diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..455993f --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "weekly" diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml new file mode 100644 index 0000000..18159b9 --- /dev/null +++ b/.github/workflows/Com traducao.yml @@ -0,0 +1,125 @@ +name: Resultados_PTBR +on: + push: + branches: [ master ] + workflow_dispatch: +jobs: + Download_Wrapper: + runs-on: ubuntu-latest + steps: + - name: Veracode Pipeline Scan + run: | + curl -sSO https://tools.veracode.com/integrations/API-Wrappers/C%23/bin/VeracodeC%23API.zip + unzip VeracodeC%23API.zip + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: WrapperVeracode + path: VeracodeC#API.exe + + Download_XML: + runs-on: windows-latest + needs: Download_Wrapper + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: WrapperVeracode + - name: Download XML + env: + veracodeID: ${{ secrets.VID }} + veracodeAPIkey: ${{ secrets.VKEY }} + run: | + # Recebe as infos + [xml]$INFO = $(.\VeracodeC#API.exe -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern 'Github Actions - IGDEXE/NodeGoat-JS') + $appID = $INFO.app.app_id + [string]$INFO = .\VeracodeC#API.exe -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID" + [xml]$INFO = $INFO.Replace(' xmlns=', ' _xmlns=') + $buildINFO = $INFO.SelectSingleNode("//application[@app_id='$appId']") + $buildID = $buildINFO.build.build_id + # Gera o relatorio + $out = .\VeracodeC#API.exe -vid $veracodeID -vkey $veracodeAPIkey -action detailedreport -buildid "$buildID" -outputfilepath "${{ github.run_id }}.xml" + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: WrapperVeracode + path: ${{ github.run_id }}.xml + + Resultados: + runs-on: windows-latest + needs: Download_XML + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + + - name: Resultado do Scan + run: | + function Traduzir { + param ( + [parameter(position=0,Mandatory=$True)] + $texto, + [parameter(position=1)] + $idiomaAlvo = "pt" + ) + + # Utiliza a API do Google para traduzir + Try { + $Uri = “https://translate.googleapis.com/translate_a/single?client=gtx&sl=auto&tl=$($idiomaAlvo)&dt=t&q=$texto” + $Response = Invoke-RestMethod -Uri $Uri -Method Get + # Retorna o valor traduzido + $traducao = $Response[0].SyncRoot | foreach { $_[0] } + return $traducao + } + Catch { + # Recebe o erro + $ErrorMessage = $_.Exception.Message # Recebe o erro + # Exibe a mensagem de erro + Write-Host "Erro ao traduzir" + Write-host $ErrorMessage + } + } + + # Recebendo informacoes + $securityINFO = [xml](Get-Content "${{ github.run_id }}.xml") + $notaLetra = $securityINFO.detailedreport.'static-analysis'.rating + $notaScore = $securityINFO.detailedreport.'static-analysis'.score + $veracodeAppName = $securityINFO.detailedreport.app_name + $numeroVersao = $securityINFO.detailedreport.version + $appID = $securityINFO.detailedreport.app_id + $quemEnviou = $securityINFO.detailedreport.submitter + $politica = $securityINFO.detailedreport.policy_name + $complicanceStatus = $securityINFO.detailedreport.policy_compliance_status + # Exibe os resultados + Write-Host "Resultado do Scan: $numeroVersao" + Write-Host "Nome App: $veracodeAppName - App ID: $appID" + Write-Host "Enviado por: $quemEnviou" + Write-Host "Politica: $politica" + Write-Host "Nota: $notaLetra - Score: $notaScore - Resultado: $complicanceStatus" + Write-Host "Lista dos problemas encontrados:" + # Recebe os leveis e reordena + $levels = $securityINFO.detailedreport.severity.level + [array]::Reverse($levels) + foreach ($level in $levels) { + Write-Host "Prioridade: $level" + # Recebe as informações + $itensCategoria = $securityINFO.detailedreport.severity[$level].category + foreach ($item in $itensCategoria) { + $idCWE = $item.cwe.cweid + $nomeCategoria = $item.categoryname + $descricao = $item.desc.para.text + $recomendacoes = $item.recommendations.para.text + # Faz a tradução + $descricao = Traduzir $descricao + $recomendacoes = Traduzir $recomendacoes + # Exibe o resultado + Write-Host "Categoria: $nomeCategoria - ID CWE: $idCWE" + Write-Host "Descrição: $descricao" + Write-Host " " + Write-Host "Remediação: $recomendacoes" + Write-Host " " + Write-Host " " + } + Write-Host "..." + } diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml new file mode 100644 index 0000000..8594efe --- /dev/null +++ b/.github/workflows/Comparativo.yml @@ -0,0 +1,71 @@ +name: Comparativo +on: + push: + branches: [ master ] + workflow_dispatch: +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_SCA: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Veracode SCA + env: + SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets + run: | + curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --allow-dirty + + Veracode_SAST: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + env: + VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VKEY }} + AppName: Github Actions - ${{ github.repository }} + with: + vid: '$VID' + vkey: '$VKEY' + criticality: 'VeryHigh' + appname: '$AppName' + scanpollinginterval: 30 + scantimeout: 45 + filepath: 'veracode.zip' + version: ${{ github.run_id }} + + Veracode_PipelineScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - name: Veracode Pipeline Scan + env: + VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VKEY }} + CaminhoArquivo: './veracode.zip' + run: | + curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + unzip pipeline-scan-LATEST.zip + java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true diff --git a/.github/workflows/Default.yml b/.github/workflows/Default.yml deleted file mode 100644 index f7a337a..0000000 --- a/.github/workflows/Default.yml +++ /dev/null @@ -1,59 +0,0 @@ -name: Default -on: - push: - branches: [ master ] - workflow_dispatch: -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@master - - - name: Use Node.js - uses: actions/setup-node@v2 - with: - node-version: '12.x' - - - name: Archive Release - uses: thedoctor0/zip-release@master - with: - filename: 'veracode.zip' - path: . - - - uses: actions/setup-java@v1 # Make java accessible on path so the uploadandscan action can run. - with: - java-version: '8' - - - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode - env: - VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VKEY: ${{ secrets.VKEY }} - AppName: Github Actions - ${{ github.repository }} - with: - vid: '$VID' - vkey: '$VKEY' - criticality: 'VeryHigh' - appname: '$AppName' - createprofile: true - filepath: 'veracode.zip' - deleteIncompleteScan: false - version: ${{ github.run_id }} - - - name: Veracode SCA - env: - SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets - run: | - curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s scan --update-advisor - - - name: build - run: npm build - - - name: Veracode Pipeline Scan - env: - VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VKEY: ${{ secrets.VKEY }} - CaminhoArquivo: 'veracode.zip' - run: | - curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - unzip -o pipeline-scan-LATEST.zip - java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true diff --git a/.github/workflows/PipelineIdeal.yml b/.github/workflows/PipelineIdeal.yml index 0879adb..780ef51 100644 --- a/.github/workflows/PipelineIdeal.yml +++ b/.github/workflows/PipelineIdeal.yml @@ -8,12 +8,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - name: Use Node.js - uses: actions/setup-node@v2 - with: - node-version: '12.x' - - name: Install dependencies - run: npm install - name: Empacotamento dos arquivos uses: thedoctor0/zip-release@master with: diff --git a/.github/workflows/Veracode-Expert.yml b/.github/workflows/Veracode-Expert.yml new file mode 100644 index 0000000..a355805 --- /dev/null +++ b/.github/workflows/Veracode-Expert.yml @@ -0,0 +1,104 @@ +name: Veracode_Expert +on: + push: + branches: [ master ] + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_SCA: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Veracode SCA + env: + SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets + run: | + curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty + + Veracode-container_iac_secrets-scan: + runs-on: ubuntu-latest + name: Veracode Container/IaC/Secrets + + steps: + - name: checkout + uses: actions/checkout@v3 + + - name: Verracode Container/IaC/Secrets action step + uses: veracode/container_iac_secrets_scanning@v1.0.0 + with: + vid: ${{ secrets.VeracodeID }} + vkey: ${{ secrets.VeracodeKey }} + command: "scan" + type: "directory" + source: "./" + format: "json" + debug: false + fail_build: true + + Veracode_UploadAndScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + env: + VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VeracodeKey: ${{ secrets.VeracodeKey }} + AppName: Github Actions - ${{ github.repository }} + with: + vid: '$VeracodeID' + vkey: '$VeracodeKey' + criticality: 'VeryHigh' + appname: '$AppName' + createsandbox: true + filepath: 'veracode.zip' + deleteIncompleteScan: false + version: ${{ github.run_id }} + + Veracode_PipelineScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - name: Veracode Pipeline Scan + continue-on-error: true + env: + VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VeracodeKey }} + CaminhoArquivo: './veracode.zip' + run: | + curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + unzip pipeline-scan-LATEST.zip + java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true + - name: Converte para o formato SARIF + id: convert + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5 + with: + pipeline-results-json: results.json + output-results-sarif: veracode-results.sarif + finding-rule-level: "3:1:0" + - name: Publica os resultados + uses: github/codeql-action/upload-sarif@v2 + with: # Path to SARIF file relative to the root of the repository + sarif_file: veracode-results.sarif diff --git a/.github/workflows/Veracode-SB.yml b/.github/workflows/Veracode-SB.yml new file mode 100644 index 0000000..75e0449 --- /dev/null +++ b/.github/workflows/Veracode-SB.yml @@ -0,0 +1,99 @@ +name: Veracode_SB +on: + push: + +jobs: + Package: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_SCA: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Veracode SCA + env: + SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets + run: | + curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty + + Veracode_UploadAndScan: + runs-on: ubuntu-latest + if: ${{ github.ref == 'refs/heads/DEV' || github.ref == 'refs/heads/HMG' || github.ref == 'refs/heads/Main' }} + needs: Package + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + if: ${{ github.ref == 'refs/heads/DEV' || github.ref == 'refs/heads/HMG' }} + env: + VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VeracodeKey: ${{ secrets.VeracodeKey }} + AppName: Github Actions - ${{ github.repository }} + with: + vid: '$VeracodeID' + vkey: '$VeracodeKey' + criticality: 'VeryHigh' + appname: '$AppName' + createsandbox: true + sandboxname: ${GITHUB_REF#refs/heads/} + filepath: 'veracode.zip' + deleteIncompleteScan: false + version: ${{ github.run_id }} + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + if: ${{ github.ref == 'refs/heads/Main' }} + env: + VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VeracodeKey: ${{ secrets.VeracodeKey }} + AppName: Github Actions - ${{ github.repository }} + with: + vid: '$VeracodeID' + vkey: '$VeracodeKey' + criticality: 'VeryHigh' + appname: '$AppName' + filepath: 'veracode.zip' + deleteIncompleteScan: false + version: ${{ github.run_id }} + + Veracode_PipelineScan: + runs-on: ubuntu-latest + needs: Package + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - name: Veracode Pipeline Scan + continue-on-error: true + env: + VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VeracodeKey }} + CaminhoArquivo: './veracode.zip' + run: | + curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + unzip pipeline-scan-LATEST.zip + java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true + - name: Converte para o formato SARIF + id: convert + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5 + with: + pipeline-results-json: results.json + output-results-sarif: veracode-results.sarif + finding-rule-level: "3:1:0" + - name: Publica os resultados + uses: github/codeql-action/upload-sarif@v2 + with: # Path to SARIF file relative to the root of the repository + sarif_file: veracode-results.sarif \ No newline at end of file diff --git a/.github/workflows/Veracode-XGH.yml b/.github/workflows/Veracode-XGH.yml new file mode 100644 index 0000000..cc07bb4 --- /dev/null +++ b/.github/workflows/Veracode-XGH.yml @@ -0,0 +1,71 @@ +name: Veracode_GoHorse +on: + push + +jobs: + Package: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_SCA: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Veracode SCA + env: + SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets + run: | + curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty + + Veracode_UploadAndScan: + runs-on: ubuntu-latest + needs: Package + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + env: + VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VeracodeKey: ${{ secrets.VeracodeKey }} + AppName: ${{ github.repository }} + with: + vid: '$VeracodeID' + vkey: '$VeracodeKey' + criticality: 'VeryHigh' + appname: '$AppName' + filepath: 'veracode.zip' + deleteIncompleteScan: true + scanallnonfataltoplevelmodules: true + includenewmodules: true + version: ${{ github.run_id }} + + Veracode_PipelineScan: + runs-on: ubuntu-latest + needs: Package + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - name: Veracode Pipeline Scan + env: + VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VeracodeKey }} + CaminhoArquivo: './veracode.zip' + run: | + curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + unzip pipeline-scan-LATEST.zip + java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true \ No newline at end of file diff --git a/.github/workflows/allTools.yml b/.github/workflows/allTools.yml deleted file mode 100644 index 39b4c2c..0000000 --- a/.github/workflows/allTools.yml +++ /dev/null @@ -1,133 +0,0 @@ -name: All-Tools - -on: - push: - branches: [ master ] - - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Use Node.js - uses: actions/setup-node@v2 - with: - node-version: '12.x' - - name: Install dependencies - run: npm install - - name: Empacotamento dos arquivos - uses: thedoctor0/zip-release@master - with: - filename: 'veracode.zip' - path: . - - name: Publicando Artefato - uses: actions/upload-artifact@v2 - with: - name: pacoteVeracode - path: veracode.zip - - Veracode_SCA: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Veracode SCA - env: - SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets - run: | - curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request - - Veracode_REST_API: - runs-on: ubuntu-latest - needs: build - steps: - - name: Download Artefato - uses: actions/download-artifact@v2 - with: - name: pacoteVeracode - - name: Veracode REST API - env: - VERACODE_ID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VERACODE_KEY: ${{ secrets.VKEY }} - veracodeAppName: Github - ${{ github.repository }} - CaminhoArquivo: './veracode.zip' - run: | - aut_Veracode () { - URLPATH=$1 - METHOD=$2 - NONCE="$(cat /dev/random | xxd -p | head -c 32)" - TS="$(($(date +%s%N)/1000))" - encryptedNonce=$(echo "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt hexkey:$VERACODE_KEY | cut -d ' ' -f 2) - encryptedTimestamp=$(echo -n "$TS" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedNonce | cut -d ' ' -f 2) - signingKey=$(echo -n "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedTimestamp | cut -d ' ' -f 2) - DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD" - signature=$(echo -n "$DATA" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey | cut -d ' ' -f 2) - VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature" - } - URLPATH=/api/5.0/getapplist.do - METHOD=GET - aut_Veracode $URLPATH $METHOD - curl -s -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -o applist.xml - while read -r line - do - app_name=$(echo $line | grep -Po 'app_name="\K.*?(?=")') - AppID=$(echo $line | grep -Po 'app_id="\K.*?(?=")') - if [ "$app_name" = "$veracodeAppName" ]; then - break - fi - done < <(grep $veracodeAppName applist.xml) - URLPATH=/api/5.0/uploadfile.do - METHOD=POST - aut_Veracode $URLPATH $METHOD - echo "Fazendo o Upload do arquivo: $CaminhoArquivo" - curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "file=@$CaminhoArquivo" - URLPATH=/api/5.0/beginprescan.do - METHOD=POST - aut_Veracode $URLPATH $METHOD - echo " " - echo "Iniciando o scan no perfil: $veracodeAppName ID: $AppID" - curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "auto_scan=true" - - Veracode_Wrapper: - runs-on: ubuntu-latest - needs: build - steps: - - name: Download Artefato - uses: actions/download-artifact@v2 - with: - name: pacoteVeracode - - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode - env: - VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VKEY: ${{ secrets.VKEY }} - AppName: Github Actions - ${{ github.repository }} - with: - vid: '$VID' - vkey: '$VKEY' - criticality: 'VeryHigh' - appname: '$AppName' - createprofile: true - sandboxname: 'HMG' - createsandbox: true - filepath: 'veracode.zip' - deleteIncompleteScan: false - version: ${{ github.run_id }} - - Veracode_PipelineScan: - runs-on: ubuntu-latest - needs: build - steps: - - name: Download Artefato - uses: actions/download-artifact@v2 - with: - name: pacoteVeracode - - name: Veracode Pipeline Scan - env: - VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VKEY: ${{ secrets.VKEY }} - CaminhoArquivo: './veracode.zip' - run: | - curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - unzip pipeline-scan-LATEST.zip - java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml deleted file mode 100644 index 7dc2a3b..0000000 --- a/.github/workflows/main.yml +++ /dev/null @@ -1,111 +0,0 @@ -name: Pipeline-Envs - -on: - push: - branches: [ master ] - - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - name: Use Node.js - uses: actions/setup-node@v2 - with: - node-version: '12.x' - - name: Install dependencies - run: npm install - - name: Empacotamento dos arquivos - uses: thedoctor0/zip-release@master - with: - filename: 'veracode.zip' - path: . - - name: Publicando Artefato - uses: actions/upload-artifact@v2 - with: - name: pacoteVeracode - path: veracode.zip - - Veracode_REST_API: - runs-on: ubuntu-latest - environment: - name: REST - needs: build - steps: - - name: Download math result for job 1 - uses: actions/download-artifact@v2 - with: - name: pacoteVeracode - - name: Veracode REST API - env: - VERACODE_ID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VERACODE_KEY: ${{ secrets.VKEY }} - veracodeAppName: Github Actions - ${{ github.repository }} - CaminhoArquivo: './veracode.zip' - run: | - aut_Veracode () { - URLPATH=$1 - METHOD=$2 - NONCE="$(cat /dev/random | xxd -p | head -c 32)" - TS="$(($(date +%s%N)/1000))" - encryptedNonce=$(echo "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt hexkey:$VERACODE_KEY | cut -d ' ' -f 2) - encryptedTimestamp=$(echo -n "$TS" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedNonce | cut -d ' ' -f 2) - signingKey=$(echo -n "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedTimestamp | cut -d ' ' -f 2) - DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD" - signature=$(echo -n "$DATA" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey | cut -d ' ' -f 2) - VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature" - } - URLPATH=/api/5.0/getapplist.do - METHOD=GET - aut_Veracode $URLPATH $METHOD - curl -s -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -o applist.xml - while read -r line - do - app_name=$(echo $line | grep -Po 'app_name="\K.*?(?=")') - AppID=$(echo $line | grep -Po 'app_id="\K.*?(?