From 0c3fa42b762e5018387b0aab1b1655655ca01ca7 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 21 Jul 2022 16:34:13 -0300 Subject: [PATCH 01/23] Exemplos de Pipelines --- .github/workflows/Com traducao.yml | 142 +++++++++++++++++++++++++++++ .github/workflows/Comparativo.yml | 77 ++++++++++++++++ .github/workflows/Default.yml | 59 ------------ .github/workflows/allTools.yml | 133 --------------------------- .github/workflows/main.yml | 111 ---------------------- .github/workflows/restAPI.yml | 78 ---------------- 6 files changed, 219 insertions(+), 381 deletions(-) create mode 100644 .github/workflows/Com traducao.yml create mode 100644 .github/workflows/Comparativo.yml delete mode 100644 .github/workflows/Default.yml delete mode 100644 .github/workflows/allTools.yml delete mode 100644 .github/workflows/main.yml delete mode 100644 .github/workflows/restAPI.yml diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml new file mode 100644 index 0000000..b9d9865 --- /dev/null +++ b/.github/workflows/Com traducao.yml @@ -0,0 +1,142 @@ +name: Pipeline_Ideal +on: + push: + branches: [ master ] + workflow_dispatch: +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Use Node.js + uses: actions/setup-node@v2 + with: + node-version: '12.x' + - name: Install dependencies + run: npm install + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_SAST: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + env: + VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VKEY }} + AppName: Github Actions - ${{ github.repository }} + with: + vid: '$VID' + vkey: '$VKEY' + criticality: 'VeryHigh' + appname: '$AppName' + createsandbox: true + filepath: 'veracode.zip' + deleteIncompleteScan: false + version: ${{ github.run_id }} + + Resultados: + runs-on: windows-latest + needs: Veracode_SAST + steps: + - name: Download Wrapper file + run: Invoke-WebRequest -Uri "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/20.12.7.3/vosp-api-wrappers-java-20.12.7.3.jar" -OutFile "VeracodeJavaAPI.jar" + - name: Download XML + env: + VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VKEY }} + CaminhoArquivo: './veracode.zip' + numeroVersao: ${{ github.run_id }} + run: | + function Traduzir { + param ( + [parameter(position=0,Mandatory=$True)] + $texto, + [parameter(position=1)] + $idiomaAlvo = "pt" + ) + + # Utiliza a API do Google para traduzir + Try { + $Uri = “https://translate.googleapis.com/translate_a/single?client=gtx&sl=auto&tl=$($idiomaAlvo)&dt=t&q=$texto” + $Response = Invoke-RestMethod -Uri $Uri -Method Get + # Retorna o valor traduzido + $traducao = $Response[0].SyncRoot | foreach { $_[0] } + return $traducao + } + Catch { + # Recebe o erro + $ErrorMessage = $_.Exception.Message # Recebe o erro + # Exibe a mensagem de erro + Write-Host "Erro ao traduzir" + Write-host $ErrorMessage + } + } + + # Recebe as infos + [xml]$INFO = $(VeracodeAPI.exe -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern $veracodeAppName) + $appID = $INFO.app.app_id + [string]$INFO = VeracodeAPI.exe -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID" + [xml]$INFO = $INFO.Replace(' xmlns=', ' _xmlns=') + $buildINFO = $INFO.SelectSingleNode("//application[@app_id='$appId']") + $buildID = $buildINFO.build.build_id + # Gera o relatorio + $out = VeracodeAPI.exe -vid $veracodeID -vkey $veracodeAPIkey -action detailedreport -buildid "$buildID" -outputfilepath "${{ github.run_id }}.xml" + + - name: Resultado do Scan + run: | + # Recebendo informacoes + $securityINFO = [xml](Get-Content "${{ github.run_id }}.xml") + $notaLetra = $securityINFO.detailedreport.'static-analysis'.rating + $notaScore = $securityINFO.detailedreport.'static-analysis'.score + $veracodeAppName = $securityINFO.detailedreport.app_name + $numeroVersao = $securityINFO.detailedreport.version + $appID = $securityINFO.detailedreport.app_id + $quemEnviou = $securityINFO.detailedreport.submitter + $politica = $securityINFO.detailedreport.policy_name + $complicanceStatus = $securityINFO.detailedreport.policy_compliance_status + # Exibe os resultados + Write-Host "Resultado do Scan: $numeroVersao" + Write-Host "Nome App: $veracodeAppName - App ID: $appID" + Write-Host "Enviado por: $quemEnviou" + Write-Host "Politica: $politica" + Write-Host "Nota: $notaLetra - Score: $notaScore - Resultado: $complicanceStatus" + Write-Host "Lista dos problemas encontrados:" + # Recebe os leveis e reordena + $levels = $securityINFO.detailedreport.severity.level + [array]::Reverse($levels) + foreach ($level in $levels) { + Write-Host "Prioridade: $level" + # Recebe as informações + $itensCategoria = $securityINFO.detailedreport.severity[$level].category + foreach ($item in $itensCategoria) { + $idCWE = $item.cwe.cweid + $nomeCategoria = $item.categoryname + $descricao = $item.desc.para.text + $recomendacoes = $item.recommendations.para.text + # Faz a tradução + $descricao = Traduzir $descricao + $recomendacoes = Traduzir $recomendacoes + # Exibe o resultado + Write-Host "Categoria: $nomeCategoria - ID CWE: $idCWE" + Write-Host "Descrição: $descricao" + Write-Host " " + Write-Host "Remediação: $recomendacoes" + Write-Host " " + Write-Host " " + } + Write-Host "..." + } diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml new file mode 100644 index 0000000..4ae0ff8 --- /dev/null +++ b/.github/workflows/Comparativo.yml @@ -0,0 +1,77 @@ +name: Pipeline_Ideal +on: + push: + branches: [ master ] + workflow_dispatch: +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Use Node.js + uses: actions/setup-node@v2 + with: + node-version: '12.x' + - name: Install dependencies + run: npm install + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_SCA: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Veracode SCA + env: + SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets + run: | + curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --allow-dirty + + Veracode_SAST: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + env: + VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VKEY }} + AppName: Github Actions - ${{ github.repository }} + with: + vid: '$VID' + vkey: '$VKEY' + criticality: 'VeryHigh' + appname: '$AppName' + scantimeout: '45' + filepath: 'veracode.zip' + deleteIncompleteScan: false + version: ${{ github.run_id }} + + Veracode_PipelineScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - name: Veracode Pipeline Scan + env: + VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VKEY }} + CaminhoArquivo: './veracode.zip' + run: | + curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + unzip pipeline-scan-LATEST.zip + java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true diff --git a/.github/workflows/Default.yml b/.github/workflows/Default.yml deleted file mode 100644 index f7a337a..0000000 --- a/.github/workflows/Default.yml +++ /dev/null @@ -1,59 +0,0 @@ -name: Default -on: - push: - branches: [ master ] - workflow_dispatch: -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@master - - - name: Use Node.js - uses: actions/setup-node@v2 - with: - node-version: '12.x' - - - name: Archive Release - uses: thedoctor0/zip-release@master - with: - filename: 'veracode.zip' - path: . - - - uses: actions/setup-java@v1 # Make java accessible on path so the uploadandscan action can run. - with: - java-version: '8' - - - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode - env: - VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VKEY: ${{ secrets.VKEY }} - AppName: Github Actions - ${{ github.repository }} - with: - vid: '$VID' - vkey: '$VKEY' - criticality: 'VeryHigh' - appname: '$AppName' - createprofile: true - filepath: 'veracode.zip' - deleteIncompleteScan: false - version: ${{ github.run_id }} - - - name: Veracode SCA - env: - SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets - run: | - curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s scan --update-advisor - - - name: build - run: npm build - - - name: Veracode Pipeline Scan - env: - VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VKEY: ${{ secrets.VKEY }} - CaminhoArquivo: 'veracode.zip' - run: | - curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - unzip -o pipeline-scan-LATEST.zip - java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true diff --git a/.github/workflows/allTools.yml b/.github/workflows/allTools.yml deleted file mode 100644 index 39b4c2c..0000000 --- a/.github/workflows/allTools.yml +++ /dev/null @@ -1,133 +0,0 @@ -name: All-Tools - -on: - push: - branches: [ master ] - - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Use Node.js - uses: actions/setup-node@v2 - with: - node-version: '12.x' - - name: Install dependencies - run: npm install - - name: Empacotamento dos arquivos - uses: thedoctor0/zip-release@master - with: - filename: 'veracode.zip' - path: . - - name: Publicando Artefato - uses: actions/upload-artifact@v2 - with: - name: pacoteVeracode - path: veracode.zip - - Veracode_SCA: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Veracode SCA - env: - SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets - run: | - curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request - - Veracode_REST_API: - runs-on: ubuntu-latest - needs: build - steps: - - name: Download Artefato - uses: actions/download-artifact@v2 - with: - name: pacoteVeracode - - name: Veracode REST API - env: - VERACODE_ID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VERACODE_KEY: ${{ secrets.VKEY }} - veracodeAppName: Github - ${{ github.repository }} - CaminhoArquivo: './veracode.zip' - run: | - aut_Veracode () { - URLPATH=$1 - METHOD=$2 - NONCE="$(cat /dev/random | xxd -p | head -c 32)" - TS="$(($(date +%s%N)/1000))" - encryptedNonce=$(echo "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt hexkey:$VERACODE_KEY | cut -d ' ' -f 2) - encryptedTimestamp=$(echo -n "$TS" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedNonce | cut -d ' ' -f 2) - signingKey=$(echo -n "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedTimestamp | cut -d ' ' -f 2) - DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD" - signature=$(echo -n "$DATA" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey | cut -d ' ' -f 2) - VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature" - } - URLPATH=/api/5.0/getapplist.do - METHOD=GET - aut_Veracode $URLPATH $METHOD - curl -s -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -o applist.xml - while read -r line - do - app_name=$(echo $line | grep -Po 'app_name="\K.*?(?=")') - AppID=$(echo $line | grep -Po 'app_id="\K.*?(?=")') - if [ "$app_name" = "$veracodeAppName" ]; then - break - fi - done < <(grep $veracodeAppName applist.xml) - URLPATH=/api/5.0/uploadfile.do - METHOD=POST - aut_Veracode $URLPATH $METHOD - echo "Fazendo o Upload do arquivo: $CaminhoArquivo" - curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "file=@$CaminhoArquivo" - URLPATH=/api/5.0/beginprescan.do - METHOD=POST - aut_Veracode $URLPATH $METHOD - echo " " - echo "Iniciando o scan no perfil: $veracodeAppName ID: $AppID" - curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "auto_scan=true" - - Veracode_Wrapper: - runs-on: ubuntu-latest - needs: build - steps: - - name: Download Artefato - uses: actions/download-artifact@v2 - with: - name: pacoteVeracode - - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode - env: - VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VKEY: ${{ secrets.VKEY }} - AppName: Github Actions - ${{ github.repository }} - with: - vid: '$VID' - vkey: '$VKEY' - criticality: 'VeryHigh' - appname: '$AppName' - createprofile: true - sandboxname: 'HMG' - createsandbox: true - filepath: 'veracode.zip' - deleteIncompleteScan: false - version: ${{ github.run_id }} - - Veracode_PipelineScan: - runs-on: ubuntu-latest - needs: build - steps: - - name: Download Artefato - uses: actions/download-artifact@v2 - with: - name: pacoteVeracode - - name: Veracode Pipeline Scan - env: - VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VKEY: ${{ secrets.VKEY }} - CaminhoArquivo: './veracode.zip' - run: | - curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip - unzip pipeline-scan-LATEST.zip - java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml deleted file mode 100644 index 7dc2a3b..0000000 --- a/.github/workflows/main.yml +++ /dev/null @@ -1,111 +0,0 @@ -name: Pipeline-Envs - -on: - push: - branches: [ master ] - - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - name: Use Node.js - uses: actions/setup-node@v2 - with: - node-version: '12.x' - - name: Install dependencies - run: npm install - - name: Empacotamento dos arquivos - uses: thedoctor0/zip-release@master - with: - filename: 'veracode.zip' - path: . - - name: Publicando Artefato - uses: actions/upload-artifact@v2 - with: - name: pacoteVeracode - path: veracode.zip - - Veracode_REST_API: - runs-on: ubuntu-latest - environment: - name: REST - needs: build - steps: - - name: Download math result for job 1 - uses: actions/download-artifact@v2 - with: - name: pacoteVeracode - - name: Veracode REST API - env: - VERACODE_ID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VERACODE_KEY: ${{ secrets.VKEY }} - veracodeAppName: Github Actions - ${{ github.repository }} - CaminhoArquivo: './veracode.zip' - run: | - aut_Veracode () { - URLPATH=$1 - METHOD=$2 - NONCE="$(cat /dev/random | xxd -p | head -c 32)" - TS="$(($(date +%s%N)/1000))" - encryptedNonce=$(echo "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt hexkey:$VERACODE_KEY | cut -d ' ' -f 2) - encryptedTimestamp=$(echo -n "$TS" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedNonce | cut -d ' ' -f 2) - signingKey=$(echo -n "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedTimestamp | cut -d ' ' -f 2) - DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD" - signature=$(echo -n "$DATA" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey | cut -d ' ' -f 2) - VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature" - } - URLPATH=/api/5.0/getapplist.do - METHOD=GET - aut_Veracode $URLPATH $METHOD - curl -s -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -o applist.xml - while read -r line - do - app_name=$(echo $line | grep -Po 'app_name="\K.