From f4feb7e478c1994a0493bcf246601a772ee6032d Mon Sep 17 00:00:00 2001
From: e6-qwiet
Date: Fri, 6 Dec 2024 16:27:07 -0600
Subject: [PATCH 1/7] Create settings.json
---
 .vscode/settings.json | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .vscode/settings.json
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 00000000..235d96a6
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "shiftleft-core.slHomePath": "/Users/rootman/.shiftleft"
+}
\ No newline at end of file
From b353c0b01aa49c30d438c29b13c31d89597ec3c8 Mon Sep 17 00:00:00 2001
From: Eric Six
Date: Fri, 13 Dec 2024 08:31:27 -0800
Subject: [PATCH 2/7] Create qwiet-prezero-workflow.yml
---
 .github/workflows/qwiet-prezero-workflow.yml | 35 ++++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 .github/workflows/qwiet-prezero-workflow.yml
diff --git a/.github/workflows/qwiet-prezero-workflow.yml b/.github/workflows/qwiet-prezero-workflow.yml
new file mode 100644
index 00000000..fa6387dc
--- /dev/null
+++ b/.github/workflows/qwiet-prezero-workflow.yml
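Review bot: The committed `.vscode/settings.json` hard-codes a machine-local home directory, `/Users/rootman/.shiftleft`, so every other contributor's editor is pointed at a path that does not exist on their machine, and the value publishes a local account name in the repository. Editor state like this belongs in user-level settings or under an ignore rule; note that the `.vscode/` entry added to `.gitignore` later in this series (patch 7) will not untrack a file that is already committed. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.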
@@ -0,0 +1,35 @@
+# This workflow integrates Qwiet preZero with GitHub
+# Visit https://docs.shiftleft.io for help
+name: Qwiet
+
+on:
+ pull_request:
+ workflow_dispatch:
+ push:
+ # We recommend triggering a scan when merging to your default branch
+ # as a best practice, especially if you'd like to compare the results
+ # of two scans (e.g., a feature branch against the default branch)
+ branches:
+ - main
+ - master
+
+jobs:
+ ngsast-build:
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Download the Qwiet CLI and set permissions
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+
+ # Qwiet requires Java 1.8
+ - name: Set up Java
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 1.8
+
+ - name: NextGen Static Analysis
+ run: ${GITHUB_WORKSPACE}/sl analyze --app shiftleft-python-demo-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --python .
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
From bf4625b43e41f21e0f540245429d0a1e4c81f937 Mon Sep 17 00:00:00 2001
From: Eric Six
Date: Fri, 13 Dec 2024 08:45:43 -0800
Subject: [PATCH 3/7] Update qwiet-prezero-workflow.yml
---
 .github/workflows/qwiet-prezero-workflow.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/qwiet-prezero-workflow.yml b/.github/workflows/qwiet-prezero-workflow.yml
index fa6387dc..02d611de 100644
--- a/.github/workflows/qwiet-prezero-workflow.yml
+++ b/.github/workflows/qwiet-prezero-workflow.yml
@@ -1,4 +1,5 @@
 # This workflow integrates Qwiet preZero with GitHub
+# ....
 # Visit https://docs.shiftleft.io for help name: Qwiet
From cc1a337f711bdf839c627c9d4348193789cfb6c0 Mon Sep 17 00:00:00 2001
From: Eric Six
Date: Fri, 13 Dec 2024 08:57:18 -0800
Subject: [PATCH 4/7] Update qwiet-prezero-workflow.yml
---
 .github/workflows/qwiet-prezero-workflow.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
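Review bot: The analysis step's tag expression falls back to `steps.extract_branch.outputs.branch`, but no step with `id: extract_branch` exists in this workflow, so on `push` and `workflow_dispatch` runs (where `github.head_ref` is empty) the tag is sent as `branch=`; either add the step that sets that output or use `github.ref_name` as the fallback. The download step fetches an executable with a bare `curl` and no `-f`, so an HTTP error body would be saved as `sl`, marked executable and then run with `SHIFTLEFT_ACCESS_TOKEN` in its environment; at minimum use `curl -fsSL https://cdn.shiftleft.io/download/sl -o "${GITHUB_WORKSPACE}/sl"` and, if the vendor publishes a checksum or signature for the binary, verify it before the `chmod`. `actions/checkout@v2` and `actions/setup-java@v1.4.3` are mutable tags on old majors; pinning each to a full commit SHA (with the tag in a trailing comment) keeps the workflow's dependencies reproducible. `java-version: 1.8` is also an unquoted float and reads better as `"1.8"`.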
diff --git a/.github/workflows/qwiet-prezero-workflow.yml b/.github/workflows/qwiet-prezero-workflow.yml
index 02d611de..d0a304e5 100644
--- a/.github/workflows/qwiet-prezero-workflow.yml
+++ b/.github/workflows/qwiet-prezero-workflow.yml
@@ -31,6 +31,6 @@ jobs:
 java-version: 1.8 - name: NextGen Static Analysis
- run: ${GITHUB_WORKSPACE}/sl analyze --app shiftleft-python-demo-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --python .
+ run: ${GITHUB_WORKSPACE}/sl analyze --app shiftleft-python-demo-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} .
 env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
From fb3369aa405fa747aa4263bc9cf3310ae9f30854 Mon Sep 17 00:00:00 2001
From: e6-qwiet
Date: Fri, 20 Dec 2024 11:05:42 -0600
Subject: [PATCH 5/7] Update qwiet-prezero-workflow.yml
---
 .github/workflows/qwiet-prezero-workflow.yml | 47 +++++++++++++-------
 1 file changed, 30 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/qwiet-prezero-workflow.yml b/.github/workflows/qwiet-prezero-workflow.yml
index fa6387dc..4ead7943 100644
--- a/.github/workflows/qwiet-prezero-workflow.yml
+++ b/.github/workflows/qwiet-prezero-workflow.yml
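Review bot: The hunk drops `--python` from the `sl analyze` command but keeps the trailing `.` and the commit message gives no reason; whether the CLI can still determine the language on its own is not visible here, so either restore `--python .` or add a comment above the step recording why the language flag was removed and what the CLI is expected to do without it. The `steps.extract_branch.outputs.branch` fallback on the same line still refers to a step id that this workflow does not define (the step only appears in patch 5), so the tag is empty on non-PR runs until then.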
@@ -1,35 +1,48 @@
+<<<<<<< Updated upstream
 # This workflow integrates Qwiet preZero with GitHub # Visit https://docs.shiftleft.io for help name: Qwiet
+=======
+# This workflow integrates Qwiet preZero
+name: QwietAFPRnBR
+>>>>>>> Stashed changes
 on: pull_request: workflow_dispatch:
- push:
- # We recommend triggering a scan when merging to your default branch
- # as a best practice, especially if you'd like to compare the results
- # of two scans (e.g., a feature branch against the default branch)
- branches:
- - main
- - master
-
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 11 * * 6' jobs:
- ngsast-build:
- runs-on: ubuntu-20.04
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-latest steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v3
+
+ - name: Setup Java JDK v8
+ uses: actions/setup-java@v3
+ with:
+ distribution: zulu
+ java-version: 8
- - name: Download the Qwiet CLI and set permissions
+ - name: Download Qwiet CLI run: | curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
- # Qwiet requires Java 1.8
- - name: Set up Java
- uses: actions/setup-java@v1.4.3
- with:
- java-version: 1.8
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+<<<<<<< Updated upstream
 - name: NextGen Static Analysis run: ${GITHUB_WORKSPACE}/sl analyze --app shiftleft-python-demo-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --python .
+=======
+ - name: preZero NextGen Static Analysis
+ run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}
+>>>>>>> Stashed changes
 env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+ SHIFTLEFT_API_HOST: www.shiftleft.io
+ SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+ SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
From 5cfff5322b0141092b877b78ff70c7cdca111c2e Mon Sep 17 00:00:00 2001
From: Eric Six
Date: Fri, 20 Dec 2024 11:09:02 -0600
Subject: [PATCH 6/7] Update qwiet-prezero-workflow.yml
---
 .github/workflows/qwiet-prezero-workflow.yml | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/.github/workflows/qwiet-prezero-workflow.yml b/.github/workflows/qwiet-prezero-workflow.yml
index 4ead7943..a186db04 100644
--- a/.github/workflows/qwiet-prezero-workflow.yml
+++ b/.github/workflows/qwiet-prezero-workflow.yml
@@ -1,11 +1,6 @@
-<<<<<<< Updated upstream
 # This workflow integrates Qwiet preZero with GitHub # Visit https://docs.shiftleft.io for help name: Qwiet
-=======
-# This workflow integrates Qwiet preZero
-name: QwietAFPRnBR
->>>>>>> Stashed changes
 on: pull_request:
@@ -34,13 +29,9 @@ jobs:
 run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" id: extract_branch
-<<<<<<< Updated upstream
- - name: NextGen Static Analysis
- run: ${GITHUB_WORKSPACE}/sl analyze --app shiftleft-python-demo-GH --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --python .
-=======
 - name: preZero NextGen Static Analysis run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}
->>>>>>> Stashed changes
+
 env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} SHIFTLEFT_API_HOST: www.shiftleft.io
From 11dbe33fa1c902aec00c48dd1d2aba42e9b99f07 Mon Sep 17 00:00:00 2001
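Review bot: This commit adds the merge-conflict markers `<<<<<<< Updated upstream`, `=======` and `>>>>>>> Stashed changes` to the workflow as file content, which leaves it unparsable (the `name:` key appears twice and the marker lines are not valid YAML) until patch 6 strips them; the resolved text should have been committed here. The `index fa6387dc..4ead7943` header also shows the patch was produced against the blob from patch 2 rather than the `d0a304e5` left by patch 4, so it will not apply cleanly in sequence. The new branch step uses the `##[set-output name=branch;]` logging command, which GitHub has deprecated; `run: echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"` is the supported form. The stashed variant of the analysis command also drops `--app shiftleft-python-demo-GH`, which patch 6 then keeps dropped; if the app name is what groups scans for comparison, that loss is silent and should at least be mentioned in the commit message.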
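Review bot: The one added line in the second hunk is a blank line between the step's `run:` and its `env:` block, which is valid but visually detaches the credentials from the step they belong to; dropping it (or moving the blank to before the step's `- name:`) reads more naturally. The kept command runs with `--strict --wait`, and since no `shiftleft.yml` exists in the tree until patch 7, what the CLI does at this commit when no build rules are present is not visible here — worth confirming so the scheduled Saturday run does not fail silently. The hunk's enclosing `steps:` list starts outside the hunk.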
From: e6-qwiet
Date: Mon, 23 Dec 2024 09:58:37 -0600
Subject: [PATCH 7/7] Rules and ignore added Qwiet rules and gitignore added
---
 .gitignore | 139 ++++++++++++++++++++++++++++++++++++++
 shiftleft-python-demo.iml | 9 +++
 shiftleft.yml | 110 ++++++++++++++++++++++++++++++
 3 files changed, 258 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 shiftleft-python-demo.iml
 create mode 100644 shiftleft.yml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..f98932a9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,139 @@
+*.DS_STORE
+.idea/
+.gitleaks_bin/
+repos/
+.vscode/
+.idea/
+.tox/
+.tool-versions
+venv/
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+# Usually these files are written by a python script from a template
+# before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+# However, in case of collaboration, if having platform-specific dependencies or dependencies
+# having no cross-platform support, pipenv may install dependencies that don't work, or not
+# install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+.coverage
+reports/
diff --git a/shiftleft-python-demo.iml b/shiftleft-python-demo.iml
new file mode 100644
index 00000000..8021953e
--- /dev/null
+++ b/shiftleft-python-demo.iml
@@ -0,0 +1,9 @@
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/shiftleft.yml b/shiftleft.yml
new file mode 100644
index 00000000..4750a57b
--- /dev/null
+++ b/shiftleft.yml
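Review bot: `.idea/`, `.tox/`, `venv/` and `.coverage` each appear twice in the new `.gitignore` (the project-specific block at the top repeats entries from the Python template below it); the duplicates are harmless but should be collapsed. `*.DS_STORE` will not match the macOS `.DS_Store` file on a case-sensitive checkout, so the conventional entry `.DS_Store` is the one to use. `.vscode/` and `.idea/` are ignored here, yet `.vscode/settings.json` was committed in patch 1 and `shiftleft-python-demo.iml` is added in this same commit; ignore rules do not untrack files already in the index, so those files need to be removed from tracking (or not committed) for the rules to have any effect. The `repos/`, `.gitleaks_bin/` and `.tool-versions` entries are local-tooling paths and would read better under their own comment, e.g. `# Local tooling`, rather than mixed into the template header.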
@@ -0,0 +1,110 @@
+build_rules:
+ - id: "No critical or high SAST findings"
+ finding_types:
+ - vuln
+ cvss_31_severity_ratings:
+ - critical
+ - high
+ threshold: 0
+ - id: "Allow 0 secrets"
+ finding_types:
+ - secret
+ threshold: 0
+ options:
+ num_findings: 10 # Return 10 sast findings
+ - id: "No reachable SCA findings"
+ finding_types:
+ - oss_vuln
+ cvss_31_severity_ratings:
+ - critical
+ - high
+ threshold: 0
+ options:
+ reachable: true
+ num_findings: 10 # Return 10 reachable sca findings
+ - id: "No critical or high container findings"
+ finding_types:
+ - container
+ cvss_31_severity_ratings:
+ - critical
+ - high
+ threshold: 0
+ options:
+ num_findings: 10 # Return 10 container findings
+# The above rule is perhaps the most common in that it
+# is designed to be used with Pull Request and to block
+# new vulns from being introduced that aren't already on
+# the 'main' branch
+#
+# Below is enchalada with all the options shown
+#
+# ID is the name that will be reflected in the PR comments
+# - id: build-rule-enchalada
+# - vuln
+#. - oss_vuln
+# - secret
+# - insight
+# - container
+# Do you want to block ALL types by severity?
+# cvss_31_severity_ratings:
+# - critical
+# - high
+# - medium
+#. - low
+# Do you want to focus on just one or more types?
+# type:
+# - Weak Random
+# - Sensitive Data Leak
+# - Deserialization
+# - Directory Traversal
+# - Sensitive Data Exposure
+# - Remote Code Execution
+# - Command Injection
+# - Security Best Practices
+# - Unsafe Reflection
+# - Regex Injection
+# - SQL Injection
+# - XML External Entities
+# - Template Injection
+# - Cross-Site Scripting
+# - JSON Injection
+# - Potential SQL Injection
+# - Potential Regex Injection
+# - Header Injection
+# - Security Misconfiguration
+# - Deprecated Function Use
+# - Mail Injection
+# - Race Condition
+# - Sensitive Data Usage
+# - Open Redirect
+# - Error Handling
+# - HTTP to Database
+# - HTTP to Model
+# - LDAP Injection
+# - Denial of Service
+# - CRLF Injection
+# - NoSQL Injection
+# - Weak Hash
+# - Session Injection
+# - Server-Side Request Forgery
+# - Prototype Pollution
+# - Log Forging
+# - XPath Injection
+# - Insecure Authentication
+# - Intent Redirection
+# - Authentication Bypass
+# - Weak Cipher
+# - Crypto
+# Focus by OWASP Category?
+# owasp_category:
+# - a01-2021-broken-access-control
+# - a02-2021-cryptographic-failures
+# - a03-2021-injection
+# - a04-2021-insecure-design
+# - a05-2021-security-misconfiguration
+# - a06-2021-vulnerable-and-outdated-components
+# - a07-2021-identification-and-authentication-failures
+# - a08-2021-software-and-data-integrity-failures
+# - a09-2021-security-logging-and-monitoring-failures
+# - a10-2021-server-side-request-forgery-(ssrf)
+
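Review bot: The commented-out example rule is not valid YAML once uncommented: the `- vuln`, `- oss_vuln`, `- secret` … list under `- id: build-rule-enchalada` has no `finding_types:` key above it, and the `#. - oss_vuln` and `#. - low` lines carry a stray `.` that would become part of the content. The inline comment on the secrets rule, `num_findings: 10 # Return 10 sast findings`, names the wrong finding type and should read `# Return 10 secret findings`. The header comment says "the above rule" is meant to block only findings that are not already on `main`, but none of the four rules carry any baseline or branch-comparison setting visible here; if that behaviour is intended, the comment should name the option that provides it, otherwise it overstates what the rules do. Spelling: `enchalada` → `enchilada` (twice).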