=")') - if [ "$app_name" = "$veracodeAppName" ]; then - break - fi - done < <(grep $veracodeAppName applist.xml) - URLPATH=/api/5.0/uploadfile.do - METHOD=POST - aut_Veracode $URLPATH $METHOD - echo "Fazendo o Upload do arquivo: $CaminhoArquivo" - curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "file=@$CaminhoArquivo" - URLPATH=/api/5.0/beginprescan.do - METHOD=POST - aut_Veracode $URLPATH $METHOD - echo " " - echo "Iniciando o scan no perfil: $veracodeAppName ID: $AppID" - curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "auto_scan=true" - - Veracode_Wrapper: - runs-on: ubuntu-latest - environment: - name: Wrapper - needs: build - steps: - - name: Download math result for job 1 - uses: actions/download-artifact@v2 - with: - name: pacoteVeracode - - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode - env: - VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VKEY: ${{ secrets.VKEY }} - AppName: Github Actions - ${{ github.repository }} - with: - vid: '$VID' - vkey: '$VKEY' - criticality: 'VeryHigh' - appname: '$AppName' - createprofile: true - sandboxname: 'Wrapper' - createsandbox: true - filepath: 'veracode.zip' - deleteIncompleteScan: false - version: ${{ github.run_id }} - scantimeout: 30 diff --git a/.github/workflows/restAPI.yml b/.github/workflows/restAPI.yml deleted file mode 100644 index edee816..0000000 --- a/.github/workflows/restAPI.yml +++ /dev/null @@ -1,78 +0,0 @@ -# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions - -name: NodeJS - -on: - push: - branches: [ master ] - - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - name: Use Node.js - uses: actions/setup-node@v2 - with: - node-version: '12.x' - - name: Install dependencies - run: npm install - - - name: Empacotamento dos arquivos - uses: thedoctor0/zip-release@master - with: - filename: 'veracode.zip' - path: . - - - name: Veracode REST API - env: - VERACODE_ID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VERACODE_KEY: ${{ secrets.VKEY }} - veracodeAppName: Github Actions - ${{ github.repository }} - CaminhoArquivo: './veracode.zip' - run: | - aut_Veracode () { - URLPATH=$1 - METHOD=$2 - - NONCE="$(cat /dev/random | xxd -p | head -c 32)" - TS="$(($(date +%s%N)/1000))" - encryptedNonce=$(echo "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt hexkey:$VERACODE_KEY | cut -d ' ' -f 2) - encryptedTimestamp=$(echo -n "$TS" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedNonce | cut -d ' ' -f 2) - signingKey=$(echo -n "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedTimestamp | cut -d ' ' -f 2) - DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD" - signature=$(echo -n "$DATA" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey | cut -d ' ' -f 2) - VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature" - } - - URLPATH=/api/5.0/getapplist.do - METHOD=GET - aut_Veracode $URLPATH $METHOD - curl -s -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -o applist.xml - - while read -r line - do - app_name=$(echo $line | grep -Po 'app_name="\K.*?(?=")') - AppID=$(echo $line | grep -Po 'app_id="\K.*?(?=")') - if [ "$app_name" = "$veracodeAppName" ]; then - break - fi - done < <(grep $veracodeAppName applist.xml) - - - URLPATH=/api/5.0/uploadfile.do - METHOD=POST - aut_Veracode $URLPATH $METHOD - echo "Fazendo o Upload do arquivo: $CaminhoArquivo" - curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "file=@$CaminhoArquivo" - - URLPATH=/api/5.0/beginprescan.do - METHOD=POST - aut_Veracode $URLPATH $METHOD - echo " " - echo "Iniciando o scan no perfil: $veracodeAppName ID: $AppID" - curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "auto_scan=true" diff --git a/.github/workflows/veracode-basic.yml b/.github/workflows/veracode-basic.yml new file mode 100644 index 0000000..624f14e --- /dev/null +++ b/.github/workflows/veracode-basic.yml @@ -0,0 +1,44 @@ +name: Veracode_Basic +on: + push: + branches: [ master ] + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_UploadAndScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + env: + VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VeracodeKey: ${{ secrets.VeracodeKey }} + AppName: ${{ github.repository }} + with: + vid: '$VeracodeID' + vkey: '$VeracodeKey' + criticality: 'VeryHigh' + appname: '$AppName' + createprofile: true + filepath: 'veracode.zip' + deleteIncompleteScan: false + version: ${{ github.run_id }} \ No newline at end of file diff --git a/.github/workflows/veracode-expert.yml b/.github/workflows/veracode-expert.yml new file mode 100644 index 0000000..a355805 --- /dev/null +++ b/.github/workflows/veracode-expert.yml @@ -0,0 +1,104 @@ +name: Veracode_Expert +on: + push: + branches: [ master ] + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_SCA: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Veracode SCA + env: + SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets + run: | + curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty + + Veracode-container_iac_secrets-scan: + runs-on: ubuntu-latest + name: Veracode Container/IaC/Secrets + + steps: + - name: checkout + uses: actions/checkout@v3 + + - name: Verracode Container/IaC/Secrets action