Add NG SAST workflow examples (#6)

Author: ursachec

.github/workflows/ngsast-docker.yml

@@ -0,0 +1,42 @@
+# This workflow integrates ShiftLeft Inspect with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft NG SAST Docker
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: Analyze code inside Docker context
+ run: |
+ docker build --build-arg BRANCH="${{ github.head_ref || steps.extract_branch.outputs.branch }}" --build-arg SHIFTLEFT_ACCESS_TOKEN=$SHIFTLEFT_ACCESS_TOKEN .
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+ Build-Rules:
+ runs-on: ubuntu-20.04
+ needs: NextGen-Static-Analysis
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: Validate Build Rules
+ run: ${GITHUB_WORKSPACE}/sl check-analysis --app flask-webgoat-docker --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" --report --github-pr-number=${{github.event.number}} --github-pr-user=${{ github.repository_owner }} --github-pr-repo=${{ github.event.repository.name }} --github-token=${{ secrets.GITHUB_TOKEN }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}

.github/workflows/ngsast.yml

@@ -0,0 +1,49 @@
+# This workflow integrates ShiftLeft Inspect with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft NG SAST
+
+on:
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ NextGen-Static-Analysis:
+ runs-on: ubuntu-20.04
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - uses: actions/setup-python@v2
+ with:
+ python-version: '3.8.5'
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: Analyze codebase
+ run: |
+ python3 -m venv .venv
+ . .venv/bin/activate
+ pip install --upgrade setuptools wheel
+ pip install -r requirements.txt
+ ${GITHUB_WORKSPACE}/sl analyze --app flask-webgoat --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --python --cpg --godmodeon .
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+ Build-Rules:
+ runs-on: ubuntu-20.04
+ needs: NextGen-Static-Analysis
+ steps:
+ - uses: actions/checkout@v2
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: Validate Build Rules
+ run: ${GITHUB_WORKSPACE}/sl check-analysis --app flask-webgoat --branch "${{ github.head_ref || steps.extract_branch.outputs.branch }}" --report --github-pr-number=${{github.event.number}} --github-pr-user=${{ github.repository_owner }} --github-pr-repo=${{ github.event.repository.name }} --github-token=${{ secrets.GITHUB_TOKEN }}
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}

Dockerfile

@@ -0,0 +1,20 @@
+FROM python:3.8.5-buster
+
+# docker build --build-arg SHIFTLEFT_ACCESS_TOKEN=$SHIFTLEFT_ACCESS_TOKEN
+ARG SHIFTLEFT_ACCESS_TOKEN
+ARG BRANCH=master
+
+WORKDIR /app
+COPY . /app/
+
+# Download ShiftLeft
+RUN curl https://cdn.shiftleft.io/download/sl > sl && chmod a+rx sl
+
+# Create virtual env
+RUN python3 -m venv .venv \
+ && . .venv/bin/activate \
+ && pip install --upgrade setuptools wheel \
+ && pip install -r requirements.txt
+
+# Perform sl analysis
+RUN ./sl analyze --app flask-webgoat-docker --tag branch=$BRANCH --python --cpg --beta .

shiftleft.yml

@@ -0,0 +1,12 @@
+build_rules:
+ - id: allow-ten-findings
+ finding_types:
+ - vuln
+ - secret
+ - insight
+ - extscan
+ severity:
+ - SEVERITY_MEDIUM_IMPACT
+ - SEVERITY_HIGH_IMPACT
+ - SEVERITY_LOW_IMPACT
+ threshold: 10