From b826599b4b2ad5f284b04c085ad2cd7929c51a55 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 11 Apr 2026 13:42:28 +0000 Subject: [PATCH 01/11] Add reusable security workflow using ScopeGuardian v0.0.1 Agent-Logs-Url: https://github.com/ParanoiHack/ScopeGuardian/sessions/5db5ddb9-0498-4d98-a8f4-4af00e6d1787 Co-authored-by: Nitr4x <10544300+Nitr4x@users.noreply.github.com> --- .github/security-config.toml | 14 ++++++++++++++ .github/workflows/ci.yml | 7 +++++++ .github/workflows/security.yml | 28 ++++++++++++++++++++++++++++ 3 files changed, 49 insertions(+) create mode 100644 .github/security-config.toml create mode 100644 .github/workflows/security.yml diff --git a/.github/security-config.toml b/.github/security-config.toml new file mode 100644 index 0000000..a598c74 --- /dev/null +++ b/.github/security-config.toml @@ -0,0 +1,14 @@ +title = "ScopeGuardian CI Security Scan" + +protected_branches = ["main", "master"] +path = "." + +[kics] +platform = "Dockerfile" + +[grype] +ignore_states = "not-fixed,unknown,wont-fix" +transitive_libraries = false + +[opengrep] +exclude = [] diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bd4547e..7e86056 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -21,3 +21,10 @@ jobs: - name: Run unit tests run: go test ./... + + security: + name: Security + needs: test + uses: ./.github/workflows/security.yml + permissions: + contents: read diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 0000000..3caff05 --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,28 @@ +name: Security + +on: + workflow_dispatch: + workflow_call: + +jobs: + security: + name: Security Scan + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Verify security config exists + run: test -f "$GITHUB_WORKSPACE/.github/security-config.toml" + + - name: Run ScopeGuardian + run: | + docker run --rm \ + -v "$GITHUB_WORKSPACE:/tmp/data" \ + -e SCAN_DIR=/tmp/data \ + ghcr.io/paranoihack/scopeguardian:0.0.1 \ + --projectName ScopeGuardian \ + --branch "${{ github.ref_name }}" \ + /tmp/data/.github/security-config.toml From b8c7345c368ae1e52fd9f2cacc801e189333f8b4 Mon Sep 17 00:00:00 2001 From: nitrax Date: Sat, 11 Apr 2026 15:46:29 +0200 Subject: [PATCH 02/11] Add security gate --- .github/workflows/security.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 3caff05..53974f6 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -22,7 +22,8 @@ jobs: docker run --rm \ -v "$GITHUB_WORKSPACE:/tmp/data" \ -e SCAN_DIR=/tmp/data \ - ghcr.io/paranoihack/scopeguardian:0.0.1 \ + ghcr.io/paranoihack/scopeguardian:v0.0.1 \ --projectName ScopeGuardian \ --branch "${{ github.ref_name }}" \ + --threshold "critical=1,high=1,medium=1,low=1" /tmp/data/.github/security-config.toml From f25e9d67621f63265425a881b2b2b8d3fbb2056a Mon Sep 17 00:00:00 2001 From: nitrax Date: Sat, 11 Apr 2026 15:48:06 +0200 Subject: [PATCH 03/11] Update security job name --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 53974f6..355ff4a 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -6,7 +6,7 @@ on: jobs: security: - name: Security Scan + name: ScopeGuardian runs-on: ubuntu-latest permissions: contents: read From 4ab57b33e9a42db3e6fb45c17ebb57cc670e05f3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 11 Apr 2026 13:49:03 +0000 Subject: [PATCH 04/11] fix security workflow: add GHCR login and packages:read permission Agent-Logs-Url: https://github.com/ParanoiHack/ScopeGuardian/sessions/d7913007-bd65-4ef7-b0e2-139f4b415aa7 Co-authored-by: Nitr4x <10544300+Nitr4x@users.noreply.github.com> --- .github/workflows/security.