From 0c3fa42b762e5018387b0aab1b1655655ca01ca7 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 21 Jul 2022 16:34:13 -0300
Subject: [PATCH 01/23] Exemplos de Pipelines
---
.github/workflows/Com traducao.yml | 142 +++++++++++++++++++++++++++++
.github/workflows/Comparativo.yml | 77 ++++++++++++++++
.github/workflows/Default.yml | 59 ------------
.github/workflows/allTools.yml | 133 ---------------------------
.github/workflows/main.yml | 111 ----------------------
.github/workflows/restAPI.yml | 78 ----------------
6 files changed, 219 insertions(+), 381 deletions(-)
create mode 100644 .github/workflows/Com traducao.yml
create mode 100644 .github/workflows/Comparativo.yml
delete mode 100644 .github/workflows/Default.yml
delete mode 100644 .github/workflows/allTools.yml
delete mode 100644 .github/workflows/main.yml
delete mode 100644 .github/workflows/restAPI.yml
diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml
new file mode 100644
index 0000000..b9d9865
--- /dev/null
+++ b/.github/workflows/Com traducao.yml
@@ -0,0 +1,142 @@
+name: Pipeline_Ideal
+on:
+ push:
+ branches: [ master ]
+ workflow_dispatch:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Use Node.js
+ uses: actions/setup-node@v2
+ with:
+ node-version: '12.x'
+ - name: Install dependencies
+ run: npm install
+ - name: Empacotamento dos arquivos
+ uses: thedoctor0/zip-release@master
+ with:
+ filename: 'veracode.zip'
+ path: .
+ - name: Publicando Artefato
+ uses: actions/upload-artifact@v2
+ with:
+ name: pacoteVeracode
+ path: veracode.zip
+
+ Veracode_SAST:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+ - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode
+ env:
+ VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
+ VKEY: ${{ secrets.VKEY }}
+ AppName: Github Actions - ${{ github.repository }}
+ with:
+ vid: '$VID'
+ vkey: '$VKEY'
+ criticality: 'VeryHigh'
+ appname: '$AppName'
+ createsandbox: true
+ filepath: 'veracode.zip'
+ deleteIncompleteScan: false
+ version: ${{ github.run_id }}
+
+ Resultados:
+ runs-on: windows-latest
+ needs: Veracode_SAST
+ steps:
+ - name: Download Wrapper file
+ run: Invoke-WebRequest -Uri "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/20.12.7.3/vosp-api-wrappers-java-20.12.7.3.jar" -OutFile "VeracodeJavaAPI.jar"
+ - name: Download XML
+ env:
+ VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
+ VKEY: ${{ secrets.VKEY }}
+ CaminhoArquivo: './veracode.zip'
+ numeroVersao: ${{ github.run_id }}
+ run: |
+ function Traduzir {
+ param (
+ [parameter(position=0,Mandatory=$True)]
+ $texto,
+ [parameter(position=1)]
+ $idiomaAlvo = "pt"
+ )
+
+ # Utiliza a API do Google para traduzir
+ Try {
+ $Uri = “https://translate.googleapis.com/translate_a/single?client=gtx&sl=auto&tl=$($idiomaAlvo)&dt=t&q=$texto”
+ $Response = Invoke-RestMethod -Uri $Uri -Method Get
+ # Retorna o valor traduzido
+ $traducao = $Response[0].SyncRoot | foreach { $_[0] }
+ return $traducao
+ }
+ Catch {
+ # Recebe o erro
+ $ErrorMessage = $_.Exception.Message # Recebe o erro
+ # Exibe a mensagem de erro
+ Write-Host "Erro ao traduzir"
+ Write-host $ErrorMessage
+ }
+ }
+
+ # Recebe as infos
+ [xml]$INFO = $(VeracodeAPI.exe -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern $veracodeAppName)
+ $appID = $INFO.app.app_id
+ [string]$INFO = VeracodeAPI.exe -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID"
+ [xml]$INFO = $INFO.Replace(' xmlns=', ' _xmlns=')
+ $buildINFO = $INFO.SelectSingleNode("//application[@app_id='$appId']")
+ $buildID = $buildINFO.build.build_id
+ # Gera o relatorio
+ $out = VeracodeAPI.exe -vid $veracodeID -vkey $veracodeAPIkey -action detailedreport -buildid "$buildID" -outputfilepath "${{ github.run_id }}.xml"
+
+ - name: Resultado do Scan
+ run: |
+ # Recebendo informacoes
+ $securityINFO = [xml](Get-Content "${{ github.run_id }}.xml")
+ $notaLetra = $securityINFO.detailedreport.'static-analysis'.rating
+ $notaScore = $securityINFO.detailedreport.'static-analysis'.score
+ $veracodeAppName = $securityINFO.detailedreport.app_name
+ $numeroVersao = $securityINFO.detailedreport.version
+ $appID = $securityINFO.detailedreport.app_id
+ $quemEnviou = $securityINFO.detailedreport.submitter
+ $politica = $securityINFO.detailedreport.policy_name
+ $complicanceStatus = $securityINFO.detailedreport.policy_compliance_status
+ # Exibe os resultados
+ Write-Host "Resultado do Scan: $numeroVersao"
+ Write-Host "Nome App: $veracodeAppName - App ID: $appID"
+ Write-Host "Enviado por: $quemEnviou"
+ Write-Host "Politica: $politica"
+ Write-Host "Nota: $notaLetra - Score: $notaScore - Resultado: $complicanceStatus"
+ Write-Host "Lista dos problemas encontrados:"
+ # Recebe os leveis e reordena
+ $levels = $securityINFO.detailedreport.severity.level
+ [array]::Reverse($levels)
+ foreach ($level in $levels) {
+ Write-Host "Prioridade: $level"
+ # Recebe as informações
+ $itensCategoria = $securityINFO.detailedreport.severity[$level].category
+ foreach ($item in $itensCategoria) {
+ $idCWE = $item.cwe.cweid
+ $nomeCategoria = $item.categoryname
+ $descricao = $item.desc.para.text
+ $recomendacoes = $item.recommendations.para.text
+ # Faz a tradução
+ $descricao = Traduzir $descricao
+ $recomendacoes = Traduzir $recomendacoes
+ # Exibe o resultado
+ Write-Host "Categoria: $nomeCategoria - ID CWE: $idCWE"
+ Write-Host "Descrição: $descricao"
+ Write-Host " "
+ Write-Host "Remediação: $recomendacoes"
+ Write-Host " "
+ Write-Host " "
+ }
+ Write-Host "..."
+ }
diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml
new file mode 100644
index 0000000..4ae0ff8
--- /dev/null
+++ b/.github/workflows/Comparativo.yml
@@ -0,0 +1,77 @@
+name: Pipeline_Ideal
+on:
+ push:
+ branches: [ master ]
+ workflow_dispatch:
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Use Node.js
+ uses: actions/setup-node@v2
+ with:
+ node-version: '12.x'
+ - name: Install dependencies
+ run: npm install
+ - name: Empacotamento dos arquivos
+ uses: thedoctor0/zip-release@master
+ with:
+ filename: 'veracode.zip'
+ path: .
+ - name: Publicando Artefato
+ uses: actions/upload-artifact@v2
+ with:
+ name: pacoteVeracode
+ path: veracode.zip
+
+ Veracode_SCA:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Veracode SCA
+ env:
+ SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets
+ run: |
+ curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --allow-dirty
+
+ Veracode_SAST:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+ - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode
+ env:
+ VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
+ VKEY: ${{ secrets.VKEY }}
+ AppName: Github Actions - ${{ github.repository }}
+ with:
+ vid: '$VID'
+ vkey: '$VKEY'
+ criticality: 'VeryHigh'
+ appname: '$AppName'
+ scantimeout: '45'
+ filepath: 'veracode.zip'
+ deleteIncompleteScan: false
+ version: ${{ github.run_id }}
+
+ Veracode_PipelineScan:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+ - name: Veracode Pipeline Scan
+ env:
+ VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
+ VKEY: ${{ secrets.VKEY }}
+ CaminhoArquivo: './veracode.zip'
+ run: |
+ curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
+ unzip pipeline-scan-LATEST.zip
+ java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true
diff --git a/.github/workflows/Default.yml b/.github/workflows/Default.yml
deleted file mode 100644
index f7a337a..0000000
--- a/.github/workflows/Default.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-name: Default
-on:
- push:
- branches: [ master ]
- workflow_dispatch:
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@master
-
- - name: Use Node.js
- uses: actions/setup-node@v2
- with:
- node-version: '12.x'
-
- - name: Archive Release
- uses: thedoctor0/zip-release@master
- with:
- filename: 'veracode.zip'
- path: .
-
- - uses: actions/setup-java@v1 # Make java accessible on path so the uploadandscan action can run.
