ci: add sast

semgr8ns · Feb 1, 2024 · b627a03 · b627a03
1 parent 2648474
commit b627a03
Show file tree

Hide file tree

Showing 6 changed files with 123 additions and 71 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -12,6 +12,30 @@ updates:
       pip-packages:
         patterns:
           - "*"
+  - package-ecosystem: "pip"
+    directory: "/docs"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "update"
+    insecure-external-code-execution: "deny"
+    target-branch: "dev"
+    groups:
+      pip-packages:
+        patterns:
+          - "*"
+  - package-ecosystem: "pip"
+    directory: "/tests"
+    schedule:
+      interval: "monthly"
+    commit-message:
+      prefix: "update"
+    insecure-external-code-execution: "deny"
+    target-branch: "dev"
+    groups:
+      pip-packages:
+        patterns:
+          - "*"
   - package-ecosystem: "docker"
     directory: "/docker"
     schedule:

diff --git a/.github/workflows/.reusable-sast.yml b/.github/workflows/.reusable-sast.yml
@@ -16,6 +16,47 @@ on:
 #permissions: {}  #TODO: reactivate for non-private
 
 jobs:
+  bandit:
+    runs-on: ubuntu-latest
+    if: |
+      (github.actor != 'dependabot[bot]') &&
+      inputs.skip != 'all'
+    permissions:
+      security-events: write
+    container:
+      image: python:slim
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install Packages
+        run: pip3 install -r tests/requirements.txt
+      - name: Run Bandit
+        if: inputs.output == 'table'
+        run: bandit -r -f screen semgr8s/
+      - name: Run Bandit
+        if: inputs.output == 'sarif'
+        run: bandit -r -f sarif -o bandit-results.sarif semgr8s/ --exit-zero
+      - name: Upload
+        if: inputs.output == 'sarif'
+        uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+        with:
+          sarif_file: 'bandit-results.sarif'
+
+  black:
+    runs-on: ubuntu-latest
+    if: |
+      (github.actor != 'dependabot[bot]') &&
+      inputs.skip != 'non-required' &&
+      inputs.skip != 'all'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install packages
+        run: pip3 install -r tests/requirements.txt
+      - name: Test formatting
+        run: |
+          python3 -m black . 2>&1 | grep -q "reformatted" && { echo 'Not properly formatted.'; exit 1; } || true
+
   checkov:
     runs-on: ubuntu-latest
     if: |
@@ -32,7 +73,7 @@ jobs:
           rm -rf test # remove 'test' folder from scan #TODO: fix once final
           rm -rf tests # remove 'tests' folder from scan
           mkdir deployment
-          helm template charts/connaisseur > deployment/deployment.yaml
+          helm template charts/semgr8s > deployment/deployment.yaml
         shell: bash
       - name: Scan
         if: inputs.output == 'table'
@@ -58,66 +99,19 @@ jobs:
     if: |
       (github.actor != 'dependabot[bot]') &&
       inputs.skip != 'non-required' &&
-      inputs.skip != 'all' &&
-      inputs.output == 'sarif'
-    #    permissions:  #TODO: reactivate for non-private
-    #      pull-requests: read
-    #      security-events: write
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7
-        with:
-          languages: 'go'
-      - name: Analyze
-        uses: github/codeql-action/analyze@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7
-
-  golangci-lint:
-    runs-on: ubuntu-latest
-    if: |
-      (github.actor != 'dependabot[bot]') &&
-      inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      security-events: write
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
-        with:
-          cache: false
-          go-version: '1.21'
-      - name: Analyze
-        uses: golangci/golangci-lint-action@3a919529898de77ec3da873e3063ca4b10e7f5cc # v3.7.0
-        with:
-          version: latest
-          args: '--timeout=10m --skip-dirs="test" --tests=false'
-
-  gosec:
-    runs-on: ubuntu-latest
-    if: |
-      (github.actor != 'dependabot[bot]') &&
       inputs.skip != 'all'
-    #    permissions:  #TODO: reactivate for non-private
-    #      security-events: write
+    permissions:
+      security-events: write
+      pull-requests: read
     steps:
-      - name: Checkout code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Analyze
-        uses: securego/gosec@55d79496019a560e16e73e1948dee20a1fad631a # v2.18.2
-        if: inputs.output == 'table'
-        with:
-          args: '-fmt text -exclude-dir=test -exclude-dir=tools ./...'
-      - name: Analyze
-        uses: securego/gosec@55d79496019a560e16e73e1948dee20a1fad631a # v2.18.2
-        if: inputs.output == 'sarif'
-        with:
-          args: '-exclude-dir=test -exclude-dir=tools -no-fail -fmt sarif -out gosec-results.sarif ./...'
-      - name: Upload
-        uses: github/codeql-action/upload-sarif@66b90a5db151a8042fa97405c6cf843bbe433f7b # v2.22.7
-        if: inputs.output == 'sarif'
-        with:
-          sarif_file: 'gosec-results.sarif'
+    - name: Checkout repository
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
+      with:
+        languages: 'python'
+    - name: Analyze
+      uses: github/codeql-action/analyze@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
 
