From 88d82a6f95069b1cc63a9580adfcb78f412cece5 Mon Sep 17 00:00:00 2001
From: "Emmanuel.Knafo"
Date: Sun, 26 May 2024 23:17:33 -0400
Subject: [PATCH 1/2] uncommented 3 actions
---
 .../oss_pygoat-devsecops-advanced.yml | 48 +++++++++----------
 1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/oss_pygoat-devsecops-advanced.yml b/.github/workflows/oss_pygoat-devsecops-advanced.yml
index 1cf050b..db26b96 100644
--- a/.github/workflows/oss_pygoat-devsecops-advanced.yml
+++ b/.github/workflows/oss_pygoat-devsecops-advanced.yml
@@ -204,30 +204,30 @@ jobs:
 steps:
 - name: checkout
 uses: actions/checkout@v4.1.0
- # - name: Gitleaks
- # continue-on-error: true
- # # You may pin to the exact commit or the version.
- # # uses: gitleaks/gitleaks-action@e6dab246340401bf53eec993b8f05aebe80ac636
- # uses: gitleaks/gitleaks-action@v2.3.4
- # env:
- # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- # #GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} # Only required for Organizations, not personal accounts.
- # - name: Depcheck
- # uses: dependency-check/Dependency-Check_Action@main
- # id: Depcheck
- # with:
- # project: 'test'
- # path: '.'
- # format: 'HTML'
- # out: 'reports' # this is the default, no need to specify unless you wish to override it
- # args: >
- # --failOnCVSS 7
- # --enableRetired
- # - name: Upload Test results
- # uses: actions/upload-artifact@master
- # with:
- # name: Depcheck report
- # path: ${{github.workspace}}/reports
+ - name: Gitleaks
+ continue-on-error: true
+ # You may pin to the exact commit or the version.
+ # uses: gitleaks/gitleaks-action@e6dab246340401bf53eec993b8f05aebe80ac636
+ uses: gitleaks/gitleaks-action@v2.3.4
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ #GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} # Only required for Organizations, not personal accounts.
+ - name: Depcheck
+ uses: dependency-check/Dependency-Check_Action@main
+ id: Depcheck
+ with:
+ project: 'test'
+ path: '.'
+ format: 'HTML'
+ out: 'reports' # this is the default, no need to specify unless you wish to override it
+ args: >
+ --failOnCVSS 7
+ --enableRetired
+ - name: Upload Test results
+ uses: actions/upload-artifact@master
+ with:
+ name: Depcheck report
+ path: ${{github.workspace}}/reports
 test-run_devopsshield_scan_linux:
 name: Run DevOps Shield Scan Linux
 needs:
From ba117e481cec9c4b0d5225ba1d0a0d4bd5d27c16 Mon Sep 17 00:00:00 2001
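Review bot: The re-enabled `Upload Test results` step runs only when the preceding steps succeed, so on the very run where Depcheck fails the job through `--failOnCVSS 7` the HTML report that explains the failure is never uploaded; add `if: always()` to that step so the report is captured on both outcomes. Separately, `dependency-check/Dependency-Check_Action@main` and `actions/upload-artifact@master` reference mutable branches, meaning the job executes whatever those branches contain at run time; pin them to a release tag or, better, a full commit SHA as the comment above the Gitleaks step already recommends. Note also that `continue-on-error: true` on the Gitleaks step means a detected secret never fails the job, which deserves a comment such as `# continue-on-error keeps the job green on findings; remove it to make leaks block the pipeline` so the trade-off is explicit. The enclosing job definition starts before this hunk.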
From: "Emmanuel.Knafo"
Date: Sun, 26 May 2024 23:39:42 -0400
Subject: [PATCH 2/2] added lab 5
---
 labs/lab05.md | 9 +-
 labs/lab06.md | 50 ----------
 labs/lab07.md | 230 --------------------------------------------------
 labs/setup.md | 6 +-
 4 files changed, 8 insertions(+), 287 deletions(-)
 delete mode 100644 labs/lab06.md
 delete mode 100644 labs/lab07.md
diff --git a/labs/lab05.md b/labs/lab05.md
index 246fe1d..edd0deb 100644
--- a/labs/lab05.md
+++ b/labs/lab05.md
@@ -1,4 +1,4 @@
-# 5 - Custom actions
+# 5 - Holistic Compliance View with DevOps Shield UI
 In this lab you will create and use custom actions.
 > Duration: 15-20 minutes
@@ -9,9 +9,12 @@ References:
 - [GitHub Actions Toolkit](https://github.com/actions/toolkit)
 - [actions/github-script](https://github.com/actions/github-script)
-## 5.1 Use the github-script action to apply a label to an issue
+## 5.1 Run the Docker Container of DevOps Shield
-1. Open the workflow file [github-script.yml](/.github/workflows/github-script.yml)
+1. As per [DevOps Shield on DockerHub](https://hub.docker.com/r/devopsshield/devopsshield)
+```
+docker run -d -p 8080:8080 devopsshield/devopsshield
+```
 2. Edit the file and copy the following YAML content at the end of the file:
 ```YAML
 apply-label:
diff --git a/labs/lab06.md b/labs/lab06.md
deleted file mode 100644
index b81baea..0000000
--- a/labs/lab06.md
+++ /dev/null
@@ -1,50 +0,0 @@ -# 6 - Self-hosted runners -In this lab you will create and use your self-hosted runners. -> Duration: 10-15 minutes - -References: -- [Adding self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/adding-self-hosted-runners) -- [Using self-hosted runners in a workflow](https://docs.github.com/en/actions/hosting-your-own-runners/using-self-hosted-runners-in-a-workflow) - -## (Optional) 6.1 Add a self-hosted runner -> Prerequisites: Access to a Cloud platform to create a runner machine - -1. If you have access to an Azure subscription, follow the guide to create a Linux virtual machine - - [Create a Linux virtual machine](https://docs.microsoft.com/en-us/learn/modules/host-build-agent/4-create-build-agent) -2. Create a new private repository `my-private-repo` - - [Creating a new repository](https://docs.github.com/en/repositories/creating-and-managing-repositories/creating-a-new-repository) -3. Follow the guide to install the agent on the runner - - [Adding a self-hosted runner to a repository](https://docs.github.com/en/actions/hosting-your-own-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository) -4. Follow the guide to use the self-hosted runner in a workflow - - [Using self-hosted runners in a workflow](https://docs.github.com/en/actions/hosting-your-own-runners/using-self-hosted-runners-in-a-workflow) -5. Create a new workflow `.github/workflows/self-hosted-runners.yml` in your private repository and run the workflow on the self-hosted runner -```YAML -name: Self-Hosted Runners Hello - -on: - workflow_dispatch: - inputs: - name: - description: 'What is your name?' - required: true - default: 'World' - -jobs: - say_hello_linux: - name: Say Hello from Linux Self-Hosted Runner - runs-on: [self-hosted, linux, x64, self-hosted-linux] - steps: - - name: Say hello from self-hosted linux runner - run: | - echo "Hello ${{ github.event.inputs.name }}, from self-hosted linux runner!" 
- - say_hello_windows: - name: Say Hello from Windows Self-Hosted Runner - runs-on: [self-hosted, windows, x64, self-hosted-windows] - needs: say_hello_linux - steps: - - name: Say hello from self-hosted windows runner - run: | - echo "Hello ${{ github.event.inputs.name }}, from self-hosted windows runner!" -``` -6. Clean up your runner resources if not needed \ No newline at end of file diff --git a/labs/lab07.md b/labs/lab07.md deleted file mode 100644 index 44ea79c..0000000 --- a/labs/lab07.md +++ /dev/null 
@@ -1,230 +0,0 @@ -# 7 - CI/CD -In this lab you will use CI/CD workflows. -> Duration: 15-20 minutes - -References: -- [About continuous integration](https://docs.github.com/en/actions/automating-builds-and-tests/about-continuous-integration) -- [Using a build matrix for your jobs](https://docs.github.com/en/actions/using-jobs/using-a-build-matrix-for-your-jobs) -- [Storing workflow data as artifacts](https://docs.github.com/en/actions/using-workflows/storing-workflow-data-as-artifacts) -- [About continuous deployment](https://docs.github.com/en/actions/deployment/about-deployments/about-continuous-deployment) -- [Using concurrency](https://docs.github.com/en/actions/using-jobs/using-concurrency) - -## 7.1 Update the CI workflow - -1. Open the workflow file [ci-workflow.yml](/.github/workflows/ci-workflow.yml) -2. Edit the file and copy the following YAML content to replace the `strategy` of the `ci` job: -```YAML - strategy: - # Cancel all matrix jobs if one of them fails - fail-fast: true - matrix: - # our matrix for testing across node versions and OSs - node-version: [12, 14, 16] - os: [macos-latest, windows-latest, ubuntu-latest] -``` -3. In the `ci` job, before the `deploy-test` job, copy the following YAML content to use the `upload-artifact` action: -```YAML - - shell: bash - run: | - echo 'Test upload artifact' > output.log - - name: Upload output file - uses: actions/upload-artifact@v4 - with: - name: output-log-file - path: output.log -``` -4. In the `deploy-test` job, after the `checkout` action, copyt the following YAML content to use the `download-artifact` action -```YAML - - name: Download a single artifact - uses: actions/download-artifact@v4 - with: - name: output-log-file -``` -5. Commit the changes into a new `feature/lab07` branch -6. Open a new pull request from `Pull requests` -> Make sure it is your repository pull request to not propose changes to the upstream repository. From the drop-down list choose the base repository to be yours. -7. 
Once PR opened, go to `Actions` and see the details of your running workflow -8. Once all checks have passed, click on the button `Merge pull request` to complete the PR -9. Go to `Actions` and see the details of your running workflow - -## 7.2 Update the CD workflow - -1. Open the workflow file [cd-workflow.yml](/.github/workflows/cd-workflow.yml) -2. Edit the file and copy the following YAML content before the `Deploy to production` step: -```YAML - - name: Download artifact from build job - uses: actions/download-artifact@v4 - with: - name: node-app -``` -3. Update the workflow to run on push events -```YAML -on: - push: - branches: [main] -``` -4. Commit the changes into the `main` branch -5. Go to `Actions` and see the details of your running workflow - -## 7.3 Final -
- ci-workflow.yml - -```YAML -name: 07-1. CI Workflow - -# Trigger CI for every PR event, when PR has target branch = main -on: - push: - branches: [main] - pull_request: - branches: [main] - -jobs: - # The first job lints the code base - lint: - uses: githubabcs/gh-abcs-actions/.github/workflows/super-linter.yml@main - - # CI job to run a test suite on the code base - ci: - name: CI - # We want to test across mutiple OSs, defined by our matrix - runs-on: ${{ matrix.os }} - needs: lint - strategy: - # Cancel all matrix jobs if one of them fails - fail-fast: true - matrix: - # our matrix for testing across node versions and OSs - node-version: [12, 14, 16] - os: [macos-latest, windows-latest, ubuntu-latest] - - steps: - - name: Checkout - uses: actions/checkout@v4 - - # Configure our node environment according to matrix - - name: Setup node ${{ matrix.node-version }} on ${{ matrix.os }} - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node-version }} - - - name: Run test suite - run: | - echo npm ci - echo npm run build --if-present - echo npm test - - # Add here the upload-artifact action - - shell: bash - run: | - echo 'Test upload artifact' > output.log - - name: Upload output file - uses: actions/upload-artifact@v4 - with: - name: output-log-file - path: output.log - - # If both linting and CI succeeds we want to deploy the code to a test environment - deploy-test: - name: Deploy to test env - runs-on: ubuntu-latest - needs: ci - environment: - name: TEST - url: https://test.company.com - steps: - - name: Checkout - uses: actions/checkout@v4 - - # Add here the download-artifact step - - name: Download a single artifact - uses: actions/download-artifact@v4 - with: - name: output-log-file - - # Placeholder - this step would be some action or run commands that deploys the code - - name: Deploy to test env - if: ${{ success() }} - run: | - echo "Deploying to test environment" - -``` -
- -
- cd-workflow.yml - -```YAML -name: 07-2. CD Workflow - -on: - push: - branches: [main] - -env: - AZURE_WEBAPP_NAME: your-app-name # set this to your application's name - AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root - NODE_VERSION: '14.x' # set this to the node version to use - -# We only want to allow one deploy-to-prod workflow running at any point in time -concurrency: - group: cd-${{ github.ref }} - cancel-in-progress: true - -jobs: - build: - name: Build - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - - name: Set up Node.js - uses: actions/setup-node@v4 - with: - node-version: ${{ env.NODE_VERSION }} - - - name: npm install, build, and test - run: | - echo npm install - echo npm run build --if-present - echo npm run test --if-present - - - name: Upload artifact for deployment job - uses: actions/upload-artifact@v4 - with: - name: node-app - path: . - - deploy: - name: Deploy - runs-on: ubuntu-latest - needs: build - - environment: - name: PROD - url: ${{ steps.deploy-to-webapp.outputs.webapp-url }} - - steps: - - # Add here the download-artifact step - - name: Download artifact from build job - uses: actions/download-artifact@v4 - with: - name: node-app - - - name: Deploy to Prod - if: ${{ success() }} - run: echo "Specific deploy steps..." - - - name: 'Deploy to Azure WebApp' - id: deploy-to-webapp - uses: azure/webapps-deploy@v3 - continue-on-error: true - with: - app-name: ${{ env.AZURE_WEBAPP_NAME }} - publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} - package: ${{ env.AZURE_WEBAPP_PACKAGE_PATH }} - -``` -
\ No newline at end of file
diff --git a/labs/setup.md b/labs/setup.md
index 7723391..fbcb714 100644
--- a/labs/setup.md
+++ b/labs/setup.md
@@ -24,9 +24,7 @@ References:
 - [ ] Module 1: Introduction to Defect Dojo
 - [ ] Module 2: Explore Your Kubernetes Cluster
 - [ ] Module 3: Running the Basic and Advanced DevSecOps Pipelines
-- [ ] Module 4: Workflow Templates
-- [ ] Module 5: Custom actions
-- [ ] Module 6: Self-hosted runners
-- [ ] Module 7: CI/CD
+- [ ] Module 4: Adding Additional DevSecOps Controls
+- [ ] Module 5: Holistic Compliance View with DevOps Shield UI
 ```
 7. Fetch upstream to get the latest changes from the upstream repository