From 6e1ec93fdf7d607d18faf9becd581fc1d5593bd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Proulx?= <76956526+fproulx-boostsecurity@users.noreply.github.com>
Date: Thu, 11 Apr 2024 15:58:19 -0400
Subject: [PATCH 01/11] Add GitHub Action and self-test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com>
---
 action.yml | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 action.yml

diff --git a/action.yml b/action.yml
new file mode 100644
index 00000000..835eca18
--- /dev/null
+++ b/action.yml
@@ -0,0 +1,48 @@
+name: poutine - GitHub Actions SAST
+description: |
+ BoostSecurity.io’s poutine detects vulnerabilities and misconfigurations in your GitHub Actions workflows.
+ Designed to streamline security analysis, poutine scans your repository’s CI/CD pipelines.
+ It offers insights to secure your software supply chain efficiently.
+inputs:
+ path:
+ description: 'Path to the local repository to analyze.'
+ required: true
+ default: '.'
+runs:
+ using: composite
+ steps:
+ - name: Download and Setup
+ id: setup
+ shell: bash
+ env:
+ PINNED_VERSION: v0.9.3
+ PINNED_ARCH: poutine_Linux_x86_64.tar.gz
+ PINNED_HASH: 938c36de89eea18d69c8d5605a64ef1573e682cfd02b61d4cc2de3b0663a63bc
+ run: |
+ # Create a temp dir for the tool and its results
+ POUTINE_TOOL_DIR=$(mktemp -d)
+ cd "${POUTINE_TOOL_DIR}"
+ echo "POUTINE_TOOL_DIR=${POUTINE_TOOL_DIR}" >> "${GITHUB_ENV}"
+
+ # Download tool archive and verify checksum
+ curl -sLO "https://github.com/boostsecurityio/poutine/releases/download/${PINNED_VERSION}/${PINNED_ARCH}"
+ echo "${PINNED_HASH} ${PINNED_ARCH}" | shasum -a 256 --check
+
+ # Decompress the tool
+ tar -xzf "${PINNED_ARCH}"
+
+ - name: Analyze the repository
+ id: analyze
+ shell: bash
+ run: |
+ POUTINE_SARIF_FILE="${POUTINE_TOOL_DIR}/results.sarif"
+ echo "POUTINE_SARIF_FILE=${POUTINE_SARIF_FILE}" >> "${GITHUB_ENV}"
+ "${POUTINE_TOOL_DIR}/poutine" -format sarif analyze_local "${TARGET_PATH}" > "${POUTINE_SARIF_FILE}"
+ env:
+ TARGET_PATH: ${{ inputs.path }}
+
+ - name: Upload SARIF Findings
+ id: upload
+ uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
+ with:
+ sarif_file: ${{ env.POUTINE_SARIF_FILE }}
From d683c7819e787998e8ba0c65de8841fabc87fcb5 Mon Sep 17 00:00:00 2001
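Review bot: The download in the setup step's `run` block uses `curl -sLO` without `--fail`, so an HTTP error response is saved to disk as the archive and the only diagnostic the user sees is the later shasum mismatch; `curl -sSfLO --retry 3 "https://github.com/boostsecurityio/poutine/releases/download/${PINNED_VERSION}/${PINNED_ARCH}"` fails on the HTTP status instead. The line piped into `shasum -a 256 --check` must use the checksum-file format (hash, two spaces or space-asterisk, filename); whitespace in this listing is collapsed so it may already be right, but a single-space separator is rejected as "no properly formatted checksum lines" rather than reported as a mismatch, which is worth verifying. With `shell: bash` the step runs with `-e -o pipefail`, so a failed check does abort before `tar`, which is the intended behaviour and deserves a comment. The pinned archive is Linux x86_64 only; `# Linux x86_64 only: archive name and hash are architecture-specific` next to `PINNED_ARCH` would explain the otherwise puzzling failure on other runners.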
From: =?UTF-8?q?Fran=C3=A7ois=20Proulx?= <76956526+fproulx-boostsecurity@users.noreply.github.com>
Date: Thu, 11 Apr 2024 15:58:53 -0400
Subject: [PATCH 02/11] Create pop.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com>
---
 .github/workflows/pop.yml | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 .github/workflows/pop.yml

diff --git a/.github/workflows/pop.yml b/.github/workflows/pop.yml
new file mode 100644
index 00000000..031abc70
--- /dev/null
+++ b/.github/workflows/pop.yml
@@ -0,0 +1,35 @@
+name: POP - poutine on poutine
+
+on:
+ push:
+ branches: [ main ]
+ paths:
+ - .github/workflows/**
+ - action.yml
+ pull_request:
+ branches: [ main ]
+ paths:
+ - .github/workflows/**
+ - action.yml
+
+permissions:
+ security-events: write
+ contents: read
+
+jobs:
+ pop:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ github.com:443
+ api.github.com:443
+ codeload.github.com:443
+ objects.githubusercontent.com:443
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+ - uses: ./
+ name: "Run poutine on poutine's own codebase"
+ id: self-test
From e38ea216f2d1a102692fb06af4d2ddc3bcffd33b Mon Sep 17 00:00:00 2001
From: Becojo
Date: Sun, 14 Apr 2024 21:19:22 -0400
Subject: [PATCH 03/11] Update action.yml

Signed-off-by: Becojo
---
 action.yml | 54 ++++++++++++++----------------------------------------
 1 file changed, 14 insertions(+), 40 deletions(-)

diff --git a/action.yml b/action.yml
index 835eca18..63a6e87e 100644
--- a/action.yml
+++ b/action.yml
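Review bot: The job asks for `security-events: write` while also triggering on `pull_request`; for pull requests opened from forks GitHub hands the job a read-only token, so the SARIF upload performed inside `./` (the upload-sarif step of action.yml at this point in the series) will fail on those runs even though the scan itself succeeded. If fork contributions are expected to pass this self-test, guard the upload with an `if:` condition restricted to same-repository events, or document that only same-repository pull requests upload findings. The four `allowed-endpoints` entries have no explanation either; a comment such as `# objects.githubusercontent.com: redirect target for the release-asset download in action.yml` records why a host that appears nowhere in this file is on the allow-list, which matters because the `block` policy below makes a missing host a hard failure.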
@@ -4,45 +4,19 @@ description: |
 Designed to streamline security analysis, poutine scans your repository’s CI/CD pipelines.
 It offers insights to secure your software supply chain efficiently.
 inputs:
- path:
- description: 'Path to the local repository to analyze.'
+ format:
+ description: 'Report format'
+ default: sarif
+ required: true
+ output:
+ description: 'Report file output'
+ default: results.sarif
+ required: true
- default: '.'
 runs:
- using: composite
- steps:
- - name: Download and Setup
- id: setup
- shell: bash
- env:
- PINNED_VERSION: v0.9.3
- PINNED_ARCH: poutine_Linux_x86_64.tar.gz
- PINNED_HASH: 938c36de89eea18d69c8d5605a64ef1573e682cfd02b61d4cc2de3b0663a63bc
- run: |
- # Create a temp dir for the tool and its results
- POUTINE_TOOL_DIR=$(mktemp -d)
- cd "${POUTINE_TOOL_DIR}"
- echo "POUTINE_TOOL_DIR=${POUTINE_TOOL_DIR}" >> "${GITHUB_ENV}"
-
- # Download tool archive and verify checksum
- curl -sLO "https://github.com/boostsecurityio/poutine/releases/download/${PINNED_VERSION}/${PINNED_ARCH}"
- echo "${PINNED_HASH} ${PINNED_ARCH}" | shasum -a 256 --check
-
- # Decompress the tool
- tar -xzf "${PINNED_ARCH}"
-
- - name: Analyze the repository
- id: analyze
- shell: bash
- run: |
- POUTINE_SARIF_FILE="${POUTINE_TOOL_DIR}/results.sarif"
- echo "POUTINE_SARIF_FILE=${POUTINE_SARIF_FILE}" >> "${GITHUB_ENV}"
- "${POUTINE_TOOL_DIR}/poutine" -format sarif analyze_local "${TARGET_PATH}" > "${POUTINE_SARIF_FILE}"
- env:
- TARGET_PATH: ${{ inputs.path }}
-
- - name: Upload SARIF Findings
- id: upload
- uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
- with:
- sarif_file: ${{ env.POUTINE_SARIF_FILE }}
+ using: docker
+ image: docker://ghcr.io/boostsecurityio/poutine:0.9.7@sha256:034326fac021cbedf8df99e90d993ec3553c7649395040bbb8bca05b601de35a
+ entrypoint: /bin/sh
+ args:
+ - -c
+ - |
+ poutine -format "$INPUT_FORMAT" analyze_local "$GITHUB_WORKSPACE" > "$INPUT_OUTPUT"
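Review bot: The `output` input is described only as 'Report file output', yet the redirect `> "$INPUT_OUTPUT"` in the new script resolves it against the container's working directory (by default the mounted workspace for a Docker action) and nothing keeps it inside the workspace; a description such as `Report file path, relative to the workspace; the calling workflow is responsible for uploading it` would document both the location and the fact that the composite version's upload-sarif step no longer exists. Declaring `required: true` alongside a `default` on both inputs is contradictory for the reader — `required: false` with the default states the actual contract. Passing the inputs to the script as `$INPUT_FORMAT` / `$INPUT_OUTPUT` environment variables rather than interpolating `${{ inputs.* }}` into the command is the right pattern and worth a one-line comment so it survives later edits.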
From ee5197eaa87ac0c8cf9fd9ca8210cb108b75e370 Mon Sep 17 00:00:00 2001
From: Becojo
Date: Sun, 14 Apr 2024 21:19:34 -0400
Subject: [PATCH 04/11] Update pop.yml

Signed-off-by: Becojo
---
 .github/workflows/pop.yml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/.github/workflows/pop.yml b/.github/workflows/pop.yml
index 031abc70..7bc95207 100644
--- a/.github/workflows/pop.yml
+++ b/.github/workflows/pop.yml
@@ -2,10 +2,6 @@ name: POP - poutine on poutine
 
 on:
 push:
- branches: [ main ]
- paths:
- - .github/workflows/**
- - action.yml
 pull_request:
 branches: [ main ]
 paths:
From 93db4f17b2955c9bd6ba4670c6109db83910ff8f Mon Sep 17 00:00:00 2001
From: Becojo
Date: Sun, 14 Apr 2024 21:21:15 -0400
Subject: [PATCH 05/11] Update pop.yml

Signed-off-by: Becojo
---
 .github/workflows/pop.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pop.yml b/.github/workflows/pop.yml
index 7bc95207..05fa9379 100644
--- a/.github/workflows/pop.yml
+++ b/.github/workflows/pop.yml
@@ -19,7 +19,7 @@ jobs:
 - uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
 with:
 disable-sudo: true
- egress-policy: block
+ egress-policy: audit
 allowed-endpoints: >
 github.com:443
 api.github.com:443
From e12e639fd06d8bd4a4c9e41a953b819455866647 Mon Sep 17 00:00:00 2001
From: Becojo
Date: Sun, 14 Apr 2024 21:32:12 -0400
Subject: [PATCH 06/11] dockerfile as root b/c github actions

---
 Dockerfile.action | 5 +++++
 action.yml | 4 +---
 2 files changed, 6 insertions(+), 3 deletions(-)
 create mode 100644 Dockerfile.action

diff --git a/Dockerfile.action b/Dockerfile.action
new file mode 100644
index 00000000..b39c4e5b
--- /dev/null
+++ b/Dockerfile.action
@@ -0,0 +1,5 @@
+FROM ghcr.io/boostsecurityio/poutine:0.9.7@sha256:034326fac021cbedf8df99e90d993ec3553c7649395040bbb8bca05b601de35a
+
+USER root
+
+ENTRYPOINT ["/bin/sh", "-c"]
diff --git a/action.yml b/action.yml
index 63a6e87e..1dfad7de 100644
--- a/action.yml
+++ b/action.yml
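Review bot: Changing `egress-policy` from `block` to `audit` turns the `allowed-endpoints` list directly below it into documentation only — harden-runner will log connections but no longer refuse any, which removes the egress guard this workflow was created with and the commit message gives no reason. If the motivation is that the action now pulls `ghcr.io/boostsecurityio/poutine` (the Dockerfile.action hunk that follows), the safer fix is to keep `block` and extend the list, e.g. add `ghcr.io:443` plus whatever blob host the pull is redirected to, which a single `audit` run will show in harden-runner's report. Whichever is chosen, a comment on the `egress-policy` line stating why `audit` is in effect keeps the next reader from assuming the allow-list is enforced.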
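Review bot: `USER root` discards whatever non-root user the base image runs as, and the only rationale is the commit title; a comment above it, e.g. `# GitHub mounts the workspace into the container; root is presumably needed to read the checkout and write the report there — confirm`, records the reason so it is not reverted as a hardening cleanup later. The `ENTRYPOINT ["/bin/sh", "-c"]` form means the `args` entry in action.yml is executed verbatim as the whole script body, so the two files must stay in sync; `# action.yml passes the script as the single argument to sh -c` next to it would make that coupling visible. Pinning the base image by tag and digest is the right call.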
@@ -14,9 +14,7 @@ inputs:
 required: true
 runs:
 using: docker
- image: docker://ghcr.io/boostsecurityio/poutine:0.9.7@sha256:034326fac021cbedf8df99e90d993ec3553c7649395040bbb8bca05b601de35a
- entrypoint: /bin/sh
+ image: Dockerfile.action
 args:
- - -c
 - |
 poutine -format "$INPUT_FORMAT" analyze_local "$GITHUB_WORKSPACE" > "$INPUT_OUTPUT"
From 0d8201cc123ad7e6e6c5bff57f2ab26fe23cc048 Mon Sep 17 00:00:00 2001
From: Becojo
Date: Sun, 14 Apr 2024 21:33:31 -0400
Subject: [PATCH 07/11] trust /src

---
 action.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/action.yml b/action.yml
index 1dfad7de..e07ef43c 100644
--- a/action.yml
+++ b/action.yml
@@ -17,4 +17,5 @@ runs:
 image: Dockerfile.action
 args:
 - |
+ git config --global --add safe.directory /src
 poutine -format "$INPUT_FORMAT" analyze_local "$GITHUB_WORKSPACE" > "$INPUT_OUTPUT"
From 46b10390e38e544562b8fff8b1287c43d3ce0d9e Mon Sep 17 00:00:00 2001
From: Becojo
Date: Sun, 14 Apr 2024 21:34:59 -0400
Subject: [PATCH 08/11] oupe

---
 action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/action.yml b/action.yml
index e07ef43c..9d7a7ad0 100644
--- a/action.yml
+++ b/action.yml
@@ -17,5 +17,5 @@ runs:
 image: Dockerfile.action
 args:
 - |
- git config --global --add safe.directory /src
+ git config --global --add safe.directory "$GITHUB_WORKSPACE"
 poutine -format "$INPUT_FORMAT" analyze_local "$GITHUB_WORKSPACE" > "$INPUT_OUTPUT"
From fd4e4f18587764dd0620ef4909a6bdd0fe834102 Mon Sep 17 00:00:00 2001
From: Becojo
Date: Sun, 14 Apr 2024 21:36:41 -0400
Subject: [PATCH 09/11] upload sarif

---
 .github/workflows/pop.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.github/workflows/pop.yml b/.github/workflows/pop.yml
index 05fa9379..d5fba569 100644
--- a/.github/workflows/pop.yml
+++ b/.github/workflows/pop.yml
@@ -2,6 +2,11 @@ name: POP - poutine on poutine
 
 on:
 push:
+ branches: [ main ]
+ paths:
+ - .github/workflows/**
+ - action.yml
+
 pull_request:
 branches: [ main ]
 paths:
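Review bot: After this change `args` holds only the block scalar, which works solely because Dockerfile.action's `ENTRYPOINT` now supplies `/bin/sh -c`; nothing in action.yml says so, and a reader who adds a second `args` entry will hand it to `sh -c` as `$0` rather than as another command. A comment such as `# Dockerfile.action's ENTRYPOINT is "/bin/sh -c": keep args to this single script string` above `args:` makes the dependency explicit. With `image: Dockerfile.action` the image is built on every run rather than pulled, which is fine for reproducibility given the digest-pinned `FROM`, but worth noting for run-time expectations.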
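Review bot: The added `git config --global --add safe.directory "$GITHUB_WORKSPACE"` carries no explanation; presumably it is required because the container runs as root (per Dockerfile.action) while the checkout is owned by the runner user, which makes git refuse the repository as having dubious ownership. A comment above the line, `# checkout is owned by a different uid than the container user; mark only the workspace as safe for git`, would record that and also why the scope is the workspace path rather than `*`, which is the right choice. Since the script runs under `sh -c` without `set -e`, a failure of this `git config` call would not stop `poutine` from running; that may be acceptable, but `set -e` as the first line makes the intent explicit.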
@@ -29,3 +34,6 @@ jobs:
 - uses: ./
 name: "Run poutine on poutine's own codebase"
 id: self-test
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v2
From 2df37ac1910215886cd334d45e5ed5e5e626a4e2 Mon Sep 17 00:00:00 2001
From: Becojo
Date: Sun, 14 Apr 2024 21:38:30 -0400
Subject: [PATCH 10/11] sarif_file

---
 .github/workflows/pop.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/pop.yml b/.github/workflows/pop.yml
index d5fba569..d9470cbe 100644
--- a/.github/workflows/pop.yml
+++ b/.github/workflows/pop.yml
@@ -37,3 +37,5 @@ jobs:
 
 - name: Upload SARIF file
 uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: results.sarif
From c7244cf9d705ba156ee577d881bc4b695f51a5a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Proulx?= <76956526+fproulx-boostsecurity@users.noreply.github.com>
Date: Sun, 14 Apr 2024 18:42:31 -0700
Subject: [PATCH 11/11] Update pop.yml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: François Proulx <76956526+fproulx-boostsecurity@users.noreply.github.com>
---
 .github/workflows/pop.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/pop.yml b/.github/workflows/pop.yml
index d9470cbe..73e02510 100644
--- a/.github/workflows/pop.yml
+++ b/.github/workflows/pop.yml
@@ -36,6 +36,6 @@ jobs:
 id: self-test
 
 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@4355270be187e1b672a7a1c7c7bae5afdc1ab94a # v3.24.10
 with:
 sarif_file: results.sarif
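Review bot: `sarif_file: results.sarif` works only because the `uses: ./` step above is invoked without an `output` input and action.yml's default happens to be `results.sarif`; passing `output: results.sarif` explicitly on that step (outside this hunk) removes the silent coupling between the two files. Because the workflow also runs on `pull_request` (trigger lines outside this hunk), this upload will fail for pull requests from forks, where the job's token cannot write `security-events`; either guard the step with an `if:` limited to same-repository events or state in a comment that fork PRs are expected to fail here. Pinning upload-sarif to a full commit SHA with the `# v3.24.10` comment matches the other `uses:` lines and is the right call.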