forked from ShiftLeftSecurity/shiftleft-python-demo
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathshiftleft.yml
110 lines (109 loc) · 2.98 KB
/
shiftleft.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
build_rules:
- id: "No critical or high SAST findings"
finding_types:
- vuln
cvss_31_severity_ratings:
- critical
- high
threshold: 0
- id: "Allow 0 secrets"
finding_types:
- secret
threshold: 0
options:
num_findings: 10 # Return 10 sast findings
- id: "No reachable SCA findings"
finding_types:
- oss_vuln
cvss_31_severity_ratings:
- critical
- high
threshold: 0
options:
reachable: true
num_findings: 10 # Return 10 reachable sca findings
- id: "No critical or high container findings"
finding_types:
- container
cvss_31_severity_ratings:
- critical
- high
threshold: 0
options:
num_findings: 10 # Return 10 container findings
# The above rule is perhaps the most common in that it
# is designed to be used with Pull Request and to block
# new vulns from being introduced that aren't already on
# the 'main' branch
#
# Below is enchalada with all the options shown
#
# ID is the name that will be reflected in the PR comments
# - id: build-rule-enchalada
# - vuln
#. - oss_vuln
# - secret
# - insight
# - container
# Do you want to block ALL types by severity?
# cvss_31_severity_ratings:
# - critical
# - high
# - medium
#. - low
# Do you want to focus on just one or more types?
# type:
# - Weak Random
# - Sensitive Data Leak
# - Deserialization
# - Directory Traversal
# - Sensitive Data Exposure
# - Remote Code Execution
# - Command Injection
# - Security Best Practices
# - Unsafe Reflection
# - Regex Injection
# - SQL Injection
# - XML External Entities
# - Template Injection
# - Cross-Site Scripting
# - JSON Injection
# - Potential SQL Injection
# - Potential Regex Injection
# - Header Injection
# - Security Misconfiguration
# - Deprecated Function Use
# - Mail Injection
# - Race Condition
# - Sensitive Data Usage
# - Open Redirect
# - Error Handling
# - HTTP to Database
# - HTTP to Model
# - LDAP Injection
# - Denial of Service
# - CRLF Injection
# - NoSQL Injection
# - Weak Hash
# - Session Injection
# - Server-Side Request Forgery
# - Prototype Pollution
# - Log Forging
# - XPath Injection
# - Insecure Authentication
# - Intent Redirection
# - Authentication Bypass
# - Weak Cipher
# - Crypto
# Focus by OWASP Category?
# owasp_category:
# - a01-2021-broken-access-control
# - a02-2021-cryptographic-failures
# - a03-2021-injection
# - a04-2021-insecure-design
# - a05-2021-security-misconfiguration
# - a06-2021-vulnerable-and-outdated-components
# - a07-2021-identification-and-authentication-failures
# - a08-2021-software-and-data-integrity-failures
# - a09-2021-security-logging-and-monitoring-failures
# - a10-2021-server-side-request-forgery-(ssrf)