From 7861aa57fe49dfbda2e827d442e58beadd283eb2 Mon Sep 17 00:00:00 2001 From: priv <140729444+scriptprivate@users.noreply.github.com> Date: Thu, 29 Aug 2024 13:50:52 -0300 Subject: [PATCH] feat(secrets): add severity threshold and improve output formatting --- lib/SecurityGate/Engine/Secrets.pm | 87 +++++++++++++++--------------- 1 file changed, 44 insertions(+), 43 deletions(-)
diff --git a/lib/SecurityGate/Engine/Secrets.pm b/lib/SecurityGate/Engine/Secrets.pm
index 77703ab..deb44dd 100644
--- a/lib/SecurityGate/Engine/Secrets.pm
+++ b/lib/SecurityGate/Engine/Secrets.pm
@@ -5,61 +5,62 @@ package SecurityGate::Engine::Secrets {
 use Mojo::JSON;
 sub new {
- my ($class, $token, $repository) = @_;
+ my ($class, $token, $repository, $severity_limits) = @_;
- my $endpoint = "https://api.github.com/repos/$repository/secret-scanning/alerts";
- my $userAgent = Mojo::UserAgent -> new();
- my $request = $userAgent -> get($endpoint, {Authorization => "Bearer $token"}) -> result();
+ my $endpoint = "https://api.github.com/repos/$repository/secret-scanning/alerts";
+ my $userAgent = Mojo::UserAgent -> new();
+ my $request = $userAgent -> get($endpoint, {Authorization => "Bearer $token"}) -> result();
- if ($request -> code() == 200) {
- my $data = $request -> json();
- my $open_alerts = 0;
- my @alert_details;
+ if ($request -> code() == 200) {
+ my $data = $request -> json();
+ my $open_alerts = 0;
+ my @alert_details;
- foreach my $alert (@$data) {
- if ($alert -> {state} eq "open") {
- $open_alerts++;
+ foreach my $alert (@$data) {
+ if ($alert -> {state} eq "open") {
+ $open_alerts++;
- my $locations_endpoint = "https://api.github.com/repos/$repository/secret-scanning/alerts/$alert -> {number}/locations";
- my $locations_request = $userAgent -> get($locations_endpoint, {Authorization => "Bearer $token"}) -> result();
+ my $locations_endpoint = "https://api.github.com/repos/$repository/secret-scanning/alerts/$alert -> {number}/locations";
+ my $locations_request = $userAgent -> get($locations_endpoint, {Authorization => "Bearer $token"}) -> result();
- if ($locations_request -> code() == 200) {
- my $locations = $locations_request -> json();
-
- push @alert_details, {
- alert_number => $alert -> {number},
- locations => $locations,
- };
+ if ($locations_request -> code() == 200) {
+ my $locations = $locations_request -> json();
+
+ push @alert_details, {
+ alert_number => $alert -> {number},
+ locations => $locations,
+ };
+ }
+ }
 }
- }
- }
- if ($open_alerts > 0) {
- print "[!] Total of open secret scanning alerts: $open_alerts\n";
-
- foreach my $detail (@alert_details) {
- print "[-] Alert $detail -> {alert_number} found in the following locations:\n";
-
- foreach my $location (@{$detail -> {locations}}) {
- print " File: $location -> {path}, Start line: $location -> {start_line}\n";
+ print "[!] Total of open secret scanning alerts: $open_alerts\n";
+
+ foreach my $detail (@alert_details) {
+ print "[-] Alert " . $detail -> {alert_number} . " found in the following locations:\n";
+
+ foreach my $location (@{$detail -> {locations}}) {
+ print " File: " . $location -> {path} . ", Start line: " . $location -> {start_line} . "\n";
+ }
 }
- }
- print "[+] Secret scanning alert(s) found. Blocking pipeline.\n";
- return 1;
+ my $threshold = $severity_limits -> {high};
+ if ($open_alerts > $threshold) {
+ print "[+] More than $threshold secret scanning alerts found. Blocking pipeline.\n";
+ return 1;
+ }
+
+ else {
+ print "[-] Number of secret scanning alerts ($open_alerts) is within the acceptable limit ($threshold).\n";
+ return 0;
+ }
 }
 else {
- print "[-] No secret scanning alerts found.\n";
- return 0;
+ print "Error: Unable to fetch secret scanning alerts. HTTP status code: " . $request -> code() . "\n";
+ return 1;
 }
- }
-
- else {
- print "Error: Unable to fetch secret scanning alerts. HTTP status code: " . $request -> code() . "\n";
- return 1;
- }
- }
+ }
 }
-1;
\ No newline at end of file
+1;
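Review bot: `my $threshold = $severity_limits -> {high};` in the added block has no default, so when the caller passes no limits hash or one without a `high` key, `$threshold` is undef: `$open_alerts > $threshold` then compares against 0 with an uninitialized-value warning and both messages interpolate an empty limit. Suggest `my $threshold = $severity_limits -> {high} // 0;` (or `croak` on a missing key) so the fail-closed behaviour is explicit rather than accidental. A related gap now that the count drives a threshold: `$open_alerts` comes from one unpaginated GET of `/secret-scanning/alerts`, and the GitHub API pages this endpoint (30 items per page by default), so a repository with more open alerts than one page can have its count capped and pass a limit it actually exceeds — follow the `Link` header / `page` parameter, or at least request `state=open` with a larger `per_page`. Minor: the `print "[!] Total of open secret scanning alerts: $open_alerts\n"` line now runs even when `$open_alerts` is 0, where the removed `[-] No secret scanning alerts found.` message was clearer.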