   hadolint:
     runs-on: ubuntu-latest
@@ -167,14 +161,14 @@ jobs:
         if: inputs.output == 'table'
         with:
           config: .kube-linter/config.yaml
-          directory: charts/connaisseur
+          directory: charts/semgr8s
           format: plain
       - name: Scan
         uses: stackrox/kube-linter-action@ca0d55b925470deb5b04b556e6c4276ea94d03c3 # v1.0.4
         if: inputs.output == 'sarif'
         with:
           config: .kube-linter/config.yaml
-          directory: charts/connaisseur
+          directory: charts/semgr8s
           format: sarif
           output-file: kubelinter-results.sarif
       - name: Upload
@@ -183,6 +177,22 @@ jobs:
         with:
           sarif_file: 'kubelinter-results.sarif'
 
+  pylint:
+    runs-on: ubuntu-latest
+    if: |
+      (github.actor != 'dependabot[bot]') &&
+      inputs.skip != 'all'
+    container:
+      image: python:3.11-slim
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Install
+        run: |
+          pip3 install -r tests/requirements.txt
+      - name: Lint
+        run: pylint --ignore-patterns=tests,coverage semgr8s
+
   semgrep:
     runs-on: ubuntu-latest
     if: |

diff --git a/.github/workflows/.reusable-unit-test.yml b/.github/workflows/.reusable-unit-test.yml
@@ -18,15 +18,12 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Setup
-        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
-        with:
-          go-version: '1.21'
-      - name: Test
-        if: inputs.skip == 'non-required'
-        run: go test ./cmd/... -coverprofile=coverage.out -covermode=atomic
+      - name: Install
+        run: |
+          pip3 install -r tests/requirements.txt && pip3 install .
       - name: Test
-        if: inputs.skip != 'non-required'
-        run: go test ./... -race -coverprofile=coverage.out -covermode=atomic
+        run: pytest --cov=semgr8s --cov-report=xml tests/
       - name: Upload
         uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # v3.1.4
+        with:
+          file: coverage.xml
diff --git a/docs/requirements.txt b/docs/requirements.txt
@@ -0,0 +1,2 @@
+mkdocs-material~=9.4.14
+mike~=2.0.0
diff --git a/semgr8s/app.py b/semgr8s/app.py
@@ -79,7 +79,11 @@ def validate():
                 ["* " + f["check_id"] for f in results["results"]]
             )
             APP.logger.debug("+ %s findings: %s", num_findings, findings)
-            return send_response(False, uid, f"Found {num_findings} violation(s) of the following policies: {findings}")
+            return send_response(
+                False,
+                uid,
+                f"Found {num_findings} violation(s) of the following policies: {findings}",
+            )
     except Exception as err:
         return send_response(False, uid, f"Webhook exception: {err}")
     finally:

diff --git a/tests/requirements.txt b/tests/requirements.txt
@@ -0,0 +1,15 @@
+-r requirements.txt
+aioresponses~=0.7.6
+bandit~=1.7.7
+band-sarif-formatter~=1.1.1
+black~=24.1.1
+freezegun~=1.2.2
+parsedatetime~=2.6
+pylint~=3.0.2
+pytest-asyncio~=0.21.1
+pytest-cov~=4.1.0
+pytest-mock~=3.12.0
+pytest-subprocess~=1.5.0
+requests-mock~=1.11.0
+setuptools~=69.0.2
+wheel~=0.42.0