From 936b632a6e0e1675cf580067a256a3d6da57ca66 Mon Sep 17 00:00:00 2001
From: Calin Lupas
Date: Fri, 24 Jan 2025 08:36:21 -0500
Subject: [PATCH 1/5] DevOps Shield - DevSecOps Automation - Create devopsshield-cis-anchore-grype.yml
---
 .../devopsshield-cis-anchore-grype.yml | 74 +++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 .github/workflows/devopsshield-cis-anchore-grype.yml
diff --git a/.github/workflows/devopsshield-cis-anchore-grype.yml b/.github/workflows/devopsshield-cis-anchore-grype.yml
new file mode 100644
index 0000000..4150b04
--- /dev/null
+++ b/.github/workflows/devopsshield-cis-anchore-grype.yml
@@ -0,0 +1,74 @@ +# Last applied at: Fri, 24 Jan 2025 13:36:22 GMT +# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps. +# https://devopsshield.com +############################################################## +# This is a DevOps Shield - Application Security - Code Security Template. + +# This workflow template uses actions that are not certified by DevOps Shield. +# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation. + +# Use this workflow template for integrating code security into your pipelines and workflows. + +# DevOps Shield Workflow Template Details: +# ------------------------------------------------------------ +# Code: GH_CIS_ANCHORE_GRYPE +# Name: Anchore Grype Vulnerability Scan (Container Image Scanning) +# DevSecOpsControls: CIS +# Provider: Anchore +# Categories: Code Scanning, Dockerfile +# Description: +# Anchore Grype is a vulnerability scanner for container images and filesystems. +# Scan the contents of a container image or filesystem to find known vulnerabilities. +# Anchore container analysis and scan provided as a GitHub Action. +# This workflow checks out code, builds an image, performs a container image vulnerability scan with Anchore's Grype tool, +# and integrates the results with GitHub Advanced Security code scanning feature. +# Read the official documentation to find out more. 
+# For more information: +# https://github.com/anchore/grype +# ------------------------------------------------------------ +# Source repository: https://github.com/anchore/scan-action +############################################################## + +name: Anchore Grype Vulnerability Scan (Container Image Scanning) + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + schedule: + - cron: 0 0 * * 0 + +jobs: + anchore-grype-scan: + name: Anchore Grype Vulnerability Scan + + runs-on: ubuntu-latest + + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build an image from Dockerfile + uses: docker/build-push-action@v4 + with: + tags: localbuild/testimage:latest + push: false + load: true + + - name: Run the Anchore Grype scan action + uses: anchore/scan-action@v6 + id: scan + with: + image: "localbuild/testimage:latest" + fail-build: true + severity-cutoff: critical + - name: Upload Anchore vulnerability report to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} From dc7fceb6af38b24b5024a4e47b96e2761be8653b Mon Sep 17 00:00:00 2001 From: Calin Lupas Date: Fri, 24 Jan 2025 08:36:23 -0500 Subject: [PATCH 2/5] DevOps Shield - DevSecOps Automation - Create devopsshield-dast-zed-attack-proxy-zap.yml --- ...devopsshield-dast-zed-attack-proxy-zap.yml | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 .github/workflows/devopsshield-dast-zed-attack-proxy-zap.yml diff --git a/.github/workflows/devopsshield-dast-zed-attack-proxy-zap.yml b/.github/workflows/devopsshield-dast-zed-attack-proxy-zap.yml new file mode 100644 index 0000000..7aa0fc3 --- /dev/null 
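Review bot: With `fail-build: true` on the scan step, a critical finding fails the job before `Upload Anchore vulnerability report to GitHub Security tab` runs, so the SARIF for exactly the builds that matter never reaches code scanning; add `if: always()` to the upload step (the MSDO workflow's upload step has the same gap). All five workflows reference third-party actions by mutable tags (`actions/checkout@v4`, `docker/build-push-action@v4`, `anchore/scan-action@v6`, `github/codeql-action/upload-sarif@v3`, and the equivalents in the ZAP, MSDO, Syft and TruffleHog files); for templates that run with `security-events: write`, pin each `uses:` to a full commit SHA with the tag in a trailing comment so a re-tagged upstream release cannot change what executes. The `# Last applied at:` header will churn on every re-apply and carries nothing the commit history does not already record.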
+++ b/.github/workflows/devopsshield-dast-zed-attack-proxy-zap.yml 
@@ -0,0 +1,61 @@ +# Last applied at: Fri, 24 Jan 2025 13:36:24 GMT +# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps. +# https://devopsshield.com +############################################################## +# This is a DevOps Shield - Application Security - Code Security Template. + +# This workflow template uses actions that are not certified by DevOps Shield. +# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation. + +# Use this workflow template for integrating code security into your pipelines and workflows. + +# DevOps Shield Workflow Template Details: +# ------------------------------------------------------------ +# Code: GH_DAST_Zed_Attack_Proxy_ZAP +# Name: Zed Attack Proxy (ZAP) Penetration Testing +# DevSecOpsControls: DAST +# Provider: Checkmarx +# Categories: Code Scanning, Penetration Testing +# Description: +# Zed Attack Proxy (ZAP) by Checkmarx is a free, open-source penetration testing tool. +# ZAP is designed specifically for testing web applications and is both flexible and extensible. +# Automate with ZAP. ZAP provides range of options for security automation. +# The world's most widely used web app scanner. Free and open source. A community based GitHub Top 1000 project that anyone can contribute to. +# A GitHub Action for running the ZAP Full Scan to perform Dynamic Application Security Testing (DAST). +# The ZAP full scan action runs the ZAP spider against the specified target (by default with no time limit) followed by an optional ajax spider scan and then a full active scan before reporting the results. +# WARNING this action will perform attacks on the target website. You should only scan targets that you have permission to test. +# Read the official documentation to find out more. 
+# For more information: +# https://www.zaproxy.org/ +# https://www.zaproxy.org/docs/ +# https://github.com/zaproxy/ +# https://www.zaproxy.org/docs/automate/ +# https://www.zaproxy.org/docs/guides/zapping-the-top-10-2021/ +# ------------------------------------------------------------ +# Source repository: https://github.com/zaproxy/action-full-scan +############################################################## + +name: Zed Attack Proxy (ZAP) Full Scan + +on: + push: + branches: [ main ] + schedule: + - cron: 0 0 * * 0 + +jobs: + zap_scan: + name: ZAP Full Scan + runs-on: ubuntu-latest + + permissions: + contents: read + + steps: + - uses: actions/checkout@v4 + + - name: Run ZAP Scan + uses: zaproxy/action-full-scan@v0.12.0 + id: zap + with: + target: 'https://www.zaproxy.org/' From bc8cc0a204211d4a7666ddcd27c5d417c079de96 Mon Sep 17 00:00:00 2001 From: Calin Lupas Date: Fri, 24 Jan 2025 08:36:25 -0500 Subject: [PATCH 3/5] DevOps Shield - DevSecOps Automation - Create devopsshield-msdo-microsoft-security-devops.yml --- ...sshield-msdo-microsoft-security-devops.yml | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 .github/workflows/devopsshield-msdo-microsoft-security-devops.yml diff --git a/.github/workflows/devopsshield-msdo-microsoft-security-devops.yml b/.github/workflows/devopsshield-msdo-microsoft-security-devops.yml new file mode 100644 index 0000000..ef3e1e8 --- /dev/null +++ b/.github/workflows/devopsshield-msdo-microsoft-security-devops.yml 
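Review bot: The template's default `target: 'https://www.zaproxy.org/'` points the full active scan at a third-party site on every push to `main` and weekly by cron, while the header itself says to scan only targets you have permission to test; ship a placeholder such as `target: 'https://<your-staging-host>/'` so the URL has to be consciously replaced before the workflow is enabled. The job restricts `permissions` to `contents: read`, but the action by default writes its report to a GitHub issue using `${{ github.token }}`, which presumably needs `issues: write` here — either grant it or set `allow_issue_writing: false` under `with:`. The `actions/checkout@v4` step is not needed unless a rules file from the repository is passed to the scan.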
@@ -0,0 +1,75 @@ +# Last applied at: Fri, 24 Jan 2025 13:36:26 GMT +# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps. +# https://devopsshield.com +############################################################## +# This is a DevOps Shield - Application Security - Code Security Template. + +# This workflow template uses actions that are not certified by DevOps Shield. +# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation. + +# Use this workflow template for integrating code security into your pipelines and workflows. + +# DevOps Shield Workflow Template Details: +# ------------------------------------------------------------ +# Code: GH_MSDO_Microsoft_Security_DevOps +# Name: Microsoft Security DevOps (MSDO) - Defender for DevOps +# DevSecOpsControls: SAST, CIS, IACS +# Provider: Microsoft +# Categories: Code Scanning, Dockerfile, Python, JavaScript, EcmaScript, TypeScript, C#, .NET, ARM Template, Bicep, Kubernetes, JSON, YAML, CloudFormation, HCL, Terraform +# Description: +# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. +# MSDO installs, configures and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). +# Defender for DevOps helps integrate multiple tools with Advanced Security and sends the results to Defender for Cloud dashboard. +# Please note this workflow do not integrate with Microsoft Defender For DevOps. +# You have to create an integration and provide permission before this can report data back to Azure. +# Read the official documentation to find out more. 
+# For more information: +# https://github.com/microsoft/security-devops-action +# https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action +# https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github +# ------------------------------------------------------------ +# Source repository: https://github.com/microsoft/security-devops-action +############################################################## + +name: Microsoft Security DevOps (MSDO) - Defender for DevOps + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + schedule: + - cron: 0 0 * * 0 + +jobs: + MSDO: + name: Microsoft Security DevOps (MSDO) + + # Windows and Linux agents are supported + runs-on: windows-latest + + permissions: + contents: read + # Write access for security-events is only required for customers looking for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) + security-events: write + + steps: + # Checkout your code repository to scan + - uses: actions/checkout@v4 + + # Run analyzers + - name: Run Microsoft Security DevOps + uses: microsoft/security-devops-action@v1.6.0 + id: msdo + # with: + # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig'). + # policy: 'GitHub' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: GitHub. + # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all. + # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all. + # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'. 
+ + # Upload alerts to the Security tab - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS) + - name: Upload results to Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.msdo.outputs.sarifFile }} From 069b3b4f64e0b7dde69e1d8bb8e2b9221788c283 Mon Sep 17 00:00:00 2001 From: Calin Lupas Date: Fri, 24 Jan 2025 08:36:27 -0500 Subject: [PATCH 4/5] DevOps Shield - DevSecOps Automation - Create devopsshield-sca-anchore-syft.yml --- .../devopsshield-sca-anchore-syft.yml | 60 +++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 .github/workflows/devopsshield-sca-anchore-syft.yml diff --git a/.github/workflows/devopsshield-sca-anchore-syft.yml b/.github/workflows/devopsshield-sca-anchore-syft.yml new file mode 100644 index 0000000..c8e3436 --- /dev/null +++ b/.github/workflows/devopsshield-sca-anchore-syft.yml 
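Review bot: The `Upload results to Security tab` step has no `if: always()`, so if the MSDO step exits non-zero — which it may do when analyzers report breaking results, depending on the policy in effect — the SARIF that explains the failure is never uploaded; adding `if: always()` to that step keeps the Security tab populated either way. The permissions block grants `security-events: write` but omits `actions: read`, which the Grype template in this same series notes is required by `upload-sarif` on private repositories. `microsoft/security-devops-action@v1.6.0` is pinned more tightly than the floating majors elsewhere, but it is still a mutable tag rather than a commit SHA.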
@@ -0,0 +1,60 @@ +# Last applied at: Fri, 24 Jan 2025 13:36:28 GMT +# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps. +# https://devopsshield.com +############################################################## +# This is a DevOps Shield - Application Security - Code Security Template. + +# This workflow template uses actions that are not certified by DevOps Shield. +# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation. + +# Use this workflow template for integrating code security into your pipelines and workflows. + +# DevOps Shield Workflow Template Details: +# ------------------------------------------------------------ +# Code: GH_SCA_ANCHORE_SYFT +# Name: Anchore Syft SBOM Scan +# DevSecOpsControls: SCA +# Provider: Anchore +# Categories: Code Scanning, Dockerfile, Dependency Management +# Description: +# Produce Software Bills of Materials based on Anchore's open source Syft tool. +# Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. +# It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security. +# This workflow checks out code, builds an image, performs a container image +# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency submission API. +# Read the official documentation to find out more. 
+# For more information: +# https://github.com/anchore/syft +# ------------------------------------------------------------ +# Source repository: https://github.com/anchore/sbom-action +############################################################## + +name: Anchore Syft SBOM Scan + +on: + push: + branches: [ main ] + +jobs: + anchore-syft-Scan: + name: Anchore Syft SBOM Scan + + runs-on: ubuntu-latest + + permissions: + contents: write # required to upload to the Dependency submission API + actions: read # to find workflow artifacts when attaching release assets + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Build the Docker image + run: docker build . --file Dockerfile --tag localbuild/testimage:latest + + - name: Scan the image and upload dependency results + uses: anchore/sbom-action@v0 + with: + image: "localbuild/testimage:latest" + artifact-name: image.spdx.json + dependency-snapshot: true From a6e4f00c11ae9e46287f114aaecba5dab1dd8bf2 Mon Sep 17 00:00:00 2001 From: Calin Lupas Date: Fri, 24 Jan 2025 08:36:28 -0500 Subject: [PATCH 5/5] DevOps Shield - DevSecOps Automation - Create devopsshield-ss-trufflehog.yml --- .../workflows/devopsshield-ss-trufflehog.yml | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 .github/workflows/devopsshield-ss-trufflehog.yml diff --git a/.github/workflows/devopsshield-ss-trufflehog.yml b/.github/workflows/devopsshield-ss-trufflehog.yml new file mode 100644 index 0000000..5edd52b --- /dev/null +++ b/.github/workflows/devopsshield-ss-trufflehog.yml 
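Review bot: `actions: read # to find workflow artifacts when attaching release assets` grants a permission for a release step this workflow does not contain — there is no `release` trigger or asset upload here — so the line and its comment appear copied from the upstream example and should be dropped to keep the job at the minimum it needs (`contents: write` is genuinely required for the Dependency submission API). The job id `anchore-syft-Scan` mixes case where the sibling templates use `anchore-grype-scan` and `zap_scan`; rename it `anchore-syft-scan`. This template builds with a bare `docker build` run step while the Grype template uses `docker/build-push-action`; one approach across the series makes the two easier to keep in step.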
@@ -0,0 +1,59 @@ +# Last applied at: Fri, 24 Jan 2025 13:36:29 GMT +# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps. +# https://devopsshield.com +############################################################## +# This is a DevOps Shield - Application Security - Code Security Template. + +# This workflow template uses actions that are not certified by DevOps Shield. +# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation. + +# Use this workflow template for integrating code security into your pipelines and workflows. + +# DevOps Shield Workflow Template Details: +# ------------------------------------------------------------ +# Code: GH_SS_TRUFFLEHOG +# Name: TruffleHog Secret Scanning +# DevSecOpsControls: SS +# Provider: Truffle Security Co. +# Categories: Code Scanning, Secrets +# Description: +# TruffleHog is the most powerful secrets Discovery, Classification, Validation, and Analysis tool. +# In this context secret refers to a credential a machine uses to authenticate itself to another machine. +# This includes API keys, database passwords, private encryption keys, and more. +# Find, verify, and analyze leaked credentials. +# Read the official documentation to find out more. 
+# For more information: +# https://trufflesecurity.com/ +# https://github.com/trufflesecurity/trufflehog +# ------------------------------------------------------------ +# Source repository: https://github.com/trufflesecurity/trufflehog?tab=readme-ov-file#octocat-trufflehog-github-action +############################################################## + +name: TruffleHog Secret Scanning + +on: + push: + pull_request: + workflow_dispatch: + schedule: + - cron: 0 0 * * * + +jobs: + gitleaks: + name: TruffleHog Secret Scanning + + runs-on: ubuntu-latest + + permissions: + contents: read + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Run TruffleHog + uses: trufflesecurity/trufflehog@v3 + id: trufflehog + with: + extra_args: --results=verified,unknown \ No newline at end of file
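Review bot: The job id is `gitleaks` but the job runs TruffleHog; the id looks like a leftover from another template and is what `needs:` and job filters reference, so rename it `trufflehog` to match `name: TruffleHog Secret Scanning`. `on: push:` has no branch filter, unlike the other four workflows' `branches: [ main ]`; that may be deliberate for secret scanning, but a one-line comment saying so would stop the next maintainer from "fixing" it. The cron is a plain scalar here and in the other schedules; writing `- cron: '0 0 * * *'` avoids any parser treating the `*` run specially and matches GitHub's documented form. The file also ends without a trailing newline.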