From e20c0a3796d68b393cd3848d3799ebfc7290a054 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Thu, 20 Jan 2022 15:05:27 -0500 Subject: [PATCH 1/8] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index bd9a5f4..e5f7576 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -38,7 +38,7 @@ jobs: id: extract_branch - name: NextGen Static Analysis # Run the analyzer and wait for it to finis, the app is a part of a group and we can dynamicaly capture the branch we're on for tagging. It's a java app and we point to where the binary can be found - run: ${GITHUB_WORKSPACE}/sl analyze --wait --app shiftleft-java-demo --tag app.group=HSL --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/hello-shiftleft-*.jar + run: ${GITHUB_WORKSPACE}/sl analyze --wait --app shiftleft-java-demo --tag app.group=HSL --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg --v2 target/hello-shiftleft-*.jar env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} From a71c867b3a38383df4b3f01c31329bc4cb6a5901 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Thu, 20 Jan 2022 15:27:17 -0500 Subject: [PATCH 2/8] Update main.yml --- .github/workflows/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e5f7576..f1b5b74 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
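Review bot: The new `run:` line still interpolates `${{ github.head_ref || steps.extract_branch.outputs.branch }}` straight into the shell command, and `github.head_ref` is the branch name chosen by whoever opens the pull request, so a ref containing shell metacharacters executes inside this step with `SHIFTLEFT_ACCESS_TOKEN` and `SHIFTLEFT_ORG_ID` in its environment. Pass the value through the step's existing `env:` block instead and quote it in the shell: add `BRANCH_NAME: ${{ github.head_ref || steps.extract_branch.outputs.branch }}` under `env:` and write `--tag "branch=${BRANCH_NAME}"` in the command. The `extract_branch` step that produces the fallback value is outside the hunk, so I cannot tell whether it sanitises its output; the env-variable route makes that irrelevant.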
@@ -38,7 +38,7 @@ jobs: id: extract_branch - name: NextGen Static Analysis # Run the analyzer and wait for it to finis, the app is a part of a group and we can dynamicaly capture the branch we're on for tagging. It's a java app and we point to where the binary can be found - run: ${GITHUB_WORKSPACE}/sl analyze --wait --app shiftleft-java-demo --tag app.group=HSL --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg --v2 target/hello-shiftleft-*.jar + run: ${GITHUB_WORKSPACE}/sl analyze --wait --app shiftleft-java-demo --tag app.group=HSL --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/hello-shiftleft-*.jar env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} SHIFTLEFT_ORG_ID: ${{ secrets.SHIFTLEFT_ORG_ID }} @@ -48,7 +48,7 @@ jobs: # Lets check the previous analysis for this branch to our baseline on Main, # since we specify a 'branch' we don't have to specify a '--source' run: | - ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo \ + ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-java-demo --v2 \ --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ --report \ --github-pr-number=${{ github.event.number }} \ From 19a1ff4f601b9a9f165ba14175afc63d9e206cea Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 21 Jan 2022 09:45:28 -0500 Subject: [PATCH 3/8] Create shiftleft.yml --- .github/workflows/shiftleft.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .github/workflows/shiftleft.yml diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 0000000..2e99352 --- /dev/null +++ b/.github/workflows/shiftleft.yml 
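Review bot: Removing `--v2` from `sl analyze` here while the second hunk of this commit adds it to `sl check-analysis` leaves the two commands on different flag sets, and nothing in the commit records whether a `check-analysis --v2` can consume results produced by an `analyze` run without it; please confirm against the CLI documentation and capture the answer in the step comment, e.g. `# --v2 is only needed on check-analysis; analyze stays on the default engine`. The `${{ github.head_ref || ... }}` expression on this `run:` line also remains an unescaped shell-injection vector, since the PR branch name is attacker-chosen; moving it into the step's `env:` as `BRANCH_NAME:` and referencing `"${BRANCH_NAME}"` would close it. The typo-ridden step comment above the changed line is context, not part of this change.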
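Review bot: The double quotes around `${{ github.head_ref || steps.extract_branch.outputs.branch }}` on the `--branch` line do not protect the shell: the expression is substituted before bash parses the script, so a head ref containing `"` or `$(…)` escapes the quoting and runs with the ShiftLeft secrets in the environment. Route the value through the step's `env:` (`BRANCH_NAME: ${{ github.head_ref || steps.extract_branch.outputs.branch }}`) and write `--branch "${BRANCH_NAME}" \`. Separately, `--github-pr-number=${{ github.event.number }}` expands to an empty value on the `push` trigger this workflow also runs on, unless the step is gated by an `if:` outside the hunk; an explicit `if: github.event_name == 'pull_request'` on the step (or a documented empty-value behaviour) would make that intentional. The `run:` block continues past the end of the hunk.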
@@ -0,0 +1,26 @@ +source: + branch: master + scan: previous +build_rules: + - id: build-rule-identifier + finding_types: + - vuln + - secret + severity: + - moderate + - critical + type: + - SQL Injection + - Sensitive Data Leak + owasp_category: + - a1-injection + threshold: 100 + - id: another-build-rule + severity: + - info + threshold: 100 + - id: reachable-oss-vuln + finding_types: Spoofing + options: + reachable: true + num_findings: 10 From f6309938d08bd8f03697fccc13b65718d8319294 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 21 Jan 2022 09:56:17 -0500 Subject: [PATCH 4/8] Update shiftleft.yml --- .github/workflows/shiftleft.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index 2e99352..5a524e4 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml @@ -14,7 +14,7 @@ build_rules: - Sensitive Data Leak owasp_category: - a1-injection - threshold: 100 + threshold: 0 - id: another-build-rule severity: - info From bc6410081930cbd5812a8af2cc65739d5dbe3baf Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 21 Jan 2022 09:59:50 -0500 Subject: [PATCH 5/8] Update shiftleft.yml --- .github/workflows/shiftleft.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index 5a524e4..be50b3e 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml @@ -18,9 +18,9 @@ build_rules: - id: another-build-rule severity: - info - threshold: 100 + threshold: 0 - id: reachable-oss-vuln finding_types: Spoofing options: reachable: true - num_findings: 10 + num_findings: 2 From 59bedc0c0c2dedb156be86233b2501a5ff9911f1 Mon Sep 17 00:00:00 2001 
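Review bot: `source.branch: master` points the baseline at a branch this workflow never scans — main.yml in the same series triggers on `main` (`branches: [ main ]`) and its step comment calls the baseline "Main" — so `check-analysis` will have nothing to diff against unless the repository really has a `master` branch; change it to `branch: main`. The file is also placed under `.github/workflows/`, where GitHub attempts to load every YAML file as a workflow and will report this one (no `on:`/`jobs:`) as invalid, and I believe ShiftLeft looks for build rules in `shiftleft.yml` at the repository root by default — moving it there avoids both issues, otherwise confirm how the CLI is told where to find it. Finally, `finding_types: Spoofing` on the `reachable-oss-vuln` rule is a bare scalar rather than a list and does not look like one of the finding types used elsewhere in this file (`vuln`, `secret`); `finding_types:` / `  - oss_vuln` is presumably what was intended.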
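Review bot: With `threshold: 0` the first rule now fails the build on any moderate/critical SQL Injection or Sensitive Data Leak finding, which is the right direction, but the same rule also restricts `owasp_category` to `a1-injection`; if the selectors are combined with AND (confirm in the build-rule docs), a Sensitive Data Leak finding is not an injection-category finding and can never satisfy the rule, so that type is not actually gated. Either drop the `owasp_category` selector or split the two types into separate rules, e.g. one rule with `type: [SQL Injection]` and `owasp_category: [a1-injection]` and a second with `type: [Sensitive Data Leak]` only. Also confirm whether the tool's severity scale has a level between `moderate` and `critical`; if it does, findings at that level are silently excluded from the gate.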
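Review bot: Lowering `num_findings` to 2 on the `reachable-oss-vuln` rule still lets reachable open-source vulnerabilities through if the option is the count that triggers failure, and one reachable OSS vulnerability is normally enough to fail a gate; use `num_findings: 1` if it is the failure count, or `threshold: 0` like the rules above if it is a tolerance — the docs should settle which. The `another-build-rule` change to `threshold: 0` makes any `info`-severity finding fail the build, which is likely to block every PR on the demo app; if that is not the intent, raise the severity floor or remove the rule. `finding_types: Spoofing` on the same rule is still a scalar and not a recognisable finding type.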
From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 21 Jan 2022 10:00:07 -0500 Subject: [PATCH 6/8] Create shiftleft.yml From 848acce4d84184a34ae29e438a738a39baee6686 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 21 Jan 2022 10:08:04 -0500 Subject: [PATCH 7/8] Update main.yml --- .github/workflows/main.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index f1b5b74..5ddff76 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,16 +1,16 @@ --- # This workflow integrates ShiftLeft NG SAST with GitHub # Visit https://docs.shiftleft.io for help -name: NG SAST Scan - ShiftLeft +name: ShiftLeft + on: - # Trigger the workflow on push to update the baseline scan - # or pull request going to main + # Trigger the workflow on push or pull request, + # but only for the main branch + workflow_dispatch: push: - branches: - - main + branches: [ main ] pull_request: - branches: - - main + branches: [ main ] jobs: NextGen-Static-Analysis: From 28e98b9d61e7734730f3727254a5271b30a20844 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Fri, 21 Jan 2022 10:58:11 -0500 Subject: [PATCH 8/8] Update shiftleft.yml --- .github/workflows/shiftleft.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index be50b3e..624e12e 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml @@ -5,7 +5,7 @@ build_rules: - id: build-rule-identifier finding_types: - vuln - - secret + - oss_vuln severity: - moderate - critical 
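Review bot: The new comment says the workflow runs "only for the main branch", but the added `workflow_dispatch:` trigger has no branch filter and can be run on any ref, so the comment overstates the restriction; `# push/PR to main, plus manual runs on any ref` would be accurate. Two things to confirm about the `pull_request` trigger rather than change in this hunk: repository secrets such as `SHIFTLEFT_ACCESS_TOKEN` are not exposed to workflows triggered from fork pull requests, so the analyze step will fail for external contributors unless that is acceptable; and if `sl check-analysis --report` writes to the pull request, the workflow should declare `permissions:` with `pull-requests: write` and `contents: read` so the default `GITHUB_TOKEN` grant is no broader than needed. The `jobs:` key at the end of the hunk continues outside it.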
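Review bot: Replacing `- secret` with `- oss_vuln` in `finding_types` removes the only rule that gated hardcoded-secret findings, so a credential the scan detects will no longer fail the build; keep `- secret` in the list (or give it its own rule) rather than swapping it out. Adding `oss_vuln` to this rule also subjects open-source findings to the rule's `type:` (SQL Injection, Sensitive Data Leak) and `owasp_category:` selectors, which are vulnerability-class labels that OSS findings are unlikely to carry, so if the selectors are ANDed the addition may match nothing; the dedicated `oss-vuln` rule later in the same file is the natural home for it. The rule's remaining selectors continue below the hunk.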
@@ -15,12 +15,7 @@ build_rules: owasp_category: - a1-injection threshold: 0 - - id: another-build-rule - severity: - - info - threshold: 0 - - id: reachable-oss-vuln - finding_types: Spoofing + - id: oss-vuln options: reachable: true - num_findings: 2 + num_findings: 10
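Review bot: The new `oss-vuln` rule declares no `finding_types`, `severity` or `threshold` — only `options.reachable: true` and `num_findings: 10` — so it is unclear what it matches, and if `num_findings` is the failure count it tolerates up to nine reachable open-source vulnerabilities, which are typically the highest-confidence findings the scan produces. Make the rule explicit and strict: `finding_types:` / `  - oss_vuln` and `threshold: 0` (or `num_findings: 1` if that is the count that fails the build — confirm in the docs). Dropping `another-build-rule` (info severity) is reasonable, but with the first hunk of this commit having removed `secret` from the other rule, the file now gates no secret findings at all.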