
+ Origin string `json:"origin"`
+ Content map[string]interface{} `json:"content"`
+}
+
 var SUPPORTED_CICD_PLATFORMS = []CICDPlatform{
 {
 Name: "github_actions",
diff --git a/pkg/rulesConfig/defaultRules/10-ensure-sca-scanner.go b/pkg/rulesConfig/defaultRules/10-ensure-sca-scanner.go
index 9930d35..12bc9b0 100644
--- a/pkg/rulesConfig/defaultRules/10-ensure-sca-scanner.go
+++ b/pkg/rulesConfig/defaultRules/10-ensure-sca-scanner.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "fmt"
 
+ "github.com/allero-io/allero/pkg/connectors"
 githubConnector "github.com/allero-io/allero/pkg/connectors/github"
 gitlabConnector "github.com/allero-io/allero/pkg/connectors/gitlab"
 )
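Review bot: The new exported `PipelineFile` in shared.go has no doc comment, and its `Content` field is typed `map[string]interface{}` where the GitHub-side struct it replaces used `interface{}`, so a GitHub workflow whose parsed top level is not a mapping can no longer be stored in it; the connector code that fills `Content` is outside this hunk, so that narrowing is worth confirming against it. I would add above the type: `// PipelineFile is one CI/CD definition file collected by a connector; Content holds the parsed document as a generic JSON-compatible map and Origin names the CICDPlatform it was matched for.` The rules code marshals `Content` back to JSON and decodes it into typed structs, so a short note on the field that it must round-trip through encoding/json would help the next reader.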
@@ -12,15 +13,24 @@ func EnsureScaScanner(githubData map[string]*githubConnector.GithubOwner, gitlab
 schemaErrors := make([]*SchemaError, 0)
 var err error
 
+ sharedRegexExpressions := []string{
+ "^[\\S]*trivy.*|.*docker( .*)? run .*(aquasec/)?trivy.*",
+ "^[\\S]*grype.*|.*docker( .*)? run .*(anchore/)?grype.*",
+ "(jfrog|jf) (s|scan).*",
+ "ws scan.*",
+ "snyk (code |)test.*",
+ "(jfrog|jf) (xr).*",
+ }
+
 if githubData != nil {
- schemaErrors, err = githubErrorsRule10(githubData)
+ schemaErrors, err = githubErrorsRule10(githubData, sharedRegexExpressions)
 if err != nil {
 return nil, err
 }
 }
 
 if gitlabData != nil {
- schemaErrors, err = gitlabErrorsRule10(gitlabData)
+ schemaErrors, err = gitlabErrorsRule10(gitlabData, sharedRegexExpressions)
 if err != nil {
 return nil, err
 }
@@ -29,7 +39,7 @@ func EnsureScaScanner(githubData map[string]*githubConnector.GithubOwner, gitlab
 return schemaErrors, nil
 }
 
-func githubErrorsRule10(githubData map[string]*githubConnector.GithubOwner) ([]*SchemaError, error) {
+func githubErrorsRule10(githubData map[string]*githubConnector.GithubOwner, runRegexExpressions []string) ([]*SchemaError, error) {
 schemaErrors := make([]*SchemaError, 0)
 
 usesRegexExpressions := []string{
@@ -40,14 +50,6 @@ func githubErrorsRule10(githubData map[string]*githubConnector.GithubOwner) ([]*
 ".*snyk/actions/maven@.*",
 }
 
- runRegexExpressions := []string{
- ".*^[\\S]*trivy.*|.*docker .* run .*(aquasec/)?trivy.*",
- "^[\\S]*grype|docker .* run .*(anchore/)?grype.*",
- "(jfrog|jf) (s|scan).*",
- "ws scan.*",
- "snyk (code | )test.*",
- }
-
 for _, owner := range githubData {
 for _, repo := range owner.Repositories {
 foundScaScanner := false
@@ -59,7 +61,7 @@ func githubErrorsRule10(githubData map[string]*githubConnector.GithubOwner) ([]*
 return nil, err
 }
 
- var workflowObj Workflow
+ var workflowObj GithubWorkflow
 err = json.Unmarshal(contentByteArr, &workflowObj)
 if err != nil {
 return nil, err
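Review bot: The `sharedRegexExpressions` list in the first hunk anchors the trivy and grype patterns with `^`, but Go's regexp treats `^` as start-of-text unless `(?m)` is set, so a multi-line `run:` script that invokes `trivy fs .` on its second line is not matched and the repository is wrongly reported as lacking an SCA scanner, while the unanchored `ws scan.*` and `(jfrog|jf) (s|scan).*` match any substring, e.g. a `run: echo workflows scanned` step or any `jf s…` subcommand such as `jf setup`. I would enable multi-line mode and anchor each pattern to a token boundary, e.g. `"(?m)^[\\S]*trivy.*|.*docker( .*)? run .*(aquasec/)?trivy.*"`, `"(?m)(^|\\s)ws scan.*"`, `"(?m)(^|\\s)(jfrog|jf) (s|scan)\\b.*"`; whether `matchRegex` itself adds flags is outside this hunk. Separately, visible in context: when both `githubData` and `gitlabData` are non-nil, the second `schemaErrors, err = gitlabErrorsRule10(...)` assignment discards the GitHub findings, so collecting the GitLab result into its own variable and appending it would keep both.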
@@ -96,11 +98,20 @@ func githubErrorsRule10(githubData map[string]*githubConnector.GithubOwner) ([]*
 }
 }
 
+ if !foundScaScanner {
+ var err error
+ foundScaScanner, err = findJfrogScanScannerRule10(repo.JfrogPipelines, runRegexExpressions)
+
+ if err != nil {
+ return nil, err
+ }
+ }
+
 if !foundScaScanner {
 schemaErrors = append(schemaErrors, &SchemaError{
 ErrorLevel: 2,
 RepositryName: repo.Name,
- CiCdPlatform: "github-actions-workflows",
+ CiCdPlatform: "",
 OwnerName: owner.Name,
 ScmPlatform: "github",
 })
@@ -111,12 +122,12 @@ func githubErrorsRule10(githubData map[string]*githubConnector.GithubOwner) ([]*
 return schemaErrors, nil
 }
 
-func gitlabErrorsRule10(gitlabData map[string]*gitlabConnector.GitlabGroup) ([]*SchemaError, error) {
+func gitlabErrorsRule10(gitlabData map[string]*gitlabConnector.GitlabGroup, scriptsRegexExpressions []string) ([]*SchemaError, error) {
 schemaErrors := make([]*SchemaError, 0)
 
 for _, group := range gitlabData {
 for _, project := range group.Projects {
- foundScaScanner, err := findScaScannerRule10(project)
+ foundScaScanner, err := findGitlabScaScannerRule10(project, scriptsRegexExpressions)
 if err != nil {
 return nil, err
 }
@@ -125,7 +136,7 @@ func gitlabErrorsRule10(gitlabData map[string]*gitlabConnector.GitlabGroup) ([]*
 schemaErrors = append(schemaErrors, &SchemaError{
 ErrorLevel: 2,
 RepositryName: project.Name,
- CiCdPlatform: "gitlab-ci",
+ CiCdPlatform: "",
 OwnerName: group.Name,
 ScmPlatform: "gitlab",
 })
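Review bot: Setting `CiCdPlatform: ""` in both the GitHub and GitLab `SchemaError` literals drops the only field that told a reader which pipeline definitions were inspected, so a rule-10 finding now carries an empty platform while the other rules presumably still name one. Since the rule now checks the SCM-native pipelines and JFrog Pipelines together, I would name both, e.g. `CiCdPlatform: "github-actions-workflows,jfrog-pipelines"` and `CiCdPlatform: "gitlab-ci,jfrog-pipelines"`, or emit one finding per platform, so downstream output stays meaningful. Also in the first hunk, `var err error` followed by a two-value assignment and a blank line before the error check reads awkwardly; `found, err := findJfrogScanScannerRule10(repo.JfrogPipelines, runRegexExpressions)` with `foundScaScanner = found` after the check keeps the declaration next to its use. The enclosing loop over `owner.Repositories` starts outside the hunk.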
@@ -136,20 +147,12 @@ func gitlabErrorsRule10(gitlabData map[string]*gitlabConnector.GitlabGroup) ([]*
 return schemaErrors, nil
 }
 
-func findScaScannerRule10(project *gitlabConnector.GitlabProject) (bool, error) {
+func findGitlabScaScannerRule10(project *gitlabConnector.GitlabProject, scriptsRegexExpressions []string) (bool, error) {
 imageRegexExpressions := []string{
 "registry.gitlab.com/secure.*",
 }
 
- scriptRegexExpressions := []string{
- ".*^[\\S]*trivy.*|.*docker .* run .*(aquasec/)?trivy.*",
- "^[\\S]*grype|docker .* run .*(anchore/)?grype.*",
- "(jfrog|jf) (s|scan).*",
- "ws scan.*",
- "snyk ?(code | )test.*",
- }
-
 for _, pipeline := range project.GitlabCi {
 for key, value := range pipeline.Content {
@@ -178,7 +181,7 @@ func findScaScannerRule10(project *gitlabConnector.GitlabProject) (bool, error)
 }
 
 if stageWithSingleScript.Script != "" {
- for _, regexExpression := range scriptRegexExpressions {
+ for _, regexExpression := range scriptsRegexExpressions {
 if matchRegex(regexExpression, stageWithSingleScript.Script) {
 return true, nil
 }
@@ -187,7 +190,7 @@ func findScaScannerRule10(project *gitlabConnector.GitlabProject) (bool, error)
 
 if stageWithScripts.Scripts != nil {
 for _, script := range stageWithScripts.Scripts {
- for _, regexExpression := range scriptRegexExpressions {
+ for _, regexExpression := range scriptsRegexExpressions {
 if matchRegex(regexExpression, script) {
 return true, nil
 }
@@ -197,5 +200,46 @@ func findScaScannerRule10(project *gitlabConnector.GitlabProject) (bool, error)
 }
 }
 
+ foundInJfrog, err := findJfrogScanScannerRule10(project.JfrogPipelines, scriptsRegexExpressions)
+ if err != nil {
+ return false, err
+ }
+
+ return foundInJfrog, nil
+}
+
+func findJfrogScanScannerRule10(jfrogPipelines map[string]*connectors.PipelineFile, executionRegexExpressions []string) (bool, error) {
+ jfrogPiplineFiles := make([]*JfrogPipelineFile, 0)
+
+ for _, pipeline := range jfrogPipelines {
+ content := pipeline.Content
+ contentByteArr, err := json.Marshal(content)
+ if err != nil {
+ return false, err
+ }
+
+ var jfrogPipelineFile JfrogPipelineFile
+ err = json.Unmarshal(contentByteArr, &jfrogPipelineFile)
+ if err != nil {
+ return false, err
+ }
+
+ jfrogPiplineFiles = append(jfrogPiplineFiles, &jfrogPipelineFile)
+ }
+
+ for _, jfrogPipelineFile := range jfrogPiplineFiles {
+ for _, pipeline := range jfrogPipelineFile.Pipelines {
+ for _, step := range pipeline.Steps {
+ for _, executionCommand := range step.Execution.OnExecute {
+ for _, regexExpression := range executionRegexExpressions {
+ if matchRegex(regexExpression, executionCommand) {
+ return true, nil
+ }
+ }
+ }
+ }
+ }
+
 return false, nil
 }
diff --git a/pkg/rulesConfig/defaultRules/11-ensure-terraform-scanner.go b/pkg/rulesConfig/defaultRules/11-ensure-terraform-scanner.go
index 276aec0..b57478a 100644
--- a/pkg/rulesConfig/defaultRules/11-ensure-terraform-scanner.go
+++ b/pkg/rulesConfig/defaultRules/11-ensure-terraform-scanner.go
@@ -57,7 +57,7 @@ func githubErrorsRule11(githubData map[string]*githubConnector.GithubOwner) ([]*
 return nil, err
 }
 
- var workflowObj Workflow
+ var workflowObj GithubWorkflow
 err = json.Unmarshal(contentByteArr, &workflowObj)
 if err != nil {
 return nil, err
diff --git a/pkg/rulesConfig/defaultRules/14-ensure-code-coverage.go b/pkg/rulesConfig/defaultRules/14-ensure-code-coverage.go
index 5f050b5..84e5408 100644
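Review bot: `findJfrogScanScannerRule10` decodes every JFrog pipeline file into the `jfrogPiplineFiles` slice (note the missing `e` in the name) before scanning any of them, so a match in the first file still pays for decoding all the others, and a decode error in a later file is reported even when an earlier file already matched; running the `OnExecute` regex loop directly inside the decode loop and returning on the first match removes the intermediate slice and the second pass, if surfacing later parse errors is not a deliberate choice. The `content := pipeline.Content` temporary is used once and can be inlined into `json.Marshal(pipeline.Content)`. The function also lacks a doc comment; I would add `// findJfrogScanScannerRule10 reports whether any onExecute command of any step in the given JFrog pipeline files matches one of executionRegexExpressions; Content is round-tripped through encoding/json into JfrogPipelineFile, and execution hooks other than onExecute are not inspected.`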
--- a/pkg/rulesConfig/defaultRules/14-ensure-code-coverage.go
+++ b/pkg/rulesConfig/defaultRules/14-ensure-code-coverage.go
@@ -50,7 +50,7 @@ func githubErrorsRule14(githubData map[string]*githubConnector.GithubOwner) ([]*
 return nil, err
 }
 
- var workflowObj Workflow
+ var workflowObj GithubWorkflow
 err = json.Unmarshal(contentByteArr, &workflowObj)
 if err != nil {
 return nil, err
diff --git a/pkg/rulesConfig/defaultRules/15-ensure-secrets-scanner.go b/pkg/rulesConfig/defaultRules/15-ensure-secrets-scanner.go
index 778b9b1..b8a5d44 100644
--- a/pkg/rulesConfig/defaultRules/15-ensure-secrets-scanner.go
+++ b/pkg/rulesConfig/defaultRules/15-ensure-secrets-scanner.go
@@ -63,7 +63,7 @@ func githubErrorsRule15(githubData map[string]*githubConnector.GithubOwner) ([]*
 if err != nil {
 return nil, err
 }
- var workflowObj Workflow
+ var workflowObj GithubWorkflow
 err = json.Unmarshal(contentByteArr, &workflowObj)
 if err != nil {
 return nil, err
diff --git a/pkg/rulesConfig/defaultRules/16-ensure-linter.go b/pkg/rulesConfig/defaultRules/16-ensure-linter.go
index 940fa19..43ff0e6 100644
--- a/pkg/rulesConfig/defaultRules/16-ensure-linter.go
+++ b/pkg/rulesConfig/defaultRules/16-ensure-linter.go
@@ -56,7 +56,7 @@ func githubErrorsRule16(githubData map[string]*githubConnector.GithubOwner) ([]*
 return nil, err
 }
 
- var workflowObj Workflow
+ var workflowObj GithubWorkflow
 err = json.Unmarshal(contentByteArr, &workflowObj)
 if err != nil {
 return nil, err
diff --git a/pkg/rulesConfig/defaultRules/17-ensure-code-quality.go b/pkg/rulesConfig/defaultRules/17-ensure-code-quality.go
index db5d5a7..bf779a4 100644
--- a/pkg/rulesConfig/defaultRules/17-ensure-code-quality.go
+++ b/pkg/rulesConfig/defaultRules/17-ensure-code-quality.go
@@ -52,7 +52,7 @@ func githubErrorsRule17(githubData map[string]*githubConnector.GithubOwner) ([]*
 return nil, err
 }
 
- var workflowObj Workflow
+ var workflowObj GithubWorkflow
 err = json.Unmarshal(contentByteArr, &workflowObj)
 if err != nil {
 return nil, err
diff --git a/pkg/rulesConfig/defaultRules/defaultRules.go b/pkg/rulesConfig/defaultRules/defaultRules.go
index 243f328..a1ef695 100644
--- a/pkg/rulesConfig/defaultRules/defaultRules.go
+++ b/pkg/rulesConfig/defaultRules/defaultRules.go
@@ -26,15 +26,15 @@ type Rule struct {
 InCodeImplementation bool `json:"inCodeImplementation"`
 }
 
-type Workflow struct {
- Jobs map[string]Job `json:"jobs"`
+type GithubWorkflow struct {
+ Jobs map[string]GithubJob `json:"jobs"`
 }
 
-type Job struct {
- Steps []Step `json:"steps"`
+type GithubJob struct {
+ Steps []GithubStep `json:"steps"`
 }
 
-type Step struct {
+type GithubStep struct {
 Uses string `json:"uses"`
 Run string `json:"run"`
 With map[string]any `json:"with"`
@@ -48,6 +48,22 @@ type GitlabStageScripts struct {
 Scripts []string `json:"script"`
 }
 
+type JfrogPipelineFile struct {
+ Pipelines []JfrogPipeline `json:"pipelines"`
+}
+
+type JfrogPipeline struct {
+ Steps []JfrogPipelineStep `json:"steps"`
+}
+
+type JfrogPipelineStep struct {
+ Execution JfrogPipelineStepExecution `json:"execution"`
+}
+
+type JfrogPipelineStepExecution struct {
+ OnExecute []string `json:"onExecute"`
+}
+
 func Validate(rule *Rule, githubData map[string]*githubConnector.GithubOwner, gitlabData map[string]*gitlabConnector.GitlabGroup) ([]*SchemaError, error) {
 if rule.UniqueId == 10 {
 return EnsureScaScanner(githubData, gitlabData)
diff --git a/pkg/rulesConfig/tests/github/10-fail.json b/pkg/rulesConfig/tests/github/10-fail.json
new file mode 100644
index 0000000..5cdef78
--- /dev/null
+++ b/pkg/rulesConfig/tests/github/10-fail.json
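Review bot: The new `JfrogPipelineFile`, `JfrogPipeline`, `JfrogPipelineStep` and `JfrogPipelineStepExecution` types, like the renamed `GithubWorkflow`, `GithubJob` and `GithubStep`, are exported without doc comments, and nothing records that they are deliberate partial views of the document (only `pipelines[].steps[].execution.onExecute` is decoded) so that every other key is silently dropped by encoding/json. I would add one line per type, e.g. `// JfrogPipelineFile is the subset of a JFrog Pipelines document that the rules inspect; keys not listed here are ignored on decode.` and `// JfrogPipelineStepExecution holds a step's onExecute commands, the only execution hook the rules currently scan.` `GithubStep.With` already uses `any`, so the package requires Go 1.18+ and the `interface{}` spelling elsewhere in this diff could be `any` for consistency.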
@@ -0,0 +1,100 @@
+{
+ "allero-io": {
+ "ownerName": "allero-io",
+ "ownerType": "Organization",
+ "id": 98962497,
+ "repositories": {
+ "demo": {
+ "name": "demo",
+ "fullName": "allero-io/demo",
+ "id": 539394261,
+ "programmingLanguages": null,
+ "github-actions-workflows": {
+ "checkov[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/checkov.yml",
+ "filename": "checkov.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "checkov-job": {
+ "name": "checkov-action",
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "name": "Checkout repo",
+ "uses": "actions/checkout@master"
+ },
+ {
+ "name": "use sca example",
+ "run": "fail trivy image python:3.4-alpine"
+ },
+ {
+ "id": "checkov",
+ "name": "Run Checkov action",
+ "uses": "bridgecrewio/checkov-action@master",
+ "with": {
+ "baseline": "cloudformation/.checkov.baseline",
+ "check": "CKV_AWS_1",
+ "config_file": "path/this_file",
+ "container_user": 1000,
+ "directory": "example/",
+ "download_external_modules": true,
+ "file": "example/tfplan.json",
+ "framework": "terraform",
+ "log_level": "DEBUG",
+ "output_format": "sarif",
+ "quiet": true,
+ "skip_check": "CKV_AWS_2",
+ "soft_fail": true
+ }
+ }
+ ]
+ }
+ },
+ "true": [
+ "push"
+ ]
+ }
+ },
+ "uncontrolled-value[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/uncontrolled-value.yml",
+ "filename": "uncontrolled-value.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "Explore-GitHub-Actions": {
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "run": "echo \"A demo job to test uncontrolled values\""
+ },
+ {
+ "run": "echo \"should not use ${{ github.event.pull_request.title }}\""
+ },
+ {
+ "run": "echo \"should not use ${{ github.event.actor.id }}\""
+ },
+ {
+ "run": "echo \"should not use ${{ github.event.actor.login }}\""
+ },
+ {
+ "run": "echo \"should not use ${{ github.event.actor.display_login }}\""
+ },
+ {
+ "run": "echo \"should not use ${{ github.event.org.login }}\""
+ }
+ ]
+ }
+ },
+ "name": "Uncontrolled Value Example",
+ "true": [
+ "push"
+ ]
+ }
+ }
+ },
+ "jfrog-pipelines": {}
+ }
+ }
+ }
+ }
diff --git a/pkg/rulesConfig/tests/github/10-pass-1.json b/pkg/rulesConfig/tests/github/10-pass-1.json
new file mode 100644
index 0000000..8d942a2
--- /dev/null
+++ b/pkg/rulesConfig/tests/github/10-pass-1.json
@@ -0,0 +1,40 @@
+{
+ "allero-io": {
+ "ownerName": "allero-io",
+ "ownerType": "Organization",
+ "id": 98962497,
+ "repositories": {
+ "demo": {
+ "name": "demo",
+ "fullName": "allero-io/demo",
+ "id": 539394261,
+ "programmingLanguages": null,
+ "github-actions-workflows": {
+ "sca-scanner[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/sca-scanner.yml",
+ "filename": "sca-scanner.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "sca-job": {
+ "name": "sca-job",
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "name": "use sca example",
+ "uses": "anchore/scan-action@1"
+ }
+ ]
+ }
+ },
+ "true": [
+ "push"
+ ]
+ }
+ }
+ },
+ "jfrog-pipelines": {}
+ }
+ }
+ }
+ }
diff --git a/pkg/rulesConfig/tests/github/10-pass-10.json b/pkg/rulesConfig/tests/github/10-pass-10.json
new file mode 100644
index 0000000..609f89e
--- /dev/null
+++ b/pkg/rulesConfig/tests/github/10-pass-10.json
@@ -0,0 +1,40 @@
+{
+ "allero-io": {
+ "ownerName": "allero-io",
+ "ownerType": "Organization",
+ "id": 98962497,
+ "repositories": {
+ "demo": {
+ "name": "demo",
+ "fullName": "allero-io/demo",
+ "id": 539394261,
+ "programmingLanguages": null,
+ "github-actions-workflows": {
+ "sca-scanner[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/sca-scanner.yml",
+ "filename": "sca-scanner.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "sca-job": {
+ "name": "sca-job",
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "name": "use sca example",
+ "run": "snyk test"
+ }
+ ]
+ }
+ },
+ "true": [
+ "push"
+ ]
+ }
+ }
+ },
+ "jfrog-pipelines": {}
+ }
+ }
+ }
+ }
diff --git a/pkg/rulesConfig/tests/github/10-pass-11.json b/pkg/rulesConfig/tests/github/10-pass-11.json
new file mode 100644
index 0000000..7ffc41d
--- /dev/null
+++ b/pkg/rulesConfig/tests/github/10-pass-11.json
@@ -0,0 +1,97 @@
+{
+ "allero-io": {
+ "ownerName": "allero-io",
+ "ownerType": "Organization",
+ "id": 98962497,
+ "repositories": {
+ "demo": {
+ "name": "demo",
+ "fullName": "allero-io/demo",
+ "id": 539394261,
+ "programmingLanguages": null,
+ "github-actions-workflows": {
+ "sca-scanner[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/sca-scanner.yml",
+ "filename": "sca-scanner.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "sca-job": {
+ "name": "sca-job",
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "name": "use sca example",
+ "run": "jfrog foo"
+ }
+ ]
+ }
+ },
+ "true": [
+ "push"
+ ]
+ }
+ }
+ },
+ "jfrog-pipelines": {
+ "jfrog-pipelines-hello-world[ESCAPED_DOT]yml": {
+ "relativePath": "jfrog-pipelines-hello-world.yml",
+ "filename": "jfrog-pipelines-hello-world.yml",
+ "origin": "jfrog_pipelines",
+ "content": {
+ "pipelines": [
+ {
+ "name": "my_first_pipeline",
+ "steps": [
+ {
+ "configuration": {
+ "inputResources": [
+ {
+ "name": "myFirstRepo"
+ }
+ ]
+ },
+ "execution": {
+ "onExecute": [
+ "jf xr",
+ "add_run_variables current_runid=$run_id",
+ "add_run_variables commitSha=$res_myFirstRepo_commitSha",
+ "echo \"Previous run ID is $prev_runid\""
+ ]
+ },
+ "name": "p1_s1",
+ "type": "Bash"
+ }
+ ]
+ }
+ ],
+ "resources": [
+ {
+ "configuration": {
+ "branches": {
+ "include": "master"
+ },
+ "gitProvider": "DYNAMIC_VALUE",
+ "path": "DYNAMIC_VALUE"
+ },
+ "name": "myFirstRepo",
+ "type": "GitRepo"
+ },
+ {
+ "configuration": {
+ "commitSha": 1,
+ "runID": 1
+ },
+ "name": "myPropertyBag",
+ "type": "PropertyBag"
+ }
+ ],
+ "template": true,
+ "valuesFilePath": "./values.yml"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/pkg/rulesConfig/tests/github/10-pass-2.json b/pkg/rulesConfig/tests/github/10-pass-2.json
new file mode 100644
index 0000000..7496441
--- /dev/null
+++ b/pkg/rulesConfig/tests/github/10-pass-2.json
@@ -0,0 +1,40 @@
+{
+ "allero-io": {
+ "ownerName": "allero-io",
+ "ownerType": "Organization",
+ "id": 98962497,
+ "repositories": {
+ "demo": {
+ "name": "demo",
+ "fullName": "allero-io/demo",
+ "id": 539394261,
+ "programmingLanguages": null,
+ "github-actions-workflows": {
+ "sca-scanner[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/sca-scanner.yml",
+ "filename": "sca-scanner.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "sca-job": {
+ "name": "sca-job",
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "name": "use sca example",
+ "uses": "synopsys-sig/detect-action@1"
+ }
+ ]
+ }
+ },
+ "true": [
+ "push"
+ ]
+ }
+ }
+ },
+ "jfrog-pipelines": {}
+ }
+ }
+ }
+ }
diff --git a/pkg/rulesConfig/tests/github/10-pass-3.json b/pkg/rulesConfig/tests/github/10-pass-3.json
new file mode 100644
index 0000000..f679aa9
--- /dev/null
+++ b/pkg/rulesConfig/tests/github/10-pass-3.json
@@ -0,0 +1,40 @@
+{
+ "allero-io": {
+ "ownerName": "allero-io",
+ "ownerType": "Organization",
+ "id": 98962497,
+ "repositories": {
+ "demo": {
+ "name": "demo",
+ "fullName": "allero-io/demo",
+ "id": 539394261,
+ "programmingLanguages": null,
+ "github-actions-workflows": {
+ "sca-scanner[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/sca-scanner.yml",
+ "filename": "sca-scanner.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "sca-job": {
+ "name": "sca-job",
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "name": "use sca example",
+ "uses": "aquasecurity/trivy-action@1"
+ }
+ ]
+ }
+ },
+ "true": [
+ "push"
+ ]
+ }
+ }
+ },
+ "jfrog-pipelines": {}
+ }
+ }
+ }
+ }
diff --git a/pkg/rulesConfig/tests/github/10-pass-4.json b/pkg/rulesConfig/tests/github/10-pass-4.json
new file mode 100644
index 0000000..dbc7e95
--- /dev/null
+++ b/pkg/rulesConfig/tests/github/10-pass-4.json
@@ -0,0 +1,40 @@
+{
+ "allero-io": {
+ "ownerName": "allero-io",
+ "ownerType": "Organization",
+ "id": 98962497,
+ "repositories": {
+ "demo": {
+ "name": "demo",
+ "fullName": "allero-io/demo",
+ "id": 539394261,
+ "programmingLanguages": null,
+ "github-actions-workflows": {
+ "sca-scanner[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/sca-scanner.yml",
+ "filename": "sca-scanner.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "sca-job": {
+ "name": "sca-job",
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "name": "use sca example",
+ "uses": "checkmarx-ts/checkmarx-cxflow-github-action@1"
+ }
+ ]
+ }
+ },
+ "true": [
+ "push"
+ ]
+ }
+ }
+ },
+ "jfrog-pipelines": {}
+ }
+ }
+ }
+ }
diff --git a/pkg/rulesConfig/tests/github/10-pass-5.json b/pkg/rulesConfig/tests/github/10-pass-5.json
new file mode 100644
index 0000000..5d4c3bd
--- /dev/null
+++ b/pkg/rulesConfig/tests/github/10-pass-5.json
@@ -0,0 +1,40 @@
+{
+ "allero-io": {
+ "ownerName": "allero-io",
+ "ownerType": "Organization",
+ "id": 98962497,
+ "repositories": {
+ "demo": {
+ "name": "demo",
+ "fullName": "allero-io/demo",
+ "id": 539394261,
+ "programmingLanguages": null,
+ "github-actions-workflows": {
+ "sca-scanner[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/sca-scanner.yml",
+ "filename": "sca-scanner.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "sca-job": {
+ "name": "sca-job",
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "name": "use sca example",
+ "uses": "snyk/actions/maven@1"
+ }
+ ]
+ }
+ },
+ "true": [
+ "push"
+ ]
+ }
+ }
+ },
+ "jfrog-pipelines": {}
+ }
+ }
+ }
+ }
diff --git a/pkg/rulesConfig/tests/github/10-pass-6.json b/pkg/rulesConfig/tests/github/10-pass-6.json
new file mode 100644
index 0000000..0cd79d2
--- /dev/null
+++ b/pkg/rulesConfig/tests/github/10-pass-6.json
@@ -0,0 +1,40 @@
+{
+ "allero-io": {
+ "ownerName": "allero-io",
+ "ownerType": "Organization",
+ "id": 98962497,
+ "repositories": {
+ "demo": {
+ "name": "demo",
+ "fullName": "allero-io/demo",
+ "id": 539394261,
+ "programmingLanguages": null,
+ "github-actions-workflows": {
+ "sca-scanner[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/sca-scanner.yml",
+ "filename": "sca-scanner.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "sca-job": {
+ "name": "sca-job",
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "name": "use sca example",
+ "run": "docker run aquasec/trivy image python:3.4-alpine"
+ }
+ ]
+ }
+ },
+ "true": [
+ "push"
+ ]
+ }
+ }
+ },
+ "jfrog-pipelines": {}
+ }
+ }
+ }
+ }
diff --git a/pkg/rulesConfig/tests/github/10-pass-7.json b/pkg/rulesConfig/tests/github/10-pass-7.json
new file mode 100644
index 0000000..ef99094
--- /dev/null
+++ b/pkg/rulesConfig/tests/github/10-pass-7.json
@@ -0,0 +1,40 @@
+{
+ "allero-io": {
+ "ownerName": "allero-io",
+ "ownerType": "Organization",
+ "id": 98962497,
+ "repositories": {
+ "demo": {
+ "name": "demo",
+ "fullName": "allero-io/demo",
+ "id": 539394261,
+ "programmingLanguages": null,
+ "github-actions-workflows": {
+ "sca-scanner[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/sca-scanner.yml",
+ "filename": "sca-scanner.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "sca-job": {
+ "name": "sca-job",
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "name": "use sca example",
+ "run": "docker run anchore/grype:latest"
+ }
+ ]
+ }
+ },
+ "true": [
+ "push"
+ ]
+ }
+ }
+ },
+ "jfrog-pipelines": {}
+ }
+ }
+ }
+ }
diff --git a/pkg/rulesConfig/tests/github/10-pass-8.json b/pkg/rulesConfig/tests/github/10-pass-8.json
new file mode 100644
index 0000000..80af3cf
--- /dev/null
+++ b/pkg/rulesConfig/tests/github/10-pass-8.json
@@ -0,0 +1,40 @@
+{
+ "allero-io": {
+ "ownerName": "allero-io",
+ "ownerType": "Organization",
+ "id": 98962497,
+ "repositories": {
+ "demo": {
+ "name": "demo",
+ "fullName": "allero-io/demo",
+ "id": 539394261,
+ "programmingLanguages": null,
+ "github-actions-workflows": {
+ "sca-scanner[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/sca-scanner.yml",
+ "filename": "sca-scanner.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "sca-job": {
+ "name": "sca-job",
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "name": "use sca example",
+ "run": "jfrog scan"
+ }
+ ]
+ }
+ },
+ "true": [
+ "push"
+ ]
+ }
+ }
+ },
+ "jfrog-pipelines": {}
+ }
+ }
+ }
+ }
diff --git a/pkg/rulesConfig/tests/github/10-pass-9.json b/pkg/rulesConfig/tests/github/10-pass-9.json
new file mode 100644
index 0000000..c56343b
--- /dev/null
+++ b/pkg/rulesConfig/tests/github/10-pass-9.json
@@ -0,0 +1,40 @@
+{
+ "allero-io": {
+ "ownerName": "allero-io",
+ "ownerType": "Organization",
+ "id": 98962497,
+ "repositories": {
+ "demo": {
+ "name": "demo",
+ "fullName": "allero-io/demo",
+ "id": 539394261,
+ "programmingLanguages": null,
+ "github-actions-workflows": {
+ "sca-scanner[ESCAPED_DOT]yml": {
+ "relativePath": ".github/workflows/sca-scanner.yml",
+ "filename": "sca-scanner.yml",
+ "origin": "github_actions",
+ "content": {
+ "jobs": {
+ "sca-job": {
+ "name": "sca-job",
+ "runs-on": "ubuntu-latest",
+ "steps": [
+ {
+ "name": "use sca example",
+ "run": "ws scan"
+ }
+ ]
+ }
+ },
+ "true": [
+ "push"
+ ]
+ }
+ }
+ },
+ "jfrog-pipelines": {}
+ }
+ }
+ }
+ }