Merge pull request #70 from theztefan/main

Secret Scanning and Dependabot alerts support along with a project restruct
advanced-security · Aug 9, 2024 · db44608 · db44608
2 parents 910e4d4 + ef6560b
commit db44608
Show file tree

Hide file tree

Showing 20 changed files with 1,061 additions and 462 deletions.
diff --git a/.gitignore b/.gitignore
@@ -134,3 +134,5 @@ dmypy.json
 
 # Pyre type checker
 .pyre/
+
+.DS_Store
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM python:3.11
+FROM python:alpine3.19
 
 ARG user=python
 ARG home=/home/$user
@@ -19,5 +19,5 @@ ENV PYTHONPATH "${PYTHONPATH}:/ghasreview"
 RUN python3 -m pip install pipenv && \
     python3 -m pipenv sync --system 
 
-CMD ["python3", "-m", "ghasreview"]
-#CMD ["gunicorn", "wsgi:app", "--bind", "0.0.0.0:8000", "--workers=2"]
+#CMD ["python3", "-m", "ghasreview"]
+CMD ["pipenv", "run", "production"]
diff --git a/Pipfile b/Pipfile
@@ -9,6 +9,7 @@ ghapi = "*"
 gunicorn = "*"
 ghastoolkit = "*"
 "github3.py" = "*"
+python-dotenv = "*"
 
 [dev-packages]
 black = "*"
@@ -20,6 +21,6 @@ lint = "python -m black --check ."
 # Run flask app
 watch = "gunicorn ghasreview.app:app --reload --bind 0.0.0.0:9000"
 develop = "gunicorn ghasreview.app:app --bind 0.0.0.0:9000 --log-level=debug --workers=4"
-production = "gunicorn wsgi:app --bind 0.0.0.0:9000 --workers=4"
+production = "gunicorn ghasreview.app:app --config gunicorn_config.py"
 # Tests
 test-e2e = "python -m ghasreview --test-mode"
diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/README.md b/README.md
@@ -25,10 +25,11 @@ This allows security experts to provide 4-eyes principle over all security alert
 ## ✨ Features
 
 - Re-open closed alerts if an unapproved users changes the alert
+- Notifies Security Team for vulneraiblities found in PR and assigns them as reviewers. **Requires security team to be repository collaborators.**
 - GitHub Advanced Security Features
   - [x] [Code Scanning][github-codescanning] alerts
-  - [ ] [Secret Scanning][github-secretscanning] alerts
-  - [ ] [Dependabot][github-supplychain] alerts
+  - [x] [Secret Scanning][github-secretscanning] alerts
+  - [x] [Dependabot][github-supplychain] alerts
 
 ## ⚡️ Requirements
 
@@ -49,6 +50,8 @@ Store the App key so the service can read it from the path provided along with t
 
 **Environment Variable:**
 
+Create a `.env` file in the root of the project with the following environment variables.
+
 ```env
 # Application ID
 GITHUB_APP_ID=123456
@@ -58,14 +61,30 @@ GITHUB_APP_KEY_PATH=./config/key.pem
 GITHUB_APP_KEY=-----BEGIN PRIVATE KEY-----\n...
 # Webhook Secret
 GITHUB_APP_SECRET=123456789012345678901234567890
+GITHUB_APP_ENDPOINT=/
+GITHUB_GHAS_TEAM="sec_team"
 ```
 
+You can also use the following CLI arguments to pass the configuration.
+
+If you choose to pass the private key via a file just store the key in a file and pass the path to the file. In our case, we store the key in `./config/key.pem`. You will later mount this file into the container.
+
 #### Permissions
 
 The GitHub App requires the following permissions:
 
 - Repository
-  - [x] Security Events: Read & Write
+
+  - [x] Code scanning alerts: Read & Write
+  - [x] Dependabot alerts: Read & Write
+  - [x] Secrets scanning alerts: Read & Write
+  - [x] Issues: Read & Write
+  - [x] Pull requests: Read & Write
+
+- Webhook events
+  - [x] Code scanning alerts
+  - [x] Dependabot alerts
+  - [x] Secret scanning alerts
 
 ### Container / Docker
 
@@ -81,7 +100,13 @@ docker pull ghcr.io/advanced-security/ghas-reviewer-app:main
 **Or Build From Source:**
 
 ```bash
-docker build -t {org}/ghas-reviewer-app .
+docker build -t advanced-security/ghas-reviewer-app .
+```
+
+or build locally
+
+```bash
+docker build -t advanced-security/ghas-reviewer-app .
 ```
 
 **Run Docker Image:**
@@ -90,10 +115,22 @@ docker build -t {org}/ghas-reviewer-app .
 docker run \
     --env-file=.env \
     -v ./config:/ghasreview/config \
-    -p 8000:8000 \ 
+    -p 9000:9000 \
     ghcr.io/advanced-security/ghas-reviewer-app:main
 ```
 
+or run it locally
+
+```bash
+docker run \
+    --env-file=.env \
+    -v ./config:/ghasreview/config \
+    -p 9000:9000 \
+    advanced-security/ghas-reviewer-app
+```
+
+\*\*Run
+
 ### Docker Compose
 
 If you are testing the GitHub App you can quickly use Docker Compose to spin-up the container.
@@ -103,14 +140,31 @@ docker-compose build
 docker-compose up -d
 ```
 
+## Local Development
+
+If you want to run the application locally you can use the following the same steps as abouve meaning you need to creeate an GitHub App, store the private key and set the environment variables.
+
+After you have set the environment variables you can run the application using the following commands.
+
+```bash
+# We are using Pipenv for dependency management
+pip install pipenv
+
+# Install dependencies
+pipenv install --dev
+
+# Run the application
+pipenv run develop
+```
+
 ## Limitations
 
-- Pull Request require team approval
-- No Dependabot or Secret Scanning support
+- Pull Request require team approval. The security team needs to be repository collaborator.
 
 ## Maintainers / Contributors
 
 - [@GeekMasher](https://github.com/GeekMasher) - Author / Core Maintainer
+- [@theztefan](https://github.com/theztefan) - Contributor
 
 ## Support
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,15 +1,11 @@
-version: "3.2"
-
-
 services:
   ghasreview:
-    image: ghcr.io/geekmasher/ghas-reviewer-app:main
-    container_name: ghasreview
+    build: .
+    container_name: advanced-security/ghas-reviewer-app
     env_file: .env
     ports:
-      - "8000:8000"
+      - "9000:9000"
     volumes:
       - ./config:/ghasreview/config
     security_opt:
-      - no-new-privileges:true
-
+      - no-new-privileges:true
diff --git a/ghasreview/__init__.py b/ghasreview/__init__.py
@@ -1,3 +1,3 @@
-__version__ = "0.4.0"
+__version__ = "0.5.0"
 
-__url__ = "https://github.com/GeekMasher/ghas-reviewer-app"
+__url__ = "https://github.com/advanced-security/ghas-reviewer-app"