step + uses: veracode/container_iac_secrets_scanning@v1.0.0 + with: + vid: ${{ secrets.VeracodeID }} + vkey: ${{ secrets.VeracodeKey }} + command: "scan" + type: "directory" + source: "./" + format: "json" + debug: false + fail_build: true + + Veracode_UploadAndScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + env: + VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VeracodeKey: ${{ secrets.VeracodeKey }} + AppName: Github Actions - ${{ github.repository }} + with: + vid: '$VeracodeID' + vkey: '$VeracodeKey' + criticality: 'VeryHigh' + appname: '$AppName' + createsandbox: true + filepath: 'veracode.zip' + deleteIncompleteScan: false + version: ${{ github.run_id }} + + Veracode_PipelineScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - name: Veracode Pipeline Scan + continue-on-error: true + env: + VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VeracodeKey }} + CaminhoArquivo: './veracode.zip' + run: | + curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + unzip pipeline-scan-LATEST.zip + java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true + - name: Converte para o formato SARIF + id: convert + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5 + with: + pipeline-results-json: results.json + output-results-sarif: veracode-results.sarif + finding-rule-level: "3:1:0" + - name: Publica os resultados + uses: github/codeql-action/upload-sarif@v2 + with: # Path to SARIF file relative to the root of the repository + sarif_file: veracode-results.sarif diff --git a/terraform/alicloud/bucket.tf b/terraform/alicloud/bucket.tf new file mode 100644 index 0000000..831f9bc --- /dev/null +++ b/terraform/alicloud/bucket.tf @@ -0,0 +1,18 @@ +resource "alicloud_oss_bucket" "bad_bucket" { + # Public and writeable bucket + # Versioning isn't enabled + # Not Encrypted with a Customer Master Key and no Server side encryption + # Doesn't have access logging enabled" + bucket = "wildwestfreeforall" + acl = "public-read-write" + tags = { + git_commit = "9c114f23d311f787c137723e1f71b27a52f0adec" + git_file = "terraform/alicloud/bucket.tf" + git_last_modified_at = "2022-04-05 15:17:55" + git_last_modified_by = "james.woolfenden@gmail.com" + git_modifiers = "james.woolfenden" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "80373049-248d-4f5e-9d25-740c3e80f2b9" + } +} diff --git a/terraform/alicloud/provider.tf b/terraform/alicloud/provider.tf new file mode 100644 index 0000000..955c266 --- /dev/null +++ b/terraform/alicloud/provider.tf @@ -0,0 +1,12 @@ +terraform { + required_providers { + alicloud = { + source = "aliyun/alicloud" + version = "1.162.0" + } + } +} + +provider "alicloud" { + region = "cn-hangzhou" +} \ No newline at end of file diff --git a/terraform/alicloud/rds.tf b/terraform/alicloud/rds.tf new file mode 100644 index 0000000..70660df --- /dev/null +++ b/terraform/alicloud/rds.tf @@ -0,0 +1,30 @@ +resource "alicloud_db_instance" "seeme" { + # Is public due to Security IPS 0.0.0.0/0 + engine = "MySQL" + engine_version = "5.6" + instance_type = "rds.mysql.t1.small" + instance_storage = "10" + tde_status = "Enabled" + security_ips = [ + "0.0.0.0", + "10.23.12.24/24" + ] + parameters { + name = "innodb_large_prefix" + value = "ON" + } + parameters { + name = "connect_timeout" + value = "50" + } + tags = { + git_commit = "c2ff052009d49c65e6af551eb1506abc73b5976c" + git_file = "terraform/alicloud/rds.tf" + git_last_modified_at = "2022-04-05 15:14:28" + git_last_modified_by = "james.woolfenden@gmail.com" + git_modifiers = "james.woolfenden" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "7bd1394e-0a79-4288-8f83-5abcca5bf1ba" + } +} diff --git a/terraform/alicloud/trail.tf b/terraform/alicloud/trail.tf new file mode 100644 index 0000000..9e2daf8 --- /dev/null +++ b/terraform/alicloud/trail.tf @@ -0,0 +1,44 @@ +resource "alicloud_actiontrail_trail" "fail" { + # Action Trail not Logging for all regions + # Action Trail not Logging for all events + trail_name = "action-trail" + oss_write_role_arn = alicloud_ram_role.trail.arn + oss_bucket_name = alicloud_oss_bucket.trail.bucket + event_rw = "Read" + trail_region = "cn-hangzhou" +} + +resource "alicloud_oss_bucket" "trail" { + + tags = { + git_commit = "c2ff052009d49c65e6af551eb1506abc73b5976c" + git_file = "terraform/alicloud/trail.tf" + git_last_modified_at = "2022-04-05 15:14:28" + git_last_modified_by = "james.woolfenden@gmail.com" + git_modifiers = "james.woolfenden" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "9ce7077b-8195-4e71-aec6-ed1f769555dc" + } +} + +resource "alicloud_ram_role" "trail" { + name = "trail" + document = < /tmp/dbinfo.inc + +EnD +sudo mv /tmp/dbinfo.inc /var/www/inc +sudo chown root:root /var/www/inc/dbinfo.inc + +cat << EnD > /tmp/index.php + + + +

Sample page

+ + + +
+ + + + + + + + + + +
NAMEADDRESS
+ + + + + +
+
+ + + + + + + + + +"; + echo "", + "", + ""; + echo ""; +} +?> + +
IDNAMEADDRESS
",\$query_data[0], "",\$query_data[1], "",\$query_data[2], "
+ + + + + + + + +Error adding employee data.