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 355ff4a..15dadb7 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -10,10 +10,18 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + packages: read steps: - name: Checkout uses: actions/checkout@v4 + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Verify security config exists run: test -f "$GITHUB_WORKSPACE/.github/security-config.toml" From b923adf7f016deb0022c6e67537ba9ccce70ff07 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 11 Apr 2026 13:52:41 +0000 Subject: [PATCH 05/11] fix ci.yml: grant packages:read to security workflow_call job Agent-Logs-Url: https://github.com/ParanoiHack/ScopeGuardian/sessions/a4223135-d4e4-4cf3-9c39-23c310d76d0c Co-authored-by: Nitr4x <10544300+Nitr4x@users.noreply.github.com> --- .github/workflows/ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7e86056..f8f63f3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -28,3 +28,4 @@ jobs: uses: ./.github/workflows/security.yml permissions: contents: read + packages: read From 0d9ad0b9447134de510ed6b3c34efc2ee58201ee Mon Sep 17 00:00:00 2001 From: nitrax Date: Sat, 11 Apr 2026 15:54:12 +0200 Subject: [PATCH 06/11] Exclude test files from SAST scan --- .github/security-config.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/security-config.toml b/.github/security-config.toml index a598c74..99c5fc5 100644 --- a/.github/security-config.toml +++ b/.github/security-config.toml @@ -11,4 +11,4 @@ ignore_states = "not-fixed,unknown,wont-fix" transitive_libraries = false [opengrep] -exclude = [] +exclude = ["*_test.go"] From a6faecbe6a1fe23d6ffa66cb7eb49d6de76aee6b Mon Sep 17 00:00:00 2001 From: nitrax Date: Sat, 11 Apr 2026 15:59:56 +0200 Subject: [PATCH 07/11] Fix merge issue --- .github/workflows/security.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 355ff4a..0815067 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -10,10 +10,18 @@ jobs: runs-on: ubuntu-latest permissions: contents: read + packages: read steps: - name: Checkout uses: actions/checkout@v4 + - name: Log in to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Verify security config exists run: test -f "$GITHUB_WORKSPACE/.github/security-config.toml" @@ -26,4 +34,4 @@ jobs: --projectName ScopeGuardian \ --branch "${{ github.ref_name }}" \ --threshold "critical=1,high=1,medium=1,low=1" - /tmp/data/.github/security-config.toml + /tmp/data/.github/security-config.toml \ No newline at end of file From 6f4a603fd314777e92d8c78caedccad61bb2d0c3 Mon Sep 17 00:00:00 2001 From: nitrax Date: Sat, 11 Apr 2026 16:00:29 +0200 Subject: [PATCH 08/11] Add backslash to chain parameter --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 0815067..090cfa2 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -33,5 +33,5 @@ jobs: ghcr.io/paranoihack/scopeguardian:v0.0.1 \ --projectName ScopeGuardian \ --branch "${{ github.ref_name }}" \ - --threshold "critical=1,high=1,medium=1,low=1" + --threshold "critical=1,high=1,medium=1,low=1" \ /tmp/data/.github/security-config.toml \ No newline at end of file From a6124ab807b342a4e3f3769a1f688f777221cd97 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 11 Apr 2026 14:10:17 +0000 Subject: [PATCH 09/11] fix: address all reported vulnerabilities in Dockerfile, docker-compose.yml and exec.go Agent-Logs-Url: https://github.com/ParanoiHack/ScopeGuardian/sessions/55d1fcc7-b7e0-4b6d-999c-fa338bde1af3 Co-authored-by: Nitr4x <10544300+Nitr4x@users.noreply.github.com> --- Dockerfile | 14 ++++++++++---- docker-compose.yml | 39 +++++++++++++++++++++++++++++++++++++++ exec/exec.go | 5 +++++ 3 files changed, 54 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index f0fa6ff..d4e583d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,7 +15,7 @@ ARG KICS_VERSION=v2.1.17 WORKDIR /tmp -RUN apk add --no-cache git make +RUN apk add --no-cache git=2.52.0-r0 make=4.4.1-r3 RUN git clone --depth 1 --branch ${KICS_VERSION} https://github.com/Checkmarx/kics.git @@ -31,7 +31,7 @@ ARG OPENGREP_VERSION=v1.13.1 WORKDIR /tmp -RUN apk add --no-cache git bash curl +RUN apk add --no-cache git=2.52.0-r0 bash=5.3.3-r1 curl=8.17.0-r1 RUN git clone --depth 1 --branch ${OPENGREP_VERSION} https://github.com/opengrep/opengrep.git @@ -53,7 +53,7 @@ ARG GRYPE_VERSION=v0.104.2 WORKDIR /tmp -RUN apk add --no-cache git +RUN apk add --no-cache git=2.52.0-r0 RUN git clone --depth 1 --branch ${GRYPE_VERSION} https://github.com/anchore/grype.git @@ -69,7 +69,7 @@ ARG SYFT_VERSION=v1.38.2 WORKDIR /tmp -RUN apk add --no-cache git +RUN apk add --no-cache git=2.52.0-r0 RUN git clone --depth 1 --branch ${SYFT_VERSION} https://github.com/anchore/syft.git @@ -95,4 +95,10 @@ COPY --from=syft_builder /tmp/syft/bin/syft /opt/syft/bin/syft COPY features/scans/syft/config/syft.yaml /opt/syft/config/syft.yaml COPY features/scans/grype/config/grype.yaml /opt/grype/config/grype.yaml +RUN addgroup -S scopeguardian && adduser -S -G scopeguardian scopeguardian + +USER scopeguardian + +HEALTHCHECK NONE + ENTRYPOINT ["/opt/ScopeGuardian/bin/ScopeGuardian"] \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index af18028..0e05712 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -18,6 +18,12 @@ services: volumes: - postgres_data:/var/lib/postgresql/data restart: unless-stopped + read_only: true + security_opt: + - no-new-privileges:true + tmpfs: + - /tmp + - /var/run/postgresql healthcheck: test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-defectdojo}"] interval: 10s @@ -27,6 +33,12 @@ services: redis: image: redis:7-alpine restart: unless-stopped + read_only: true + security_opt: + - no-new-privileges:true + tmpfs: + - /tmp + - /data healthcheck: test: ["CMD", "redis-cli", "ping"] interval: 10s @@ -52,6 +64,11 @@ services: volumes: - defectdojo_media:/app/media restart: on-failure + read_only: true + security_opt: + - no-new-privileges:true + tmpfs: + - /tmp # Service name must be "uwsgi" – the defectdojo-nginx image resolves # its upstream as "uwsgi:3031" and the name is not configurable. @@ -66,6 +83,11 @@ services: volumes: - defectdojo_media:/app/media restart: unless-stopped + read_only: true + security_opt: + - no-new-privileges:true + tmpfs: + - /tmp celeryworker: image: defectdojo/defectdojo-django:latest @@ -78,6 +100,11 @@ services: volumes: - defectdojo_media:/app/media restart: unless-stopped + read_only: true + security_opt: + - no-new-privileges:true + tmpfs: + - /tmp celerybeat: image: defectdojo/defectdojo-django:latest @@ -90,6 +117,11 @@ services: volumes: - defectdojo_media:/app/media restart: unless-stopped + read_only: true + security_opt: + - no-new-privileges:true + tmpfs: + - /tmp nginx: image: defectdojo/defectdojo-nginx:latest @@ -103,6 +135,13 @@ services: volumes: - defectdojo_media:/app/media restart: unless-stopped + read_only: true + security_opt: + - no-new-privileges:true + tmpfs: + - /tmp + - /var/cache/nginx + - /var/run volumes: postgres_data: diff --git a/exec/exec.go b/exec/exec.go index 9e0153e..89f8089 100644 --- a/exec/exec.go +++ b/exec/exec.go @@ -1,9 +1,11 @@ package exec import ( + "fmt" "io" "os" "os/exec" + "path/filepath" ) // Wrap executes the binary at binaryPath with the given args inside dirPath. @@ -14,6 +16,9 @@ import ( // Optional extraEnv entries (formatted as "KEY=VALUE") are appended to the // child process environment without affecting the parent process. func Wrap(binaryPath string, dirPath string, args []string, stdout io.Writer, stderr io.Writer, extraEnv ...string) (bool, error) { + if !filepath.IsAbs(binaryPath) { + return false, fmt.Errorf("binaryPath must be an absolute path: %q", binaryPath) + } cmd := exec.Command(binaryPath, args...) cmd.Dir = dirPath From c27b65647ef28e9c67da4bab2ff1a0e62548a14a Mon Sep 17 00:00:00 2001 From: nitrax Date: Sat, 11 Apr 2026 16:18:11 +0200 Subject: [PATCH 10/11] Rollback exec vulnerability fix and whitelisting the query cause it's working as intended --- .github/security-config.toml | 1 + exec/exec.go | 5 ----- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/.github/security-config.toml