Merge pull request #7 from instriq/develop

Version 0.1.0
instriq · Aug 23, 2024 · 6f5ea99 · 6f5ea99
2 parents 92a121c + 982f943
commit 6f5ea99
Show file tree

Hide file tree

Showing 16 changed files with 273 additions and 106 deletions.
diff --git a/.github/workflows/deploy-image.yml b/.github/workflows/deploy-image.yml
@@ -4,7 +4,6 @@ on:
   push:
     branches:
       - main
-      - develop
 
 jobs:
   build-and-deploy:
@@ -29,4 +28,4 @@ jobs:
           password: ${{ secrets.LESIS_DEPLOY }}
 
       - name: Push Docker image to GitHub Container Registry
-        run: docker push docker.pkg.github.com/${{ github.repository }}/security-gate:latest
+        run: docker push docker.pkg.github.com/${{ github.repository }}/security-gate:latest
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -15,4 +15,4 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - name: Build the Docker image
-      run: docker build . --file Dockerfile --tag security-gate:$(date +%s)
+      run: docker build . --file Dockerfile --tag security-gate:$(date +%s)
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -3,6 +3,7 @@ name: Linter
 on:
   push:
     branches:
+      - main
       - develop
   pull_request:
     branches:
@@ -17,4 +18,4 @@ jobs:
     - name: Run Perl::Critic
       uses: natanlao/[email protected]
       with:
-        files: critic
+        files: critic
diff --git a/.github/workflows/security-gate.yml b/.github/workflows/security-gate.yml
@@ -1,4 +1,4 @@
-name: Security Gate - Instriq
+name: Security Gate - LESIS
 
 on:
   push:
@@ -38,4 +38,7 @@ jobs:
         -c "$MAX_CRITICAL" \
         -h "$MAX_HIGH" \
         -m "$MAX_MEDIUM" \
-        -l "$MAX_LOW"
+        -l "$MAX_LOW" \
+        --dependency-alerts
+        --secrets-alerts
+        --code-alerts
diff --git a/.github/workflows/zarn.yml b/.github/workflows/zarn.yml
@@ -22,4 +22,4 @@ jobs:
     - name: Send result to Github Security
       uses: github/codeql-action/upload-sarif@v3
       with:
-        sarif_file: result.sarif
+        sarif_file: result.sarif
diff --git a/.perlcriticrc b/.perlcriticrc
@@ -1,4 +1,4 @@
-severity = 4
+severity = 3
 
 [-TestingAndDebugging::RequireUseStrict]
-[-TestingAndDebugging::RequireUseWarnings]
+[-TestingAndDebugging::RequireUseWarnings]
diff --git a/LICENSE.md b/LICENSE.md
@@ -2,7 +2,7 @@ License
 ==============
 The MIT License (MIT)
 
-Copyright (c) 2023 | Instriq.io
+Copyright (c) 2023 - 2024 | www.lesis.lat
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@
       <img src="https://img.shields.io/badge/license-MIT-blue.svg">
     </a>
      <a href="https://github.com/instriq/security-gate/releases">
-      <img src="https://img.shields.io/badge/version-0.0.3-blue.svg">
+      <img src="https://img.shields.io/badge/version-0.1.0-blue.svg">
     </a>
   </p>
 </p>
@@ -15,7 +15,7 @@
 
 ### Summary
 
-This is a project that allows you to use a Security Gate within Github, using Actions and your project's Security Alerts as an information base. Currently only Dependabot Alerts are supported, soon we will have support for Secrets and Security Advisories Alerts.
+This is a project that allows you to use a Security Gate within Github, using Actions and your project's Security Alerts as an information base. Currently alerts from DependaBot, Code Scanning and Secret Scanning are supported.
 
 You can define a vulnerability policy based on impact i.e. the number of vulnerabilities per threat, and automatically block your CI/CD pipeline if these policies are not met. This ensures that your application has greater protection, preventing codes that contain known threats from being deployed in production.
 
