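#!/usr/bin/env bash
#
# setup-securecloudpay.sh — scaffold the "SecureCloudPay" DevSecOps simulation.
#
# Creates ./securecloudpay/ in the current directory containing a tiny Node.js
# and Go service, a Terraform file, Kubernetes manifests, a GitHub Actions Trivy
# workflow and a pre-commit scan script. Several generated artifacts are
# INTENTIONALLY insecure (hardcoded secret, public S3 ACL, root container, old
# base images) so that Trivy has findings to report. They are scan fixtures —
# do not deploy them anywhere real.
#
# Usage:  ./setup-securecloudpay.sh
# Env:    none required
# Re-running overwrites the generated files in place.
set -euo pipefail

readonly root="securecloudpay"

echo "🚧 Setting up SecureCloudPay DevSecOps simulation..."

# Create folder structure. Brace expansion runs before "$root" is expanded,
# so every directory lands under the same prefix.
mkdir -p "$root"/{backend/{node-service,go-service},terraform,k8s,.github/workflows,scripts}

# --- Node.js service ---
# Quoted heredoc delimiter: nothing inside is expanded by this shell, so the
# JS template literal `${port}` reaches the file verbatim.
cat <<'EOF' > "$root/backend/node-service/app.js"
const express = require('express');
const app = express();
const port = 3000;
// 🚨 Intentionally hardcoded (and unused) so a secret scanner has a target.
// Real services read secrets from the environment or a secrets manager.
const jwtSecret = 'super-secret-token';
app.get('/', (req, res) => {
  res.send('Hello from Node.js!');
});
app.listen(port, () => {
  console.log(`Server running on http://localhost:${port}`);
});
EOF

# No lockfile is generated; the pinned express version is what vuln scans see.
cat <<'EOF' > "$root/backend/node-service/package.json"
{
  "name": "node-service",
  "version": "1.0.0",
  "main": "app.js",
  "dependencies": {
    "express": "4.17.1"
  }
}
EOF

cat <<'EOF' > "$root/backend/node-service/Dockerfile"
# NOTE(review): node:14 is end-of-life and the build runs npm install as root
# with no lockfile — presumably part of the insecure fixture (confirm); a real
# image would use a supported base, `npm ci`, and a non-root USER.
FROM node:14-alpine
WORKDIR /app
COPY . .
RUN npm install
CMD ["node", "app.js"]
EOF

# --- Go service ---
cat <<'EOF' > "$root/backend/go-service/main.go"
package main

import (
    "fmt"
    "log"
    "net/http"
)

// handler answers every request with a fixed greeting.
func handler(w http.ResponseWriter, r *http.Request) {
    fmt.Fprintf(w, "Hello from Go!")
}

func main() {
    http.HandleFunc("/", handler)
    fmt.Println("Starting Go server on :8080")
    // A bind failure must not be swallowed silently.
    log.Fatal(http.ListenAndServe(":8080", nil))
}
EOF

cat <<'EOF' > "$root/backend/go-service/Dockerfile"
# NOTE(review): no go.mod is generated, so `go build` under golang:1.17
# (modules on by default) is expected to fail; this image is a scan fixture,
# not a buildable service — confirm if it should build.
FROM golang:1.17
WORKDIR /app
COPY . .
RUN go build -o app
CMD ["./app"]
EOF

# --- Terraform file ---
cat <<'EOF' > "$root/terraform/main.tf"
provider "aws" {
  region = "us-west-2"
}

# 🚨 Intentionally insecure: a world-readable bucket for the config scan to
# flag. (The inline acl argument is also deprecated in newer AWS providers;
# fixture only.)
resource "aws_s3_bucket" "insecure_bucket" {
  bucket = "securecloudpay-dev"
  acl    = "public-read"
}
EOF

# --- Kubernetes YAMLs ---
cat <<'EOF' > "$root/k8s/deployment.yaml"
apiVersion: apps/v1
kind: Deployment
metadata:
  name: node-service
spec:
  replicas: 1
  selector:
    matchLabels:
      app: node-service
  template:
    metadata:
      labels:
        app: node-service
    spec:
      containers:
        - name: node-service
          # NOTE(review): the stock node image contains no app.js, so this pod
          # would crash-loop if applied; the manifest is a scan fixture, not a
          # runnable deployment — confirm before pointing it at a built image.
          image: node:14-alpine
          command: ["node", "app.js"]
          # 🚨 Runs as root — presumably intentional (scan target), like the
          # hardcoded secret above. Real workloads set runAsNonRoot: true.
          securityContext:
            runAsUser: 0
EOF

cat <<'EOF' > "$root/k8s/service.yaml"
apiVersion: v1
kind: Service
metadata:
  name: node-service
spec:
  type: ClusterIP
  selector:
    app: node-service
  ports:
    - protocol: TCP
      port: 80
      targetPort: 3000
EOF

# --- GitHub Actions Trivy workflow ---
# Fixes vs. the naive version: the fs scan now actually writes the SARIF file
# the upload step expects, the upload runs even when a scan step fails the job
# (which is the whole point of --exit-code 1), and the job is granted only the
# permissions the SARIF upload needs.
cat <<'EOF' > "$root/.github/workflows/trivy-scan.yml"
name: Trivy Security Scan
on:
  pull_request:
    branches: [ "main" ]
# Least privilege: upload-sarif needs security-events:write; nothing else
# needs more than read access to the checkout.
permissions:
  contents: read
  security-events: write
jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Install Trivy
        # NOTE(review): curl | sh from the 'main' branch is an unpinned
        # supply-chain dependency in CI. Pin to a release tag and verify a
        # checksum (or use a pinned action) before using this for real.
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
      - name: File system scan (Secrets, Vuln)
        # Gate on HIGH/CRITICAL and emit SARIF for the upload step below.
        run: trivy fs --exit-code 1 --severity HIGH,CRITICAL --format sarif --output trivy-results.sarif .
      - name: Config scan (IaC + Dockerfile)
        # Gate only; config findings are not included in the uploaded SARIF.
        run: trivy config --exit-code 1 --severity HIGH,CRITICAL .
      - name: Upload results (SARIF)
        # Runs even after a failed scan step so the findings reach the
        # repository's Security tab instead of being lost with the job.
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif
EOF

# --- Pre-commit scan script ---
# The script mirrors the CI gate: it exits non-zero on HIGH/CRITICAL findings
# so that, once wired in as a hook, it actually blocks the commit. (This setup
# script does not install it into .git/hooks — run it manually or via your
# hook manager.)
cat <<'EOF' > "$root/scripts/precommit-scan.sh"
#!/bin/bash
# Pre-commit Trivy scan. Same severity gate as the CI workflow; any
# HIGH/CRITICAL finding makes this script (and therefore the commit) fail.
set -euo pipefail

if ! command -v trivy >/dev/null 2>&1; then
  echo "trivy is not installed or not on PATH; aborting pre-commit scan." >&2
  exit 1
fi

echo "🛡️ Trivy Pre-commit Scan Started..."
echo "🔍 Scanning file system..."
trivy fs --exit-code 1 --severity HIGH,CRITICAL --scanners vuln,secret .
echo "🔧 Scanning Dockerfiles and IaC configs..."
trivy config --exit-code 1 --severity HIGH,CRITICAL .
echo "✅ Scan complete."
EOF
chmod +x "$root/scripts/precommit-scan.sh"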