- with:
- java-version: '8'
-
- - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode
- env:
- VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
- VKEY: ${{ secrets.VKEY }}
- AppName: Github Actions - ${{ github.repository }}
- with:
- vid: '$VID'
- vkey: '$VKEY'
- criticality: 'VeryHigh'
- appname: '$AppName'
- createprofile: true
- filepath: 'veracode.zip'
- deleteIncompleteScan: false
- version: ${{ github.run_id }}
-
- - name: Veracode SCA
- env:
- SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets
- run: |
- curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s scan --update-advisor
-
- - name: build
- run: npm build
-
- - name: Veracode Pipeline Scan
- env:
- VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
- VKEY: ${{ secrets.VKEY }}
- CaminhoArquivo: 'veracode.zip'
- run: |
- curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- unzip -o pipeline-scan-LATEST.zip
- java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true
diff --git a/.github/workflows/allTools.yml b/.github/workflows/allTools.yml
deleted file mode 100644
index 39b4c2c..0000000
--- a/.github/workflows/allTools.yml
+++ /dev/null
@@ -1,133 +0,0 @@
-name: All-Tools
-
-on:
- push:
- branches: [ master ]
-
- workflow_dispatch:
-
-jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: Use Node.js
- uses: actions/setup-node@v2
- with:
- node-version: '12.x'
- - name: Install dependencies
- run: npm install
- - name: Empacotamento dos arquivos
- uses: thedoctor0/zip-release@master
- with:
- filename: 'veracode.zip'
- path: .
- - name: Publicando Artefato
- uses: actions/upload-artifact@v2
- with:
- name: pacoteVeracode
- path: veracode.zip
-
- Veracode_SCA:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: Veracode SCA
- env:
- SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets
- run: |
- curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request
-
- Veracode_REST_API:
- runs-on: ubuntu-latest
- needs: build
- steps:
- - name: Download Artefato
- uses: actions/download-artifact@v2
- with:
- name: pacoteVeracode
- - name: Veracode REST API
- env:
- VERACODE_ID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
- VERACODE_KEY: ${{ secrets.VKEY }}
- veracodeAppName: Github - ${{ github.repository }}
- CaminhoArquivo: './veracode.zip'
- run: |
- aut_Veracode () {
- URLPATH=$1
- METHOD=$2
- NONCE="$(cat /dev/random | xxd -p | head -c 32)"
- TS="$(($(date +%s%N)/1000))"
- encryptedNonce=$(echo "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt hexkey:$VERACODE_KEY | cut -d ' ' -f 2)
- encryptedTimestamp=$(echo -n "$TS" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedNonce | cut -d ' ' -f 2)
- signingKey=$(echo -n "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedTimestamp | cut -d ' ' -f 2)
- DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD"
- signature=$(echo -n "$DATA" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey | cut -d ' ' -f 2)
- VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature"
- }
- URLPATH=/api/5.0/getapplist.do
- METHOD=GET
- aut_Veracode $URLPATH $METHOD
- curl -s -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -o applist.xml
- while read -r line
- do
- app_name=$(echo $line | grep -Po 'app_name="\K.*?(?=")')
- AppID=$(echo $line | grep -Po 'app_id="\K.*?(?=")')
- if [ "$app_name" = "$veracodeAppName" ]; then
- break
- fi
- done < <(grep $veracodeAppName applist.xml)
- URLPATH=/api/5.0/uploadfile.do
- METHOD=POST
- aut_Veracode $URLPATH $METHOD
- echo "Fazendo o Upload do arquivo: $CaminhoArquivo"
- curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "file=@$CaminhoArquivo"
- URLPATH=/api/5.0/beginprescan.do
- METHOD=POST
- aut_Veracode $URLPATH $METHOD
- echo " "
- echo "Iniciando o scan no perfil: $veracodeAppName ID: $AppID"
- curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "auto_scan=true"
-
- Veracode_Wrapper:
- runs-on: ubuntu-latest
- needs: build
- steps:
- - name: Download Artefato
- uses: actions/download-artifact@v2
- with:
- name: pacoteVeracode
- - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode
- env:
- VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
- VKEY: ${{ secrets.VKEY }}
- AppName: Github Actions - ${{ github.repository }}
- with:
- vid: '$VID'
- vkey: '$VKEY'
- criticality: 'VeryHigh'
- appname: '$AppName'
- createprofile: true
- sandboxname: 'HMG'
- createsandbox: true
- filepath: 'veracode.zip'
- deleteIncompleteScan: false
- version: ${{ github.run_id }}
-
- Veracode_PipelineScan:
- runs-on: ubuntu-latest
- needs: build
- steps:
- - name: Download Artefato
- uses: actions/download-artifact@v2
- with:
- name: pacoteVeracode
- - name: Veracode Pipeline Scan
- env:
- VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
- VKEY: ${{ secrets.VKEY }}
- CaminhoArquivo: './veracode.zip'
- run: |
- curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
- unzip pipeline-scan-LATEST.zip
- java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
deleted file mode 100644
index 7dc2a3b..0000000
--- a/.github/workflows/main.yml
+++ /dev/null
@@ -1,111 +0,0 @@
-name: Pipeline-Envs
-
-on:
- push:
- branches: [ master ]
-
- workflow_dispatch:
-
-jobs:
- build:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v2
- - name: Use Node.js
- uses: actions/setup-node@v2
- with:
- node-version: '12.x'
- - name: Install dependencies
- run: npm install
- - name: Empacotamento dos arquivos
- uses: thedoctor0/zip-release@master
- with:
- filename: 'veracode.zip'
- path: .
- - name: Publicando Artefato
- uses: actions/upload-artifact@v2
- with:
- name: pacoteVeracode
- path: veracode.zip
-
- Veracode_REST_API:
- runs-on: ubuntu-latest
- environment:
- name: REST
- needs: build
- steps:
- - name: Download math result for job 1
- uses: actions/download-artifact@v2
- with:
- name: pacoteVeracode
- - name: Veracode REST API
- env:
- VERACODE_ID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
- VERACODE_KEY: ${{ secrets.VKEY }}
- veracodeAppName: Github Actions - ${{ github.repository }}
- CaminhoArquivo: './veracode.zip'
- run: |
- aut_Veracode () {
- URLPATH=$1
- METHOD=$2
- NONCE="$(cat /dev/random | xxd -p | head -c 32)"
- TS="$(($(date +%s%N)/1000))"
- encryptedNonce=$(echo "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt hexkey:$VERACODE_KEY | cut -d ' ' -f 2)
- encryptedTimestamp=$(echo -n "$TS" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedNonce | cut -d ' ' -f 2)
- signingKey=$(echo -n "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedTimestamp | cut -d ' ' -f 2)
- DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD"
- signature=$(echo -n "$DATA" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey | cut -d ' ' -f 2)
- VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature"
- }
- URLPATH=/api/5.0/getapplist.do
- METHOD=GET
- aut_Veracode $URLPATH $METHOD
- curl -s -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -o applist.xml
- while read -r line
- do
- app_name=$(echo $line | grep -Po 'app_name="\K.*?(?=")')
- AppID=$(echo $line | grep -Po 'app_id="\K.*?(?=")')
- if [ "$app_name" = "$veracodeAppName" ]; then
- break
- fi
- done < <(grep $veracodeAppName applist.xml)
- URLPATH=/api/5.0/uploadfile.do
- METHOD=POST
- aut_Veracode $URLPATH $METHOD
- echo "Fazendo o Upload do arquivo: $CaminhoArquivo"
- curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "file=@$CaminhoArquivo"
- URLPATH=/api/5.0/beginprescan.do
- METHOD=POST
- aut_Veracode $URLPATH $METHOD
- echo " "
- echo "Iniciando o scan no perfil: $veracodeAppName ID: $AppID"
- curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "auto_scan=true"
-
- Veracode_Wrapper:
- runs-on: ubuntu-latest
- environment:
- name: Wrapper
- needs: build
- steps:
- - name: Download math result for job 1
- uses: actions/download-artifact@v2
- with:
- name: pacoteVeracode
- - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode
- env:
- VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
- VKEY: ${{ secrets.VKEY }}
- AppName: Github Actions - ${{ github.repository }}
- with:
- vid: '$VID'
- vkey: '$VKEY'
- criticality: 'VeryHigh'
- appname: '$AppName'
- createprofile: true
- sandboxname: 'Wrapper'
- createsandbox: true
- filepath: 'veracode.zip'
- deleteIncompleteScan: false
- version: ${{ github.run_id }}
- scantimeout: 30
diff --git a/.github/workflows/restAPI.yml b/.github/workflows/restAPI.yml
deleted file mode 100644
index edee816..0000000
--- a/.github/workflows/restAPI.yml
+++ /dev/null
@@ -1,78 +0,0 @@
-# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
-# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
-
-name: NodeJS
-
-on:
- push:
- branches: [ master ]
-
- workflow_dispatch:
-
-jobs:
- build:
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v2
- - name: Use Node.js
- uses: actions/setup-node@v2
- with:
- node-version: '12.x'
- - name: Install dependencies
- run: npm install
-
- - name: Empacotamento dos arquivos
- uses: thedoctor0/zip-release@master
- with:
- filename: 'veracode.zip'
- path: .
-
- - name: Veracode REST API
- env:
- VERACODE_ID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
- VERACODE_KEY: ${{ secrets.VKEY }}
- veracodeAppName: Github Actions - ${{ github.repository }}
- CaminhoArquivo: './veracode.zip'
- run: |
- aut_Veracode () {
- URLPATH=$1
- METHOD=$2
-
- NONCE="$(cat /dev/random | xxd -p | head -c 32)"
- TS="$(($(date +%s%N)/1000))"
- encryptedNonce=$(echo "$NONCE" | xxd -r -p | openssl dgst -sha256 -mac HMAC -macopt hexkey:$VERACODE_KEY | cut -d ' ' -f 2)
- encryptedTimestamp=$(echo -n "$TS" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedNonce | cut -d ' ' -f 2)
- signingKey=$(echo -n "vcode_request_version_1" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$encryptedTimestamp | cut -d ' ' -f 2)
- DATA="id=$VERACODE_ID&host=analysiscenter.veracode.com&url=$URLPATH&method=$METHOD"
- signature=$(echo -n "$DATA" | openssl dgst -sha256 -mac HMAC -macopt hexkey:$signingKey | cut -d ' ' -f 2)
- VERACODE_AUTH_HEADER="VERACODE-HMAC-SHA-256 id=$VERACODE_ID,ts=$TS,nonce=$NONCE,sig=$signature"
- }
-
- URLPATH=/api/5.0/getapplist.do
- METHOD=GET
- aut_Veracode $URLPATH $METHOD
- curl -s -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -o applist.xml
-
- while read -r line
- do
- app_name=$(echo $line | grep -Po 'app_name="\K.*?(?=")')
- AppID=$(echo $line | grep -Po 'app_id="\K.*?(?=")')
- if [ "$app_name" = "$veracodeAppName" ]; then
- break
- fi
- done < <(grep $veracodeAppName applist.xml)
-
-
- URLPATH=/api/5.0/uploadfile.do
- METHOD=POST
- aut_Veracode $URLPATH $METHOD
- echo "Fazendo o Upload do arquivo: $CaminhoArquivo"
- curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "file=@$CaminhoArquivo"
-
- URLPATH=/api/5.0/beginprescan.do
- METHOD=POST
- aut_Veracode $URLPATH $METHOD
- echo " "
- echo "Iniciando o scan no perfil: $veracodeAppName ID: $AppID"
- curl -X $METHOD -H "Authorization: $VERACODE_AUTH_HEADER" "https://analysiscenter.veracode.com$URLPATH" -F "app_id=$AppID" -F "auto_scan=true"
From ecda5a74ea4d95e9f2d1ebb6e7ba0352b9d69146 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 21 Jul 2022 16:35:12 -0300
Subject: [PATCH 02/23] Alt Nomes Pipes
---
.github/workflows/Com traducao.yml | 2 +-
.github/workflows/Comparativo.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml
index b9d9865..4aa118f 100644
--- a/.github/workflows/Com traducao.yml
+++ b/.github/workflows/Com traducao.yml
@@ -1,4 +1,4 @@
-name: Pipeline_Ideal
+name: Resultados_PTBR
on:
push:
branches: [ master ]
diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml
index 4ae0ff8..94e4e42 100644
--- a/.github/workflows/Comparativo.yml
+++ b/.github/workflows/Comparativo.yml
@@ -1,4 +1,4 @@
-name: Pipeline_Ideal
+name: Comparativo
on:
push:
branches: [ master ]
From 58c070825c107f62f38fc213fc440b247d8498d5 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 21 Jul 2022 16:46:09 -0300
Subject: [PATCH 03/23] Tradutor V2
---
.github/workflows/Com traducao.yml | 32 ++++++++++++++++--------------
.github/workflows/Comparativo.yml | 1 +
2 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml
index 4aa118f..a3cdaff 100644
--- a/.github/workflows/Com traducao.yml
+++ b/.github/workflows/Com traducao.yml
@@ -37,14 +37,16 @@ jobs:
env:
VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
VKEY: ${{ secrets.VKEY }}
- AppName: Github Actions - ${{ github.repository }}
+ AppName: Github Actions - ${{ github.repository }} - PTBR
with:
vid: '$VID'
vkey: '$VKEY'
criticality: 'VeryHigh'
appname: '$AppName'
- createsandbox: true
+ scantimeout: '45'
+ scanpollinginterval: '60'
filepath: 'veracode.zip'
+ scanallnonfataltoplevelmodules: true
deleteIncompleteScan: false
version: ${{ github.run_id }}
@@ -53,13 +55,25 @@ jobs:
needs: Veracode_SAST
steps:
- name: Download Wrapper file
- run: Invoke-WebRequest -Uri "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/20.12.7.3/vosp-api-wrappers-java-20.12.7.3.jar" -OutFile "VeracodeJavaAPI.jar"
+ run: Invoke-WebRequest -Uri "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/20.12.7.3/vosp-api-wrappers-java-20.12.7.3.jar" -OutFile "veracode-wrapper.jar"
- name: Download XML
env:
VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
VKEY: ${{ secrets.VKEY }}
CaminhoArquivo: './veracode.zip'
numeroVersao: ${{ github.run_id }}
+ run: |
+ # Recebe as infos
+ [xml]$INFO = $(java -jar veracode-wrapper.jar -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern $veracodeAppName)
+ $appID = $INFO.app.app_id
+ [string]$INFO = java -jar veracode-wrapper.jar -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID"
+ [xml]$INFO = $INFO.Replace(' xmlns=', ' _xmlns=')
+ $buildINFO = $INFO.SelectSingleNode("//application[@app_id='$appId']")
+ $buildID = $buildINFO.build.build_id
+ # Gera o relatorio
+ $out = java -jar veracode-wrapper.jar -vid $veracodeID -vkey $veracodeAPIkey -action detailedreport -buildid "$buildID" -outputfilepath "${{ github.run_id }}.xml"
+
+ - name: Resultado do Scan
run: |
function Traduzir {
param (
@@ -86,18 +100,6 @@ jobs:
}
}
- # Recebe as infos
- [xml]$INFO = $(VeracodeAPI.exe -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern $veracodeAppName)
- $appID = $INFO.app.app_id
- [string]$INFO = VeracodeAPI.exe -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID"
- [xml]$INFO = $INFO.Replace(' xmlns=', ' _xmlns=')
- $buildINFO = $INFO.SelectSingleNode("//application[@app_id='$appId']")
- $buildID = $buildINFO.build.build_id
- # Gera o relatorio
- $out = VeracodeAPI.exe -vid $veracodeID -vkey $veracodeAPIkey -action detailedreport -buildid "$buildID" -outputfilepath "${{ github.run_id }}.xml"
-
- - name: Resultado do Scan
- run: |
# Recebendo informacoes
$securityINFO = [xml](Get-Content "${{ github.run_id }}.xml")
$notaLetra = $securityINFO.detailedreport.'static-analysis'.rating
diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml
index 94e4e42..3a7a018 100644
--- a/.github/workflows/Comparativo.yml
+++ b/.github/workflows/Comparativo.yml
@@ -53,6 +53,7 @@ jobs:
vkey: '$VKEY'
criticality: 'VeryHigh'
appname: '$AppName'
+ scanpollinginterval: '60'
scantimeout: '45'
filepath: 'veracode.zip'
deleteIncompleteScan: false
From c73e00853d11ce058e97f6b578c3b8013f89d249 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 21 Jul 2022 16:56:56 -0300
Subject: [PATCH 04/23] V3
---
.github/workflows/Com traducao.yml | 11 +++--------
.github/workflows/Comparativo.yml | 11 +++--------
.github/workflows/PipelineIdeal.yml | 6 ------
3 files changed, 6 insertions(+), 22 deletions(-)
diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml
index a3cdaff..4a8dfe4 100644
--- a/.github/workflows/Com traducao.yml
+++ b/.github/workflows/Com traducao.yml
@@ -8,12 +8,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- - name: Use Node.js
- uses: actions/setup-node@v2
- with:
- node-version: '12.x'
- - name: Install dependencies
- run: npm install
- name: Empacotamento dos arquivos
uses: thedoctor0/zip-release@master
with:
@@ -43,8 +37,9 @@ jobs:
vkey: '$VKEY'
criticality: 'VeryHigh'
appname: '$AppName'
- scantimeout: '45'
- scanpollinginterval: '60'
+ scantimeout: 45
+ scanpollinginterval: 30
+ deleteincompletescan: 1
filepath: 'veracode.zip'
scanallnonfataltoplevelmodules: true
deleteIncompleteScan: false
diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml
index 3a7a018..92e1a88 100644
--- a/.github/workflows/Comparativo.yml
+++ b/.github/workflows/Comparativo.yml
@@ -8,12 +8,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- - name: Use Node.js
- uses: actions/setup-node@v2
- with:
- node-version: '12.x'
- - name: Install dependencies
- run: npm install
- name: Empacotamento dos arquivos
uses: thedoctor0/zip-release@master
with:
@@ -53,8 +47,9 @@ jobs:
vkey: '$VKEY'
criticality: 'VeryHigh'
appname: '$AppName'
- scanpollinginterval: '60'
- scantimeout: '45'
+ scanpollinginterval: 30
+ scantimeout: 45
+ deleteincompletescan: 1
filepath: 'veracode.zip'
deleteIncompleteScan: false
version: ${{ github.run_id }}
diff --git a/.github/workflows/PipelineIdeal.yml b/.github/workflows/PipelineIdeal.yml
index 0879adb..780ef51 100644
--- a/.github/workflows/PipelineIdeal.yml
+++ b/.github/workflows/PipelineIdeal.yml
@@ -8,12 +8,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- - name: Use Node.js
- uses: actions/setup-node@v2
- with:
- node-version: '12.x'
- - name: Install dependencies
- run: npm install
- name: Empacotamento dos arquivos
uses: thedoctor0/zip-release@master
with:
From 0928fecddad07155acf8e08fb73b32ee0265ef74 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 21 Jul 2022 16:58:32 -0300
Subject: [PATCH 05/23] V3
---
.github/workflows/Com traducao.yml | 1 -
.github/workflows/Comparativo.yml | 1 -
2 files changed, 2 deletions(-)
diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml
index 4a8dfe4..0f58c52 100644
--- a/.github/workflows/Com traducao.yml
+++ b/.github/workflows/Com traducao.yml
@@ -42,7 +42,6 @@ jobs:
deleteincompletescan: 1
filepath: 'veracode.zip'
scanallnonfataltoplevelmodules: true
- deleteIncompleteScan: false
version: ${{ github.run_id }}
Resultados:
diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml
index 92e1a88..e614f27 100644
--- a/.github/workflows/Comparativo.yml
+++ b/.github/workflows/Comparativo.yml
@@ -51,7 +51,6 @@ jobs:
scantimeout: 45
deleteincompletescan: 1
filepath: 'veracode.zip'
- deleteIncompleteScan: false
version: ${{ github.run_id }}
Veracode_PipelineScan:
From 8fc3ec3493d170458d44b3d2f5c0b283433627d4 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 21 Jul 2022 17:04:00 -0300
Subject: [PATCH 06/23] V3
---
.github/workflows/Com traducao.yml | 2 +-
.github/workflows/Comparativo.yml | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml
index 0f58c52..cb0d940 100644
--- a/.github/workflows/Com traducao.yml
+++ b/.github/workflows/Com traducao.yml
@@ -22,6 +22,7 @@ jobs:
Veracode_SAST:
runs-on: ubuntu-latest
needs: build
+ continue-on-error: true
steps:
- name: Download Artefato
uses: actions/download-artifact@v2
@@ -41,7 +42,6 @@ jobs:
scanpollinginterval: 30
deleteincompletescan: 1
filepath: 'veracode.zip'
- scanallnonfataltoplevelmodules: true
version: ${{ github.run_id }}
Resultados:
diff --git a/.github/workflows/Comparativo.yml b/.github/workflows/Comparativo.yml
index e614f27..8594efe 100644
--- a/.github/workflows/Comparativo.yml
+++ b/.github/workflows/Comparativo.yml
@@ -49,7 +49,6 @@ jobs:
appname: '$AppName'
scanpollinginterval: 30
scantimeout: 45
- deleteincompletescan: 1
filepath: 'veracode.zip'
version: ${{ github.run_id }}
From 87e536c989e8dc993f1f4835abafffec5eef2889 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 21 Jul 2022 17:09:58 -0300
Subject: [PATCH 07/23] V3
---
.github/workflows/Com traducao.yml | 44 +-----------------------------
1 file changed, 1 insertion(+), 43 deletions(-)
diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml
index cb0d940..51bc3d7 100644
--- a/.github/workflows/Com traducao.yml
+++ b/.github/workflows/Com traducao.yml
@@ -4,49 +4,8 @@ on:
branches: [ master ]
workflow_dispatch:
jobs:
- build:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: Empacotamento dos arquivos
- uses: thedoctor0/zip-release@master
- with:
- filename: 'veracode.zip'
- path: .
- - name: Publicando Artefato
- uses: actions/upload-artifact@v2
- with:
- name: pacoteVeracode
- path: veracode.zip
-
- Veracode_SAST:
- runs-on: ubuntu-latest
- needs: build
- continue-on-error: true
- steps:
- - name: Download Artefato
- uses: actions/download-artifact@v2
- with:
- name: pacoteVeracode
- - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode
- env:
- VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
- VKEY: ${{ secrets.VKEY }}
- AppName: Github Actions - ${{ github.repository }} - PTBR
- with:
- vid: '$VID'
- vkey: '$VKEY'
- criticality: 'VeryHigh'
- appname: '$AppName'
- scantimeout: 45
- scanpollinginterval: 30
- deleteincompletescan: 1
- filepath: 'veracode.zip'
- version: ${{ github.run_id }}
-
Resultados:
runs-on: windows-latest
- needs: Veracode_SAST
steps:
- name: Download Wrapper file
run: Invoke-WebRequest -Uri "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/20.12.7.3/vosp-api-wrappers-java-20.12.7.3.jar" -OutFile "veracode-wrapper.jar"
@@ -54,8 +13,7 @@ jobs:
env:
VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
VKEY: ${{ secrets.VKEY }}
- CaminhoArquivo: './veracode.zip'
- numeroVersao: ${{ github.run_id }}
+ veracodeAppName: 'Github Actions - IGDEXE/NodeGoat-JS'
run: |
# Recebe as infos
[xml]$INFO = $(java -jar veracode-wrapper.jar -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern $veracodeAppName)
From f5a4ba9b81ccc6ac0594c587962b6dcdd8a308bf Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 21 Jul 2022 17:13:38 -0300