"); +} + +/* Check whether the table exists and, if not, create it. */ +function VerifyEmployeesTable(\$connection, \$dbName) { + if(!TableExists("EMPLOYEES", \$connection, \$dbName)) + { + \$query = "CREATE TABLE EMPLOYEES ( + ID int(11) UNSIGNED AUTO_INCREMENT PRIMARY KEY, + NAME VARCHAR(45), + ADDRESS VARCHAR(90) + )"; + + if(!mysqli_query(\$connection, \$query)) echo("

Error creating table.

"); + } +} + +/* Check for the existence of a table. */ +function TableExists(\$tableName, \$connection, \$dbName) { + \$t = mysqli_real_escape_string(\$connection, \$tableName); + \$d = mysqli_real_escape_string(\$connection, \$dbName); + + \$checktable = mysqli_query(\$connection, + "SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_NAME = '\$t' AND TABLE_SCHEMA = '\$d'"); + + if(mysqli_num_rows(\$checktable) > 0) return true; + + return false; +} +?> +EnD + +sudo mv /tmp/index.php /var/www/html +sudo chown root:root /var/www/html/index.php + + + +EOF + tags = merge({ + Name = "${local.resource_prefix.value}-dbapp" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/db-app.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "f7999d4e-c983-43ee-bd88-7903a6f8483e" + }) +} + +output "db_app_public_dns" { + description = "DB Public DNS name" + value = aws_instance.db_app.public_dns +} + +output "db_endpoint" { + description = "DB Endpoint" + value = aws_db_instance.default.endpoint +} + diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf new file mode 100644 index 0000000..00e0ba9 --- /dev/null +++ b/terraform/aws/ec2.tf @@ -0,0 +1,308 @@ +resource "aws_instance" "web_host" { + # ec2 have plain text secrets in user data + ami = "${var.ami}" + instance_type = "t2.nano" + + vpc_security_group_ids = [ + "${aws_security_group.web-node.id}"] + subnet_id = "${aws_subnet.web_subnet.id}" + user_data = <Deployed via Terraform" | sudo tee /var/www/html/index.html +EOF + tags = merge({ + Name = "${local.resource_prefix.value}-ec2" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "347af3cd-4f70-4632-aca3-4d5e30ffc0b6" + }) +} + +resource "aws_ebs_volume" "web_host_storage" { + # unencrypted volume + availability_zone = "${var.region}a" + #encrypted = false # Setting this causes the volume to be recreated on apply + size = 1 + tags = merge({ + Name = "${local.resource_prefix.value}-ebs" + }, { + git_commit = "d3439f0f2af62f6fa3521e14d6c27819ef8f12e1" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2021-05-02 11:17:26" + git_last_modified_by = "nimrodkor@users.noreply.github.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "c5509daf-10f0-46af-9e03-41989212521d" + }) +} + +resource "aws_ebs_snapshot" "example_snapshot" { + # ebs snapshot without encryption + volume_id = "${aws_ebs_volume.web_host_storage.id}" + description = "${local.resource_prefix.value}-ebs-snapshot" + tags = merge({ + Name = "${local.resource_prefix.value}-ebs-snapshot" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "c1008080-ec2f-4512-a0d0-2e9330aa58f0" + }) +} + +resource "aws_volume_attachment" "ebs_att" { + device_name = "/dev/sdh" + volume_id = "${aws_ebs_volume.web_host_storage.id}" + instance_id = "${aws_instance.web_host.id}" +} + +resource "aws_security_group" "web-node" { + # security group is open to the world in SSH port + name = "${local.resource_prefix.value}-sg" + description = "${local.resource_prefix.value} Security Group" + vpc_id = aws_vpc.web_vpc.id + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [ + "0.0.0.0/0"] + } + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [ + "0.0.0.0/0"] + } + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [ + "0.0.0.0/0"] + } + depends_on = [aws_vpc.web_vpc] + tags = { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "b7af1b40-64eb-4519-a1a0-ab198db4b193" + } +} + +resource "aws_vpc" "web_vpc" { + cidr_block = "172.16.0.0/16" + enable_dns_hostnames = true + enable_dns_support = true + tags = merge({ + Name = "${local.resource_prefix.value}-vpc" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "9bf2359b-952e-4570-9595-52eba4c20473" + }) +} + +resource "aws_subnet" "web_subnet" { + vpc_id = aws_vpc.web_vpc.id + cidr_block = "172.16.10.0/24" + availability_zone = "${var.region}a" + map_public_ip_on_launch = true + + tags = merge({ + Name = "${local.resource_prefix.value}-subnet" + }, { + git_commit = "6e62522d2ab8f63740e53752b84a6e99cd65696a" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2021-05-02 11:16:31" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "0345f650-d280-4ca8-86c9-c71c38c0eda8" + }) +} + +resource "aws_subnet" "web_subnet2" { + vpc_id = aws_vpc.web_vpc.id + cidr_block = "172.16.11.0/24" + availability_zone = "${var.region}b" + map_public_ip_on_launch = true + + tags = merge({ + Name = "${local.resource_prefix.value}-subnet2" + }, { + git_commit = "6e62522d2ab8f63740e53752b84a6e99cd65696a" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2021-05-02 11:16:31" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "224af03a-00e0-4981-be30-14965833c2db" + }) +} + + +resource "aws_internet_gateway" "web_igw" { + vpc_id = aws_vpc.web_vpc.id + + tags = merge({ + Name = "${local.resource_prefix.value}-igw" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "d8e63cb4-2fb5-4726-9c86-5fd05ef03674" + }) +} + +resource "aws_route_table" "web_rtb" { + vpc_id = aws_vpc.web_vpc.id + + tags = merge({ + Name = "${local.resource_prefix.value}-rtb" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "5e4fee6e-a6aa-4b61-a741-47c5efb463e1" + }) +} + +resource "aws_route_table_association" "rtbassoc" { + subnet_id = aws_subnet.web_subnet.id + route_table_id = aws_route_table.web_rtb.id +} + +resource "aws_route_table_association" "rtbassoc2" { + subnet_id = aws_subnet.web_subnet2.id + route_table_id = aws_route_table.web_rtb.id +} + +resource "aws_route" "public_internet_gateway" { + route_table_id = aws_route_table.web_rtb.id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.web_igw.id + + timeouts { + create = "5m" + } +} + + +resource "aws_network_interface" "web-eni" { + subnet_id = aws_subnet.web_subnet.id + private_ips = ["172.16.10.100"] + + tags = merge({ + Name = "${local.resource_prefix.value}-primary_network_interface" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "7e2ffea8-739f-467d-b57b-53cbc0d7ccbe" + }) +} + +# VPC Flow Logs to S3 +resource "aws_flow_log" "vpcflowlogs" { + log_destination = aws_s3_bucket.flowbucket.arn + log_destination_type = "s3" + traffic_type = "ALL" + vpc_id = aws_vpc.web_vpc.id + + tags = merge({ + Name = "${local.resource_prefix.value}-flowlogs" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "6808d4b7-45bc-4d1d-9523-96757a3add3a" + }) +} + +resource "aws_s3_bucket" "flowbucket" { + bucket = "${local.resource_prefix.value}-flowlogs" + force_destroy = true + + tags = merge({ + Name = "${local.resource_prefix.value}-flowlogs" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "f058838a-b1e0-4383-b965-7e06e987ffb1" + }) +} + +output "ec2_public_dns" { + description = "Web Host Public DNS name" + value = aws_instance.web_host.public_dns +} + +output "vpc_id" { + description = "The ID of the VPC" + value = aws_vpc.web_vpc.id +} + +output "public_subnet" { + description = "The ID of the Public subnet" + value = aws_subnet.web_subnet.id +} + +output "public_subnet2" { + description = "The ID of the Public subnet" + value = aws_subnet.web_subnet2.id +} diff --git a/terraform/aws/ecr.tf b/terraform/aws/ecr.tf new file mode 100644 index 0000000..e578bac --- /dev/null +++ b/terraform/aws/ecr.tf @@ -0,0 +1,34 @@ +resource aws_ecr_repository "repository" { + name = "${local.resource_prefix.value}-repository" + image_tag_mutability = "MUTABLE" + + tags = merge({ + Name = "${local.resource_prefix.value}-repository" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ecr.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "7a3ec657-fa54-4aa2-8467-5d08d6c90bc2" + }) +} + +locals { + docker_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${aws_ecr_repository.repository.name}" +} + + +resource null_resource "push_image" { + provisioner "local-exec" { + working_dir = "${path.module}/resources" + command = <