Merge branch 'master' into feature/add-kics-e2e-tests
Showing
22 changed files
with
455 additions
and
93 deletions.
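--- a/UNKNOWN_PATH_zsh_script
+++ b/UNKNOWN_PATH_zsh_script
@@ -0,0 +1,93 @@
+#!/usr/bin/env zsh
+
+list_cfn_samples() {
+for sample in assets/queries/cloudFormation/**/test/{positive,negative}[0-9].{yaml,json}; do echo $sample; done
+}
+
+list_openapi_samples(){
+for sample in assets/queries/openAPI/**/test/{positive,negative}[0-9]*.{yaml,json}; do echo $sample; done
+}
+
+list_common_samples(){
+for sample in assets/queries/common/**/test/*[0-9].{tf,json,yaml,dockerfile}; do echo $sample; done
+}
+
+list_ansible_samples(){
+for sample in assets/queries/ansible/**/test/*.yaml; do echo $sample; done
+}
+
+list_docker_samples(){
+for sample in assets/queries/**/test/*.dockerfile; do echo $sample; done
+}
+
+list_terraform_samples(){
+for sample in assets/queries/terraform/**/test/*.tf; do echo $sample; done
+}
+
+run_unit_tests_and_filter_subtests(){
+go test ./... -v | grep -v TestQueriesContent/ | grep -v TestQueriesMetadata/ | grep -v TestQueries/ | grep PASS
+}
+
+println(){
+printf "|%-25s| %7d|\n" $@
+}
+
+print_header(){
+printf "|%-25s| %7s|\n" $@
+}
+
+print_sep(){
+printf '|'
+printf '-%.0s' {1..25}
+printf '|'
+printf '-%.0s' {1..8}
+printf '|'
+printf '\n'
+}
+
+echo "#################################"
+echo "# TEST METRICS #"
+echo "#################################"
+
+OPENAPI_SAMPLES=$(list_openapi_samples | wc -l)
+COMMON_SAMPLES=$(list_common_samples | wc -l)
+CFN_SAMPLES=$(list_cfn_samples | wc -l)
+ANSIBLE_SAMPLES=$(list_ansible_samples | wc -l)
+DKR_SAMPLES=$(list_docker_samples | wc -l)
+TF_SAMPLES=$(list_terraform_samples | wc -l)
+TOTAL_SAMPLES=$((${TF_SAMPLES} + ${DKR_SAMPLES} + ${ANSIBLE_SAMPLES} + ${CFN_SAMPLES} + ${COMMON_SAMPLES} + ${OPENAPI_SAMPLES}))
+
+echo "::group::Samples Metrics"
+print_sep
+print_header "Platform" "Samples"
+print_sep
+println "Ansible" "${ANSIBLE_SAMPLES}"
+println "CloudFormation" "${CFN_SAMPLES}"
+println "Common" "${COMMON_SAMPLES}"
+println "Docker" "${DKR_SAMPLES}"
+println "OpenAPI" "${OPENAPI_SAMPLES}"
+println "Terraform" "${TF_SAMPLES}"
+print_sep
+println "Total" "${TOTAL_SAMPLES}"
+print_sep
+echo "::endgroup::"
+
+echo "::set-output name=ansible::${ANSIBLE_SAMPLES}"
+echo "::set-output name=cfn::${CFN_SAMPLES}"
+echo "::set-output name=common::${COMMON_SAMPLES}"
+echo "::set-output name=docker::${DKR_SAMPLES}"
+echo "::set-output name=openapi::${OPENAPI_SAMPLES}"
+echo "::set-output name=terraform::${TF_SAMPLES}"
+echo
+echo "Install Test Dependencies"
+echo "::group::Install Test Dependencis"
+go mod vendor
+echo "::endgroup::"
+echo
+echo "Running Unit Tests..."
+echo "::group::Unit Tests Metrics"
+TOTAL_TESTS=$(run_unit_tests_and_filter_subtests | wc -l)
+echo "Total unit tests: ${TOTAL_TESTS}"
+echo "::endgroup::"
+echo
+echo "::set-output name=total_tests::${TOTAL_TESTS}"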
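Review bot: run_unit_tests_and_filter_subtests cannot tell a green run from a red one: only the number of matching lines is captured into TOTAL_TESTS, the pipeline's exit status is that of the final grep, and the script sets neither `set -e` nor `pipefail`, so a failing package still leaves the metrics step green. The `grep PASS` filter also matches the bare per-package `PASS` summary line as well as the `--- PASS:` lines, so the total is inflated by one per package. Narrowing the match to `grep -- '--- PASS:'` fixes the count, and checking `[[ ${pipestatus[1]} -eq 0 ]] || return 1` after the pipeline (zsh's per-stage status array) lets the function fail when go test fails. Separately, list_docker_samples globs `assets/queries/**/test/*.dockerfile` while list_common_samples already includes `.dockerfile` under `assets/queries/common`, so those files appear to be counted twice in TOTAL_SAMPLES.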
File renamed without changes.
@@ -60,17 +60,18 @@ jobs: | |
persist-credentials: false | ||
- name: Run Go mod tidy | ||
run: go mod tidy | ||
- name: Get cache paths | ||
id: go-cache-paths | ||
run: | | ||
echo "::set-output name=go-build::$(go env GOCACHE)" | ||
echo "::set-output name=go-mod::$(go env GOMODCACHE)" | ||
- name: Cache dependencies | ||
uses: actions/[email protected] | ||
with: | ||
path: | | ||
~/go/pkg/mod | ||
~/.cache/go-build | ||
~/Library/Caches/go-build | ||
%LocalAppData%\go-build | ||
path: ${{ steps.go-cache-paths.outputs.go-build }} | ||
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | ||
restore-keys: | | ||
${{ runner.OS }}-build-${{ env.cache-name }}- | ||
${{ runner.OS }}-build-${{ env.cache-name }} | ||
${{ runner.OS }}-build- | ||
${{ runner.OS }}- | ||
- name: Get go-junit-report module | ||
|
@@ -91,23 +92,6 @@ jobs: | |
name: unit-tests-report-${{ matrix.os }}-${{ github.event.pull_request.head.sha }} | ||
path: | | ||
test-report*.xml | ||
- name: CodeCov | ||
if: matrix.os == 'ubuntu-latest' | ||
run: | | ||
bash <(curl -s https://codecov.io/bash) | ||
- name: Check if total coverage is greater then 0 | ||
if: matrix.os == 'ubuntu-latest' | ||
run: | | ||
CODE_COV=$(go tool cover -func cover.out | grep total | awk '{print substr($3, 1, length($3)-1)}') | ||
EXPECTED_CODE_COV=0 | ||
var=$(awk 'BEGIN{ print "'$CODE_COV'"<"'$EXPECTED_CODE_COV'" }') | ||
if [ "$var" -eq 1 ];then | ||
echo "Your code coverage is too low. Coverage precentage is: $CODE_COV" | ||
exit 1 | ||
else | ||
echo "Your code coverage test passed! Coverage precentage is: $CODE_COV" | ||
exit 0 | ||
fi | ||
security-scan: | ||
name: security-scan | ||
runs-on: ubuntu-latest | ||
|
@@ -124,3 +108,17 @@ jobs: | |
uses: github/codeql-action/upload-sarif@v1 | ||
with: | ||
sarif_file: results.sarif | ||
metrics: | ||
name: test-metrics | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout Source | ||
uses: actions/checkout@v2 | ||
- name: Set up Go 1.x | ||
uses: actions/setup-go@v2 | ||
with: | ||
go-version: 1.16.x | ||
- name: Install zsh | ||
run: sudo apt install zsh | ||
- name: Run test metrics script | ||
run: zsh .github/scripts/get-test-metrics.sh |
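Review bot: In the first hunk the new "Get cache paths" step exports both `go-build` and `go-mod` outputs, but the rewritten "Cache dependencies" step lists only `path: ${{ steps.go-cache-paths.outputs.go-build }}`, so the module cache that the removed `~/go/pkg/mod` entry used to cover is no longer cached and the `go-mod` output is computed but never read; listing both outputs under a multi-line `path: |` would restore it. The `restore-keys` entries reference `env.cache-name`, which is not defined anywhere visible in these hunks — if it is unset the keys collapse to `${{ runner.OS }}-build--` and match more broadly than intended, so please confirm it exists. In the third hunk the metrics job's checkout does not set `persist-credentials: false` as the other jobs in this file do, and `sudo apt install zsh` has no `-y`, which can abort on a non-interactive runner.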
This file was deleted.
@@ -0,0 +1,58 @@ | ||
name: release-manual-docker-tag | ||
|
||
on: | ||
workflow_dispatch: | ||
inputs: | ||
tag: | ||
description: 'Git Tag' | ||
required: true | ||
|
||
jobs: | ||
push_to_registry: | ||
name: Push Docker image to Docker Hub | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Check out the repo | ||
uses: actions/checkout@v2 | ||
with: | ||
ref: ${{ github.event.inputs.tag }} | ||
- uses: toko-bifrost/ms-teams-deploy-card@master | ||
if: always() | ||
with: | ||
github-token: ${{ secrets.KICS_BOT_PAT }} | ||
webhook-uri: ${{ secrets.MSTEAMS_WEBHOOK_URL }} | ||
card-layout-start: cozy | ||
card-layout-exit: complete | ||
show-on-start: true | ||
show-on-exit: true | ||
custom-actions: | | ||
- name: View CI Logs | ||
value: https://github.com/Checkmarx/kics/actions/runs/${{ github.run_id }} | ||
- name: View HEAD Commit | ||
value: https://github.com/Checkmarx/kics/commit/${{ github.sha }} | ||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v1 | ||
- name: Login to DockerHub | ||
uses: docker/login-action@v1 | ||
with: | ||
username: ${{ secrets.DOCKER_USERNAME }} | ||
password: ${{ secrets.DOCKER_PASSWORD }} | ||
- name: Push scratch to Docker Hub | ||
uses: docker/build-push-action@v2 | ||
with: | ||
context: . | ||
push: true | ||
tags: checkmarx/kics:latest,checkmarx/kics:${{ github.event.inputs.tag }} | ||
build-args: | | ||
VERSION=${{ github.event.inputs.tag }} | ||
COMMIT=${{ github.sha }} | ||
- name: Push alpine to Docker Hub | ||
uses: docker/build-push-action@v2 | ||
with: | ||
context: . | ||
file: ./Dockerfile.integration | ||
push: true | ||
tags: checkmarx/kics:latest-alpine,checkmarx/kics:${{ github.event.inputs.tag }}-alpine | ||
build-args: | | ||
VERSION=${{ github.event.inputs.tag }} | ||
COMMIT=${{ github.sha }} |
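Review bot: `toko-bifrost/ms-teams-deploy-card@master` is a third-party action pinned to a mutable branch and is handed `secrets.KICS_BOT_PAT` and the Teams webhook URL, so whatever is pushed to that branch next runs with those credentials on the next release; pin it to a full commit SHA and update it deliberately, and consider the same for the docker/* actions pinned to floating major tags. Both build-push steps also tag `checkmarx/kics:latest` and `latest-alpine` unconditionally, so a manual dispatch for an older tag would move `latest` back to that release; making the `latest` tags conditional on the input, or dropping them from this manual workflow, avoids that. The `ref: ${{ github.event.inputs.tag }}` input is only used inside `with:` blocks, never in a `run:` shell line, so it is not a script-injection concern as written.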
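--- a/UNKNOWN_PATH_metadata_json
+++ b/UNKNOWN_PATH_metadata_json
@@ -0,0 +1,9 @@
+{
+"id": "2d8c175a-6d90-412b-8b0e-e034ea49a1fe",
+"queryName": "Global Server Object Uses HTTP",
+"severity": "MEDIUM",
+"category": "Encryption",
+"descriptionText": "Global server object URL should use 'https' protocol instead of 'http'",
+"descriptionUrl": "https://swagger.io/specification/#server-object",
+"platform": "OpenAPI"
+}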
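--- a/UNKNOWN_PATH_query_rego
+++ b/UNKNOWN_PATH_query_rego
@@ -0,0 +1,36 @@
+package Cx
+
+import data.generic.openapi as openAPILib
+
+CxPolicy[result] {
+doc := input.document[i]
+openAPILib.check_openapi(doc) != "undefined"
+object.get(doc, "servers", "undefined") == "undefined"
+
+result := {
+"documentId": doc.id,
+"searchKey": "openapi",
+"issueType": "MissingAttribute",
+"keyExpectedValue": "Global servers array should be defined",
+"keyActualValue": "Global servers array is not defined",
+}
+}
+
+CxPolicy[result] {
+doc := input.document[i]
+openAPILib.check_openapi(doc) != "undefined"
+object.get(doc, "servers", "undefined") != "undefined"
+
+count(doc.servers) > 0
+object.get(doc.servers[j], "url", "undefined") != "undefined"
+serverObj := doc.servers[j]
+not startswith(serverObj.url, "https")
+
+result := {
+"documentId": doc.id,
+"searchKey": sprintf("servers.url.%s", [serverObj.url]),
+"issueType": "IncorrectValue",
+"keyExpectedValue": "Global servers' URL should use HTTPS protocol",
+"keyActualValue": "Global servers' URL are not using HTTPS protocol",
+}
+}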
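Review bot: The second rule's `not startswith(serverObj.url, "https")` flags every server URL that does not literally begin with `https`, which includes relative URLs such as `/v1` and templated URLs such as `{scheme}://host` that the OpenAPI server object permits, so the query reports IncorrectValue on documents that never use plain HTTP. Checking for the insecure scheme explicitly, `startswith(serverObj.url, "http://")`, limits the finding to the case the query's metadata describes. In the first rule, whether `openAPILib.check_openapi(doc)` also returns a value for Swagger 2.0 documents is not visible here; if it does, every 2.0 document (which uses `host`/`schemes` rather than `servers`) would be reported as missing the servers array, which is worth confirming. Minor: `keyActualValue` reads "Global servers' URL are not using HTTPS protocol" and should be "is not using".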