From 0e0061e776ea7609bec2180c860ff2b1fdcc08d1 Mon Sep 17 00:00:00 2001
From: Davide Cioccia
Date: Fri, 26 Apr 2024 17:40:28 +0200
Subject: [PATCH 1/6] added banner
---
dist/evaluators/repository/WebHooksChecks.js | 1 -
dist/index.js | 7 ++++++-
dist/main.js | 6 ++++++
src/evaluators/repository/WebHooksChecks.ts | 2 +-
src/main.ts | 8 ++++++++
5 files changed, 21 insertions(+), 3 deletions(-)
diff --git a/dist/evaluators/repository/WebHooksChecks.js b/dist/evaluators/repository/WebHooksChecks.js
index f877a2f..0a4f25d 100644
--- a/dist/evaluators/repository/WebHooksChecks.js
+++ b/dist/evaluators/repository/WebHooksChecks.js
@@ -12,7 +12,6 @@ class WebHooksChecks {
 // check whether the repository has self hosted runners enabled
 async checkWebHooks() {
 const webhooks = await (0, WebHooks_1.getWebHooks)(this.repository.owner, this.repository.name);
- console.log(webhooks);
 // for each webhook in webhooks extract the domain and check if it is in the allowed list in the policy, if not return false
 const allowedDomains = this.policy.webhooks.allowed_domains;
 const notAllowedDomains = [];
diff --git a/dist/index.js b/dist/index.js
index 6aba795..27f6992 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -48856,7 +48856,6 @@ class WebHooksChecks {
 // check whether the repository has self hosted runners enabled
 async checkWebHooks() {
 const webhooks = await (0, WebHooks_1.getWebHooks)(this.repository.owner, this.repository.name);
- console.log(webhooks);
 // for each webhook in webhooks extract the domain and check if it is in the allowed list in the policy, if not return false
 const allowedDomains = this.policy.webhooks.allowed_domains;
 const notAllowedDomains = [];
@@ -49506,6 +49505,12 @@ const Report_1 = __nccwpck_require__(9382);
 const policies_1 = __nccwpck_require__(7700);
 const core = __importStar(__nccwpck_require__(2186));
 const run = async () => {
+ console.log(`
+
+ GitArmor
+ by dcodx.com - version 1.0
+
+ `);
 try {
 const startTime = process.hrtime();
 const inputs = (0, Input_1.parseInputs)();
diff --git a/dist/main.js b/dist/main.js
index 987fde7..fe4ad09 100644
--- a/dist/main.js
+++ b/dist/main.js
@@ -32,6 +32,12 @@ const Report_1 = require("./reporting/Report");
 const policies_1 = require("./utils/policies");
 const core = __importStar(require("@actions/core"));
 const run = async () => {
+ console.log(`
+
+ GitArmor
+ by dcodx.com - version 1.0
+
+ `);
 try {
 const startTime = process.hrtime();
 const inputs = (0, Input_1.parseInputs)();
diff --git a/src/evaluators/repository/WebHooksChecks.ts b/src/evaluators/repository/WebHooksChecks.ts
index cc4daf0..9727c07 100644
--- a/src/evaluators/repository/WebHooksChecks.ts
+++ b/src/evaluators/repository/WebHooksChecks.ts
@@ -18,7 +18,7 @@ export class WebHooksChecks {
 this.repository.name,
 );
- console.log(webhooks);
+
 // for each webhook in webhooks extract the domain and check if it is in the allowed list in the policy, if not return false
 const allowedDomains = this.policy.webhooks.allowed_domains;
diff --git a/src/main.ts b/src/main.ts
index 270b4de..22ae6f4 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -10,6 +10,14 @@ import * as core from "@actions/core";
 import { summary } from "@actions/core/lib/summary";
 const run = async (): Promise => {
+
+ console.log(`
+
+ GitArmor
+ by dcodx.com - version 1.0
+
+ `);
+
 try {
 const startTime = process.hrtime();
 const inputs = parseInputs();
From 16acc450fb8d77812e69f24c9fd497c352905778 Mon Sep 17 00:00:00 2001
From: Stefan Petrushevski
Date: Fri, 26 Apr 2024 21:28:38 +0200
Subject: [PATCH 2/6] documentation fixes
---
.github/CONTRIBUTING.md | 2 +-
README.md | 4 +++-
2 files changed, 4 insertions(+), 2 deletions(-)
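Review bot: The banner added at the top of `run` in src/main.ts hard-codes `version 1.0` inside the template literal, so the printed version will drift from package.json at the next release; the same literal is duplicated in this commit's dist/index.js and dist/main.js hunks and survives into the last commit of the series, which only switches the call to `logger.info`. Reading the version from one place keeps them in step — for example `import { version } from "../package.json";` and `by dcodx.com - version ${version}` (this needs `resolveJsonModule` in tsconfig, which is not visible here, so the exact mechanism is up to the maintainers). Until then a one-line comment such as `// startup banner: version string must be bumped together with package.json` makes the coupling visible to whoever cuts the next release. The body of `run` continues past the end of the hunk.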
diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md
index da42f6f..0586d7b 100644
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
@@ -36,6 +36,6 @@ For any issues or suggestions for improvement, please create an issue on the pro
 ## 🤝 Code of Conduct
-This project adheres to a [Code of Conduct](.github/CODE_OF_CONDUCT.md). Participation in the GitArmor project means you agree to respect the code of conduct and treat all members of the community with kindness and respect. 💖
+This project adheres to a [Code of Conduct](CODE_OF_CONDUCT.md). Participation in the GitArmor project means you agree to respect the code of conduct and treat all members of the community with kindness and respect. 💖
 Thank you for your contribution and involvement in making this project better! 🙏
diff --git a/README.md b/README.md
index 1854b09..78f44c9 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@ # GitArmor
-gitarmor logo
+
+ gitarmor logo +
+ GitArmor is a handy tool that makes it easy to assess the secure setup of your developer platform.
From fac8a0b9bc41d87a15e22a33e444ddec71150413 Mon Sep 17 00:00:00 2001
From: Stefan Petrushevski
Date: Fri, 26 Apr 2024 21:38:59 +0200
Subject: [PATCH 3/6] addressing note CodeQL alerts
---
dist/github/Utils.js | 15 ---------------
dist/index.js | 1 -
dist/main.js | 1 -
src/evaluators/OrgPolicyEvaluator.ts | 1 -
.../organization/OrgCustomRolesChecks.ts | 1 -
src/evaluators/organization/OrgGHASChecks.ts | 1 -
src/evaluators/repository/ActionsChecks.ts | 2 --
src/evaluators/repository/WebHooksChecks.ts | 2 --
src/github/Actions.ts | 1 -
src/github/Issues.ts | 1 -
src/github/Repositories.ts | 5 ++---
src/github/Utils.ts | 1 -
src/main.ts | 5 +----
src/reporting/Report.ts | 3 +--
14 files changed, 4 insertions(+), 36 deletions(-)
delete mode 100644 dist/github/Utils.js
diff --git a/dist/github/Utils.js b/dist/github/Utils.js
deleted file mode 100644
index b5defcd..0000000
--- a/dist/github/Utils.js
+++ /dev/null
@@ -1,15 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.getRepoFile = void 0;
-const GitArmorKit_1 = require("./GitArmorKit");
-//Given a certain path in a repository, get the contents of the file
-const getRepoFile = async (owner, repo, path) => {
- const octokit = new GitArmorKit_1.GitArmorKit();
- const response = await octokit.rest.repos.getContent({
- owner: owner,
- repo: repo,
- path: path,
- });
- return response.data;
-};
-exports.getRepoFile = getRepoFile;
diff --git a/dist/index.js b/dist/index.js
index 27f6992..eb09e66 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -49519,7 +49519,6 @@ const run = async () => {
 let report = new Report_1.Report();
 report.addInput(inputs);
 report.addPolicy(policies);
- const policyEvaluator = null;
 // depending on which input.level is provided, run the appropriate checks
 if (inputs.level === "organization") {
 Logger_1.logger.info("Running org level checks");
diff --git a/dist/main.js b/dist/main.js
index fe4ad09..ffae7ad 100644
--- a/dist/main.js
+++ b/dist/main.js
@@ -46,7 +46,6 @@ const run = async () => {
 let report = new Report_1.Report();
 report.addInput(inputs);
 report.addPolicy(policies);
- const policyEvaluator = null;
 // depending on which input.level is provided, run the appropriate checks
 if (inputs.level === "organization") {
 Logger_1.logger.info("Running org level checks");
diff --git a/src/evaluators/OrgPolicyEvaluator.ts b/src/evaluators/OrgPolicyEvaluator.ts
index 546a50f..d8c50ec 100644
--- a/src/evaluators/OrgPolicyEvaluator.ts
+++ b/src/evaluators/OrgPolicyEvaluator.ts
@@ -4,7 +4,6 @@ import { OrgGHASChecks } from "./organization/OrgGHASChecks";
 import { OrgAuthenticationChecks } from "./organization/OrgAuthenticationChecks";
 import { OrgCustomRolesChecks } from "./organization/OrgCustomRolesChecks";
 import { getOrganization } from "../github/Organization";
-import { FilesExistChecks } from "./multipurpose/FilesExistChecks";
 import { PrivilegesChecks } from "./organization/PrivilegesChecks";
 export class OrgPolicyEvaluator {
diff --git a/src/evaluators/organization/OrgCustomRolesChecks.ts b/src/evaluators/organization/OrgCustomRolesChecks.ts
index 81aa3cc..9220d7a 100644
--- a/src/evaluators/organization/OrgCustomRolesChecks.ts
+++ b/src/evaluators/organization/OrgCustomRolesChecks.ts
@@ -1,6 +1,5 @@
 import { Organization, CheckResult } from "../../types/common/main";
 import { getCustomRolesForOrg } from "../../github/Organization";
-import { logger } from "../../utils/Logger";
 export class OrgCustomRolesChecks {
 private policy: any;
diff --git a/src/evaluators/organization/OrgGHASChecks.ts b/src/evaluators/organization/OrgGHASChecks.ts
index c7fa79d..89e269d 100644
--- a/src/evaluators/organization/OrgGHASChecks.ts
+++ b/src/evaluators/organization/OrgGHASChecks.ts
@@ -1,6 +1,5 @@
 import { Organization, CheckResult } from "../../types/common/main";
 import { getSecurityTeamsForOrg } from "../../github/Organization";
-import { logger } from "../../utils/Logger";
 export class OrgGHASChecks {
 private policy: any;
diff --git a/src/evaluators/repository/ActionsChecks.ts b/src/evaluators/repository/ActionsChecks.ts
index 92f996a..78b5d44 100644
--- a/src/evaluators/repository/ActionsChecks.ts
+++ b/src/evaluators/repository/ActionsChecks.ts
@@ -2,8 +2,6 @@ import { CheckResult, Repository } from "../../types/common/main";
 import {
 getRepoActionsPermissions,
 getRepoSelectedActions,
- getRepoWorkflows,
- getRepoWorkflowActions,
 } from "../../github/Actions";
 import { logger } from "../../utils/Logger";
diff --git a/src/evaluators/repository/WebHooksChecks.ts b/src/evaluators/repository/WebHooksChecks.ts
index 9727c07..6b84053 100644
--- a/src/evaluators/repository/WebHooksChecks.ts
+++ b/src/evaluators/repository/WebHooksChecks.ts
@@ -1,6 +1,5 @@
 import { CheckResult, Repository } from "../../types/common/main";
 import { getWebHooks, getWebHookConfig } from "../../github/WebHooks";
-import { logger } from "../../utils/Logger";
 export class WebHooksChecks {
 private policy: any;
@@ -18,7 +17,6 @@ export class WebHooksChecks {
 this.repository.name,
 );
-
 // for each webhook in webhooks extract the domain and check if it is in the allowed list in the policy, if not return false
 const allowedDomains = this.policy.webhooks.allowed_domains;
diff --git a/src/github/Actions.ts b/src/github/Actions.ts
index d4add4c..c7be3c0 100644
--- a/src/github/Actions.ts
+++ b/src/github/Actions.ts
@@ -1,7 +1,6 @@
 import { Endpoints } from "@octokit/types";
 import { GitArmorKit } from "./GitArmorKit";
 import { logger } from "../utils/Logger";
-import { getRepoFile } from "./Utils";
 //Get GitHub Actions permissions for a repository
 export const getRepoActionsPermissions = async (
diff --git a/src/github/Issues.ts b/src/github/Issues.ts
index c0d948d..b948a69 100644
--- a/src/github/Issues.ts
+++ b/src/github/Issues.ts
@@ -1,4 +1,3 @@
-import { Issue } from "../types/common/main";
 import { GitArmorKit } from "./GitArmorKit";
 // export class to Issues class
diff --git a/src/github/Repositories.ts b/src/github/Repositories.ts
index 8c8a6f4..af7194b 100644
--- a/src/github/Repositories.ts
+++ b/src/github/Repositories.ts
@@ -28,15 +28,14 @@ export const getRepository = async (
 repo: string,
 ): Promise => {
 const octokit = new GitArmorKit();
-
+
 const response: Endpoints["GET /repos/{owner}/{repo}"]["response"] =
 await octokit.rest.repos.get({
 owner: owner,
 repo: repo,
 });
-
- return response.data;
+ return response.data;
 };
 export const getRepoPullRequests = async (
diff --git a/src/github/Utils.ts b/src/github/Utils.ts
index e87e0be..3519a0f 100644
--- a/src/github/Utils.ts
+++ b/src/github/Utils.ts
@@ -1,6 +1,5 @@
 import { Endpoints } from "@octokit/types";
 import { GitArmorKit } from "./GitArmorKit";
-import { logger } from "../utils/Logger";
 //Given a certain path in a repository, get the contents of the file
 export const getRepoFile = async (
diff --git a/src/main.ts b/src/main.ts
index 22ae6f4..d33fd61 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -7,10 +7,8 @@ import { Report } from "./reporting/Report";
 import { RepoPolicy, OrgPolicy, Repository } from "./types/common/main";
 import { loadPolicy } from "./utils/policies";
 import * as core from "@actions/core";
-import { summary } from "@actions/core/lib/summary";
 const run = async (): Promise => {
- console.log(` GitArmor
@@ -27,7 +25,6 @@ const run = async (): Promise => {
 let report = new Report();
 report.addInput(inputs);
 report.addPolicy(policies);
- const policyEvaluator = null;
 // depending on which input.level is provided, run the appropriate checks
 if (inputs.level === "organization") {
 logger.info("Running org level checks");
@@ -72,7 +69,7 @@ const run = async (): Promise => {
 repository,
 policies.repo as RepoPolicy,
 );
-
+
 await policyEvaluator.evaluatePolicy();
 policyEvaluator.printCheckResults();
 report.addOneRepoEvaluator(policyEvaluator);
diff --git a/src/reporting/Report.ts b/src/reporting/Report.ts
index 19f34ff..a1c1408 100644
--- a/src/reporting/Report.ts
+++ b/src/reporting/Report.ts
@@ -1,9 +1,8 @@
-import { CheckResult, Policy, Inputs } from "../types/common/main";
+import { Policy, Inputs } from "../types/common/main";
 import { OrgPolicyEvaluator } from "../evaluators/OrgPolicyEvaluator";
 import { RepoPolicyEvaluator } from "../evaluators/RepoPolicyEvaluator";
 import { logger } from "./../utils/Logger";
 import fs from "fs";
-import { json } from "stream/consumers";
 export class Report {
 private orgEvaluators: Map;
From e1d462f596b8c9683a31d9c2255ed7a8e29ac571 Mon Sep 17 00:00:00 2001
From: Davide Cioccia
Date: Wed, 1 May 2024 10:20:13 +0200
Subject: [PATCH 4/6] changed CODEOWNER to david3107
---
.github/CODEOWNERS | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index f59d333..ee596c8 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1 @@
-* @theztefan @dcodx
\ No newline at end of file
+* @theztefan @david3107
\ No newline at end of file
From c96a31013107fb7bc68edffa03155406f823b687 Mon Sep 17 00:00:00 2001
From: Davide Cioccia
Date: Wed, 1 May 2024 10:43:45 +0200
Subject: [PATCH 5/6] not much
---
policies/organization.threats.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/policies/organization.threats.md b/policies/organization.threats.md
index 2b5847c..1962699 100644
--- a/policies/organization.threats.md
+++ b/policies/organization.threats.md
@@ -9,3 +9,4 @@ In this section we define the threats that could affect the organization securit
 An unauthorized actor could gain access to the organization repositories and exfiltrate sensitive data or inject malicious code.
+
From 85913b7ddcce7142bb0e7c4c6c23c59e6b2a9221 Mon Sep 17 00:00:00 2001
From: david3107
Date: Wed, 1 May 2024 11:32:49 +0200
Subject: [PATCH 6/6] removed duplicate codeql yml
---
.github/workflows/codeql.yml | 55 ------------------------------------
dist/index.js | 2 +-
dist/main.js | 2 +-
src/main.ts | 2 +-
4 files changed, 3 insertions(+), 58 deletions(-)
delete mode 100644 .github/workflows/codeql.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
deleted file mode 100644
index 6813845..0000000
--- a/.github/workflows/codeql.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-name: "CodeQL"
-
-on:
- push:
- branches: [ "main" ]
- paths-ignore:
- - '**/*.md'
- - '**/*.txt'
- - '**/*.yml'
- - '**/*.png'
- pull_request:
- branches: [ "main" ]
- paths-ignore:
- - '**/*.md'
- - '**/*.txt'
- - '**/*.yml'
- - '**/*.png'
- schedule:
- - cron: '29 3 * * 6'
-
-jobs:
- analyze:
- name: Analyze (${{ matrix.language }})
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
- timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
- permissions:
- security-events: write
- packages: read
- actions: read
- contents: read
-
- strategy:
- fail-fast: false
- matrix:
- include:
- - language: javascript-typescript
- build-mode: none
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: ${{ matrix.language }}
- build-mode: ${{ matrix.build-mode }}
- queries: "security-extended"
- paths: "src"
- paths-ignore: "**/*.test.ts"
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
- with:
- category: "/language:${{matrix.language}}"
-
diff --git a/dist/index.js b/dist/index.js
index eb09e66..2ceef20 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -49505,7 +49505,7 @@ const Report_1 = __nccwpck_require__(9382);
 const policies_1 = __nccwpck_require__(7700);
 const core = __importStar(__nccwpck_require__(2186));
 const run = async () => {
- console.log(`
+ Logger_1.logger.info(`
 GitArmor
 by dcodx.com - version 1.0
diff --git a/dist/main.js b/dist/main.js
index ffae7ad..d2d4db5 100644
--- a/dist/main.js
+++ b/dist/main.js
@@ -32,7 +32,7 @@ const Report_1 = require("./reporting/Report");
 const policies_1 = require("./utils/policies");
 const core = __importStar(require("@actions/core"));
 const run = async () => {
- console.log(`
+ Logger_1.logger.info(`
 GitArmor
 by dcodx.com - version 1.0
diff --git a/src/main.ts b/src/main.ts
index d33fd61..b525f51 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -9,7 +9,7 @@ import { loadPolicy } from "./utils/policies";
 import * as core from "@actions/core";
 const run = async (): Promise => {
- console.log(`
+ logger.info(`
 GitArmor
 by dcodx.com - version 1.0