*?(?=")') - AppID=$(echo $line | grep -Po 'app_id="\K.*?(?=")') - if [ "$app_name" = "$veracodeAppName" ]; then - break - fi - done < <(grep $veracodeAppName applist.xml) - URLPATH=/api/5.0/uploadfile.do - METHOD=POST - aut_Veracode $URLPATH $METHOD - echo "Fazendo o Upload do arquivo: $CaminhoArquivo" - curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "file=@$CaminhoArquivo" - URLPATH=/api/5.0/beginprescan.do - METHOD=POST - aut_Veracode $URLPATH $METHOD - echo " " - echo "Iniciando o scan no perfil: $veracodeAppName ID: $AppID" - curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "auto_scan=true" - - Veracode_Wrapper: - runs-on: ubuntu-latest - environment: - name: Wrapper - needs: build - steps: - - name: Download math result for job 1 - uses: actions/download-artifact@v2 - with: - name: pacoteVeracode - - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode - env: - VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VKEY: ${{ secrets.VKEY }} - AppName: Github Actions - ${{ github.repository }} - with: - vid: '$VID' - vkey: '$VKEY' - criticality: 'VeryHigh' - appname: '$AppName' - createprofile: true - sandboxname: 'Wrapper' - createsandbox: true - filepath: 'veracode.zip' - deleteIncompleteScan: false - version: ${{ github.run_id }} - scantimeout: 30 diff --git a/.github/workflows/restAPI.yml b/.github/workflows/restAPI.yml deleted file mode 100644 index edee816..0000000 --- a/.github/workflows/restAPI.yml +++ /dev/null @@ -1,78 +0,0 @@ -# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node -# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions - -name: NodeJS - -on: - push: - branches: [ master ] - - workflow_dispatch: - -jobs: - build: - runs-on: ubuntu-latest - - steps: - - uses: actions/checkout@v2 - - name: Use Node.js - uses: actions/setup-node@v2 - with: - node-version: '12.x' - - name: Install dependencies - run: npm install - - - name: Empacotamento dos arquivos - uses: thedoctor0/zip-release@master - with: - filename: 'veracode.zip' - path: . - - - name: Veracode REST API - env: - VERACODE_ID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VERACODE_KEY: ${{ secrets.VKEY }} - veracodeAppName: Github Actions - ${{ github.repository }} - CaminhoArquivo: './veracode.zip' - run: | - aut_Veracode () { - URLPATH=$1 - METHOD=$2 - - NONCE="$(cat /dev/random | xxd -p | head -c 32)" - TS="$(($(date +%s%N)/1000))" - encryptedNonce=$(echo "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt hexkey:$VERACODE_KEY | cut -d ' ' -f 2) - encryptedTimestamp=$(echo -n "$TS" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedNonce | cut -d ' ' -f 2) - signingKey=$(echo -n "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedTimestamp | cut -d ' ' -f 2) - DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD" - signature=$(echo -n "$DATA" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey | cut -d ' ' -f 2) - VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature" - } - - URLPATH=/api/5.0/getapplist.do - METHOD=GET - aut_Veracode $URLPATH $METHOD - curl -s -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -o applist.xml - - while read -r line - do - app_name=$(echo $line | grep -Po 'app_name="\K.*?(?=")') - AppID=$(echo $line | grep -Po 'app_id="\K.*?(?=")') - if [ "$app_name" = "$veracodeAppName" ]; then - break - fi - done < <(grep $veracodeAppName applist.xml) - - - URLPATH=/api/5.0/uploadfile.do - METHOD=POST - aut_Veracode $URLPATH $METHOD - echo "Fazendo o Upload do arquivo: $CaminhoArquivo" - curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "file=@$CaminhoArquivo" - - URLPATH=/api/5.0/beginprescan.do - METHOD=POST - aut_Veracode $URLPATH $METHOD - echo " " - echo "Iniciando o scan no perfil: $veracodeAppName ID: $AppID" - curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "auto_scan=true" From ecda5a74ea4d95e9f2d1ebb6e7ba0352b9d69146 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 21 Jul 2022 16:35:12 -0300 Subject: [PATCH 02/23] Alt Nomes Pipes --- .github/workflows/Com traducao.yml | 2 +- .github/workflows/Comparativo.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml index b9d9865..4aa118f 100644 --- a/.github/workflows/Com traducao.yml +++ b/.github/workflows/Com traducao.yml @@ -1,4 +1,4 @@ -name: Pipeline_Ideal +name: Resultados_PTBR on: push: branches: [ master ] diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml index 4ae0ff8..94e4e42 100644 --- a/.github/workflows/Comparativo.yml +++ b/.github/workflows/Comparativo.yml @@ -1,4 +1,4 @@ -name: Pipeline_Ideal +name: Comparativo on: push: branches: [ master ] From 58c070825c107f62f38fc213fc440b247d8498d5 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 21 Jul 2022 16:46:09 -0300 Subject: [PATCH 03/23] Tradutor V2 --- .github/workflows/Com traducao.yml | 32 ++++++++++++++++-------------- .github/workflows/Comparativo.yml | 1 + 2 files changed, 18 insertions(+), 15 deletions(-) diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml index 4aa118f..a3cdaff 100644 --- a/.github/workflows/Com traducao.yml +++ b/.github/workflows/Com traducao.yml @@ -37,14 +37,16 @@ jobs: env: VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets VKEY: ${{ secrets.VKEY }} - AppName: Github Actions - ${{ github.repository }} + AppName: Github Actions - ${{ github.repository }} - PTBR with: vid: '$VID' vkey: '$VKEY' criticality: 'VeryHigh' appname: '$AppName' - createsandbox: true + scantimeout: '45' + scanpollinginterval: '60' filepath: 'veracode.zip' + scanallnonfataltoplevelmodules: true deleteIncompleteScan: false version: ${{ github.run_id }} @@ -53,13 +55,25 @@ jobs: needs: Veracode_SAST steps: - name: Download Wrapper file - run: Invoke-WebRequest -Uri "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/20.12.7.3/vosp-api-wrappers-java-20.12.7.3.jar" -OutFile "VeracodeJavaAPI.jar" + run: Invoke-WebRequest -Uri "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/20.12.7.3/vosp-api-wrappers-java-20.12.7.3.jar" -OutFile "veracode-wrapper.jar" - name: Download XML env: VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets VKEY: ${{ secrets.VKEY }} CaminhoArquivo: './veracode.zip' numeroVersao: ${{ github.run_id }} + run: | + # Recebe as infos + [xml]$INFO = $(java -jar veracode-wrapper.jar -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern $veracodeAppName) + $appID = $INFO.app.app_id + [string]$INFO = java -jar veracode-wrapper.jar -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID" + [xml]$INFO = $INFO.Replace(' xmlns=', ' _xmlns=') + $buildINFO = $INFO.SelectSingleNode("//application[@app_id='$appId']") + $buildID = $buildINFO.build.build_id + # Gera o relatorio + $out = java -jar veracode-wrapper.jar -vid $veracodeID -vkey $veracodeAPIkey -action detailedreport -buildid "$buildID" -outputfilepath "${{ github.run_id }}.xml" + + - name: Resultado do Scan run: | function Traduzir { param ( @@ -86,18 +100,6 @@ jobs: } } - # Recebe as infos - [xml]$INFO = $(VeracodeAPI.exe -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern $veracodeAppName) - $appID = $INFO.app.app_id - [string]$INFO = VeracodeAPI.exe -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID" - [xml]$INFO = $INFO.Replace(' xmlns=', ' _xmlns=') - $buildINFO = $INFO.SelectSingleNode("//application[@app_id='$appId']") - $buildID = $buildINFO.build.build_id - # Gera o relatorio - $out = VeracodeAPI.exe -vid $veracodeID -vkey $veracodeAPIkey -action detailedreport -buildid "$buildID" -outputfilepath "${{ github.run_id }}.xml" - - - name: Resultado do Scan - run: | # Recebendo informacoes $securityINFO = [xml](Get-Content "${{ github.run_id }}.xml") $notaLetra = $securityINFO.detailedreport.'static-analysis'.rating diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml index 94e4e42..3a7a018 100644 --- a/.github/workflows/Comparativo.yml +++ b/.github/workflows/Comparativo.yml @@ -53,6 +53,7 @@ jobs: vkey: '$VKEY' criticality: 'VeryHigh' appname: '$AppName' + scanpollinginterval: '60' scantimeout: '45' filepath: 'veracode.zip' deleteIncompleteScan: false From c73e00853d11ce058e97f6b578c3b8013f89d249 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 21 Jul 2022 16:56:56 -0300 Subject: [PATCH 04/23] V3 --- .github/workflows/Com traducao.yml | 11 +++-------- .github/workflows/Comparativo.yml | 11 +++-------- .github/workflows/PipelineIdeal.yml | 6 ------ 3 files changed, 6 insertions(+), 22 deletions(-) diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml index a3cdaff..4a8dfe4 100644 --- a/.github/workflows/Com traducao.yml +++ b/.github/workflows/Com traducao.yml @@ -8,12 +8,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - name: Use Node.js - uses: actions/setup-node@v2 - with: - node-version: '12.x' - - name: Install dependencies - run: npm install - name: Empacotamento dos arquivos uses: thedoctor0/zip-release@master with: @@ -43,8 +37,9 @@ jobs: vkey: '$VKEY' criticality: 'VeryHigh' appname: '$AppName' - scantimeout: '45' - scanpollinginterval: '60' + scantimeout: 45 + scanpollinginterval: 30 + deleteincompletescan: 1 filepath: 'veracode.zip' scanallnonfataltoplevelmodules: true deleteIncompleteScan: false diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml index 3a7a018..92e1a88 100644 --- a/.github/workflows/Comparativo.yml +++ b/.github/workflows/Comparativo.yml @@ -8,12 +8,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - name: Use Node.js - uses: actions/setup-node@v2 - with: - node-version: '12.x' - - name: Install dependencies - run: npm install - name: Empacotamento dos arquivos uses: thedoctor0/zip-release@master with: @@ -53,8 +47,9 @@ jobs: vkey: '$VKEY' criticality: 'VeryHigh' appname: '$AppName' - scanpollinginterval: '60' - scantimeout: '45' + scanpollinginterval: 30 + scantimeout: 45 + deleteincompletescan: 1 filepath: 'veracode.zip' deleteIncompleteScan: false version: ${{ github.run_id }} diff --git a/.github/workflows/PipelineIdeal.yml b/.github/workflows/PipelineIdeal.yml index 0879adb..780ef51 100644 --- a/.github/workflows/PipelineIdeal.yml +++ b/.github/workflows/PipelineIdeal.yml @@ -8,12 +8,6 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - - name: Use Node.js - uses: actions/setup-node@v2 - with: - node-version: '12.x' - - name: Install dependencies - run: npm install - name: Empacotamento dos arquivos uses: thedoctor0/zip-release@master with: From 0928fecddad07155acf8e08fb73b32ee0265ef74 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 21 Jul 2022 16:58:32 -0300 Subject: [PATCH 05/23] V3 --- .github/workflows/Com traducao.yml | 1 - .github/workflows/Comparativo.