From 88e05727dc0fa7b0c36cd057367e582410e886cb Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Wed, 6 Oct 2021 14:27:21 -0400 Subject: [PATCH 1/2] adding ShiftLeft action workflow config --- .github/workflows/shiftleft.yml | 63 +++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 .github/workflows/shiftleft.yml diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 0000000..19430e4 --- /dev/null +++ b/.github/workflows/shiftleft.yml @@ -0,0 +1,63 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: | + pip install --upgrade setuptools wheel + pip install -r requirements.txt + ${GITHUB_WORKSPACE}/sl analyze --wait --app shiftleft-python-example --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --python $(pwd) + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + if: + ${{ hashFiles('requirements.txt') != '' }} + - name: Legacy Static Analysis + run: | + echo "Please update your `shiftleft-python-demo` fork!" + ${GITHUB_WORKSPACE}/sl analyze --wait --no-cpg --app shiftleft-python-example --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --python $(pwd) + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + if: + ${{ hashFiles('requirements.txt') == '' }} + + ## Uncomment the following section to enable build rule checking and enforcing. + #Build-Rules: + #runs-on: ubuntu-latest + #needs: NextGen-Static-Analysis + #steps: + #- uses: actions/checkout@v2 + #- name: Download ShiftLeft CLI + # run: | + # curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + #- name: Validate Build Rules + # run: | + # ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-python-example \ + # --source 'tag.branch=${{ github.event.pull_request.base.ref }}' \ + # --target "tag.branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ + # --report \ + # --github-pr-number=${{github.event.number}} \ + # --github-pr-user=${{ github.repository_owner }} \ + # --github-pr-repo=${{ github.event.repository.name }} \ + # --github-token=${{ secrets.GITHUB_TOKEN }} + # env: + #SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + \ No newline at end of file From 0778d97df426a2f3304ae0b6e926f7ac6dc2b0d7 Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Wed, 6 Oct 2021 14:27:21 -0400 Subject: [PATCH 2/2] adding ShiftLeft action workflow config --- shiftleft.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/shiftleft.yml b/shiftleft.yml index 14f72ce..220d4ba 100644 --- a/shiftleft.yml +++ b/shiftleft.yml @@ -4,8 +4,9 @@ build_rules: - vuln - secret - insight - - extscan + - "*" severity: - SEVERITY_MEDIUM_IMPACT - SEVERITY_HIGH_IMPACT - threshold: 0 + - SEVERITY_LOW_IMPACT + threshold: 0 \ No newline at end of file