From 67872220753738e560cb6f2296adbb4d44335b41 Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Tue, 21 Jun 2022 13:09:26 -0500 Subject: [PATCH 1/2] adding ShiftLeft action workflow config --- .github/workflows/shiftleft.yml | 63 +++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 .github/workflows/shiftleft.yml diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 0000000..6f51c7c --- /dev/null +++ b/.github/workflows/shiftleft.yml @@ -0,0 +1,63 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: | + pip install --upgrade setuptools wheel + pip install -r requirements.txt + ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app flask-webgoat --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --python $(pwd) + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + if: + ${{ hashFiles('requirements.txt') != '' }} + - name: Legacy Static Analysis + run: | + echo "Please update your `shiftleft-python-demo` fork!" + ${GITHUB_WORKSPACE}/sl analyze --strict --wait --no-cpg --app flask-webgoat --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --python $(pwd) + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + if: + ${{ hashFiles('requirements.txt') == '' }} + + ## Uncomment the following section to enable build rule checking and enforcing. + #Build-Rules: + #runs-on: ubuntu-latest + #needs: NextGen-Static-Analysis + #steps: + #- uses: actions/checkout@v2 + #- name: Download ShiftLeft CLI + # run: | + # curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + #- name: Validate Build Rules + # run: | + # ${GITHUB_WORKSPACE}/sl check-analysis --app flask-webgoat \ + # --source 'tag.branch=${{ github.event.pull_request.base.ref }}' \ + # --target "tag.branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ + # --report \ + # --github-pr-number=${{github.event.number}} \ + # --github-pr-user=${{ github.repository_owner }} \ + # --github-pr-repo=${{ github.event.repository.name }} \ + # --github-token=${{ secrets.GITHUB_TOKEN }} + # env: + #SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + \ No newline at end of file From ffe5751cd666a209c3bbd8090ddc5e1094648e2c Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Tue, 21 Jun 2022 13:09:27 -0500 Subject: [PATCH 2/2] adding ShiftLeft action workflow config --- shiftleft.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/shiftleft.yml b/shiftleft.yml index 64a27f8..220d4ba 100644 --- a/shiftleft.yml +++ b/shiftleft.yml @@ -1,12 +1,12 @@ build_rules: - - id: no-findings-allowed-rule + - id: allow-zero-findings finding_types: - vuln - secret - insight - - extscan + - "*" severity: - SEVERITY_MEDIUM_IMPACT - SEVERITY_HIGH_IMPACT - SEVERITY_LOW_IMPACT - threshold: 0 + threshold: 0 \ No newline at end of file