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml index 4a8dfe4..0f58c52 100644 --- a/.github/workflows/Com traducao.yml +++ b/.github/workflows/Com traducao.yml @@ -42,7 +42,6 @@ jobs: deleteincompletescan: 1 filepath: 'veracode.zip' scanallnonfataltoplevelmodules: true - deleteIncompleteScan: false version: ${{ github.run_id }} Resultados: diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml index 92e1a88..e614f27 100644 --- a/.github/workflows/Comparativo.yml +++ b/.github/workflows/Comparativo.yml @@ -51,7 +51,6 @@ jobs: scantimeout: 45 deleteincompletescan: 1 filepath: 'veracode.zip' - deleteIncompleteScan: false version: ${{ github.run_id }} Veracode_PipelineScan: From 8fc3ec3493d170458d44b3d2f5c0b283433627d4 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 21 Jul 2022 17:04:00 -0300 Subject: [PATCH 06/23] V3 --- .github/workflows/Com traducao.yml | 2 +- .github/workflows/Comparativo.yml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml index 0f58c52..cb0d940 100644 --- a/.github/workflows/Com traducao.yml +++ b/.github/workflows/Com traducao.yml @@ -22,6 +22,7 @@ jobs: Veracode_SAST: runs-on: ubuntu-latest needs: build + continue-on-error: true steps: - name: Download Artefato uses: actions/download-artifact@v2 @@ -41,7 +42,6 @@ jobs: scanpollinginterval: 30 deleteincompletescan: 1 filepath: 'veracode.zip' - scanallnonfataltoplevelmodules: true version: ${{ github.run_id }} Resultados: diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml index e614f27..8594efe 100644 --- a/.github/workflows/Comparativo.yml +++ b/.github/workflows/Comparativo.yml @@ -49,7 +49,6 @@ jobs: appname: '$AppName' scanpollinginterval: 30 scantimeout: 45 - deleteincompletescan: 1 filepath: 'veracode.zip' version: ${{ github.run_id }} From 87e536c989e8dc993f1f4835abafffec5eef2889 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 21 Jul 2022 17:09:58 -0300 Subject: [PATCH 07/23] V3 --- .github/workflows/Com traducao.yml | 44 +----------------------------- 1 file changed, 1 insertion(+), 43 deletions(-) diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml index cb0d940..51bc3d7 100644 --- a/.github/workflows/Com traducao.yml +++ b/.github/workflows/Com traducao.yml @@ -4,49 +4,8 @@ on: branches: [ master ] workflow_dispatch: jobs: - build: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Empacotamento dos arquivos - uses: thedoctor0/zip-release@master - with: - filename: 'veracode.zip' - path: . - - name: Publicando Artefato - uses: actions/upload-artifact@v2 - with: - name: pacoteVeracode - path: veracode.zip - - Veracode_SAST: - runs-on: ubuntu-latest - needs: build - continue-on-error: true - steps: - - name: Download Artefato - uses: actions/download-artifact@v2 - with: - name: pacoteVeracode - - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode - env: - VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VKEY: ${{ secrets.VKEY }} - AppName: Github Actions - ${{ github.repository }} - PTBR - with: - vid: '$VID' - vkey: '$VKEY' - criticality: 'VeryHigh' - appname: '$AppName' - scantimeout: 45 - scanpollinginterval: 30 - deleteincompletescan: 1 - filepath: 'veracode.zip' - version: ${{ github.run_id }} - Resultados: runs-on: windows-latest - needs: Veracode_SAST steps: - name: Download Wrapper file run: Invoke-WebRequest -Uri "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/20.12.7.3/vosp-api-wrappers-java-20.12.7.3.jar" -OutFile "veracode-wrapper.jar" @@ -54,8 +13,7 @@ jobs: env: VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets VKEY: ${{ secrets.VKEY }} - CaminhoArquivo: './veracode.zip' - numeroVersao: ${{ github.run_id }} + veracodeAppName: 'Github Actions - IGDEXE/NodeGoat-JS' run: | # Recebe as infos [xml]$INFO = $(java -jar veracode-wrapper.jar -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern $veracodeAppName) From f5a4ba9b81ccc6ac0594c587962b6dcdd8a308bf Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 21 Jul 2022 17:13:38 -0300 Subject: [PATCH 08/23] Update Com traducao.yml --- .github/workflows/Com traducao.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml index 51bc3d7..7f678e6 100644 --- a/.github/workflows/Com traducao.yml +++ b/.github/workflows/Com traducao.yml @@ -13,10 +13,9 @@ jobs: env: VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets VKEY: ${{ secrets.VKEY }} - veracodeAppName: 'Github Actions - IGDEXE/NodeGoat-JS' run: | # Recebe as infos - [xml]$INFO = $(java -jar veracode-wrapper.jar -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern $veracodeAppName) + [xml]$INFO = $(java -jar veracode-wrapper.jar -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern 'Github Actions - IGDEXE/NodeGoat-JS') $appID = $INFO.app.app_id [string]$INFO = java -jar veracode-wrapper.jar -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID" [xml]$INFO = $INFO.Replace(' xmlns=', ' _xmlns=') From 96b9b8e6123486d0ab4f68964a1ea827d31198b0 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 21 Jul 2022 17:23:33 -0300 Subject: [PATCH 09/23] Update Com traducao.yml --- .github/workflows/Com traducao.yml | 42 +++++++++++++++++++++++++----- 1 file changed, 35 insertions(+), 7 deletions(-) diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml index 7f678e6..8b45dbe 100644 --- a/.github/workflows/Com traducao.yml +++ b/.github/workflows/Com traducao.yml @@ -4,26 +4,54 @@ on: branches: [ master ] workflow_dispatch: jobs: - Resultados: + Download_Wrapper: + runs-on: ubuntu-latest + steps: + - name: Veracode Pipeline Scan + run: | + curl -sSO https://tools.veracode.com/integrations/API-Wrappers/C%23/bin/VeracodeC%23API.zip + unzip VeracodeC%23API.zip + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: WrapperVeracode + path: VeracodeC#API.exe + + Download_XML: runs-on: windows-latest steps: - - name: Download Wrapper file - run: Invoke-WebRequest -Uri "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/20.12.7.3/vosp-api-wrappers-java-20.12.7.3.jar" -OutFile "veracode-wrapper.jar" + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: WrapperVeracode - name: Download XML env: VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets VKEY: ${{ secrets.VKEY }} run: | # Recebe as infos - [xml]$INFO = $(java -jar veracode-wrapper.jar -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern 'Github Actions - IGDEXE/NodeGoat-JS') + [xml]$INFO = $(.\VeracodeC#API.exe -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern 'Github Actions - IGDEXE/NodeGoat-JS') $appID = $INFO.app.app_id - [string]$INFO = java -jar veracode-wrapper.jar -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID" + [string]$INFO = .\VeracodeC#API.exe -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID" [xml]$INFO = $INFO.Replace(' xmlns=', ' _xmlns=') $buildINFO = $INFO.SelectSingleNode("//application[@app_id='$appId']") $buildID = $buildINFO.build.build_id # Gera o relatorio - $out = java -jar veracode-wrapper.jar -vid $veracodeID -vkey $veracodeAPIkey -action detailedreport -buildid "$buildID" -outputfilepath "${{ github.run_id }}.xml" - + $out = .\VeracodeC#API.exe -vid $veracodeID -vkey $veracodeAPIkey -action detailedreport -buildid "$buildID" -outputfilepath "${{ github.run_id }}.xml" + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: WrapperVeracode + path: ${{ github.run_id }}.xml + + Resultados: + runs-on: windows-latest + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - name: Resultado do Scan run: | function Traduzir { From 52a11741e3d72c591c7f28f833ee8358f0c83207 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 21 Jul 2022 17:24:47 -0300 Subject: [PATCH 10/23] Update Com traducao.yml --- .github/workflows/Com traducao.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml index 8b45dbe..514a497 100644 --- a/.github/workflows/Com traducao.yml +++ b/.github/workflows/Com traducao.yml @@ -19,6 +19,7 @@ jobs: Download_XML: runs-on: windows-latest + needs: Download_Wrapper steps: - name: Download Artefato uses: actions/download-artifact@v2 @@ -46,6 +47,7 @@ jobs: Resultados: runs-on: windows-latest + needs: Download_XML steps: - name: Download Artefato uses: actions/download-artifact@v2 From e6a3ab63500b3afc76c65a21d94937ae34178b33 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 21 Jul 2022 17:27:53 -0300 Subject: [PATCH 11/23] Update Com traducao.yml --- .github/workflows/Com traducao.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml index 514a497..18159b9 100644 --- a/.github/workflows/Com traducao.yml +++ b/.github/workflows/Com traducao.yml @@ -27,8 +27,8 @@ jobs: name: WrapperVeracode - name: Download XML env: - VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets - VKEY: ${{ secrets.VKEY }} + veracodeID: ${{ secrets.VID }} + veracodeAPIkey: ${{ secrets.VKEY }} run: | # Recebe as infos [xml]$INFO = $(.\VeracodeC#API.exe -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern 'Github Actions - IGDEXE/NodeGoat-JS') From 22b15b9f85c201910566bc59f21bbac6dec281e5 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Tue, 23 May 2023 16:03:03 -0300 Subject: [PATCH 12/23] Veracode Ex --- .github/workflows/veracode-basic.yml | 44 ++++++++++++++++ .github/workflows/veracode-expert.yml | 72 +++++++++++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 .github/workflows/veracode-basic.yml create mode 100644 .github/workflows/veracode-expert.yml diff --git a/.github/workflows/veracode-basic.yml b/.github/workflows/veracode-basic.yml new file mode 100644 index 0000000..624f14e --- /dev/null +++ b/.github/workflows/veracode-basic.yml @@ -0,0 +1,44 @@ +name: Veracode_Basic +on: + push: + branches: [ master ] + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_UploadAndScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + env: + VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VeracodeKey: ${{ secrets.VeracodeKey }} + AppName: ${{ github.repository }} + with: + vid: '$VeracodeID' + vkey: '$VeracodeKey' + criticality: 'VeryHigh' + appname: '$AppName' + createprofile: true + filepath: 'veracode.zip' + deleteIncompleteScan: false + version: ${{ github.run_id }} \ No newline at end of file diff --git a/.github/workflows/veracode-expert.yml b/.github/workflows/veracode-expert.yml new file mode 100644 index 0000000..bc00ceb --- /dev/null +++ b/.github/workflows/veracode-expert.yml @@ -0,0 +1,72 @@ +name: Veracode_Advanced +on: + push: + branches: [ master ] + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_SCA: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Veracode SCA + env: + SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets + run: | + curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty + + Veracode_UploadAndScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + env: + VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VeracodeKey: ${{ secrets.VeracodeKey }} + AppName: Github Actions - ${{ github.repository }} + with: + vid: '$VeracodeID' + vkey: '$VeracodeKey' + criticality: 'VeryHigh' + appname: '$AppName' + createsandbox: true + filepath: 'veracode.zip' + deleteIncompleteScan: false + version: ${{ github.run_id }} + + Veracode_PipelineScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - name: Veracode Pipeline Scan + env: + VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VeracodeKey }} + CaminhoArquivo: './veracode.zip' + run: | + curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + unzip pipeline-scan-LATEST.zip + java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true \ No newline at end of file From 086d7c02e94b0de83572d332bd97998d478294ba Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Tue, 23 May 2023 16:15:47 -0300 Subject: [PATCH 13/23] Update veracode-expert.yml --- .github/workflows/veracode-expert.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/veracode-expert.yml b/.github/workflows/veracode-expert.yml index bc00ceb..11ffe6c 100644 --- a/.github/workflows/veracode-expert.yml +++ b/.github/workflows/veracode-expert.yml @@ -42,7 +42,7 @@ jobs: env: VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets VeracodeKey: ${{ secrets.VeracodeKey }} - AppName: Github Actions - ${{ github.repository }} + AppName: ${{ github.repository }} with: vid: '$VeracodeID' vkey: '$VeracodeKey' From 2c58de82fc792595e360d320d2bd94a6bd878b2e Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 22 Jun 2023 15:50:33 -0300 Subject: [PATCH 14/23] Create Veracode-Expert.yml --- .github/workflows/Veracode-Expert.yml | 90 +++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 .github/workflows/Veracode-Expert.yml diff --git a/.github/workflows/Veracode-Expert.yml b/.github/workflows/Veracode-Expert.yml new file mode 100644 index 0000000..48b9541 --- /dev/null +++ b/.github/workflows/Veracode-Expert.yml @@ -0,0 +1,90 @@ +name: Veracode_Expert +on: + push: + branches: [ master ] + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_SCA: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Veracode SCA + env: + SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets + run: | + curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty + + Veracode_UploadAndScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + env: + VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VeracodeKey: ${{ secrets.VeracodeKey }} + AppName: Github Actions - ${{ github.repository }} + with: + vid: '$VeracodeID' + vkey: '$VeracodeKey' + criticality: 'VeryHigh' + appname: '$AppName' + createsandbox: true + filepath: 'veracode.zip' + deleteIncompleteScan: false + version: ${{ github.run_id }} + + Veracode_PipelineScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - name: Veracode Pipeline Scan + env: + VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VeracodeKey }} + CaminhoArquivo: './veracode.zip' + run: | + curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + unzip pipeline-scan-LATEST.zip + java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true + + results_to_sarif: + needs: Veracode_PipelineScan + runs-on: ubuntu-latest + name: Importando Resultados + steps: + - name: Converte para o formato SARIF + id: convert + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5 + with: + pipeline-results-json: results.json + output-results-sarif: veracode-results.sarif + finding-rule-level: "3:1:0" + + - name: Atualiza os resultados + uses: github/codeql-action/upload-sarif@v2 + with: # Path to SARIF file relative to the root of the repository + sarif_file: veracode-results.sarif From 2d2afa70fbca2d4251873a94354f09630ae0d8c9 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 22 Jun 2023 15:55:43 -0300 Subject: [PATCH 15/23] Update Veracode-Expert.yml --- .github/workflows/Veracode-Expert.