b/.github/security-config.toml index 99c5fc5..f7f3ca0 100644 --- a/.github/security-config.toml +++ b/.github/security-config.toml @@ -12,3 +12,4 @@ transitive_libraries = false [opengrep] exclude = ["*_test.go"] +exclude_rule = ["go.lang.security.audit.dangerous-exec-command.dangerous-exec-command"] \ No newline at end of file diff --git a/exec/exec.go b/exec/exec.go index 89f8089..9e0153e 100644 --- a/exec/exec.go +++ b/exec/exec.go @@ -1,11 +1,9 @@ package exec import ( - "fmt" "io" "os" "os/exec" - "path/filepath" ) // Wrap executes the binary at binaryPath with the given args inside dirPath. @@ -16,9 +14,6 @@ import ( // Optional extraEnv entries (formatted as "KEY=VALUE") are appended to the // child process environment without affecting the parent process. func Wrap(binaryPath string, dirPath string, args []string, stdout io.Writer, stderr io.Writer, extraEnv ...string) (bool, error) { - if !filepath.IsAbs(binaryPath) { - return false, fmt.Errorf("binaryPath must be an absolute path: %q", binaryPath) - } cmd := exec.Command(binaryPath, args...) cmd.Dir = dirPath From d6d880c4b655638de337f0f3b73c59df1cddacea Mon Sep 17 00:00:00 2001 From: nitrax Date: Sat, 11 Apr 2026 16:22:30 +0200 Subject: [PATCH 11/11] Rollback docker-compose.yml and exclude it from opengrep scan cause it's main purpose is for test and development for DD interaction --- .github/security-config.toml | 2 +- docker-compose.yml | 39 ------------------------------------ 2 files changed, 1 insertion(+), 40 deletions(-) diff --git a/.github/security-config.toml b/.github/security-config.toml index f7f3ca0..eab3cf4 100644 --- a/.github/security-config.toml +++ b/.github/security-config.toml @@ -11,5 +11,5 @@ ignore_states = "not-fixed,unknown,wont-fix" transitive_libraries = false [opengrep] -exclude = ["*_test.go"] +exclude = ["*_test.go", "docker-compose.yml"] exclude_rule = ["go.lang.security.audit.dangerous-exec-command.dangerous-exec-command"] \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 0e05712..af18028 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -18,12 +18,6 @@ services: volumes: - postgres_data:/var/lib/postgresql/data restart: unless-stopped - read_only: true - security_opt: - - no-new-privileges:true - tmpfs: - - /tmp - - /var/run/postgresql healthcheck: test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-defectdojo}"] interval: 10s @@ -33,12 +27,6 @@ services: redis: image: redis:7-alpine restart: unless-stopped - read_only: true - security_opt: - - no-new-privileges:true - tmpfs: - - /tmp - - /data healthcheck: test: ["CMD", "redis-cli", "ping"] interval: 10s @@ -64,11 +52,6 @@ services: volumes: - defectdojo_media:/app/media restart: on-failure - read_only: true - security_opt: - - no-new-privileges:true - tmpfs: - - /tmp # Service name must be "uwsgi" – the defectdojo-nginx image resolves # its upstream as "uwsgi:3031" and the name is not configurable. @@ -83,11 +66,6 @@ services: volumes: - defectdojo_media:/app/media restart: unless-stopped - read_only: true - security_opt: - - no-new-privileges:true - tmpfs: - - /tmp celeryworker: image: defectdojo/defectdojo-django:latest @@ -100,11 +78,6 @@ services: volumes: - defectdojo_media:/app/media restart: unless-stopped - read_only: true - security_opt: - - no-new-privileges:true - tmpfs: - - /tmp celerybeat: image: defectdojo/defectdojo-django:latest @@ -117,11 +90,6 @@ services: volumes: - defectdojo_media:/app/media restart: unless-stopped - read_only: true - security_opt: - - no-new-privileges:true - tmpfs: - - /tmp nginx: image: defectdojo/defectdojo-nginx:latest @@ -135,13 +103,6 @@ services: volumes: - defectdojo_media:/app/media restart: unless-stopped - read_only: true - security_opt: - - no-new-privileges:true - tmpfs: - - /tmp - - /var/cache/nginx - - /var/run volumes: postgres_data: