githubabcs-devops · CalinL · Jan 24, 2025 · Jan 24, 2025 · Jan 24, 2025 · Jan 24, 2025
diff --git a/.github/workflows/devopsshield-cis-anchore-grype.yml b/.github/workflows/devopsshield-cis-anchore-grype.yml
@@ -0,0 +1,74 @@
+# Last applied at: Fri, 24 Jan 2025 13:36:22 GMT
+# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.
+# https://devopsshield.com
+##############################################################
+# This is a DevOps Shield - Application Security - Code Security Template. 
+
+# This workflow template uses actions that are not certified by DevOps Shield. 
+# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation.
+
+# Use this workflow template for integrating code security into your pipelines and workflows.
+
+# DevOps Shield Workflow Template Details:
+# ------------------------------------------------------------
+# Code: GH_CIS_ANCHORE_GRYPE
+# Name: Anchore Grype Vulnerability Scan (Container Image Scanning)
+# DevSecOpsControls: CIS
+# Provider: Anchore
+# Categories: Code Scanning, Dockerfile
+# Description: 
+# Anchore Grype is a vulnerability scanner for container images and filesystems. 
+# Scan the contents of a container image or filesystem to find known vulnerabilities.
+# Anchore container analysis and scan provided as a GitHub Action.
+# This workflow checks out code, builds an image, performs a container image vulnerability scan with Anchore's Grype tool, 
+# and integrates the results with GitHub Advanced Security code scanning feature.
+# Read the official documentation to find out more. 
+# For more information: 
+# https://github.com/anchore/grype
+# ------------------------------------------------------------
+# Source repository: https://github.com/anchore/scan-action
+##############################################################
+
+name: Anchore Grype Vulnerability Scan (Container Image Scanning)
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: 0 0 * * 0
+
+jobs:
+  anchore-grype-scan:
+    name: Anchore Grype Vulnerability Scan
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+
+    steps:      
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Build an image from Dockerfile
+      uses: docker/build-push-action@v4
+      with:
+        tags: localbuild/testimage:latest
+        push: false
+        load: true
+
+    - name: Run the Anchore Grype scan action
+      uses: anchore/scan-action@v6
+      id: scan
+      with:
+        image: "localbuild/testimage:latest"
+        fail-build: true
+        severity-cutoff: critical
+    - name: Upload Anchore vulnerability report to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/devopsshield-dast-zed-attack-proxy-zap.yml b/.github/workflows/devopsshield-dast-zed-attack-proxy-zap.yml
@@ -0,0 +1,61 @@
+# Last applied at: Fri, 24 Jan 2025 13:36:24 GMT
+# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.
+# https://devopsshield.com
+##############################################################
+# This is a DevOps Shield - Application Security - Code Security Template. 
+
+# This workflow template uses actions that are not certified by DevOps Shield. 
+# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation.
+
+# Use this workflow template for integrating code security into your pipelines and workflows.
+
+# DevOps Shield Workflow Template Details:
+# ------------------------------------------------------------
+# Code: GH_DAST_Zed_Attack_Proxy_ZAP
+# Name: Zed Attack Proxy (ZAP) Penetration Testing
+# DevSecOpsControls: DAST
+# Provider: Checkmarx
+# Categories: Code Scanning, Penetration Testing
+# Description: 
+# Zed Attack Proxy (ZAP) by Checkmarx is a free, open-source penetration testing tool. 
+# ZAP is designed specifically for testing web applications and is both flexible and extensible.
+# Automate with ZAP. ZAP provides range of options for security automation. 
+# The world's most widely used web app scanner. Free and open source. A community based GitHub Top 1000 project that anyone can contribute to. 
+# A GitHub Action for running the ZAP Full Scan to perform Dynamic Application Security Testing (DAST).
+# The ZAP full scan action runs the ZAP spider against the specified target (by default with no time limit) followed by an optional ajax spider scan and then a full active scan before reporting the results.
+# WARNING this action will perform attacks on the target website. You should only scan targets that you have permission to test.
+# Read the official documentation to find out more. 
+# For more information: 
+# https://www.zaproxy.org/
+# https://www.zaproxy.org/docs/
+# https://github.com/zaproxy/
+# https://www.zaproxy.org/docs/automate/
+# https://www.zaproxy.org/docs/guides/zapping-the-top-10-2021/
+# ------------------------------------------------------------
+# Source repository: https://github.com/zaproxy/action-full-scan
+##############################################################
+
+name: Zed Attack Proxy (ZAP) Full Scan
+
+on:
+  push:
+    branches: [ main ]
+  schedule:
+    - cron: 0 0 * * 0
+
+jobs:
+  zap_scan:
+    name: ZAP Full Scan
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Run ZAP Scan
+      uses: zaproxy/action-full-scan@v0.12.0
+      id: zap
+      with:
+        target: 'https://www.zaproxy.org/'
diff --git a/.github/workflows/devopsshield-msdo-microsoft-security-devops.yml b/.github/workflows/devopsshield-msdo-microsoft-security-devops.yml
@@ -0,0 +1,75 @@
+# Last applied at: Fri, 24 Jan 2025 13:36:26 GMT
+# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.
+# https://devopsshield.com
+##############################################################
+# This is a DevOps Shield - Application Security - Code Security Template. 
+
+# This workflow template uses actions that are not certified by DevOps Shield. 
+# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation.
+
+# Use this workflow template for integrating code security into your pipelines and workflows.
+
+# DevOps Shield Workflow Template Details:
+# ------------------------------------------------------------
+# Code: GH_MSDO_Microsoft_Security_DevOps
+# Name: Microsoft Security DevOps (MSDO) - Defender for DevOps
+# DevSecOpsControls: SAST, CIS, IACS
+# Provider: Microsoft
+# Categories: Code Scanning, Dockerfile, Python, JavaScript, EcmaScript, TypeScript, C#, .NET, ARM Template, Bicep, Kubernetes, JSON, YAML, CloudFormation, HCL, Terraform
+# Description: 
+# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle. 
+# MSDO installs, configures and runs the latest versions of static analysis tools (including, but not limited to, SDL/security and compliance tools). 
+# Defender for DevOps helps integrate multiple tools with Advanced Security and sends the results to Defender for Cloud dashboard. 
+# Please note this workflow do not integrate with Microsoft Defender For DevOps. 
+# You have to create an integration and provide permission before this can report data back to Azure. 
+# Read the official documentation to find out more. 
+# For more information: 
+# https://github.com/microsoft/security-devops-action
+# https://learn.microsoft.com/en-us/azure/defender-for-cloud/github-action
+# https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github
+# ------------------------------------------------------------
+# Source repository: https://github.com/microsoft/security-devops-action
+##############################################################
+
+name: Microsoft Security DevOps (MSDO) - Defender for DevOps
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: 0 0 * * 0
+
+jobs:
+  MSDO:
+    name: Microsoft Security DevOps (MSDO)
+
+    # Windows and Linux agents are supported
+    runs-on: windows-latest
+
+    permissions:
+      contents: read
+      # Write access for security-events is only required for customers looking for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)
+      security-events: write
+
+    steps:
+      # Checkout your code repository to scan
+    - uses: actions/checkout@v4
+
+      # Run analyzers
+    - name: Run Microsoft Security DevOps
+      uses: microsoft/security-devops-action@v1.6.0
+      id: msdo
+    # with:
+      # config: string. Optional. A file path to an MSDO configuration file ('*.gdnconfig').
+      # policy: 'GitHub' | 'microsoft' | 'none'. Optional. The name of a well-known Microsoft policy. If no configuration file or list of tools is provided, the policy may instruct MSDO which tools to run. Default: GitHub.
+      # categories: string. Optional. A comma-separated list of analyzer categories to run. Values: 'code', 'artifacts', 'IaC', 'containers'. Example: 'IaC, containers'. Defaults to all.
+      # languages: string. Optional. A comma-separated list of languages to analyze. Example: 'javascript,typescript'. Defaults to all.
+      # tools: string. Optional. A comma-separated list of analyzer tools to run. Values: 'bandit', 'binskim', 'checkov', 'eslint', 'templateanalyzer', 'terrascan', 'trivy'.