@@ -27,7 +27,7 @@ You need to create a token with read access to Security Alerts and configure it
 In your repository, create a YAML file at: ```.github/workflows/security-gate.yml``` with this content:
 
 ```yaml
-name: Security Gate - Instriq
+name: Security Gate - LESIS
 
 on:
   push:
@@ -78,17 +78,20 @@ $ sudo cpanm --installdeps .
 # Basic usage
 $ perl security-gate.pl --help
 
-Security Gate v0.0.3
+Security Gate v0.1.0
 Core Commands
-==============
-	Command          Description
-	-------          -----------
-        -t, --token      GitHub token
-        -r, --repo       GitHub repository
-        -c, --critical   Critical severity limit
-        -h, --high       High severity limit
-        -m, --medium     Medium severity limit
-        -l, --low        Low severity limit 
+====================
+        Command                Description
+        -------                -----------
+        -t, --token            GitHub token
+        -r, --repo             GitHub repository
+        -c, --critical         Critical severity limit
+        -h, --high             High severity limit
+        -m, --medium           Medium severity limit
+        -l, --low              Low severity limit
+        --dependency-alerts    Check for dependency alerts
+        --secret-alerts        Check for secret scanning alerts
+        --code-alerts          Check for code scanning alerts
 ```
 
 ---

diff --git a/SECURITY.md b/SECURITY.md
@@ -1,6 +1,6 @@
 # Security Policy
 
-If you find a security issue, please DO NOT submit it via the issue tracker! Instead, please follow responsible disclosure practices and send information about security issues directly to [security@instriq.io](mailto:security@instriq.io) so that a proper assessment can be made and a fix prepared before a wide announcement. You will receive an acknowledgement within 24 hours.
+If you find a security issue, please DO NOT submit it via the issue tracker! Instead, please follow responsible disclosure practices and send information about security issues directly to [security@lesis.lat](mailto:security@lesis.lat) so that a proper assessment can be made and a fix prepared before a wide announcement. You will receive an acknowledgement within 24 hours.
 
 Even in cases where you have limited or incomplete information, or you're not sure whether or not a problem constitutes a security issue, please make contact as soon as possible. We can work together to investigate, debug, and assess.
 

