diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index f59d333..ee596c8 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1 +1 @@ -* @theztefan @dcodx \ No newline at end of file +* @theztefan @david3107 \ No newline at end of file diff --git a/.github/CONTRIBUTING.md b/.github/CONTRIBUTING.md index da42f6f..0586d7b 100644 --- a/.github/CONTRIBUTING.md +++ b/.github/CONTRIBUTING.md @@ -36,6 +36,6 @@ For any issues or suggestions for improvement, please create an issue on the pro ## 🤝 Code of Conduct -This project adheres to a [Code of Conduct](.github/CODE_OF_CONDUCT.md). Participation in the GitArmor project means you agree to respect the code of conduct and treat all members of the community with kindness and respect. 💖 +This project adheres to a [Code of Conduct](CODE_OF_CONDUCT.md). Participation in the GitArmor project means you agree to respect the code of conduct and treat all members of the community with kindness and respect. 💖 Thank you for your contribution and involvement in making this project better! 🙏 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml deleted file mode 100644 index 6813845..0000000 --- a/.github/workflows/codeql.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -name: "CodeQL" - -on: - push: - branches: [ "main" ] - paths-ignore: - - '**/*.md' - - '**/*.txt' - - '**/*.yml' - - '**/*.png' - pull_request: - branches: [ "main" ] - paths-ignore: - - '**/*.md' - - '**/*.txt' - - '**/*.yml' - - '**/*.png' - schedule: - - cron: '29 3 * * 6' - -jobs: - analyze: - name: Analyze (${{ matrix.language }}) - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} - timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} - permissions: - security-events: write - packages: read - actions: read - contents: read - - strategy: - fail-fast: false - matrix: - include: - - language: javascript-typescript - build-mode: none - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - build-mode: ${{ matrix.build-mode }} - queries: "security-extended" - paths: "src" - paths-ignore: "**/*.test.ts" - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:${{matrix.language}}" - diff --git a/README.md b/README.md index 1854b09..78f44c9 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,8 @@ # GitArmor -gitarmor logo +
+ gitarmor logo +
GitArmor is a handy tool that makes it easy to assess the secure setup of your developer platform. diff --git a/dist/evaluators/repository/WebHooksChecks.js b/dist/evaluators/repository/WebHooksChecks.js index f877a2f..0a4f25d 100644 --- a/dist/evaluators/repository/WebHooksChecks.js +++ b/dist/evaluators/repository/WebHooksChecks.js @@ -12,7 +12,6 @@ class WebHooksChecks { // check whether the repository has self hosted runners enabled async checkWebHooks() { const webhooks = await (0, WebHooks_1.getWebHooks)(this.repository.owner, this.repository.name); - console.log(webhooks); // for each webhook in webhooks extract the domain and check if it is in the allowed list in the policy, if not return false const allowedDomains = this.policy.webhooks.allowed_domains; const notAllowedDomains = []; diff --git a/dist/github/Utils.js b/dist/github/Utils.js deleted file mode 100644 index b5defcd..0000000 --- a/dist/github/Utils.js +++ /dev/null @@ -1,15 +0,0 @@ -"use strict"; -Object.defineProperty(exports, "__esModule", { value: true }); -exports.getRepoFile = void 0; -const GitArmorKit_1 = require("./GitArmorKit"); -//Given a certain path in a repository, get the contents of the file -const getRepoFile = async (owner, repo, path) => { - const octokit = new GitArmorKit_1.GitArmorKit(); - const response = await octokit.rest.repos.getContent({ - owner: owner, - repo: repo, - path: path, - }); - return response.data; -}; -exports.getRepoFile = getRepoFile; diff --git a/dist/index.js b/dist/index.js index 6aba795..2ceef20 100644 --- a/dist/index.js +++ b/dist/index.js 
@@ -48856,7 +48856,6 @@ class WebHooksChecks { // check whether the repository has self hosted runners enabled async checkWebHooks() { const webhooks = await (0, WebHooks_1.getWebHooks)(this.repository.owner, this.repository.name); - console.log(webhooks); // for each webhook in webhooks extract the domain and check if it is in the allowed list in the policy, if not return false const allowedDomains = this.policy.webhooks.allowed_domains; const notAllowedDomains = []; @@ -49506,6 +49505,12 @@ const Report_1 = __nccwpck_require__(9382); const policies_1 = __nccwpck_require__(7700); const core = __importStar(__nccwpck_require__(2186)); const run = async () => { + Logger_1.logger.info(` + + GitArmor + by dcodx.com - version 1.0 + + `); try { const startTime = process.hrtime(); const inputs = (0, Input_1.parseInputs)(); @@ -49514,7 +49519,6 @@ const run = async () => { let report = new Report_1.Report(); report.addInput(inputs); report.addPolicy(policies); - const policyEvaluator = null; // depending on which input.level is provided, run the appropriate checks if (inputs.level === "organization") { Logger_1.logger.info("Running org level checks"); diff --git a/dist/main.js b/dist/main.js index 987fde7..d2d4db5 100644 --- a/dist/main.js +++ b/dist/main.js @@ -32,6 +32,12 @@ const Report_1 = require("./reporting/Report"); const policies_1 = require("./utils/policies"); const core = __importStar(require("@actions/core")); const run = async () => { + Logger_1.logger.info(` + + GitArmor + by dcodx.com - version 1.0 + + `); try { const startTime = process.hrtime(); const inputs = (0, Input_1.parseInputs)(); @@ -40,7 +46,6 @@ const run = async () => { let report = new Report_1.Report(); report.addInput(inputs); report.addPolicy(policies); - const policyEvaluator = null; // depending on which input.level is provided, run the appropriate checks if (inputs.level === "organization") { Logger_1.logger.info("Running org level checks"); 
diff --git a/policies/organization.threats.md b/policies/organization.threats.md index 2b5847c..1962699 100644 --- a/policies/organization.threats.md +++ b/policies/organization.threats.md @@ -9,3 +9,4 @@ In this section we define the threats that could affect the organization securit An unauthorized actor could gain access to the organization repositories and exfiltrate sensitive data or inject malicious code. + diff --git a/src/evaluators/OrgPolicyEvaluator.ts b/src/evaluators/OrgPolicyEvaluator.ts index 546a50f..d8c50ec 100644 --- a/src/evaluators/OrgPolicyEvaluator.ts +++ b/src/evaluators/OrgPolicyEvaluator.ts @@ -4,7 +4,6 @@ import { OrgGHASChecks } from "./organization/OrgGHASChecks"; import { OrgAuthenticationChecks } from "./organization/OrgAuthenticationChecks"; import { OrgCustomRolesChecks } from "./organization/OrgCustomRolesChecks"; import { getOrganization } from "../github/Organization"; -import { FilesExistChecks } from "./multipurpose/FilesExistChecks"; import { PrivilegesChecks } from "./organization/PrivilegesChecks"; export class OrgPolicyEvaluator { diff --git a/src/evaluators/organization/OrgCustomRolesChecks.ts b/src/evaluators/organization/OrgCustomRolesChecks.ts index 81aa3cc..9220d7a 100644 --- a/src/evaluators/organization/OrgCustomRolesChecks.ts +++ b/src/evaluators/organization/OrgCustomRolesChecks.ts @@ -1,6 +1,5 @@ import { Organization, CheckResult } from "../../types/common/main"; import { getCustomRolesForOrg } from "../../github/Organization"; -import { logger } from "../../utils/Logger"; export class OrgCustomRolesChecks { private policy: any; diff --git a/src/evaluators/organization/OrgGHASChecks.ts b/src/evaluators/organization/OrgGHASChecks.ts index c7fa79d..89e269d 100644 --- a/src/evaluators/organization/OrgGHASChecks.ts +++ b/src/evaluators/organization/OrgGHASChecks.ts 
@@ -1,6 +1,5 @@ import { Organization, CheckResult } from "../../types/common/main"; import { getSecurityTeamsForOrg } from "../../github/Organization"; -import { logger } from "../../utils/Logger"; export class OrgGHASChecks { private policy: any; diff --git a/src/evaluators/repository/ActionsChecks.ts b/src/evaluators/repository/ActionsChecks.ts index 92f996a..78b5d44 100644 --- a/src/evaluators/repository/ActionsChecks.ts +++ b/src/evaluators/repository/ActionsChecks.ts @@ -2,8 +2,6 @@ import { CheckResult, Repository } from "../../types/common/main"; import { getRepoActionsPermissions, getRepoSelectedActions, - getRepoWorkflows, - getRepoWorkflowActions, } from "../../github/Actions"; import { logger } from "../../utils/Logger"; diff --git a/src/evaluators/repository/WebHooksChecks.ts b/src/evaluators/repository/WebHooksChecks.ts index cc4daf0..6b84053 100644 --- a/src/evaluators/repository/WebHooksChecks.ts +++ b/src/evaluators/repository/WebHooksChecks.ts @@ -1,6 +1,5 @@ import { CheckResult, Repository } from "../../types/common/main"; import { getWebHooks, getWebHookConfig } from "../../github/WebHooks"; -import { logger } from "../../utils/Logger"; export class WebHooksChecks { private policy: any; @@ -18,7 +17,6 @@ export class WebHooksChecks { this.repository.name, ); - console.log(webhooks); // for each webhook in webhooks extract the domain and check if it is in the allowed list in the policy, if not return false const allowedDomains = this.policy.webhooks.allowed_domains; diff --git a/src/github/Actions.ts b/src/github/Actions.ts index d4add4c..c7be3c0 100644 --- a/src/github/Actions.ts +++ b/src/github/Actions.ts @@ -1,7 +1,6 @@ import { Endpoints } from "@octokit/types"; import { GitArmorKit } from "./GitArmorKit"; import { logger } from "../utils/Logger"; -import { getRepoFile } from "./Utils"; //Get GitHub Actions permissions for a repository export const getRepoActionsPermissions = async ( 
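Review bot: In the second WebHooksChecks.ts hunk, once the diagnostic `console.log(webhooks)` is gone the next line `const allowedDomains = this.policy.webhooks.allowed_domains;` still dereferences `webhooks` on a `policy` declared as `any`, so a repo policy with no `webhooks` section makes checkWebHooks throw a TypeError rather than produce a check result. A guard such as `const allowedDomains: string[] = this.policy.webhooks?.allowed_domains ?? [];` keeps the evaluation alive and turns the absent section into an explicit outcome (fail-closed with an empty allow-list, or a skipped check if that is what the policy schema intends); the `private policy: any` in the first hunk is what lets this slip past the compiler. Dropping the log is itself worthwhile, since the hook objects carry the delivery URLs the loop extracts domains from and those would otherwise end up in the Actions run log. checkWebHooks starts before this hunk and continues past it.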
diff --git a/src/github/Issues.ts b/src/github/Issues.ts index c0d948d..b948a69 100644 --- a/src/github/Issues.ts +++ b/src/github/Issues.ts @@ -1,4 +1,3 @@ -import { Issue } from "../types/common/main"; import { GitArmorKit } from "./GitArmorKit"; // export class to Issues class diff --git a/src/github/Repositories.ts b/src/github/Repositories.ts index 8c8a6f4..af7194b 100644 --- a/src/github/Repositories.ts +++ b/src/github/Repositories.ts @@ -28,15 +28,14 @@ export const getRepository = async ( repo: string, ): Promise => { const octokit = new GitArmorKit(); - + const response: Endpoints["GET /repos/{owner}/{repo}"]["response"] = await octokit.rest.repos.get({ owner: owner, repo: repo, }); - - return response.data; + return response.data; }; export const getRepoPullRequests = async ( diff --git a/src/github/Utils.ts b/src/github/Utils.ts index e87e0be..3519a0f 100644 --- a/src/github/Utils.ts +++ b/src/github/Utils.ts @@ -1,6 +1,5 @@ import { Endpoints } from "@octokit/types"; import { GitArmorKit } from "./GitArmorKit"; -import { logger } from "../utils/Logger"; //Given a certain path in a repository, get the contents of the file export const getRepoFile = async ( diff --git a/src/main.ts b/src/main.ts index 270b4de..b525f51 100644 --- a/src/main.ts +++ b/src/main.ts @@ -7,9 +7,15 @@ import { Report } from "./reporting/Report"; import { RepoPolicy, OrgPolicy, Repository } from "./types/common/main"; import { loadPolicy } from "./utils/policies"; import * as core from "@actions/core"; -import { summary } from "@actions/core/lib/summary"; const run = async (): Promise => { + logger.info(` + + GitArmor + by dcodx.com - version 1.0 + + `); + try { const startTime = process.hrtime(); const inputs = parseInputs(); 
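Review bot: The banner added at the top of `run` in src/main.ts hard-codes `version 1.0` inside the log string, and the same literal is repeated in dist/index.js and dist/main.js, so the three copies will drift from package.json on the next release with nothing to catch it. Source the number once, e.g. `const VERSION = pkg.version;` from a JSON import of package.json (this needs `resolveJsonModule` in tsconfig, which I cannot confirm from the hunk) or a build-time constant, and log `` `GitArmor by dcodx.com - version ${VERSION}` `` so the bundle inherits it. The leading and trailing blank lines in the template literal are presumably for spacing in the Actions log; a short comment saying so would stop a later cleanup from "fixing" them. `run` continues past the end of this hunk.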
@@ -19,7 +25,6 @@ const run = async (): Promise => { let report = new Report(); report.addInput(inputs); report.addPolicy(policies); - const policyEvaluator = null; // depending on which input.level is provided, run the appropriate checks if (inputs.level === "organization") { logger.info("Running org level checks"); @@ -64,7 +69,7 @@ const run = async (): Promise => { repository, policies.repo as RepoPolicy, ); - + await policyEvaluator.evaluatePolicy(); policyEvaluator.printCheckResults(); report.addOneRepoEvaluator(policyEvaluator); diff --git a/src/reporting/Report.ts b/src/reporting/Report.ts index 19f34ff..a1c1408 100644 --- a/src/reporting/Report.ts +++ b/src/reporting/Report.ts @@ -1,9 +1,8 @@ -import { CheckResult, Policy, Inputs } from "../types/common/main"; +import { Policy, Inputs } from "../types/common/main"; import { OrgPolicyEvaluator } from "../evaluators/OrgPolicyEvaluator"; import { RepoPolicyEvaluator } from "../evaluators/RepoPolicyEvaluator"; import { logger } from "./../utils/Logger"; import fs from "fs"; -import { json } from "stream/consumers"; export class Report { private orgEvaluators: Map;