diff --git a/src/cli.py b/src/cli.py index 983c247..137f0a2 100644 --- a/src/cli.py +++ b/src/cli.py @@ -13,10 +13,13 @@ import json from typing import Dict, Any, List from datetime import datetime + import logging + + logging.getLogger().setLevel(level=logging.INFO) except ImportError: import sys - print("Missing dependencies. Please reach @jboursier if needed.") + logging.error("Missing dependencies. Please reach @jboursier if needed.") sys.exit(255) from ghas_cli.utils import repositories, vulns, teams, issues, actions, roles, secrets @@ -417,7 +420,7 @@ def repositories_archivable( # 1. Get list repositories passed as argument res = input_repos_list.readlines() - print(len(res)) + logging.info(len(res)) for repo in res: repo = repo.rstrip("\n") @@ -793,7 +796,7 @@ def secret_alerts_export( output_csv.write( f"{secret['state']}, {secret['resolution']}, {secret['resolved_at']}, {secret['repository_full_name']}, {secret['url']}, {secret['secret_type']}, {secret['secret']}\n" ) - print(f"Retrieved {len(secrets_list)} secrets.") + logging.info(f"Retrieved {len(secrets_list)} secrets.") ############## @@ -921,7 +924,7 @@ def roles_add( name: str, description: str, base_role: str, - permission: List, + permissions: List, organization: str, token: str, ) -> None: @@ -1073,7 +1076,7 @@ def mass_deploy( with open("./templates/codeql.md", "r") as f: template_codeql = f.read() - print( + logging.info( f"Enabling Actions ({actions_enable}), Secret Scanner ({secretscanner}), Push Protection ({pushprotection}), Dependabot ({dependabot}), CodeQL ({codeql}), Dependency Reviewer ({reviewer}) to {len(repos_list)} repositories." ) @@ -1091,7 +1094,7 @@ def mass_deploy( reviewer_res = None mend_res = 0 - print(f"{repo}....", end="") + logging.info(f"{repo}....") if actions_enable: actions_res = actions.set_permissions( 
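Review bot: `logging.getLogger().setLevel(level=logging.INFO)` installs no handler, so with nothing else attached the root logger falls back to Python's last-resort handler, which emits only WARNING and above; every `print` that this commit turns into `logging.info` (here and in the later cli.py hunks) will therefore produce no output. Replace that line with `logging.basicConfig(level=logging.INFO)`, which attaches a stderr handler at the requested level. The `import logging` also sits inside the `try`, after the other imports, so if an import above it raises ImportError the `except` branch's `logging.error(...)` fails with a NameError before `sys.exit(255)`; `logging` is stdlib and can be imported above the `try`. The `try` block itself starts outside the hunk.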
@@ -1166,7 +1169,7 @@ def mass_deploy( token=token, ) - print( + logging.info( f"Done: {actions_res},{secretscanner_res}, {pushprotection_res}, {dependabot_res}, {codeql_res}, {reviewer_res}, {issue_secretscanner_res}, {issue_pushprotection_res}, {issue_dependabot_res}, {issue_codeql_res}, {mend_res}" ) # CSV columns @@ -1322,7 +1325,7 @@ def mass_set_developer_role( perms = teams.get_repo_perms(team, repo.name, organization, token) if "write" == perms[-1]: write_perms.append([team, repo.name, perms[-1]]) - print([team, repo.name, perms[-1]]) + logging.info([team, repo.name, perms[-1]]) output_perms_list.write(f"{team}, {repo.name}, {perms[-1]}\n") # Assign the Developer role diff --git a/src/ghas_cli/utils/export.py b/src/ghas_cli/utils/export.py index e470ce8..ccb0298 100644 --- a/src/ghas_cli/utils/export.py +++ b/src/ghas_cli/utils/export.py @@ -2,6 +2,7 @@ #!/usr/bin/env python3 import json +import logging def output_to_csv(alerts_per_repos: Dict, location: str) -> bool: @@ -9,7 +10,7 @@ def output_to_csv(alerts_per_repos: Dict, location: str) -> bool: with open(location, "w") as log_file: log_file.write(json.dumps(alerts_per_repos)) except Exception as e: - print(str(e)) - print(f"Failure to write the output to {location}") + logging.error(str(e)) + logging.error(f"Failure to write the output to {location}") return False return True diff --git a/src/ghas_cli/utils/network.py b/src/ghas_cli/utils/network.py index 611a473..e978e53 100644 --- a/src/ghas_cli/utils/network.py +++ b/src/ghas_cli/utils/network.py @@ -5,6 +5,7 @@ from datetime import datetime import time import requests +import logging # If the rate-limit is reached, sleep X seconds SLEEP_1_MINUTE = 60 
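Review bot: The `Done:` record no longer says which repository it belongs to: the earlier `print(f"{repo}....", end="")` that kept the result on the same line became a separate `logging.info` record in the @@ -1091 hunk, so once other log lines interleave the two can no longer be matched up. Prefix the message with the repository, e.g. `f"{repo}: Done: {actions_res},{secretscanner_res}, ..."`. Style: logging calls accept lazy `%s` arguments (`logging.info("%s: Done: %s, ...", repo, actions_res, ...)`), which skips the string formatting when INFO is disabled; the same applies to the other f-string logging calls introduced by this commit. The mass_deploy body continues outside the hunk.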
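Review bot: In the `except Exception as e:` branch of `output_to_csv`, `logging.error(str(e))` followed by a second `logging.error` records the message text but discards the traceback; a single `logging.exception("Failure to write the output to %s", location)` logs both at ERROR level and keeps the `return False` behaviour. The `try` body also wraps `json.dumps`, so the broad `except Exception` turns a non-serialisable value into a "failure to write" report; `except (OSError, TypeError, ValueError)` would still return False for the expected failures without hiding programming errors.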
@@ -28,7 +29,7 @@ def get_github_headers(token: str) -> Dict: def check_rate_limit(response: Any) -> bool: if "0" == response.headers["x-ratelimit-remaining"]: reset_time = datetime.fromtimestamp(int(response.headers["x-ratelimit-reset"])) - print( + logging.warn( f"Rate limit reached: {response.headers['x-ratelimit-remaining']}/{response.headers['x-ratelimit-limit']} - {reset_time}" ) @@ -37,37 +38,43 @@ def check_rate_limit(response: Any) -> bool: if response.status_code == 403: # This can be secondary rate limit or SSO error - print(response.json()["message"]) + logging.warn(response.json()["message"]) return True time.sleep(SLEEP_BETWEEN_REQUESTS) return False + def check_unauthorized(response: Any): if response.status_code == 401: - print(response.json()["message"]) + logging.error(response.json()["message"]) return False return True + def check_response(response: any): check_rate_limit(response) check_unauthorized(response) + def get(*args, **kwargs): response = requests.get(*args, **kwargs) check_response(response) return response + def post(*args, **kwargs): response = requests.post(*args, **kwargs) check_response(response) return response + def put(*args, **kwargs): response = requests.put(*args, **kwargs) check_response(response) return response + def patch(*args, **kwargs): response = requests.patch(*args, **kwargs) check_response(response) diff --git a/src/ghas_cli/utils/repositories.py b/src/ghas_cli/utils/repositories.py index 4e3e271..b5f160c 100644 --- a/src/ghas_cli/utils/repositories.py +++ b/src/ghas_cli/utils/repositories.py @@ -3,10 +3,10 @@ from typing import List, Any import base64 -import requests from . import network import time import datetime +import logging class Repository: 
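Review bot: `logging.warn` is the deprecated alias of `logging.warning` (a DeprecationWarning since Python 3.3 and removed in 3.13), so the new call in `check_rate_limit` should be `logging.warning(...)`; the same applies to the 403 branch in the @@ -37 hunk below and to the `Received status code` message in the `get_languages` hunk of repositories.py. The 403 branch also logs `response.json()["message"]` without checking that the body is JSON, so a non-JSON 403 (a proxy or SSO interstitial, for instance) raises inside the helper instead of being reported; `response.text` is the safer value to log there. `check_rate_limit` continues outside the hunk.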
@@ -62,7 +62,7 @@ def load_json(self, obj, token=None): self.url = obj["html_url"] self.description = obj["description"] self.main_language = obj["language"] - self.languages = get_languages(self.orga, token, self.name, False, False) + self.languages = get_languages(self.orga, token, self.name) self.default_branch = obj["default_branch"] try: self.license = obj["license"]["spdx_id"] @@ -172,7 +172,7 @@ def get_org_repositories( if repos.status_code != 200: break - + if [] == repos.json(): break @@ -182,27 +182,27 @@ def get_org_repositories( # repo.load_json(r, token=None) if language != "" and repo.main_language != language: - print( + logging.info( f"{repo.name} ignored because of language: {language} vs. {repo.main_language}" ) continue if default_branch != "" and repo.default_branch != default_branch: - print( + logging.info( f"{repo.name} ignored because of default branch: {default_branch} vs. {repo.default_branch}" ) continue if license != "" and repo.license != license: - print( + logging.info( f"{repo.name} ignored because of license: {license} vs. {repo.license}" ) continue if repo.archived != archived: - print( + logging.info( f"{repo.name} ignored because of archived: {archived} vs. {repo.archived}" ) continue if repo.disabled != disabled: - print( + logging.info( f"{repo.name} ignored because of license: {archived} vs. {repo.archived}" ) continue 
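Review bot: The last filter branch, `if repo.disabled != disabled:`, logs `ignored because of license: {archived} vs. {repo.archived}`, so a repository skipped for being disabled is reported as a license mismatch with the wrong values. The f-string is a context line, but since the commit rewrites the call around it, correct it in the same change to `f"{repo.name} ignored because of disabled: {disabled} vs. {repo.disabled}"`. The get_org_repositories loop continues outside the hunk.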
@@ -362,104 +362,65 @@ def get_languages( organization: str, token: str, repository: str, - only_interpreted: False, - only_codeql: False, + only_codeql: bool = False, ) -> List: """Get the main language for a repository""" - interpreted_languages = {"javascript", "python", "ruby"} - aliased_interpreted_languages = {"typescript": "javascript"} + codeql_languages = ["cpp", "csharp", "go", "java", "javascript", "python", "ruby"] + codeql_aliased_languages = { + "typescript": "javascript", + "kotlin": "java", + "c#": "csharp", + "c++": "cpp", + } headers = network.get_github_headers(token) - languages = network.get( + languages_resp = network.get( url=f"https://api.github.com/repos/{organization}/{repository}/languages", headers=headers, ) - if languages.status_code != 200: + + if languages_resp.status_code != 200: + logging.warn(f"Received status code {languages_resp.status_code} while retrieving repository languages.") return ["default"] - lang = set() - for l in languages.json(): - if only_interpreted: - if l.lower() in interpreted_languages: - lang.add(l.lower()) - else: - if only_codeql: - try: - lang.add(aliased_interpreted_languages[l.lower()]) - except Exception as e: - continue + languages = list() + for language in [l.lower() for l in languages_resp.json()]: + if only_codeql: + if language in codeql_languages: + languages.append(language) + elif language in codeql_aliased_languages: + languages.append(codeql_aliased_languages[language]) else: - lang.add(l.lower()) + languages.append(language) - if not lang: - return ["default"] - else: - return list(lang) + return languages -def load_codeql_base64_template(language: str, default_branch: str = "main") -> tuple: - language = language.lower() - try: - with open(f"./templates/codeql-analysis-{language.lower()}.yml", "r") as f: - # Ugly af but `yaml` transforms `on:` to `True:` which is obviously annoying to parse GitHub Actions files.. 
- template = f.readlines() - template_new = "" - for l in template: - if l == ' branches: ["main"]\n': - template_new += f" branches: ['{default_branch}']\n" - else: - template_new += l - except Exception as e: - with open(f"./templates/codeql-analysis-default.yml", "r") as f: - language = "default" - template = f.readlines() - template_new = "" - for l in template: - if l == ' branches: ["main"]\n': - template_new += f" branches: ['{default_branch}']\n" - else: - template_new += l - return language, str( - base64.b64encode(template_new.encode(encoding="utf-8")), "utf-8" - ) +def load_codeql_base64_template( + languages: List, branches: List = ["main"] +) -> str: + with open(f"./templates/codeql-analysis-default.yml", "r") as f: + data = "".join(f.readlines()) + data = data.replace("""branches: [ ]""", f"""branches: [{', '.join(f"'branch'" for branch in branches) }]""") + data = data.replace("""language: [ ]""", f"""language: {languages}""") + return base64.b64encode(data.encode("utf-8")).decode("utf-8") -def load_codeql_config_base64_template(language: str) -> tuple: - language = language.lower() - try: - with open(f"./templates/codeql-config-{language.lower()}.yml", "r") as f: - template = f.read() - except Exception as e: - with open(f"./templates/codeql-config-default.yml", "r") as f: - template = f.read() - return language, str(base64.b64encode(template.encode(encoding="utf-8")), "utf-8") - - -def create_codeql_pr( - organization: str, - token: str, - repository: str, - target_branch: str = "appsec-ghas-codeql_enable", -) -> bool: - """ - 1. Retrieve the repository languages. Select the `codeql-analysis.yml` file for that language. - 2. Create a branch - 3. Push a .github/workflows/codeql-analysis.yml to the repository on that branch - 3. 
Create an associated PR - """ - headers = network.get_github_headers(token) +def load_codeql_config_base64_template() -> str: + with open(f"./templates/codeql-config-default.yml", "r") as f: + template = f.read() + return base64.b64encode(template.encode(encoding="utf-8")).decode("utf-8") - # Get the default branch - default_branch = get_default_branch(organization, token, repository) - if not default_branch: - return False - # Create a branch +def create_branch( + headers, organization: str, repository: str, default_branch: str, target_branch: str +): branch_resp = network.get( url=f"https://api.github.com/repos/{organization}/{repository}/git/refs/heads", headers=headers, ) + if branch_resp.status_code != 200: return False 
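Review bot: In `load_codeql_base64_template`, `', '.join(f"'branch'" for branch in branches)` never interpolates the loop variable, so every generated workflow gets `branches: ['branch']` rather than the default branch that `create_codeql_pr` passes in, and the push trigger only fires for a branch literally named `branch`; it should read `', '.join(f"'{branch}'" for branch in branches)`. The `branches: List = ["main"]` default is a shared mutable list; use `branches: List = None` and `branches = ["main"] if branches is None else branches`. In `get_languages`, switching from a set to a list means a repository with both TypeScript and JavaScript yields `javascript` twice in the matrix, and the previous `["default"]` fallback for an empty result is gone; `return list(dict.fromkeys(languages))` keeps order and removes duplicates, and the empty case then needs handling by the caller. `create_branch` at the end of this hunk continues past it.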
@@ -483,63 +444,132 @@ def create_codeql_pr( json=payload, ) - if branch_resp.status_code != 201: + if branch_resp.status_code == 422: + logging.error("Branch already exists") return False - # Create commit - languages = get_languages( - organization, token, repository, only_interpreted=True, only_codeql=True + if branch_resp.status_code == 201: + return True + + return False + + +def create_codeql_pr( + organization: str, + token: str, + repository: str, + target_branch: str = "appsec-ghas-codeql_enable", +) -> bool: + """ + 1. Retrieve the repository languages. Select the `codeql-analysis.yml` file for that language. + 2. Create a branch + 3. Push a .github/workflows/codeql-analysis.yml to the repository on that branch + 3. Create an associated PR + """ + headers = network.get_github_headers(token) + + # Get the default branch + default_branch = get_default_branch(organization, token, repository) + if not default_branch: + return False + + # Create a branch + new_branch = create_branch( + headers, organization, repository, default_branch, target_branch ) - for language in languages: - # Workflow config - lang, template = load_codeql_base64_template(language, default_branch) - payload = { - "message": f"Enable CodeQL analysis for {language}", - "content": template, - "branch": target_branch, - } + if not new_branch: + logging.error(f"Couldn't create branch {target_branch}") + return False - commit_resp = network.put( - url=f"https://api.github.com/repos/{organization}/{repository}/contents/.github/workflows/codeql-analysis-{lang}.yml", - headers=headers, - json=payload, + # Create commit + + languages = get_languages(organization, token, repository, only_codeql=True) + + # Workflow config + template = load_codeql_base64_template(languages, [default_branch]) + workflow_commit_payload = { + "message": f"Create CodeQL analysis workflow", + "content": template, + "branch": target_branch, + "sha": get_file_sha( + organization, repository, headers, 
".github/workflows/codeql.yml" + ), + } + + if workflow_commit_payload["sha"]: + workflow_commit_payload["message"] = "Update CodeQL analysis workflow" + + workflow_commit_resp = network.put( + url=f"https://api.github.com/repos/{organization}/{repository}/contents/.github/workflows/codeql.yml", + headers=headers, + json=workflow_commit_payload, + ) + + if workflow_commit_resp.status_code not in [200, 201]: + logging.error( + f"Commit response for CodeQL workflow: {workflow_commit_resp.status_code}" ) + return False - if commit_resp.status_code != 201: - return False + # CodeQL config file + template = load_codeql_config_base64_template() + config_commit_payload = { + "message": f"Create CodeQL config file", + "content": template, + "branch": target_branch, + "sha": get_file_sha( + organization, + repository, + headers, + ".github/codeql/codeql-config-default.yml", + ), + } - # CodeQL config file - lang, template = load_codeql_config_base64_template(language) - payload = { - "message": f"Enable CodeQL config file for {language}", - "content": template, - "branch": target_branch, - } + if config_commit_payload["sha"]: + config_commit_payload["message"] = "Update CodeQL config file" - commit_resp = network.put( - url=f"https://api.github.com/repos/{organization}/{repository}/contents/.github/codeql/codeql-config-{lang}.yml", - headers=headers, - json=payload, + config_commit_resp = network.put( + url=f"https://api.github.com/repos/{organization}/{repository}/contents/.github/codeql/codeql-config-default.yml", + headers=headers, + json=config_commit_payload, + ) + + if config_commit_resp.status_code not in [200, 201]: + logging.error( + f"Commit response for CodeQL config: {config_commit_resp.status_code}" ) - if commit_resp.status_code != 201: - return False + return False - # Create PR - payload = { - "title": "Security Code Scanning - configuration files", - "body": f"This PR creates the Security scanning (CodeQL) configuration files for your repository languages 
({languages}).\n\n We also just opened an informative issue in this repository to give you the context and assistance you need. In most cases you will be able to merge this PR as is and start benefiting from security scanning right away, as a check in each PR, and in the [Security tab](https://github.com/{organization}/{repository}/security/code-scanning) of this repository. \nHowever, we encourage you to review the configuration files and tag @{organization}/security-appsec (or `#github-appsec-security` on Slack) if you have any questions.\n\nWe are here to help! :thumbsup:\n\n - Application Security team.", + is_config_update = ( + workflow_commit_payload["sha"] != None or config_commit_payload["sha"] != None + ) + + pr_payload = { "head": target_branch, "base": default_branch, } + if is_config_update: + logging.info(f"Updating configuration for {repository}") + pr_payload["title"] = "Security Code Scanning - updated configuration files" + pr_payload[ + "body" + ] = f"This PR updates the Security scanning (CodeQL) configuration files for your repository languages ({', '.join(languages)}).We also just opened an informative issue in this repository to give you the context and assistance you need. In most cases you will be able to merge this PR as is and start benefiting from security scanning right away, as a check in each PR, and in the [Security tab](https://github.com/{organization}/{repository}/security/code-scanning) of this repository. \nHowever, we encourage you to review the configuration files and tag @{organization}/security-appsec (or `#github-appsec-security` on Slack) if you have any questions.\n\nWe are here to help! :thumbsup:\n\n - Application Security team." 
+ else: + logging.info(f"Creating configuration for {repository}") + pr_payload["title"] = "Security Code Scanning - configuration files" + pr_payload[ + "body" + ] = f"This PR creates the Security scanning (CodeQL) configuration files for your repository languages ({', '.join(languages)}).\n\n We also just opened an informative issue in this repository to give you the context and assistance you need. In most cases you will be able to merge this PR as is and start benefiting from security scanning right away, as a check in each PR, and in the [Security tab](https://github.com/{organization}/{repository}/security/code-scanning) of this repository. \nHowever, we encourage you to review the configuration files and tag @{organization}/security-appsec (or `#github-appsec-security` on Slack) if you have any questions.\n\nWe are here to help! :thumbsup:\n\n - Application Security team." + # Retry if rate-limited i = 0 while i < network.RETRIES: pr_resp = network.post( url=f"https://api.github.com/repos/{organization}/{repository}/pulls", headers=headers, - json=payload, + json=pr_payload, ) if pr_resp.status_code == 201: return True @@ -550,6 +580,7 @@ def create_codeql_pr( i += 1 if pr_resp.status_code != 201: + print(pr_resp.json()) return False return True 
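Review bot: `languages` can now be empty (`get_languages` returns `[]` when nothing matches), yet the code still creates the branch, commits a workflow whose `language: [ ]` placeholder is filled with an empty list, and opens a PR; move the `get_languages` call ahead of `create_branch` and bail out with `if not languages:` / `logging.warning("No CodeQL-supported language in %s", repository)` / `return False`, which also avoids leaving an orphan `target_branch` behind on that failure. `workflow_commit_payload["sha"] != None` should be `is not None`. The update-path PR body lacks the `\n\n` that the create-path body has before `We also just opened`, so the two sentences run together. The function continues outside the hunk.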
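Review bot: `print(pr_resp.json())` reintroduces a bare print in the commit that moves everything else to `logging`, and `.json()` raises on a non-JSON error body, masking the actual failure; log it as `logging.error("Pull request creation failed (%s): %s", pr_resp.status_code, pr_resp.text)`. The retry loop this line belongs to starts outside the hunk.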
@@ -584,37 +615,15 @@ def create_dependency_enforcement_pr( return False # Create a branch - branch_resp = network.get( - url=f"https://api.github.com/repos/{organization}/{repository}/git/refs/heads", - headers=headers, - ) - if branch_resp.status_code != 200: - return False - - refs = branch_resp.json() - sha1 = "" - for ref in refs: - if ref["ref"] == f"refs/heads/{default_branch}": - sha1 = ref["object"]["sha"] - - if sha1 == "": - return False - payload = { - "ref": f"refs/heads/{target_branch}", - "sha": sha1, - } - - branch_resp = network.post( - url=f"https://api.github.com/repos/{organization}/{repository}/git/refs", - headers=headers, - json=payload, + new_branch = create_branch( + headers, organization, repository, default_branch, target_branch ) - if branch_resp.status_code != 201: + if not new_branch: return False - # Create commit + # # Create commit template = load_dependency_review_base64_template() payload = { "message": f"Enable Dependency reviewer", @@ -659,3 +668,13 @@ def create_dependency_enforcement_pr( return False return True + + +def get_file_sha(organization, repository, headers, file): + file_resp = network.get( + url=f"https://api.github.com/repos/{organization}/{repository}/contents/{file}", + headers=headers, + ) + if file_resp.status_code == 200: + return file_resp.json()["sha"] + return None diff --git a/src/ghas_cli/utils/secrets.py b/src/ghas_cli/utils/secrets.py index e142e60..87db2e3 100644 --- a/src/ghas_cli/utils/secrets.py +++ b/src/ghas_cli/utils/secrets.py @@ -43,7 +43,7 @@ def export_secrets( s["secret_type"] = secret["secret_type"] s["secret"] = secret["secret"] - if secrets_filter is "all" or s["secret_type"] == secrets_filter: + if secrets_filter == "all" or s["secret_type"] == secrets_filter: secret_list.append(s) page += 1 diff --git a/src/ghas_cli/utils/teams.py b/src/ghas_cli/utils/teams.py index 9cddad1..2a2f58b 100644 --- a/src/ghas_cli/utils/teams.py +++ b/src/ghas_cli/utils/teams.py 
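Review bot: `# # Create commit` doubles the comment marker, presumably a leftover from toggling the line; restore `# Create commit`. `create_branch` returns False on a 422 (branch already exists) and this caller treats that as a hard failure, so, as far as the visible lines show, re-running the enforcement against a repository where an earlier run left `target_branch` behind cannot proceed; worth a follow-up that reuses or removes the existing branch. The function continues outside the hunk.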
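Review bot: `get_file_sha` is undocumented and untyped; add a docstring such as `"""Return the blob SHA of `file`, or None when the contents API does not answer 200 (e.g. the file does not exist)."""` and annotate the parameters (`organization: str, repository: str, headers: Any, file: str`). `file_resp.json()["sha"]` assumes a single file object; the contents endpoint answers with a list for a directory path, in which case the index raises TypeError, so a `.get("sha")` behind an `isinstance(..., dict)` guard would be cheap insurance. No `ref` is passed, so presumably the SHA comes from the repository's default branch; that matches the commit payload only because `target_branch` was just cut from the default branch, and a comment saying so would help the next maintainer.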
@@ -24,8 +24,8 @@ def get_repositories(team_slug: str, organization: str, token: str) -> List: if network.check_rate_limit(repos): break - # print(repos.status_code) - # print(repos.content) + # logging.debug(repos.status_code) + # logging.debug(repos.content) if repos.status_code != 200: break @@ -87,7 +87,7 @@ def get_repo_perms(team: str, repo: str, organization: str, token: str) -> List: url=f"https://api.github.com/orgs/{organization}/teams/{team}/repos/{organization}/{repo}", headers=headers, ) - # print(teams_res.status_code) + # logging.debug(teams_res.status_code) if network.check_rate_limit(teams_res): return [] if teams_res.status_code != 200: @@ -96,6 +96,6 @@ def get_repo_perms(team: str, repo: str, organization: str, token: str) -> List: if [] == teams_res.json(): return [] - # print(teams_res.json()["role_name"]) + # logging.debug(teams_res.json()["role_name"]) return [teams_res.json()["permissions"], teams_res.json()["role_name"]] diff --git a/templates/codeql-analysis-default.yml b/templates/codeql-analysis-default.yml index 9eb868a..59c0463 100644 --- a/templates/codeql-analysis-default.yml +++ b/templates/codeql-analysis-default.yml @@ -10,16 +10,18 @@ name: "CodeQL - Default" on: push: + branches: [ ] pull_request: - branches: ["main"] + # The branches below must be a subset of the branches above + branches: [ '**' ] schedule: - - cron: "36 4 * * 3" + - cron: '36 4 * * 3' workflow_dispatch: jobs: analyze: name: Analyze - runs-on: ubuntu-latest + runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || (matrix.language == 'csharp' && 'windows-latest') || 'ubuntu-latest' }} permissions: actions: read contents: read 
@@ -28,41 +30,27 @@ jobs: strategy: fail-fast: false matrix: - language: ["ruby"] + language: [ ] # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - config-file: ./.github/codeql/codeql-config-default.yml - languages: ${{ matrix.language }} - queries: security-extended - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - #- name: Autobuild - # uses: github/codeql-action/autobuild@v2 - - # â„šī¸ Command-line programs to run using the OS shell. - # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + - name: Checkout repository + uses: actions/checkout@v3 + + # Initializes the CodeQL tools for scanning. 
+ - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + config-file: ./.github/codeql/codeql-config-default.yml + queries: security-extended + # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs + # queries: security-extended,security-and-quality + + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{matrix.language}}" diff --git a/templates/codeql-analysis-go.yml b/templates/codeql-analysis-go.yml deleted file mode 100644 index 7be1b5b..0000000 --- a/templates/codeql-analysis-go.yml +++ /dev/null 
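Review bot: The new steps pin their actions by mutable tag (`actions/checkout@v3`, `github/codeql-action/init@v2`, `autobuild@v2`, `analyze@v2`); because this template is pushed into every repository the tool deploys to, a moved or compromised tag would propagate to all of them at once. Pin each `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`, and let dependency updates keep the pins current. The `language: [ ]` placeholder is what `load_codeql_base64_template` rewrites at deploy time; a comment next to it (`# filled in by ghas-cli at deploy time`) would stop someone from "fixing" the empty matrix by hand.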
@@ -1,68 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# Reach out on Slack at '#github-appsec-security' to get help. - -name: "CodeQL - Go" - -on: - push: - pull_request: - branches: ["main"] - schedule: - - cron: "36 4 * * 3" - workflow_dispatch: - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["go"] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - config-file: ./.github/codeql/codeql-config-javascript.yml - languages: ${{ matrix.language }} - queries: security-extended - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - #- name: Autobuild - # uses: github/codeql-action/autobuild@v2 - - # â„šī¸ Command-line programs to run using the OS shell. 
- # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 diff --git a/templates/codeql-analysis-javascript.yml b/templates/codeql-analysis-javascript.yml deleted file mode 100644 index aaf17c7..0000000 --- a/templates/codeql-analysis-javascript.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# Reach out on Slack at '#github-appsec-security' to get help. - -name: "CodeQL - Javascript" - -on: - push: - pull_request: - branches: ["main"] - schedule: - - cron: "36 4 * * 3" - workflow_dispatch: - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["javascript"] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - config-file: ./.github/codeql/codeql-config-javascript.yml - languages: ${{ matrix.language }} - queries: security-extended - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - #- name: Autobuild - # uses: github/codeql-action/autobuild@v2 - - # â„šī¸ Command-line programs to run using the OS shell. 
- # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 diff --git a/templates/codeql-analysis-python.yml b/templates/codeql-analysis-python.yml deleted file mode 100644 index 0d68e5f..0000000 --- a/templates/codeql-analysis-python.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# Reach out on Slack at '#github-appsec-security' to get help. - -name: "CodeQL - Python" - -on: - push: - pull_request: - branches: ["main"] - schedule: - - cron: "36 4 * * 3" - workflow_dispatch: - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["python"] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - config-file: ./.github/codeql/codeql-config-python.yml - languages: ${{ matrix.language }} - queries: security-extended - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - #- name: Autobuild - # uses: github/codeql-action/autobuild@v2 - - # â„šī¸ Command-line programs to run using the OS shell. 
- # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 diff --git a/templates/codeql-analysis-ruby.yml b/templates/codeql-analysis-ruby.yml deleted file mode 100644 index e8f1219..0000000 --- a/templates/codeql-analysis-ruby.yml +++ /dev/null 
@@ -1,68 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -# -# Reach out on Slack at '#github-appsec-security' to get help. - -name: "CodeQL - Ruby" - -on: - push: - pull_request: - branches: ["main"] - schedule: - - cron: "36 4 * * 3" - workflow_dispatch: - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - - strategy: - fail-fast: false - matrix: - language: ["ruby"] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support - - steps: - - name: Checkout repository - uses: actions/checkout@v3 - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v2 - with: - config-file: ./.github/codeql/codeql-config-ruby.yml - languages: ${{ matrix.language }} - queries: security-extended - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - - # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs - # queries: security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - #- name: Autobuild - # uses: github/codeql-action/autobuild@v2 - - # â„šī¸ Command-line programs to run using the OS shell. 
- # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 diff --git a/templates/codeql-config-go.yml b/templates/codeql-config-go.yml deleted file mode 100644 index e69de29..0000000 diff --git a/templates/codeql-config-javascript.yml b/templates/codeql-config-javascript.yml deleted file mode 100644 index faad891..0000000 --- a/templates/codeql-config-javascript.yml +++ /dev/null @@ -1,11 +0,0 @@ -# Configuration file for CodeQL. -# You can tune the CodeQL analysis (excluding paths from being scanned for instance) -# -# See https://codeql.github.com/docs/codeql-cli/specifying-command-options-in-a-codeql-configuration-file/ -# Reach out on Slack at '#github-appsec-security' to get help. - -paths-ignore: - - "**/*__tests__*/**" - - "*vendor" - - "**/vendor*/**" - - "docs/*" diff --git a/templates/codeql-config-python.yml b/templates/codeql-config-python.yml deleted file mode 100644 index d41cbce..0000000 --- a/templates/codeql-config-python.yml +++ /dev/null @@ -1,10 +0,0 @@ -# Configuration file for CodeQL. -# You can tune the CodeQL analysis (excluding paths from being scanned for instance) -# -# See https://codeql.github.com/docs/codeql-cli/specifying-command-options-in-a-codeql-configuration-file/ -# Reach out on Slack at '#github-appsec-security' to get help. - -paths-ignore: - - "**/*__tests__*/**" - - "*vendor" - - "docs/*" diff --git a/templates/codeql-config-ruby.yml b/templates/codeql-config-ruby.yml deleted file mode 100644 index d3cdd2e..0000000 --- a/templates/codeql-config-ruby.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -# Configuration file for CodeQL. -# You can tune the CodeQL analysis (excluding paths from being scanned for instance) -# -# See https://codeql.github.com/docs/codeql-cli/specifying-command-options-in-a-codeql-configuration-file/ -# Reach out on Slack at '#github-appsec-security' to get help. - -paths-ignore: - - "**/*__tests__*/**" - - "*vendor" - - "**/vendor*/**" - - "docs/*" - - "**/spec/**" - - "**/*_spec.rb"