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/Veracode-Expert.yml b/.github/workflows/Veracode-Expert.yml index 48b9541..a840479 100644 --- a/.github/workflows/Veracode-Expert.yml +++ b/.github/workflows/Veracode-Expert.yml @@ -56,6 +56,7 @@ jobs: Veracode_PipelineScan: runs-on: ubuntu-latest needs: build + continue-on-error: true steps: - name: Download Artefato uses: actions/download-artifact@v2 From 70000ce9b6996900705137c92544c4f15a04d03b Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 22 Jun 2023 16:01:27 -0300 Subject: [PATCH 16/23] Update Veracode-Expert.yml --- .github/workflows/Veracode-Expert.yml | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/.github/workflows/Veracode-Expert.yml b/.github/workflows/Veracode-Expert.yml index a840479..ca9fbd7 100644 --- a/.github/workflows/Veracode-Expert.yml +++ b/.github/workflows/Veracode-Expert.yml @@ -56,13 +56,13 @@ jobs: Veracode_PipelineScan: runs-on: ubuntu-latest needs: build - continue-on-error: true steps: - name: Download Artefato uses: actions/download-artifact@v2 with: name: pacoteVeracode - name: Veracode Pipeline Scan + continue-on-error: true env: VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets VKEY: ${{ secrets.VeracodeKey }} @@ -70,13 +70,7 @@ jobs: run: | curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip unzip pipeline-scan-LATEST.zip - java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true - - results_to_sarif: - needs: Veracode_PipelineScan - runs-on: ubuntu-latest - name: Importando Resultados - steps: + java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true - name: Converte para o formato SARIF id: convert uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5 @@ -84,8 +78,7 @@ jobs: pipeline-results-json: results.json output-results-sarif: veracode-results.sarif finding-rule-level: "3:1:0" - - - name: Atualiza os resultados + - name: Publica os resultados uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository sarif_file: veracode-results.sarif From 8ef471d28ba32636a82976628be8fd1414576081 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Thu, 22 Jun 2023 16:49:48 -0300 Subject: [PATCH 17/23] Create dependabot.yml --- .github/dependabot.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..455993f --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,11 @@ +# To get started with Dependabot version updates, you'll need to specify which +# package ecosystems to update and where the package manifests are located. +# Please see the documentation for all configuration options +# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates + +version: 2 +updates: + - package-ecosystem: "" # See documentation for possible values + directory: "/" # Location of package manifests + schedule: + interval: "weekly" From df2471847b4c995e278183497260573766b38fa9 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Wed, 26 Jul 2023 22:18:01 -0300 Subject: [PATCH 18/23] IAC Example --- .github/workflows/Veracode-Expert.yml | 20 + .github/workflows/veracode-expert.yml | 38 +- terraform/alicloud/bucket.tf | 18 + terraform/alicloud/provider.tf | 12 + terraform/alicloud/rds.tf | 30 ++ terraform/alicloud/trail.tf | 44 ++ terraform/aws/consts.tf | 49 ++ terraform/aws/db-app.tf | 423 ++++++++++++++++++ terraform/aws/ec2.tf | 308 +++++++++++++ terraform/aws/ecr.tf | 34 ++ terraform/aws/eks.tf | 148 ++++++ terraform/aws/elb.tf | 40 ++ terraform/aws/es.tf | 43 ++ terraform/aws/iam.tf | 55 +++ terraform/aws/kms.tf | 21 + terraform/aws/lambda.tf | 58 +++ terraform/aws/neptune.tf | 45 ++ terraform/aws/providers.tf | 18 + terraform/aws/rds.tf | 144 ++++++ terraform/aws/resources/Dockerfile | 1 + terraform/aws/resources/customer-master.xlsx | Bin 0 -> 12878 bytes .../aws/resources/lambda_function_payload.zip | Bin 0 -> 195 bytes terraform/aws/s3.tf | 141 ++++++ terraform/azure/aks.tf | 35 ++ terraform/azure/app_service.tf | 64 +++ terraform/azure/application_gateway.tf | 66 +++ terraform/azure/instance.tf | 77 ++++ terraform/azure/key_vault.tf | 72 +++ terraform/azure/logging.tf | 10 + terraform/azure/mssql.tf | 248 ++++++++++ terraform/azure/networking.tf | 145 ++++++ terraform/azure/policies.tf | 51 +++ terraform/azure/provider.tf | 13 + terraform/azure/random.tf | 4 + terraform/azure/resource_group.tf | 14 + terraform/azure/roles.tf | 16 + terraform/azure/security_center.tf | 9 + terraform/azure/sql.tf | 110 +++++ terraform/azure/storage.tf | 69 +++ terraform/azure/variables.tf | 15 + terraform/gcp/README.md | 1 + terraform/gcp/big_data.tf | 37 ++ terraform/gcp/gcs.tf | 21 + terraform/gcp/gke.tf | 31 ++ terraform/gcp/instances.tf | 48 ++ terraform/gcp/networks.tf | 27 ++ terraform/gcp/provider.tf | 13 + terraform/gcp/variables.tf | 24 + terraform/oracle/bucket.tf | 26 ++ terraform/oracle/compartment.tf | 16 + terraform/oracle/data.tf | 3 + terraform/oracle/provider.tf | 8 + terraform/oracle/variables.tf | 4 + 53 files changed, 2964 insertions(+), 3 deletions(-) create mode 100644 terraform/alicloud/bucket.tf create mode 100644 terraform/alicloud/provider.tf create mode 100644 terraform/alicloud/rds.tf create mode 100644 terraform/alicloud/trail.tf create mode 100644 terraform/aws/consts.tf create mode 100644 terraform/aws/db-app.tf create mode 100644 terraform/aws/ec2.tf create mode 100644 terraform/aws/ecr.tf create mode 100644 terraform/aws/eks.tf create mode 100644 terraform/aws/elb.tf create mode 100644 terraform/aws/es.tf create mode 100644 terraform/aws/iam.tf create mode 100644 terraform/aws/kms.tf create mode 100644 terraform/aws/lambda.tf create mode 100644 terraform/aws/neptune.tf create mode 100644 terraform/aws/providers.tf create mode 100644 terraform/aws/rds.tf create mode 100644 terraform/aws/resources/Dockerfile create mode 100644 terraform/aws/resources/customer-master.xlsx create mode 100644 terraform/aws/resources/lambda_function_payload.zip create mode 100644 terraform/aws/s3.tf create mode 100644 terraform/azure/aks.tf create mode 100644 terraform/azure/app_service.tf create mode 100644 terraform/azure/application_gateway.tf create mode 100644 terraform/azure/instance.tf create mode 100644 terraform/azure/key_vault.tf create mode 100644 terraform/azure/logging.tf create mode 100644 terraform/azure/mssql.tf create mode 100644 terraform/azure/networking.tf create mode 100644 terraform/azure/policies.tf create mode 100644 terraform/azure/provider.tf create mode 100644 terraform/azure/random.tf create mode 100644 terraform/azure/resource_group.tf create mode 100644 terraform/azure/roles.tf create mode 100644 terraform/azure/security_center.tf create mode 100644 terraform/azure/sql.tf create mode 100644 terraform/azure/storage.tf create mode 100644 terraform/azure/variables.tf create mode 100644 terraform/gcp/README.md create mode 100644 terraform/gcp/big_data.tf create mode 100644 terraform/gcp/gcs.tf create mode 100644 terraform/gcp/gke.tf create mode 100644 terraform/gcp/instances.tf create mode 100644 terraform/gcp/networks.tf create mode 100644 terraform/gcp/provider.tf create mode 100644 terraform/gcp/variables.tf create mode 100644 terraform/oracle/bucket.tf create mode 100644 terraform/oracle/compartment.tf create mode 100644 terraform/oracle/data.tf create mode 100644 terraform/oracle/provider.tf create mode 100644 terraform/oracle/variables.tf diff --git a/.github/workflows/Veracode-Expert.yml b/.github/workflows/Veracode-Expert.yml index ca9fbd7..a355805 100644 --- a/.github/workflows/Veracode-Expert.yml +++ b/.github/workflows/Veracode-Expert.yml @@ -30,6 +30,26 @@ jobs: run: | curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty + Veracode-container_iac_secrets-scan: + runs-on: ubuntu-latest + name: Veracode Container/IaC/Secrets + + steps: + - name: checkout + uses: actions/checkout@v3 + + - name: Verracode Container/IaC/Secrets action step + uses: veracode/container_iac_secrets_scanning@v1.0.0 + with: + vid: ${{ secrets.VeracodeID }} + vkey: ${{ secrets.VeracodeKey }} + command: "scan" + type: "directory" + source: "./" + format: "json" + debug: false + fail_build: true + Veracode_UploadAndScan: runs-on: ubuntu-latest needs: build diff --git a/.github/workflows/veracode-expert.yml b/.github/workflows/veracode-expert.yml index 11ffe6c..a355805 100644 --- a/.github/workflows/veracode-expert.yml +++ b/.github/workflows/veracode-expert.yml @@ -1,4 +1,4 @@ -name: Veracode_Advanced +name: Veracode_Expert on: push: branches: [ master ] @@ -30,6 +30,26 @@ jobs: run: | curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty + Veracode-container_iac_secrets-scan: + runs-on: ubuntu-latest + name: Veracode Container/IaC/Secrets + + steps: + - name: checkout + uses: actions/checkout@v3 + + - name: Verracode Container/IaC/Secrets action step + uses: veracode/container_iac_secrets_scanning@v1.0.0 + with: + vid: ${{ secrets.VeracodeID }} + vkey: ${{ secrets.VeracodeKey }} + command: "scan" + type: "directory" + source: "./" + format: "json" + debug: false + fail_build: true + Veracode_UploadAndScan: runs-on: ubuntu-latest needs: build @@ -42,7 +62,7 @@ jobs: env: VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets VeracodeKey: ${{ secrets.VeracodeKey }} - AppName: ${{ github.repository }} + AppName: Github Actions - ${{ github.repository }} with: vid: '$VeracodeID' vkey: '$VeracodeKey' @@ -62,6 +82,7 @@ jobs: with: name: pacoteVeracode - name: Veracode Pipeline Scan + continue-on-error: true env: VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets VKEY: ${{ secrets.VeracodeKey }} @@ -69,4 +90,15 @@ jobs: run: | curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip unzip pipeline-scan-LATEST.zip - java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true \ No newline at end of file + java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true + - name: Converte para o formato SARIF + id: convert + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5 + with: + pipeline-results-json: results.json + output-results-sarif: veracode-results.sarif + finding-rule-level: "3:1:0" + - name: Publica os resultados + uses: github/codeql-action/upload-sarif@v2 + with: # Path to SARIF file relative to the root of the repository + sarif_file: veracode-results.sarif diff --git a/terraform/alicloud/bucket.tf b/terraform/alicloud/bucket.tf new file mode 100644 index 0000000..831f9bc --- /dev/null +++ b/terraform/alicloud/bucket.tf @@ -0,0 +1,18 @@ +resource "alicloud_oss_bucket" "bad_bucket" { + # Public and writeable bucket + # Versioning isn't enabled + # Not Encrypted with a Customer Master Key and no Server side encryption + # Doesn't have access logging enabled" + bucket = "wildwestfreeforall" + acl = "public-read-write" + tags = { + git_commit = "9c114f23d311f787c137723e1f71b27a52f0adec" + git_file = "terraform/alicloud/bucket.tf" + git_last_modified_at = "2022-04-05 15:17:55" + git_last_modified_by = "james.woolfenden@gmail.com" + git_modifiers = "james.woolfenden" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "80373049-248d-4f5e-9d25-740c3e80f2b9" + } +} diff --git a/terraform/alicloud/provider.tf b/terraform/alicloud/provider.tf new file mode 100644 index 0000000..955c266 --- /dev/null +++ b/terraform/alicloud/provider.tf @@ -0,0 +1,12 @@ +terraform { + required_providers { + alicloud = { + source = "aliyun/alicloud" + version = "1.162.0" + } + } +} + +provider "alicloud" { + region = "cn-hangzhou" +} \ No newline at end of file diff --git a/terraform/alicloud/rds.tf b/terraform/alicloud/rds.tf new file mode 100644 index 0000000..70660df --- /dev/null +++ b/terraform/alicloud/rds.tf @@ -0,0 +1,30 @@ +resource "alicloud_db_instance" "seeme" { + # Is public due to Security IPS 0.0.0.0/0 + engine = "MySQL" + engine_version = "5.6" + instance_type = "rds.mysql.t1.small" + instance_storage = "10" + tde_status = "Enabled" + security_ips = [ + "0.0.0.0", + "10.23.12.24/24" + ] + parameters { + name = "innodb_large_prefix" + value = "ON" + } + parameters { + name = "connect_timeout" + value = "50" + } + tags = { + git_commit = "c2ff052009d49c65e6af551eb1506abc73b5976c" + git_file = "terraform/alicloud/rds.tf" + git_last_modified_at = "2022-04-05 15:14:28" + git_last_modified_by = "james.woolfenden@gmail.com" + git_modifiers = "james.woolfenden" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "7bd1394e-0a79-4288-8f83-5abcca5bf1ba" + } +} diff --git a/terraform/alicloud/trail.tf b/terraform/alicloud/trail.tf new file mode 100644 index 0000000..9e2daf8 --- /dev/null +++ b/terraform/alicloud/trail.tf @@ -0,0 +1,44 @@ +resource "alicloud_actiontrail_trail" "fail" { + # Action Trail not Logging for all regions + # Action Trail not Logging for all events + trail_name = "action-trail" + oss_write_role_arn = alicloud_ram_role.trail.arn + oss_bucket_name = alicloud_oss_bucket.trail.bucket + event_rw = "Read" + trail_region = "cn-hangzhou" +} + +resource "alicloud_oss_bucket" "trail" { + + tags = { + git_commit = "c2ff052009d49c65e6af551eb1506abc73b5976c" + git_file = "terraform/alicloud/trail.tf" + git_last_modified_at = "2022-04-05 15:14:28" + git_last_modified_by = "james.woolfenden@gmail.com" + git_modifiers = "james.woolfenden" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "9ce7077b-8195-4e71-aec6-ed1f769555dc" + } +} + +resource "alicloud_ram_role" "trail" { + name = "trail" + document = < /tmp/dbinfo.inc + +EnD +sudo mv /tmp/dbinfo.inc /var/www/inc +sudo chown root:root /var/www/inc/dbinfo.inc + +cat << EnD > /tmp/index.php + + + +

Sample page

+ + + +
+ + + + + + + + + + +
NAMEADDRESS
+ + + + + +
+
+ + + + + + + + + +"; + echo "", + "", + ""; + echo ""; +} +?> + +
IDNAMEADDRESS
",\$query_data[0], "",\$query_data[1], "",\$query_data[2], "
+ + + + + + + + +Error adding employee data.

"); +} + +/* Check whether the table exists and, if not, create it. */ +function VerifyEmployeesTable(\$connection, \$dbName) { + if(!TableExists("EMPLOYEES", \$connection, \$dbName)) + { + \$query = "CREATE TABLE EMPLOYEES ( + ID int(11) UNSIGNED AUTO_INCREMENT PRIMARY KEY, + NAME VARCHAR(45), + ADDRESS VARCHAR(90) + )"; + + if(!mysqli_query(\$connection, \$query)) echo("

Error creating table.

"); + } +} + +/* Check for the existence of a table. */ +function TableExists(\$tableName, \$connection, \$dbName) { + \$t = mysqli_real_escape_string(\$connection, \$tableName); + \$d = mysqli_real_escape_string(\$connection, \$dbName); + + \$checktable = mysqli_query(\$connection, + "SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_NAME = '\$t' AND TABLE_SCHEMA = '\$d'"); + + if(mysqli_num_rows(\$checktable) > 0) return true; + + return false; +} +?> +EnD + +sudo mv /tmp/index.php /var/www/html +sudo chown root:root /var/www/html/index.php + + + +EOF + tags = merge({ + Name = "${local.resource_prefix.value}-dbapp" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/db-app.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "f7999d4e-c983-43ee-bd88-7903a6f8483e" + }) +} + +output "db_app_public_dns" { + description = "DB Public DNS name" + value = aws_instance.db_app.public_dns +} + +output "db_endpoint" { + description = "DB Endpoint" + value = aws_db_instance.default.endpoint +} + diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf new file mode 100644 index 0000000..00e0ba9 --- /dev/null +++ b/terraform/aws/ec2.tf @@ -0,0 +1,308 @@ +resource "aws_instance" "web_host" { + # ec2 have plain text secrets in user data + ami = "${var.ami}" + instance_type = "t2.nano" + + vpc_security_group_ids = [ + "${aws_security_group.web-node.id}"] + subnet_id = "${aws_subnet.web_subnet.id}" + user_data = <Deployed via Terraform" | sudo tee /var/www/html/index.html +EOF + tags = merge({ + Name = "${local.resource_prefix.value}-ec2" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "347af3cd-4f70-4632-aca3-4d5e30ffc0b6" + }) +} + +resource "aws_ebs_volume" "web_host_storage" { + # unencrypted volume + availability_zone = "${var.region}a" + #encrypted = false # Setting this causes the volume to be recreated on apply + size = 1 + tags = merge({ + Name = "${local.resource_prefix.value}-ebs" + }, { + git_commit = "d3439f0f2af62f6fa3521e14d6c27819ef8f12e1" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2021-05-02 11:17:26" + git_last_modified_by = "nimrodkor@users.noreply.github.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "c5509daf-10f0-46af-9e03-41989212521d" + }) +} + +resource "aws_ebs_snapshot" "example_snapshot" { + # ebs snapshot without encryption + volume_id = "${aws_ebs_volume.web_host_storage.id}" + description = "${local.resource_prefix.value}-ebs-snapshot" + tags = merge({ + Name = "${local.resource_prefix.value}-ebs-snapshot" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "c1008080-ec2f-4512-a0d0-2e9330aa58f0" + }) +} + +resource "aws_volume_attachment" "ebs_att" { + device_name = "/dev/sdh" + volume_id = "${aws_ebs_volume.web_host_storage.id}" + instance_id = "${aws_instance.web_host.id}" +} + +resource "aws_security_group" "web-node" { + # security group is open to the world in SSH port + name = "${local.resource_prefix.value}-sg" + description = "${local.resource_prefix.value} Security Group" + vpc_id = aws_vpc.web_vpc.id + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_blocks = [ + "0.0.0.0/0"] + } + ingress { + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_blocks = [ + "0.0.0.0/0"] + } + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = [ + "0.0.0.0/0"] + } + depends_on = [aws_vpc.web_vpc] + tags = { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "b7af1b40-64eb-4519-a1a0-ab198db4b193" + } +} + +resource "aws_vpc" "web_vpc" { + cidr_block = "172.16.0.0/16" + enable_dns_hostnames = true + enable_dns_support = true + tags = merge({ + Name = "${local.resource_prefix.value}-vpc" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "9bf2359b-952e-4570-9595-52eba4c20473" + }) +} + +resource "aws_subnet" "web_subnet" { + vpc_id = aws_vpc.web_vpc.id + cidr_block = "172.16.10.0/24" + availability_zone = "${var.region}a" + map_public_ip_on_launch = true + + tags = merge({ + Name = "${local.resource_prefix.value}-subnet" + }, { + git_commit = "6e62522d2ab8f63740e53752b84a6e99cd65696a" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2021-05-02 11:16:31" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "0345f650-d280-4ca8-86c9-c71c38c0eda8" + }) +} + +resource "aws_subnet" "web_subnet2" { + vpc_id = aws_vpc.web_vpc.id + cidr_block = "172.16.11.0/24" + availability_zone = "${var.region}b" + map_public_ip_on_launch = true + + tags = merge({ + Name = "${local.resource_prefix.value}-subnet2" + }, { + git_commit = "6e62522d2ab8f63740e53752b84a6e99cd65696a" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2021-05-02 11:16:31" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "224af03a-00e0-4981-be30-14965833c2db" + }) +} + + +resource "aws_internet_gateway" "web_igw" { + vpc_id = aws_vpc.web_vpc.id + + tags = merge({ + Name = "${local.resource_prefix.value}-igw" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "d8e63cb4-2fb5-4726-9c86-5fd05ef03674" + }) +} + +resource "aws_route_table" "web_rtb" { + vpc_id = aws_vpc.web_vpc.id + + tags = merge({ + Name = "${local.resource_prefix.value}-rtb" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "5e4fee6e-a6aa-4b61-a741-47c5efb463e1" + }) +} + +resource "aws_route_table_association" "rtbassoc" { + subnet_id = aws_subnet.web_subnet.id + route_table_id = aws_route_table.web_rtb.id +} + +resource "aws_route_table_association" "rtbassoc2" { + subnet_id = aws_subnet.web_subnet2.id + route_table_id = aws_route_table.web_rtb.id +} + +resource "aws_route" "public_internet_gateway" { + route_table_id = aws_route_table.web_rtb.id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.web_igw.id + + timeouts { + create = "5m" + } +} + + +resource "aws_network_interface" "web-eni" { + subnet_id = aws_subnet.web_subnet.id + private_ips = ["172.16.10.100"] + + tags = merge({ + Name = "${local.resource_prefix.value}-primary_network_interface" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "7e2ffea8-739f-467d-b57b-53cbc0d7ccbe" + }) +} + +# VPC Flow Logs to S3 +resource "aws_flow_log" "vpcflowlogs" { + log_destination = aws_s3_bucket.flowbucket.arn + log_destination_type = "s3" + traffic_type = "ALL" + vpc_id = aws_vpc.web_vpc.id + + tags = merge({ + Name = "${local.resource_prefix.value}-flowlogs" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "6808d4b7-45bc-4d1d-9523-96757a3add3a" + }) +} + +resource "aws_s3_bucket" "flowbucket" { + bucket = "${local.resource_prefix.value}-flowlogs" + force_destroy = true + + tags = merge({ + Name = "${local.resource_prefix.value}-flowlogs" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ec2.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "f058838a-b1e0-4383-b965-7e06e987ffb1" + }) +} + +output "ec2_public_dns" { + description = "Web Host Public DNS name" + value = aws_instance.web_host.public_dns +} + +output "vpc_id" { + description = "The ID of the VPC" + value = aws_vpc.web_vpc.id +} + +output "public_subnet" { + description = "The ID of the Public subnet" + value = aws_subnet.web_subnet.id +} + +output "public_subnet2" { + description = "The ID of the Public subnet" + value = aws_subnet.web_subnet2.id +} diff --git a/terraform/aws/ecr.tf b/terraform/aws/ecr.tf new file mode 100644 index 0000000..e578bac --- /dev/null +++ b/terraform/aws/ecr.tf @@ -0,0 +1,34 @@ +resource aws_ecr_repository "repository" { + name = "${local.resource_prefix.value}-repository" + image_tag_mutability = "MUTABLE" + + tags = merge({ + Name = "${local.resource_prefix.value}-repository" + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/ecr.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "7a3ec657-fa54-4aa2-8467-5d08d6c90bc2" + }) +} + +locals { + docker_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${aws_ecr_repository.repository.name}" +} + + +resource null_resource "push_image" { + provisioner "local-exec" { + working_dir = "${path.module}/resources" + command = <Yjd-xd3p``~SQC4||{@X-u)76;<+1=1Ke;liXUJ2rTDmzz{mU zicrr$;$Yc(-E0es*X-~|RIxlPOYU0quWMfHmlNi7wl+-xVT0{J#7O_)9(8>JZk8`Y zCsf@ycnOX=+UL2L1R`vB1_se)nSeBh=6>KCiEUB23Vd@cY$3nhtd$`Rw9Ua*#4?={ z-r?2WEk%tDG@jAYS=8NWj5$jSIxqd}T_#z`NOG?=Y*+n4Wil;QI%8m~<3p-^mlJIZ z$GqWt@D0|GxK8Bt$xZ0?E^gwtZ}96%BW}uc2IH(4y1n(hJ-caRB5#x*+PJXH4VZMZ zMf}MEW|jcTR*?0Z{%oST?G&Qrv)IO#y^D1Q09@98ImASeSp^{|Cqa!x;RRp;sil zRqAI&3^|v13LU_2S7uFoIE+HV5NyG8f1Sa%+8f6ARbcaCs;8A9HO<_)M~PoEeHT-T4v~bz zcoj}&(y@k}j6W<_c@JBY-TuT^S2gFgs4>oVyHZq4#H zoVeLJS{d8fS^cVB|G*3wsDy#E{NKJRfN$joSW!C>UP4*jGF`FImYrG1Pt=c5U`HD0 zR;kH2d~P-g=-b|DEy%M#*oAnUPYk)1;xx* z!#BT&Ak~w~fQIH~(hNGYz1LRp)gRC~0UjjN*LZNU0!SW!>4P~khWlR0AFx*)PiAjD zCarq&9}xEl%jJp7I0d~!oJm86rAd705}fuvr?;!0Z##=Uj?#6nUNMf{oSS_c8Jgb& z&GdhU%xIeBfGz|8zzJIYpn%>0h0MPOONIJ7yH7lr9}O&CA+Gp)_X#k86NtIdb80FH zMX|{c)GZKcoYWi^bFW>CE9{{mR{nNB&;9fx&`;FC|x+D;MR1?~6kln&U^BffazCt&DP|8j0?L@?1q>fB1nm z3`24plR9hC-NKZ-)L5RGLSwY)`x9NJJ)#w|fh$}@74;6oQrf{37fTp&ZE>tA63Yz~ z4jo-Wh(%y4u~$8+4GOAT$M%r}xTKWs!1ueXxSJ}lW!)V-UAR;f-+;W@@7%pJnVO9q zamJ|0d|>8Q(ht!-0Zd~0HoZSii3vl$=_Cl+XZ1rc9Cjxr`}SPr^uoT_ya8Xx=s@q^ z@5Gqkx38aGw)jHe+FoBJ`uKuj<5Glg^2S+NdjyLC1G7ijdZ`?a_s3W~ca2<4ptwmE z(TO)*bb`9G^&AqeM@Xp1W~{Z6bO0N6v~gX2M5RP=PpH?s?&DTCFLea_7Kbk{#H}XE zT3akr@Jvj`p4@ssb%K0rbd!(7A|1DR9gilN@}p!5>5t|>$sxR)M5F8iMo@4py7bwLjf#NJTe z8*s=^VKfEKeZ}@qH)3HIKY=z&TWOX3Op3s!NVId0L2(RKcnAq)scPq(cwBv3Dz{a# z@Z2ym99QcTD!?+5H1M-FfD5Wc&rQ`(riSPcwn?1?hV#~t75OGC5+@FSaUgv+-4=J* z?0~PS)lrrII)HH^C3`aV1$^Ljh?nQ5K(;VbhUweFw)h6Eewf1ub$LF&Jl6ofbNM=X z7CmDa+BV*ix2Y0KddwdeZ)Vmm!4s<3S$wI>_cYH1g2k*nGgLUmf{%7S4c6LTKc5)Y zt-L+CzA5{$Q?7RY_;Tor&;fmm#Lv#tEy!+vd$_Z2d^N}dr8NtE>{=JhS-f{b@?UY7 z+0yq#2!ulqH~;|YZ#Z;v_OLc}`jxUfG&W;1c~E_XOMjuz$`Il$FxQ4FQms@|eWh|P z)QioqPU9H@??Y_E(W}pUarC;k)u*=V#9@Nt-r1Ml9EmrkEG=$IE<;J<%I;{Sv7>VH z3byPw+f5hWhmR5CIk)9z5KqlR_4mKN$nn?j-t5N!cfo>A*quKpv=6kDpOuiV2V0f~ zu|&@V;4U2@o$0)lUDu}Qb-;v#!w!;tL&_+5%Rw4&ptQPBon#(vM72A9LWq4O(dbxSd*FY6)!{%wdXm<{=J z;*!_1Oab1)P4@Clo*O#`^zOs7urUD z))KR#4OG=7ayCx&OV6Pv`WZrhr_Pc=P9KPc< zUQboC5?X7;fUP^okafX+8`en_$ncYi08*vA6vX*Dzi93%J2$4a@}N4Bv!TOh5wH9a z=BS-;Fjts;i&AGK8#AT1nX{rv#hbHk8dZyUcDBYWG4At zYJSM9US%YY=OVUO1NL=BBYN`P5Z$yr~G3` z5l{x*`jrN@<13`l%ZE|W9^$_gyj~pCE=3psV373J{{DBtb2c}%F=hFEXZr=W6YYse z0&dK1oCjey##0Nra6}Cn_2o>f(;^Mn(AJ1#&%bCtJPw6y-zJwHmF6Ar1 zPf<&0l(Q+mRy?$Cyp?2p?Y=0s!KFP1<_&B23jKB^pLHv}k&PySY59Vh>td z+&1@>y;Z@`TWi|s>af>xh7>kX$E(l)qC{`#_V`(+yJ@Bv%=}G2a#7O~-*K{SoDq`p z!+c)5=DGS9_QsUKyZTn5ve@9oTs7aC5E8_;ElGrGQ92>L{?IJ5;t$7*xtIpJ{fqLa z`pV5WR>~5xjx8a~!Ht$~tt(h2eFrfZ8;F6Toe6YbRpOA!Pk^clTIAe&I#FlrLI6K- zAf@ci$QMMVDcHJ}NLt>lfmNzmSaiD(bZWyEH990Y_4{fe|Cb_)h$dF{g5-CG;aUX1 zAMVBjBMMDV47u~%q%7HjUN0Ai*P-2lzBdOy`wi+^8|me3VW?D9&*ozdUZ0T`87mWtEU9?Sd@4_M&S0 z{W*1{kw5a|C75v50IS$Qf(Y7yYsuNzFu1-h=~16c&1v5%q1GT&hd{U0avRBID`iZ2 zwNx$C+WRP1TsOY0vW&5d3;S$^^~CGe@b>Vjc&jsJxeCDDcaB`m9pG|wjp;s81bTQ8 zPw$Lscdd97QF*&~*xsTb`;J0Q_{|w=bzs;mmAIoJ6_B|>+&FBk&y+N1E7U&IkUb+9!w{RYCEFRJ4tYy18O2oR|J}t8YjXz`1!6&lULet zRh^>-alM*_oV2ElIL5xWPHU1ICKH{=RWJ-ss^5Mx1T#%2vs$2YOoe4Iy}L}Zsrg{% z5a5nY8;-VF@DpERUG5#v-X}HBtQh3CTb$r~B;O)u=@y|5SQFa2Wsjp_wLheKVxM`x zvuE(Js~<8n*bqGJg2eN-#3TLD{9^)D#VSC+C?Iqr`4tPS8-Xx|fehe3`VS-zEI(;qFKntvt=M*Lv&|Dx4NP z)SdL_?_VFw%x3k4s!b=Y(yw&}Z-3m1TBdh+`;SteUmavCb=2;0kR_dsL49c#bNdL{ zF&zcNTC%FrM$>8uHc5V;!I{RmmPEm{>p(3`!@d$bg{UKLy593CLg7};or5~}eL<)T z16Iyd<)h-Ydu;Tq;)m9Xwv18)sDz*Hbb8U^sd7aJI)djLm2<~F2WoEGsnE2`v$#eI zW&|oOxGDz7Vwn0Lg7lZuwWgi5rj?IU^K_&f_TX7dAVd-K~)+t%QL=oj&AI&<$8i2FS$Ul+t zs6E)09y-Ua)N0&H;K*?lje=$+Nlw$^Pfe{lHNbECv(XZ^nV#Z})lZBA-2O#(=vIn3 zU7XLVEv|U7*|zs?Mk#nWb)gbTe0qtBqtI;eXFj2R zFpy+ApgQvpyR-LFScI(Os$?sY_;0IL*}s&1*(9oZO3rbe6b^9hBqmOf-h3p^>dm@b{}VW)%dg$0|~Cuaz=07 zF|$Bg8N`oHrFCwS`B5imi~SEpU+9nKoD&a2`M)8RUy0Av(HGi2D>6A&SuwXFqtAQD zb!^XljD+ZAWy%?6f2-Z0*dI|}ud>>}!3c|}G{<#s<08c)cv(dwJe)PI<08U%ESGiv zFuK+;ZwBM$FW_nK%To+IP!_XGrJ#M7As9~LGK^eH)Q*PT?BJzgdi9~RhFOPA%y1m>YNl?S`xYK%SC=pDJxqih+*tLP!m9zTHT8BIyLT2v1$GN0}4F--)cMMf$Z zjN>$JKkRhrEqgnhqmgDkHjd_M+qhZ=n>7m3LUtY$=uY`*@@-%<97}Iq_-MFz>ECR!0@&A!fU0_t2BO+v}tw2 zL(8ys@x#!&EH2|_FPrb|xF_8#g>B&lV{}Lf>537I5iSu0F|_I%uUES@Io{=p-`6j1 zjp)xJ4huZjiE~`5b4ZF_AHE;GZIcp&F^i%1)n?