diff --git a/action.yml b/action.yml
@@ -40,4 +40,4 @@ runs:
           --critical $MAX_CRITICAL \
           --high $MAX_HIGH \
           --medium $MAX_MEDIUM \
-          --low $MAX_LOW
+          --low $MAX_LOW
diff --git a/lib/SecurityGate/Engine/Code.pm b/lib/SecurityGate/Engine/Code.pm
@@ -0,0 +1,59 @@
+package SecurityGate::Engine::Code {
+    use strict;
+    use warnings;
+    use Mojo::UserAgent;
+    use Mojo::JSON;
+
+    sub new {
+      my ($class, $token, $repository, $severity_limits) = @_;
+      my $alerts_endpoint   = "https://api.github.com/repos/$repository/code-scanning/alerts";      
+
+      my $userAgent = Mojo::UserAgent -> new();
+      my $alerts_request = $userAgent -> get($alerts_endpoint, {Authorization => "Bearer $token"}) -> result();
+
+      if ($alerts_request -> code() == 200) {
+        my $alerts_data = $alerts_request -> json();
+        my $open_alerts = 0;
+        my %severity_counts = map {$_ => 0} keys %$severity_limits;
+
+        foreach my $alert (@$alerts_data) {
+          if ($alert -> {state} eq "open") {
+            $open_alerts++;
+
+            my $severity = $alert -> {rule} -> {severity};
+            $severity_counts{$severity}++ if exists $severity_counts{$severity};
+          }
+        }
+
+        print "[!] Total of open code scanning alerts: $open_alerts\n";
+
+        foreach my $severity (keys %severity_counts) {
+          print "[-] $severity: $severity_counts{$severity}\n";
+        }
+
+        my $threshold_exceeded = 0;
+
+        foreach my $severity (keys %severity_counts) {
+          if ($severity_counts{$severity} > $severity_limits -> {$severity}) {
+            print "[+] More than $severity_limits->{$severity} $severity code scanning alerts found.\n";
+
+            $threshold_exceeded = 1;
+          }
+        }
+
+        if ($threshold_exceeded) {
+          return 1;
+        }
+      }
+
+      else {
+        print "Error: Unable to fetch code scanning alerts. HTTP status code: " . $alerts_request -> code() . "\n";
+
+        return 1;
+      }
+
+      return 0;
+    }
+}
+
+1;
diff --git a/lib/SecurityGate/Engine/Dependencies.pm b/lib/SecurityGate/Engine/Dependencies.pm
@@ -0,0 +1,57 @@
+package SecurityGate::Engine::Dependencies {
+    use strict;
+    use warnings;
+    use Mojo::UserAgent;
+    use Mojo::JSON;
+    use Exporter 'import';
+
+    our @EXPORT_OK = qw(@SEVERITIES);
+    our @SEVERITIES = ("critical", "high", "medium", "low");
+
+    sub new {
+        my ($class, $token, $repository, $severity_limits) = @_;
+
+        my %severity_counts = map { $_ => 0 } @SEVERITIES;
+
+        my $endpoint = "https://api.github.com/repos/$repository/dependabot/alerts";
+        my $userAgent = Mojo::UserAgent -> new();
+        my $request = $userAgent -> get($endpoint, {Authorization => "Bearer $token"}) -> result();
+
+        if ($request -> code() == 200) {
+            my $data = $request -> json();
+
+            foreach my $alert (@$data) {
+                if ($alert -> {state} eq "open") {
+                    my $severity = $alert -> {security_vulnerability} -> {severity};
+                    $severity_counts{$severity}++;
+                }
+            }
+
+            print "[!] Total of security alerts:\n\n";
+
+            foreach my $severity (@SEVERITIES) {
+                print "[-] $severity: $severity_counts{$severity}\n";
+            }
+
+            print "\n";
+
+            my $threshold_exceeded = 0;
+
+            foreach my $severity (@SEVERITIES) {
+                if ($severity_counts{$severity} > $severity_limits -> {$severity}) {
+                    print "[+] More than $severity_limits->{$severity} $severity security alerts found.\n";
+                    $threshold_exceeded = 1;
+                }
+            }
+
+            return $threshold_exceeded;
+        }
+
+        else {
+            print "Error: Unable to fetch alerts. HTTP status code: " . $request -> code() . "\n";
+            return 1;
+        }
+    }
+}
+
+1;
diff --git a/lib/SecurityGate/Engine/Secrets.pm b/lib/SecurityGate/Engine/Secrets.pm
@@ -0,0 +1,65 @@
+package SecurityGate::Engine::Secrets {
+    use strict;
+    use warnings;
+    use Mojo::UserAgent;
+    use Mojo::JSON;
+
+    sub new {
+      my ($class, $token, $repository) = @_;
+
+      my $endpoint = "https://api.github.com/repos/$repository/secret-scanning/alerts";
+      my $userAgent = Mojo::UserAgent -> new();
+      my $request = $userAgent -> get($endpoint, {Authorization => "Bearer $token"}) -> result();
+
+      if ($request -> code() == 200) {
+        my $data = $request -> json();
+        my $open_alerts = 0;
+        my @alert_details;
+
+        foreach my $alert (@$data) {
+          if ($alert -> {state} eq "open") {
+            $open_alerts++;
+
+            my $locations_endpoint = "https://api.github.com/repos/$repository/secret-scanning/alerts/$alert -> {number}/locations";
+            my $locations_request = $userAgent -> get($locations_endpoint, {Authorization => "Bearer $token"}) -> result();
+
+            if ($locations_request -> code() == 200) {
+              my $locations = $locations_request -> json();
+
+              push @alert_details, {
+                alert_number => $alert -> {number},
+                locations    => $locations,
+              };
+            }
+          }
+        }
+
+        if ($open_alerts > 0) {
+          print "[!] Total of open secret scanning alerts: $open_alerts\n";
+
+          foreach my $detail (@alert_details) {
+            print "[-] Alert $detail -> {alert_number} found in the following locations:\n";
+
+            foreach my $location (@{$detail -> {locations}}) {
+              print "    File: $location -> {path}, Start line: $location -> {start_line}\n";
+            }
+          }
+
+          print "[+] Secret scanning alert(s) found. Blocking pipeline.\n";
+          return 1;
+        }
+
+        else {
+          print "[-] No secret scanning alerts found.\n";
+          return 0;
+        }
+      }
+
+      else {
+        print "Error: Unable to fetch secret scanning alerts. HTTP status code: " . $request -> code() . "\n";
+        return 1;
+      }
+  }
+}
+
+1;
diff --git a/lib/SecurityGate/Utils/Helper.pm b/lib/SecurityGate/Utils/Helper.pm
@@ -0,0 +1,24 @@
+package SecurityGate::Utils::Helper {
+    use strict;
+	use warnings;
+
+	sub new {
+	      return "
+                \rSecurity Gate v0.1.0
+                \rCore Commands
+                \r====================
+                \r\tCommand                Description
+                \r\t-------                -----------
+                \r\t-t, --token            GitHub token
+                \r\t-r, --repo             GitHub repository, organization/repository-name
+                \r\t-c, --critical         Critical severity limit
+                \r\t-h, --high             High severity limit
+                \r\t-m, --medium           Medium severity limit
+                \r\t-l, --low              Low severity limit
+                \r\t--dependency-alerts    Check for dependency alerts
+                \r\t--secret-alerts        Check for secret scanning alerts
+                \r\t--code-alerts          Check for code scanning alerts\n\n";
+	}
+}
+
+1;