+
+      # Upload alerts to the Security tab - required for MSDO results to appear in the codeQL security alerts tab on GitHub (Requires GHAS)
+    - name: Upload results to Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ${{ steps.msdo.outputs.sarifFile }}
diff --git a/.github/workflows/devopsshield-sca-anchore-syft.yml b/.github/workflows/devopsshield-sca-anchore-syft.yml
@@ -0,0 +1,60 @@
+# Last applied at: Fri, 24 Jan 2025 13:36:28 GMT
+# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.
+# https://devopsshield.com
+##############################################################
+# This is a DevOps Shield - Application Security - Code Security Template. 
+
+# This workflow template uses actions that are not certified by DevOps Shield. 
+# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation.
+
+# Use this workflow template for integrating code security into your pipelines and workflows.
+
+# DevOps Shield Workflow Template Details:
+# ------------------------------------------------------------
+# Code: GH_SCA_ANCHORE_SYFT
+# Name: Anchore Syft SBOM Scan
+# DevSecOpsControls: SCA
+# Provider: Anchore
+# Categories: Code Scanning, Dockerfile, Dependency Management
+# Description: 
+# Produce Software Bills of Materials based on Anchore's open source Syft tool.
+# Syft is a powerful and easy-to-use open-source tool for generating Software Bill of Materials (SBOMs) for container images and filesystems. 
+# It provides detailed visibility into the packages and dependencies in your software, helping you manage vulnerabilities, license compliance, and software supply chain security.
+# This workflow checks out code, builds an image, performs a container image
+# scan with Anchore's Syft tool, and uploads the results to the GitHub Dependency submission API.
+# Read the official documentation to find out more. 
+# For more information: 
+# https://github.com/anchore/syft
+# ------------------------------------------------------------
+# Source repository: https://github.com/anchore/sbom-action
+##############################################################
+
+name: Anchore Syft SBOM Scan
+
+on:
+  push:
+    branches: [ main ]
+
+jobs:
+  anchore-syft-Scan:
+    name: Anchore Syft SBOM Scan
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # required to upload to the Dependency submission API
+      actions: read # to find workflow artifacts when attaching release assets
+
+    steps:      
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Build the Docker image
+      run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+
+    - name: Scan the image and upload dependency results
+      uses: anchore/sbom-action@v0
+      with:
+        image: "localbuild/testimage:latest"
+        artifact-name: image.spdx.json
+        dependency-snapshot: true
diff --git a/.github/workflows/devopsshield-ss-trufflehog.yml b/.github/workflows/devopsshield-ss-trufflehog.yml
@@ -0,0 +1,59 @@
+# Last applied at: Fri, 24 Jan 2025 13:36:29 GMT
+# DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps.
+# https://devopsshield.com
+##############################################################
+# This is a DevOps Shield - Application Security - Code Security Template. 
+
+# This workflow template uses actions that are not certified by DevOps Shield. 
+# They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation.
+
+# Use this workflow template for integrating code security into your pipelines and workflows.
+
+# DevOps Shield Workflow Template Details:
+# ------------------------------------------------------------
+# Code: GH_SS_TRUFFLEHOG
+# Name: TruffleHog Secret Scanning
+# DevSecOpsControls: SS
+# Provider: Truffle Security Co.
+# Categories: Code Scanning, Secrets
+# Description: 
+# TruffleHog is the most powerful secrets Discovery, Classification, Validation, and Analysis tool. 
+# In this context secret refers to a credential a machine uses to authenticate itself to another machine. 
+# This includes API keys, database passwords, private encryption keys, and more. 
+# Find, verify, and analyze leaked credentials.
+# Read the official documentation to find out more. 
+# For more information: 
+# https://trufflesecurity.com/
+# https://github.com/trufflesecurity/trufflehog
+# ------------------------------------------------------------
+# Source repository: https://github.com/trufflesecurity/trufflehog?tab=readme-ov-file#octocat-trufflehog-github-action
+##############################################################
+
+name: TruffleHog Secret Scanning
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: 0 0 * * *
+
+jobs:
+  gitleaks:
+    name: TruffleHog Secret Scanning
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Run TruffleHog
+      uses: trufflesecurity/trufflehog@v3
+      id: trufflehog
+      with:
+        extra_args: --results=verified,unknown