diff --git a/.github/security-config.toml b/.github/security-config.toml new file mode 100644 index 0000000..eab3cf4 --- /dev/null +++ b/.github/security-config.toml @@ -0,0 +1,15 @@ +title = "ScopeGuardian CI Security Scan" + +protected_branches = ["main", "master"] +path = "." + +[kics] +platform = "Dockerfile" + +[grype] +ignore_states = "not-fixed,unknown,wont-fix" +transitive_libraries = false + +[opengrep] +exclude = ["*_test.go", "docker-compose.yml"] +exclude_rule = ["go.lang.security.audit.dangerous-exec-command.dangerous-exec-command"] \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bd4547e..f8f63f3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,3 +21,11 @@ jobs: - name: Run unit tests run: go test ./... + + security: + name: Security + needs: test + uses: ./.github/workflows/security.yml + permissions: + contents: read + packages: read diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..090cfa2 --- /dev/null +++ b/.github/workflows/security.yml 
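Review bot: `exclude_rule` switches off the opengrep dangerous-exec-command rule for the whole repository, so every present and future `exec.Command` call with non-constant arguments is hidden from the scan, including any where a config value or CLI flag ends up on a command line. The Dockerfile in this same change builds kics, opengrep, grype and syft into the image, so the findings being silenced are presumably the call sites that spawn those binaries; leave the rule on and annotate each of those sites with `// nosemgrep: go.lang.security.audit.dangerous-exec-command.dangerous-exec-command` plus a one-line justification, so a new call site still gets flagged. If the global exclude has to stay, put the reason above the key, e.g. `# exec-command rule disabled repo-wide: <reason>; new exec.Command call sites must be reviewed by hand`. Separately, `ignore_states = "not-fixed,unknown,wont-fix"` presumably maps to grype's fix-state ignore and drops every vulnerability without an upstream fix from the report; those CVEs are still in the image, so a comment stating that this is a deliberate noise trade-off would help the next reader.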
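Review bot: `needs: test` makes the security job depend on the unit tests, so whenever tests fail the scan is skipped and the pull request shows no security result at all, even though the scan consumes no test output. Unless the ordering is deliberate (for example to save runner minutes), drop the `needs: test` line so both jobs run in parallel and each reports independently. The job-level `permissions` granting only `contents: read` and `packages: read` is the right minimum for a read-only scan. The enclosing `jobs:` mapping starts outside the hunk, so I cannot see whether a workflow-level `permissions` block already restricts the default token for the other jobs.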
@@ -0,0 +1,37 @@ +name: Security + +on: + workflow_dispatch: + workflow_call: + +jobs: + security: + name: ScopeGuardian + runs-on: ubuntu-latest + permissions: + contents: read + packages: read + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Verify security config exists + run: test -f "$GITHUB_WORKSPACE/.github/security-config.toml" + + - name: Run ScopeGuardian + run: | + docker run --rm \ + -v "$GITHUB_WORKSPACE:/tmp/data" \ + -e SCAN_DIR=/tmp/data \ + ghcr.io/paranoihack/scopeguardian:v0.0.1 \ + --projectName ScopeGuardian \ + --branch "${{ github.ref_name }}" \ + --threshold "critical=1,high=1,medium=1,low=1" \ + /tmp/data/.github/security-config.toml \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index f0fa6ff..d4e583d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,7 +15,7 @@ ARG KICS_VERSION=v2.1.17 WORKDIR /tmp -RUN apk add --no-cache git make +RUN apk add --no-cache git=2.52.0-r0 make=4.4.1-r3 RUN git clone --depth 1 --branch ${KICS_VERSION} https://github.com/Checkmarx/kics.git @@ -31,7 +31,7 @@ ARG OPENGREP_VERSION=v1.13.1 WORKDIR /tmp -RUN apk add --no-cache git bash curl +RUN apk add --no-cache git=2.52.0-r0 bash=5.3.3-r1 curl=8.17.0-r1 RUN git clone --depth 1 --branch ${OPENGREP_VERSION} https://github.com/opengrep/opengrep.git @@ -53,7 +53,7 @@ ARG GRYPE_VERSION=v0.104.2 WORKDIR /tmp -RUN apk add --no-cache git +RUN apk add --no-cache git=2.52.0-r0 RUN git clone --depth 1 --branch ${GRYPE_VERSION} https://github.com/anchore/grype.git @@ -69,7 +69,7 @@ ARG SYFT_VERSION=v1.38.2 WORKDIR /tmp -RUN apk add --no-cache git +RUN apk add --no-cache git=2.52.0-r0 RUN git clone --depth 1 --branch ${SYFT_VERSION} https://github.com/anchore/syft.git 
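Review bot: `--branch "${{ github.ref_name }}"` interpolates a GitHub expression straight into the `run:` script, which is the template-injection pattern GitHub's docs warn about: the expression is substituted into the script text before the shell parses it, so a branch name containing quotes or `$(...)` becomes shell code, and under `workflow_call` the value comes from whatever event the caller runs on. Pass it through the environment instead: add `env:` with `BRANCH: ${{ github.ref_name }}` to the "Run ScopeGuardian" step and write `--branch "$BRANCH" \` in the script. Separately, `ghcr.io/paranoihack/scopeguardian:v0.0.1` and the two actions are referenced by mutable tags; pin the image by digest (`ghcr.io/paranoihack/scopeguardian:v0.0.1@sha256:<digest>`) and the actions by commit SHA so a re-pushed tag cannot change what runs with the repository checkout mounted into it. If the scanner only reads the tree, `-v "$GITHUB_WORKSPACE:/tmp/data:ro"` also keeps it from modifying the checkout.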
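Review bot: Pinning `git=2.52.0-r0` and `make=4.4.1-r3` (and the `bash`, `curl` and `git` pins in the three hunks below) to exact apk revisions will make `apk add` fail as soon as Alpine rebuilds any of those packages, because an Alpine branch repository serves only the current revision of each package and the index is fetched fresh at build time under `--no-cache`. For `git` and `curl` that rebump happens regularly for security fixes, so expect the image build to break on a schedule unrelated to this repo's own changes. Either keep the exact pins and have an update bot (Renovate/Dependabot) bump them, or use a looser pin via apk's fuzzy version matching; in both cases add a comment above the first `RUN apk add` saying which choice was made, e.g. `# apk pins are exact (hadolint DL3018); they go stale on every Alpine rebuild and are bumped by Renovate`. The `FROM` lines are outside these hunks, so I cannot tell whether the base images are pinned by digest, which is the other half of a reproducible build.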
@@ -95,4 +95,10 @@ COPY --from=syft_builder /tmp/syft/bin/syft /opt/syft/bin/syft COPY features/scans/syft/config/syft.yaml /opt/syft/config/syft.yaml COPY features/scans/grype/config/grype.yaml /opt/grype/config/grype.yaml +RUN addgroup -S scopeguardian && adduser -S -G scopeguardian scopeguardian + +USER scopeguardian + +HEALTHCHECK NONE + ENTRYPOINT ["/opt/ScopeGuardian/bin/ScopeGuardian"] \ No newline at end of file
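Review bot: `adduser -S -G scopeguardian scopeguardian` leaves the UID and GID to whatever BusyBox allocates next, so the identity the image runs as is not stable across rebuilds; pass explicit ids, `addgroup -S -g 10001 scopeguardian && adduser -S -u 10001 -G scopeguardian scopeguardian`, so volume permissions (the CI step in this change mounts the checkout at /tmp/data) and any `runAsUser` policy can rely on a known value. Everything under /opt is copied as root before the `USER` switch, which is fine for read-only binaries and configs, but if the bundled grype or the other scanners write a vulnerability database or cache at runtime, that location must be writable by this user — worth one run as the new user to confirm nothing tries to write under /opt or the mounted workspace. `HEALTHCHECK NONE` reads like linter appeasement; a comment such as `# one-shot CLI scanner, not a service: no health probe is meaningful` would keep the next reader from trying to add one. The file is still left without a trailing newline.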