From 6d3bf0048cc38319528a4202797f2242f73bc45c Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Thu, 7 Dec 2023 18:36:41 +0800 Subject: [PATCH 1/2] adding ShiftLeft action workflow config --- .github/workflows/shiftleft.yml | 59 +++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 .github/workflows/shiftleft.yml diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 00000000000..299dc6fa99c --- /dev/null +++ b/.github/workflows/shiftleft.yml @@ -0,0 +1,59 @@ + +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 8 + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app vue --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --js --cpg . + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + + ## Uncomment the following section to enable build rule checking and enforcing. + #Build-Rules: + #runs-on: ubuntu-latest + #needs: NextGen-Static-Analysis + #steps: + #- uses: actions/checkout@v3 + #- name: Download ShiftLeft CLI + # run: | + # curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + #- name: Validate Build Rules + # run: | + # ${GITHUB_WORKSPACE}/sl check-analysis --app vue \ + # --branch '${{ github.event.pull_request.base.ref }}' \ + # --target 'tag.branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}' \ + # --github-pr-number=${{github.event.number}} \ + # --github-pr-user=${{ github.repository_owner }} \ + # --github-pr-repo=${{ github.event.repository.name }} \ + # --github-token=${{ secrets.GITHUB_TOKEN }} + # env: + #SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + #SHIFTLEFT_API_HOST: www.shiftleft.io + #SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + #SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 \ No newline at end of file From ee1d6c57a5cf9e32f9a0c8feaf81b83fe57919c2 Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Thu, 7 Dec 2023 18:36:41 +0800 Subject: [PATCH 2/2] adding Qwiet preZero Static Analysis action workflow config --- shiftleft.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 shiftleft.yml diff --git a/shiftleft.yml b/shiftleft.yml new file mode 100644 index 00000000000..820144af298 --- /dev/null +++ b/shiftleft.yml @@ -0,0 +1,15 @@ +version: 2 +build_rules: + - id: Allow no critical findings + severities: + - critical + - id: Allow one OSS or container finding + finding_types: + - oss_vuln + - container + threshold: 1 + - id: Allow no reachable OSS vulnerability + finding_types: + - oss_vuln + options: + reachable: true