%WAl11Gm z-7k3Yy8mX+(W5PRfcQ_4k-WoY=~vP|gu4`%_A92Pf24~@rh zlFhGA*7c{1m)}WDr4E)$ADR$YYPhLh)8zY{n@sE!o<-j`abR!pt^2MEg2slkAvifP z^s`;sV$|(AcBS)L@z{+dbyT>j11kP;^QQl?n5bj>LM>7C_KEeG_H0p6@dL@m5a8ji z>cL0xMWEGM=sAByb5$NHFzk?W;Cu1zrM&VJ7BiON6(Lr@$i$DjM-8U3XJW=cx9_hD zfhDXx6$E6@PW&tMQa785iAtGHjXYQ0)gSeleyY)dht+B0UaVTRx zPU1c_b8Nr=arW{N@(R3$x7$W68ST#Sg#NRiyz(=y^DdF!4W9l(Gs>68Wp4MxRjK!r zoRAAz_DJEJDSF~Y(b83UwSy5>xD~bg_)W8EU|d8Zs9^bE;Oofv(z&vx3GVeW!P#4A zgzjl&Va-j0IHPp=1vP`{_as*8s^ylds27^-auxJ&xQ7>?xg+dhO9i-;MVkBlqd1jJ z6FQnD=?i!uVfYA>Y8UuR8(lxs(jhlm20|E0f}5)c(%~W>UWoIEB*YAYIr9@jdf;8F z(LQcPmNv-*V}@;s!UWlGz@ExgMuPh!DwL}0k`{ah%RBaC{U%ruzY75d#%c2gHFp(4 z6x}Bqo=P?o)Rzb(3Lj|$T^1X1ODqQf8tk)%4M+YBpHRr57$RKOww_cXPJmUiOa z1U356M41mw;Z}<^C0ULRcRI4mHbtxjNOxSph%vM)aIxW05L8Dk!zbw;;>)}KdpVX!UtL$waBKeCm|B3ga(EdqM`h) zkCc?xSvA*$Oo>w(D7l{jmB227`u#=+p`29CL^~xUCDyP6W&j)`&u^|m)k3OwXi71@ zpFhwMhb)0f5m@?p4r6@`Ao^_t|mSQn1 z;*_gkm;iWrt(9$&6Ey~@S)&3#7_)3#RXjo?v3X(j=EJ;fTtybjo_vc*|X{du*j?|gFTJY(f60`vI<#a9RVbUO1)5_S@NYr zKhwiNt#T;2o#+5XV@A4$9`XgtybmJBvJ*O3t9ByHhyjWHI;NunOz(ag)8*MCP@4LY zE|i%b)QVd)7B)8QUf?3GGuLoh-Nra1u&t}7_v-{Y-lZ_TJ20Xv!lcGu{=d~Myw>k6U)?^}&Va*Bq$JVU~ajKOb{G)fU{lAzkaR+p{!2oR~zKAV?n`HMxN z>MSk}2aAe0YL&}b2{j%w(+VfD}0N*IL{m6ZkbOC-$)Yuw|;)@wtY#iIOdh)Mn;69x(<{AR-?1RhV zk-A?S;KS9IqD{GnymtsHm5Ob*&`h?zBf&HdQugTvr3)!gT&siPy5mDkVMWQtQFVxJ zB0hO81Ndx|3pf`O9%)#q7)CH{MUR#>kE(u+6f!bs0 z{tWi$vx^1<`1mvne6rt8N-I-Lrx(m;8v^Qpi~>QK{!?ZBMUGovC`4#M3AFfg!*TAc zlshc#+*}qI`#z=LZ;Q??rV;^Ka*yR&5jjS9od-%9y?D9@S-sSesZ>_joNYFv_Qc@u zY^LVBF420pQE`MtWoWAfpzt_k3@pS%9Z<_-gQTI@8m@G$2?62xq1-+xJxki=vHZpy z($NSs+eKw6u}MEPYk&X2K~^Q9SRibb)@*eG)h=ZLqTlzhqA)263J5m;J_;#8;HX+{ z639=5euhQxk8Xojw3P5ZwXnT3VAdm+AeRcRPw0S30@#RA8UC&0p)BBcvQXk&%Q(4C zkrG!b2>OT*LE{DrU_o^l>05IZ8{{&4Pj~2F)eu>AzJ+e2j2^qb&NH$cdKOMIcsB?P zZK*2&;sp_XTs^vI=&^U{78>B;hb()O7dW{MO2nBTBt%glP}$a7#EiLa$(!Igu`Fc{ z{qnSVOeFImZ`F-7)36poDm}SwV~onFLo1>8AklTSAUD0+BCTd{ zrwbRl>omJp^h-ilhK&=+&tS9&3x$X?L0u@c@G!kUVD{Ggv7|SB$l+Xp;I@tT3M}Eo5_~W@|OSm57%P`%@ecnaQRuq zcYl9Nb!?{Lw!2x^pw*Z=Ux?+cu7p?nEtc(~8D^`gnv}zW-mi8wMw`s9S=|%K46aUB z6LsEJRUn;-c1<>Gp|M`G6^*>hSjhx$YLkUhZv?eEZat1>s9S?7Z_+vX5n9D)~u>2{h!(_+Qt1-PE(p7*3ar?^mbMU_N`$?Uv7&tO}`4?d6KFXIh8J?c2rCY4jGwx8QbxeQj zi(pCeQ#JPPZiEtpCXR;wyOwg8iUG;Zckga8Uxyl1vI&fAynfoRoGi0v5E36*QYm;@ zJv8~l@$DNvUCnSkTid+#@Q2xUUGcWF6F!$W+KM3_%XU$Mn}errq^q&ac`Pfy;AJH0 z49N11$6kfmN8e^+c(aN-qDQL*eBr?Us%Hijfldvs{@4dc?>^IJ5}M+v8dqPtz_>!C zQKIKxGoZ5vNvc66iM7%T)X3oNn1$+`4X;#AIiG~ZNE)#-Ha$#T*FCG0Y^jPypKNp! z&gSg(da7XUcSP03cq{0qsC}&|eGvq4XMoc7$1j(~6jJTU5cSu+T zmBlp|bt=+FdSzIUG1lIcGfDDwTc=y}27+k`mBI(oxAHamk`qfCijy!+msz(XC> zCYP=F-Po2%!v+Ubr2Hmr!Vt7^Wea0Q_(Cqm08-?TZa8+C4%`wG3ApzbTY0D7 z0FyY3rID0YY{G;OtV4R}wn|AC)4Xphvr_|%SO_K9var*YlR_mY>F>2hnK;*+@}kKp zYwz>J>@~OqJOEQ{D!xz-!vUx%gq^1n+D*;qU%iGLVS>*YZ(Ee`r~4k= zU{>F#*yuF1(WhU~ON0evy{{R?^_?Rc=^nz(Iw=~)VJ{JD)O5%pHPPqCP9)+W(@9#; zt8(>@vdEFGyP1fjd=lwA3?tq*Ld(u@5pZ$}gRRVk667a)eV}&FeZVxHMYS=Iw`wJg>aIi+9IgJl9tavB)_Ltw}o@g;(qf4r6luSxd_jE*Bqc4SXF*3 zUFc3xlS-L?>V&jRsMZ-d9Sd{?*Ly=oBy+Sdyr?;nh()6hKHC-<9ec+dw3T)T0c;~k zG7Eh?V+;zy(^^n>0q)u&mYq{NG6bkEAm58~LzlWii^>IYS0Pmul%sTRG|?;pd(9OM z1<(qRTzx4ecKfjMa}M=LJ)M1N0!ti%8}q`9uHH{QVY$Zu@<-p zMFv_TddVe84~ZU)$Oz3B9=WfJ54p?8=;el2Cx$oQtK^e!f?nuDY$OmNp_>VRTs!oONpe>@#f6^TkPknd;3{IUtvEk5Fv`GR*Ow(38cO$cvG+ZFuH6@g1u_VapI zr$zhxD5kfS^5buwWP6%8#R=3A+#E3 zSy&twP>YZR@Yektz^%7rN6{BB&A;o3vo=}7B&-bcC*d&IP`bRBH?`!QWZ8lhJ9r0E zf#{a`Ef66SG7{31A1La6vbvybA&MiRC)M+Wqd%Rx7#2LcQ2becZg90Y^Y1*$~y5F^y1( zaGlG_a($Gg3%$n<#TO}y;934-?Kbb0f2>@HG0h%Td%FRPO8TG$;h=V!esvy5m#cjk!OmgsRzSl&w*71 z%kGG>LQHw~>tX}4*;an)I-8kcW!Jz#1=wWuoYF#pNZ$4iT+}UL2~!s_A|KUv_GI2> z^NobPeCFg&#gXSC;>G1^>=5{)gbNXDSF9|H3%_Q}Ew;m;Wl*0kZY~&%*pu&!1$xzcihL z=y`uo^Zpe6lR@;Cup8oU;lKDqe~SLeiTF!&3&aTo_4_A7;!g#Cp6dLizyRl;hX2PI z&!1ZU+&cWFMTF{aBlvS8@u!A=ucv>>0{}Mk0Kk7#*FVMoJrn+`_!Z;7i2pq=D$7HG TW)}c}2mSm&1-#`~dIkJHn#9Rb literal 0 HcmV?d00001 diff --git a/terraform/aws/resources/lambda_function_payload.zip b/terraform/aws/resources/lambda_function_payload.zip new file mode 100644 index 0000000000000000000000000000000000000000..63baca3283787583716d1e347288a2f128211cb5 GIT binary patch literal 195 zcmWIWW@h1H0D*HmYXV*@Iy_kx$Od5!1{sFTyp+@my{zKU5KabWMM=||iz~pJkx7mjmjx0)?F;RaSRvM-Sry>T$_7%$2!wt>Iv&Jf008)gDNFzW literal 0 HcmV?d00001 diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf new file mode 100644 index 0000000..a2a2ed7 --- /dev/null +++ b/terraform/aws/s3.tf @@ -0,0 +1,141 @@ +resource "aws_s3_bucket" "data" { + # bucket is public + # bucket is not encrypted + # bucket does not have access logs + # bucket does not have versioning + bucket = "${local.resource_prefix.value}-data" + force_destroy = true + tags = merge({ + Name = "${local.resource_prefix.value}-data" + Environment = local.resource_prefix.value + }, { + git_commit = "4d57f83ca4d3a78a44fb36d1dcf0d23983fa44f5" + git_file = "terraform/aws/s3.tf" + git_last_modified_at = "2022-05-18 07:08:06" + git_last_modified_by = "nimrod@bridgecrew.io" + git_modifiers = "34870196+LironElbaz/nimrod/nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "0874007d-903a-4b4c-945f-c9c233e13243" + }) +} + +resource "aws_s3_bucket_object" "data_object" { + bucket = aws_s3_bucket.data.id + key = "customer-master.xlsx" + source = "resources/customer-master.xlsx" + tags = merge({ + Name = "${local.resource_prefix.value}-customer-master" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/s3.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "a7f01cc7-63c2-41a8-8555-6665e5e39a64" + }) +} + +resource "aws_s3_bucket" "financials" { + # bucket is not encrypted + # bucket does not have access logs + # bucket does not have versioning + bucket = "${local.resource_prefix.value}-financials" + acl = "private" + force_destroy = true + tags = merge({ + Name = "${local.resource_prefix.value}-financials" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/s3.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "0e012640-b597-4e5d-9378-d4b584aea913" + }) + +} + +resource "aws_s3_bucket" "operations" { + # bucket is not encrypted + # bucket does not have access logs + bucket = "${local.resource_prefix.value}-operations" + acl = "private" + versioning { + enabled = true + } + force_destroy = true + tags = merge({ + Name = "${local.resource_prefix.value}-operations" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/s3.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "29efcf7b-22a8-4bd6-8e14-1f55b3a2d743" + }) +} + +resource "aws_s3_bucket" "data_science" { + # bucket is not encrypted + bucket = "${local.resource_prefix.value}-data-science" + acl = "private" + versioning { + enabled = true + } + logging { + target_bucket = "${aws_s3_bucket.logs.id}" + target_prefix = "log/" + } + force_destroy = true + tags = { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/s3.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "9a7c8788-5655-4708-bbc3-64ead9847f64" + } +} + +resource "aws_s3_bucket" "logs" { + bucket = "${local.resource_prefix.value}-logs" + acl = "log-delivery-write" + versioning { + enabled = true + } + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "aws:kms" + kms_master_key_id = "${aws_kms_key.logs_key.arn}" + } + } + } + force_destroy = true + tags = merge({ + Name = "${local.resource_prefix.value}-logs" + Environment = local.resource_prefix.value + }, { + git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0" + git_file = "terraform/aws/s3.tf" + git_last_modified_at = "2020-06-16 14:46:24" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "01946fe9-aae2-4c99-a975-e9b0d3a4696c" + }) +} diff --git a/terraform/azure/aks.tf b/terraform/azure/aks.tf new file mode 100644 index 0000000..ebb613b --- /dev/null +++ b/terraform/azure/aks.tf @@ -0,0 +1,35 @@ +resource azurerm_kubernetes_cluster "k8s_cluster" { + dns_prefix = "terragoat-${var.environment}" + location = var.location + name = "terragoat-aks-${var.environment}" + resource_group_name = azurerm_resource_group.example.name + identity { + type = "SystemAssigned" + } + default_node_pool { + name = "default" + vm_size = "Standard_D2_v2" + node_count = 2 + } + addon_profile { + oms_agent { + enabled = false + } + kube_dashboard { + enabled = true + } + } + role_based_access_control { + enabled = false + } + tags = { + git_commit = "898d5beaec7ffdef6df0d7abecff407362e2a74e" + git_file = "terraform/azure/aks.tf" + git_last_modified_at = "2020-06-17 12:59:55" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "6103d111-864e-42e5-899c-1864de281fd1" + } +} \ No newline at end of file diff --git a/terraform/azure/app_service.tf b/terraform/azure/app_service.tf new file mode 100644 index 0000000..fa4f23e --- /dev/null +++ b/terraform/azure/app_service.tf @@ -0,0 +1,64 @@ +resource azurerm_app_service_plan "example" { + name = "terragoat-app-service-plan-${var.environment}" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + sku { + tier = "Dynamic" + size = "S1" + } + tags = { + git_commit = "898d5beaec7ffdef6df0d7abecff407362e2a74e" + git_file = "terraform/azure/app_service.tf" + git_last_modified_at = "2020-06-17 12:59:55" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "6611bf45-fd5b-467e-b119-d533cd7539b8" + } +} + +resource azurerm_app_service "app-service1" { + app_service_plan_id = azurerm_app_service_plan.example.id + location = var.location + name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}" + resource_group_name = azurerm_resource_group.example.name + https_only = false + site_config { + min_tls_version = "1.1" + } + tags = { + git_commit = "81738b80d571fa3034633690d13ffb460e1e7dea" + git_file = "terraform/azure/app_service.tf" + git_last_modified_at = "2020-06-19 21:14:50" + git_last_modified_by = "Adin.Ermie@outlook.com" + git_modifiers = "Adin.Ermie/nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "13be096d-c599-46e5-bf54-51c6e9732858" + } +} + +resource azurerm_app_service "app-service2" { + app_service_plan_id = azurerm_app_service_plan.example.id + location = var.location + name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}" + resource_group_name = azurerm_resource_group.example.name + https_only = true + + auth_settings { + enabled = false + } + tags = { + git_commit = "5c6b5d60a8aa63a5d37e60f15185d13a967f0542" + git_file = "terraform/azure/app_service.tf" + git_last_modified_at = "2021-05-02 10:06:10" + git_last_modified_by = "nimrodkor@users.noreply.github.com" + git_modifiers = "Adin.Ermie/nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "ec8295ab-af68-4cff-b0f1-b0cf5eaf1b75" + } +} + diff --git a/terraform/azure/application_gateway.tf b/terraform/azure/application_gateway.tf new file mode 100644 index 0000000..e66945b --- /dev/null +++ b/terraform/azure/application_gateway.tf @@ -0,0 +1,66 @@ +resource "azurerm_application_gateway" "network" { + name = "example-appgateway" + resource_group_name = "example-resourceGroup" + location = "example --West-US" + + sku { + name = "Standard_Small" + tier = "Standard" + capacity = 2 + } + + gateway_ip_configuration { + name = "my-gateway-ip-configuration" + subnet_id = "your subnet id" + } + + frontend_port { + name = "name" + port = "port-no" + } + ####Missing WAF block: As per azure best practices, it is important to have a web application firewall enabled at application gateway. + + + frontend_ip_configuration { + name = "name" + public_ip_address_id = "Ip-address" + } + + backend_address_pool { + name = local.backend_address_pool_name + } + + backend_http_settings { + name = local.http_setting_name + cookie_based_affinity = "Disabled" + path = "/path1/" + port = 80 + protocol = "Http" + request_timeout = 60 + } + + http_listener { + name = local.listener_name + frontend_ip_configuration_name = local.frontend_ip_configuration_name + frontend_port_name = local.frontend_port_name + protocol = "Http" + } + + request_routing_rule { + name = local.request_routing_rule_name + rule_type = "Basic" + http_listener_name = local.listener_name + backend_address_pool_name = local.backend_address_pool_name + backend_http_settings_name = local.http_setting_name + } + tags = { + git_commit = "b07a42ebd74b8f0ba647e20b872474b1c29b4814" + git_file = "terraform/azure/application_gateway.tf" + git_last_modified_at = "2021-05-02 10:08:55" + git_last_modified_by = "nimrodkor@users.noreply.github.com" + git_modifiers = "harkiratbhardwaj/nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "3f62753b-3d20-4fa7-b402-b780234a14d8" + } +} diff --git a/terraform/azure/instance.tf b/terraform/azure/instance.tf new file mode 100644 index 0000000..225872b --- /dev/null +++ b/terraform/azure/instance.tf @@ -0,0 +1,77 @@ +resource random_string "password" { + length = 16 + special = false + min_lower = 1 + min_numeric = 1 + min_upper = 1 +} + +resource azurerm_linux_virtual_machine "linux_machine" { + admin_username = "terragoat-linux" + admin_password = random_string.password.result + location = var.location + name = "terragoat-linux" + network_interface_ids = [azurerm_network_interface.ni_linux.id] + resource_group_name = azurerm_resource_group.example.name + size = "Standard_F2" + disable_password_authentication = false + source_image_reference { + publisher = "Canonical" + offer = "UbuntuServer" + sku = "16.04-LTS" + version = "latest" + } + os_disk { + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + } + + tags = merge({ + terragoat = true + environment = var.environment + }, { + git_commit = "de3bb777f967989c2c3332faea16cb614c55ccc9" + git_file = "terraform/azure/instance.tf" + git_last_modified_at = "2020-06-17 15:48:15" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "736ef713-51b8-4178-ad69-406be81f6ef2" + }) +} + +resource azurerm_windows_virtual_machine "windows_machine" { + admin_password = random_string.password.result + admin_username = "tg-${var.environment}" + location = var.location + name = "tg-win" + network_interface_ids = [azurerm_network_interface.ni_win.id] + resource_group_name = azurerm_resource_group.example.name + size = "Standard_F2" + os_disk { + caching = "ReadWrite" + storage_account_type = "Standard_LRS" + } + + source_image_reference { + publisher = "MicrosoftWindowsServer" + offer = "WindowsServer" + sku = "2016-Datacenter" + version = "latest" + } + + tags = merge({ + terragoat = true + environment = var.environment + }, { + git_commit = "de3bb777f967989c2c3332faea16cb614c55ccc9" + git_file = "terraform/azure/instance.tf" + git_last_modified_at = "2020-06-17 15:48:15" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "41938587-bdfc-4234-b941-560f1ae7d6c0" + }) +} \ No newline at end of file diff --git a/terraform/azure/key_vault.tf b/terraform/azure/key_vault.tf new file mode 100644 index 0000000..7f2be4a --- /dev/null +++ b/terraform/azure/key_vault.tf @@ -0,0 +1,72 @@ +resource "azurerm_key_vault" "example" { + name = "terragoat-key-${var.environment}${random_integer.rnd_int.result}" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + tenant_id = data.azurerm_client_config.current.tenant_id + sku_name = "premium" + access_policy { + tenant_id = data.azurerm_client_config.current.tenant_id + object_id = data.azurerm_client_config.current.object_id + key_permissions = [ + "create", + "get", + ] + secret_permissions = [ + "set", + ] + } + tags = merge({ + environment = var.environment + terragoat = true + }, { + git_commit = "81738b80d571fa3034633690d13ffb460e1e7dea" + git_file = "terraform/azure/key_vault.tf" + git_last_modified_at = "2020-06-19 21:14:50" + git_last_modified_by = "Adin.Ermie@outlook.com" + git_modifiers = "Adin.Ermie/nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "79afeacc-248a-4015-a4fa-76a6a57f06e2" + }) +} + +resource "azurerm_key_vault_key" "generated" { + name = "terragoat-generated-certificate-${var.environment}" + key_vault_id = azurerm_key_vault.example.id + key_type = "RSA" + key_size = 2048 + key_opts = [ + "decrypt", + "encrypt", + "sign", + "unwrapKey", + "verify", + "wrapKey", + ] + tags = { + git_commit = "898d5beaec7ffdef6df0d7abecff407362e2a74e" + git_file = "terraform/azure/key_vault.tf" + git_last_modified_at = "2020-06-17 12:59:55" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "afbc6e13-63d9-4e6c-8914-d58b7744b5dd" + } +} + +resource "azurerm_key_vault_secret" "secret" { + key_vault_id = azurerm_key_vault.example.id + name = "terragoat-secret-${var.environment}" + value = random_string.password.result + tags = { + git_commit = "f8ff847bb69370bbe03b3d2b70db586ff6c867fc" + git_file = "terraform/azure/key_vault.tf" + git_last_modified_at = "2020-06-19 21:16:08" + git_last_modified_by = "Adin.Ermie@outlook.com" + git_modifiers = "Adin.Ermie/nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "40517524-f05d-485b-bfbe-3fa0dbee511e" + } +} \ No newline at end of file diff --git a/terraform/azure/logging.tf b/terraform/azure/logging.tf new file mode 100644 index 0000000..b7854fb --- /dev/null +++ b/terraform/azure/logging.tf @@ -0,0 +1,10 @@ +resource azurerm_monitor_log_profile "logging_profile" { + storage_account_id = azurerm_storage_account.example.id + categories = ["Action"] + locations = [var.location] + name = "terragoat-${var.environment}" + retention_policy { + enabled = true + days = 30 + } +} \ No newline at end of file diff --git a/terraform/azure/mssql.tf b/terraform/azure/mssql.tf new file mode 100644 index 0000000..1c7f1f9 --- /dev/null +++ b/terraform/azure/mssql.tf @@ -0,0 +1,248 @@ +resource "azurerm_storage_account" "security_storage_account" { + name = "securitystorageaccount-${var.environment}${random_integer.rnd_int.result}" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + account_tier = "Standard" + account_replication_type = "LRS" + enable_https_traffic_only = true + tags = { + git_commit = "a1d1c1ce31a1bde6dafa188846d90eca82abe5fd" + git_file = "terraform/azure/mssql.tf" + git_last_modified_at = "2022-01-20 05:32:41" + git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com" + git_modifiers = "28880387+tsmithv11" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "4b504d4d-608c-45fe-ae56-807bde6d969f" + } +} + +resource "azurerm_mssql_server" "mssql1" { + name = "terragoat-mssql1-${var.environment}${random_integer.rnd_int.result}" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "missadministrator" + administrator_login_password = "AdminPassword123!" + tags = { + git_commit = "c6f8caa51942284d02465518822685897ad90141" + git_file = "terraform/azure/mssql.tf" + git_last_modified_at = "2022-01-20 18:41:19" + git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com" + git_modifiers = "28880387+tsmithv11" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "54f6cb23-b30a-4f1d-8064-6f777b9b75db" + } +} + +resource "azurerm_mssql_server" "mssql2" { + name = "mssql2-${var.environment}${random_integer.rnd_int.result}" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "missadministrator" + administrator_login_password = "AdminPassword123!" + tags = { + git_commit = "c6f8caa51942284d02465518822685897ad90141" + git_file = "terraform/azure/mssql.tf" + git_last_modified_at = "2022-01-20 18:41:19" + git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com" + git_modifiers = "28880387+tsmithv11" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "096d2cf2-6d47-41b2-9418-cdedea85e184" + } +} + +resource "azurerm_mssql_server" "mssql3" { + name = "mssql3-${var.environment}${random_integer.rnd_int.result}" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "missadministrator" + administrator_login_password = "AdminPassword123!" + tags = { + git_commit = "c6f8caa51942284d02465518822685897ad90141" + git_file = "terraform/azure/mssql.tf" + git_last_modified_at = "2022-01-20 18:41:19" + git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com" + git_modifiers = "28880387+tsmithv11" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "e71d3fb5-addc-481d-ada6-b7432a768de3" + } +} + +resource "azurerm_mssql_server" "mssql4" { + name = "mssql4-${var.environment}${random_integer.rnd_int.result}" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "missadministrator" + administrator_login_password = "AdminPassword123!" + tags = { + git_commit = "c6f8caa51942284d02465518822685897ad90141" + git_file = "terraform/azure/mssql.tf" + git_last_modified_at = "2022-01-20 18:41:19" + git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com" + git_modifiers = "28880387+tsmithv11" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "c3b85724-4f7e-4c63-a17d-3d04239beae8" + } +} + +resource "azurerm_mssql_server" "mssql5" { + name = "mssql5-${var.environment}${random_integer.rnd_int.result}" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "missadministrator" + administrator_login_password = "AdminPassword123!" + tags = { + git_commit = "c6f8caa51942284d02465518822685897ad90141" + git_file = "terraform/azure/mssql.tf" + git_last_modified_at = "2022-01-20 18:41:19" + git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com" + git_modifiers = "28880387+tsmithv11" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "0240ca84-acc9-47d9-b491-9e7e359787a1" + } +} + +resource "azurerm_mssql_server" "mssql6" { + name = "mssql6-${var.environment}${random_integer.rnd_int.result}" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "missadministrator" + administrator_login_password = "AdminPassword123!" + tags = { + git_commit = "c6f8caa51942284d02465518822685897ad90141" + git_file = "terraform/azure/mssql.tf" + git_last_modified_at = "2022-01-20 18:41:19" + git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com" + git_modifiers = "28880387+tsmithv11" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "042d15fb-edfa-484b-b65e-3d70c50cdee7" + } +} + +resource "azurerm_mssql_server" "mssql7" { + name = "mssql7-${var.environment}${random_integer.rnd_int.result}" + resource_group_name = azurerm_resource_group.example.name + location = azurerm_resource_group.example.location + version = "12.0" + administrator_login = "missadministrator" + administrator_login_password = "AdminPassword123!" + tags = { + git_commit = "c6f8caa51942284d02465518822685897ad90141" + git_file = "terraform/azure/mssql.tf" + git_last_modified_at = "2022-01-20 18:41:19" + git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com" + git_modifiers = "28880387+tsmithv11" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "3f1118e1-5067-452e-906f-5123cfc93711" + } +} + +resource "azurerm_mssql_server_security_alert_policy" "alertpolicy1" { + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_mssql_server.mssql1.name + state = "Enabled" + storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 + email_addresses = ["securityengineer@bridgecrew.io"] +} + +resource "azurerm_mssql_server_security_alert_policy" "alertpolicy2" { + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_mssql_server.mssql2.name + state = "Enabled" + storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 + email_addresses = ["securityengineer@bridgecrew.io"] +} + +resource "azurerm_mssql_server_security_alert_policy" "alertpolicy3" { + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_mssql_server.mssql3.name + state = "Enabled" + storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 + email_addresses = ["securityengineer@bridgecrew.io"] +} + +resource "azurerm_mssql_server_security_alert_policy" "alertpolicy4" { + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_mssql_server.mssql4.name + state = "Enabled" + storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 + email_addresses = ["securityengineer@bridgecrew.io"] +} + +resource "azurerm_mssql_server_security_alert_policy" "alertpolicy5" { + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_mssql_server.mssql5.name + state = "Enabled" + storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 +} + +resource "azurerm_mssql_server_security_alert_policy" "alertpolicy6" { + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_mssql_server.mssql6.name + state = "Enabled" + storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 + email_addresses = ["securityengineer@bridgecrew.io"] +} + +resource "azurerm_mssql_server_security_alert_policy" "alertpolicy7" { + resource_group_name = azurerm_resource_group.example.name + server_name = azurerm_mssql_server.mssql7.name + state = "Enabled" + storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint + storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key + disabled_alerts = [ + "Sql_Injection", + "Data_Exfiltration" + ] + retention_days = 20 + email_addresses = ["securityengineer@bridgecrew.io"] +} diff --git a/terraform/azure/networking.tf b/terraform/azure/networking.tf new file mode 100644 index 0000000..ab01c60 --- /dev/null +++ b/terraform/azure/networking.tf @@ -0,0 +1,145 @@ +resource "azurerm_virtual_network" "example" { + name = "terragoat-vn-${var.environment}" + address_space = ["10.0.0.0/16"] + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + tags = { + git_commit = "898d5beaec7ffdef6df0d7abecff407362e2a74e" + git_file = "terraform/azure/networking.tf" + git_last_modified_at = "2020-06-17 12:59:55" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "eb19f165-9c21-4a7a-96e5-5bb557a38228" + } +} + +resource "azurerm_subnet" "example" { + name = "terragoat-${var.environment}" + resource_group_name = azurerm_resource_group.example.name + virtual_network_name = azurerm_virtual_network.example.name + address_prefixes = ["10.0.0.0/24"] +} + +resource "azurerm_network_interface" "ni_linux" { + name = "terragoat-linux-${var.environment}" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + ip_configuration { + name = "internal" + subnet_id = azurerm_subnet.example.id + private_ip_address_allocation = "Dynamic" + } + tags = { + git_commit = "de3bb777f967989c2c3332faea16cb614c55ccc9" + git_file = "terraform/azure/networking.tf" + git_last_modified_at = "2020-06-17 15:48:15" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "2647f099-dff8-4514-8cef-96159380c02a" + } +} + +resource "azurerm_network_interface" "ni_win" { + name = "terragoat-win-${var.environment}" + location = azurerm_resource_group.example.location + resource_group_name = azurerm_resource_group.example.name + + ip_configuration { + name = "internal" + subnet_id = azurerm_subnet.example.id + private_ip_address_allocation = "Dynamic" + } + tags = { + git_commit = "de3bb777f967989c2c3332faea16cb614c55ccc9" + git_file = "terraform/azure/networking.tf" + git_last_modified_at = "2020-06-17 15:48:15" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "2b5dbf28-04fb-4151-a637-a731bbe7ed1d" + } +} + +resource azurerm_network_security_group "bad_sg" { + location = var.location + name = "terragoat-${var.environment}" + resource_group_name = azurerm_resource_group.example.name + + security_rule { + access = "Allow" + direction = "Inbound" + name = "AllowSSH" + priority = 200 + protocol = "TCP" + source_address_prefix = "*" + source_port_range = "*" + destination_port_range = "22-22" + destination_address_prefix = "*" + } + + security_rule { + access = "Allow" + direction = "Inbound" + name = "AllowRDP" + priority = 300 + protocol = "TCP" + source_address_prefix = "*" + source_port_range = "*" + destination_port_range = "3389-3389" + destination_address_prefix = "*" + } + tags = { + git_commit = "5c6b5d60a8aa63a5d37e60f15185d13a967f0542" + git_file = "terraform/azure/networking.tf" + git_last_modified_at = "2021-05-02 10:06:10" + git_last_modified_by = "nimrodkor@users.noreply.github.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "1a591ba4-d969-4572-9704-87b5c55c0ba3" + } +} + +resource azurerm_network_watcher "network_watcher" { + location = var.location + name = "terragoat-network-watcher-${var.environment}" + resource_group_name = azurerm_resource_group.example.name + tags = { + git_commit = "898d5beaec7ffdef6df0d7abecff407362e2a74e" + git_file = "terraform/azure/networking.tf" + git_last_modified_at = "2020-06-17 12:59:55" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "3da368fc-723f-43d2-8e82-08dcc91e5094" + } +} + +resource azurerm_network_watcher_flow_log "flow_log" { + enabled = false + network_security_group_id = azurerm_network_security_group.bad_sg.id + network_watcher_name = azurerm_network_watcher.network_watcher.name + resource_group_name = azurerm_resource_group.example.name + storage_account_id = azurerm_storage_account.example.id + retention_policy { + enabled = false + days = 10 + } + tags = { + git_commit = "898d5beaec7ffdef6df0d7abecff407362e2a74e" + git_file = "terraform/azure/networking.tf" + git_last_modified_at = "2020-06-17 12:59:55" + git_last_modified_by = "nimrodkor@gmail.com" + git_modifiers = "nimrodkor" + git_org = "bridgecrewio" + git_repo = "terragoat" + yor_trace = "33a7212e-7f1a-49fc-af73-8e525c5546ec" + } +} \ No newline at end of file diff --git a/terraform/azure/policies.tf b/terraform/azure/policies.tf new file mode 100644 index 0000000..76ffd9f --- /dev/null +++ b/terraform/azure/policies.tf @@ -0,0 +1,51 @@ +resource "azurerm_policy_definition" "policy-res" { + name = "terragoat-policy-${var.environment}" + policy_type = "Custom" + mode = "Indexed" + display_name = "acceptance test policy definition" + metadata = < Date: Mon, 28 Aug 2023 17:28:27 -0300 Subject: [PATCH 19/23] Create Veracode-SB.yml --- .github/workflows/Veracode-SB.yml | 101 ++++++++++++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 .github/workflows/Veracode-SB.yml diff --git a/.github/workflows/Veracode-SB.yml b/.github/workflows/Veracode-SB.yml new file mode 100644 index 0000000..a22f214 --- /dev/null +++ b/.github/workflows/Veracode-SB.yml @@ -0,0 +1,101 @@ +name: Veracode_SB +on: + push: + branches: [ master ] + workflow_dispatch: + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_SCA: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Veracode SCA + env: + SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets + run: | + curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty + + Veracode_UploadAndScan: + runs-on: ubuntu-latest + if: ${{ github.ref == 'refs/heads/DEV' || github.ref == 'refs/heads/HMG' || github.ref == 'refs/heads/Main' }} + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + if: ${{ github.ref == 'refs/heads/DEV' || github.ref == 'refs/heads/HMG' }} + env: + VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VeracodeKey: ${{ secrets.VeracodeKey }} + AppName: Github Actions - ${{ github.repository }} + with: + vid: '$VeracodeID' + vkey: '$VeracodeKey' + criticality: 'VeryHigh' + appname: '$AppName' + createsandbox: true + sandboxname: ${GITHUB_REF#refs/heads/} + filepath: 'veracode.zip' + deleteIncompleteScan: false + version: ${{ github.run_id }} + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + if: ${{ github.ref == 'refs/heads/Main' }} + env: + VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VeracodeKey: ${{ secrets.VeracodeKey }} + AppName: Github Actions - ${{ github.repository }} + with: + vid: '$VeracodeID' + vkey: '$VeracodeKey' + criticality: 'VeryHigh' + appname: '$AppName' + filepath: 'veracode.zip' + deleteIncompleteScan: false + version: ${{ github.run_id }} + + Veracode_PipelineScan: + runs-on: ubuntu-latest + needs: build + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - name: Veracode Pipeline Scan + continue-on-error: true + env: + VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VeracodeKey }} + CaminhoArquivo: './veracode.zip' + run: | + curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + unzip pipeline-scan-LATEST.zip + java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true + - name: Converte para o formato SARIF + id: convert + uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5 + with: + pipeline-results-json: results.json + output-results-sarif: veracode-results.sarif + finding-rule-level: "3:1:0" + - name: Publica os resultados + uses: github/codeql-action/upload-sarif@v2 + with: # Path to SARIF file relative to the root of the repository + sarif_file: veracode-results.sarif \ No newline at end of file From 26feea5f57f322183af1e6e82a3aa9daac437363 Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Mon, 28 Aug 2023 17:31:31 -0300 Subject: [PATCH 20/23] Update Veracode-SB.yml --- .github/workflows/Veracode-SB.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/Veracode-SB.yml b/.github/workflows/Veracode-SB.yml index a22f214..7472294 100644 --- a/.github/workflows/Veracode-SB.yml +++ b/.github/workflows/Veracode-SB.yml @@ -1,8 +1,6 @@ name: Veracode_SB -on: - push: - branches: [ master ] - workflow_dispatch: +on: + workflow_dispatch: jobs: build: From 22fdd14d12d50ec65834a28a051d98971a686c5d Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Mon, 28 Aug 2023 17:35:38 -0300 Subject: [PATCH 21/23] Update Veracode-SB.yml --- .github/workflows/Veracode-SB.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/Veracode-SB.yml b/.github/workflows/Veracode-SB.yml index 7472294..f4a0477 100644 --- a/.github/workflows/Veracode-SB.yml +++ b/.github/workflows/Veracode-SB.yml @@ -1,6 +1,6 @@ name: Veracode_SB on: - workflow_dispatch: + push: jobs: build: From 9ffb970c755f8f0d06605a27deeab983bf9a959e Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Mon, 28 Aug 2023 17:38:23 -0300 Subject: [PATCH 22/23] Update Veracode-SB.yml --- .github/workflows/Veracode-SB.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/Veracode-SB.yml b/.github/workflows/Veracode-SB.yml index f4a0477..75e0449 100644 --- a/.github/workflows/Veracode-SB.yml +++ b/.github/workflows/Veracode-SB.yml @@ -3,7 +3,7 @@ on: push: jobs: - build: + Package: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 @@ -31,7 +31,7 @@ jobs: Veracode_UploadAndScan: runs-on: ubuntu-latest if: ${{ github.ref == 'refs/heads/DEV' || github.ref == 'refs/heads/HMG' || github.ref == 'refs/heads/Main' }} - needs: build + needs: Package steps: - name: Download Artefato uses: actions/download-artifact@v2 @@ -70,7 +70,7 @@ jobs: Veracode_PipelineScan: runs-on: ubuntu-latest - needs: build + needs: Package steps: - name: Download Artefato uses: actions/download-artifact@v2 From 4d8b03556028ac2b4712f2e37cb75631d66efbba Mon Sep 17 00:00:00 2001 From: Ivo Dias Date: Mon, 28 Aug 2023 17:57:45 -0300 Subject: [PATCH 23/23] Create Veracode-XGH.yml --- .github/workflows/Veracode-XGH.yml | 71 ++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 .github/workflows/Veracode-XGH.yml diff --git a/.github/workflows/Veracode-XGH.yml b/.github/workflows/Veracode-XGH.yml new file mode 100644 index 0000000..cc07bb4 --- /dev/null +++ b/.github/workflows/Veracode-XGH.yml @@ -0,0 +1,71 @@ +name: Veracode_GoHorse +on: + push + +jobs: + Package: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Empacotamento dos arquivos + uses: thedoctor0/zip-release@master + with: + filename: 'veracode.zip' + path: . + - name: Publicando Artefato + uses: actions/upload-artifact@v2 + with: + name: pacoteVeracode + path: veracode.zip + + Veracode_SCA: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Veracode SCA + env: + SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets + run: | + curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty + + Veracode_UploadAndScan: + runs-on: ubuntu-latest + needs: Package + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode + env: + VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VeracodeKey: ${{ secrets.VeracodeKey }} + AppName: ${{ github.repository }} + with: + vid: '$VeracodeID' + vkey: '$VeracodeKey' + criticality: 'VeryHigh' + appname: '$AppName' + filepath: 'veracode.zip' + deleteIncompleteScan: true + scanallnonfataltoplevelmodules: true + includenewmodules: true + version: ${{ github.run_id }} + + Veracode_PipelineScan: + runs-on: ubuntu-latest + needs: Package + steps: + - name: Download Artefato + uses: actions/download-artifact@v2 + with: + name: pacoteVeracode + - name: Veracode Pipeline Scan + env: + VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets + VKEY: ${{ secrets.VeracodeKey }} + CaminhoArquivo: './veracode.zip' + run: | + curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip + unzip pipeline-scan-LATEST.zip + java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true \ No newline at end of file