Subject: [PATCH 08/23] Update Com traducao.yml
---
.github/workflows/Com traducao.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml
index 51bc3d7..7f678e6 100644
--- a/.github/workflows/Com traducao.yml
+++ b/.github/workflows/Com traducao.yml
@@ -13,10 +13,9 @@ jobs:
env:
VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
VKEY: ${{ secrets.VKEY }}
- veracodeAppName: 'Github Actions - IGDEXE/NodeGoat-JS'
run: |
# Recebe as infos
- [xml]$INFO = $(java -jar veracode-wrapper.jar -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern $veracodeAppName)
+ [xml]$INFO = $(java -jar veracode-wrapper.jar -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern 'Github Actions - IGDEXE/NodeGoat-JS')
$appID = $INFO.app.app_id
[string]$INFO = java -jar veracode-wrapper.jar -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID"
[xml]$INFO = $INFO.Replace(' xmlns=', ' _xmlns=')
From 96b9b8e6123486d0ab4f68964a1ea827d31198b0 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 21 Jul 2022 17:23:33 -0300
Subject: [PATCH 09/23] Update Com traducao.yml
---
.github/workflows/Com traducao.yml | 42 +++++++++++++++++++++++++-----
1 file changed, 35 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml
index 7f678e6..8b45dbe 100644
--- a/.github/workflows/Com traducao.yml
+++ b/.github/workflows/Com traducao.yml
@@ -4,26 +4,54 @@ on:
branches: [ master ]
workflow_dispatch:
jobs:
- Resultados:
+ Download_Wrapper:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Veracode Pipeline Scan
+ run: |
+ curl -sSO https://tools.veracode.com/integrations/API-Wrappers/C%23/bin/VeracodeC%23API.zip
+ unzip VeracodeC%23API.zip
+ - name: Publicando Artefato
+ uses: actions/upload-artifact@v2
+ with:
+ name: WrapperVeracode
+ path: VeracodeC#API.exe
+
+ Download_XML:
runs-on: windows-latest
steps:
- - name: Download Wrapper file
- run: Invoke-WebRequest -Uri "https://repo1.maven.org/maven2/com/veracode/vosp/api/wrappers/vosp-api-wrappers-java/20.12.7.3/vosp-api-wrappers-java-20.12.7.3.jar" -OutFile "veracode-wrapper.jar"
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: WrapperVeracode
- name: Download XML
env:
VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
VKEY: ${{ secrets.VKEY }}
run: |
# Recebe as infos
- [xml]$INFO = $(java -jar veracode-wrapper.jar -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern 'Github Actions - IGDEXE/NodeGoat-JS')
+ [xml]$INFO = $(.\VeracodeC#API.exe -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern 'Github Actions - IGDEXE/NodeGoat-JS')
$appID = $INFO.app.app_id
- [string]$INFO = java -jar veracode-wrapper.jar -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID"
+ [string]$INFO = .\VeracodeC#API.exe -vid $veracodeID -vkey $veracodeAPIkey -action GetAppBuilds -appid "$appID"
[xml]$INFO = $INFO.Replace(' xmlns=', ' _xmlns=')
$buildINFO = $INFO.SelectSingleNode("//application[@app_id='$appId']")
$buildID = $buildINFO.build.build_id
# Gera o relatorio
- $out = java -jar veracode-wrapper.jar -vid $veracodeID -vkey $veracodeAPIkey -action detailedreport -buildid "$buildID" -outputfilepath "${{ github.run_id }}.xml"
-
+ $out = .\VeracodeC#API.exe -vid $veracodeID -vkey $veracodeAPIkey -action detailedreport -buildid "$buildID" -outputfilepath "${{ github.run_id }}.xml"
+ - name: Publicando Artefato
+ uses: actions/upload-artifact@v2
+ with:
+ name: WrapperVeracode
+ path: ${{ github.run_id }}.xml
+
+ Resultados:
+ runs-on: windows-latest
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+
- name: Resultado do Scan
run: |
function Traduzir {
From 52a11741e3d72c591c7f28f833ee8358f0c83207 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 21 Jul 2022 17:24:47 -0300
Subject: [PATCH 10/23] Update Com traducao.yml
---
.github/workflows/Com traducao.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml
index 8b45dbe..514a497 100644
--- a/.github/workflows/Com traducao.yml
+++ b/.github/workflows/Com traducao.yml
@@ -19,6 +19,7 @@ jobs:
Download_XML:
runs-on: windows-latest
+ needs: Download_Wrapper
steps:
- name: Download Artefato
uses: actions/download-artifact@v2
@@ -46,6 +47,7 @@ jobs:
Resultados:
runs-on: windows-latest
+ needs: Download_XML
steps:
- name: Download Artefato
uses: actions/download-artifact@v2
From e6a3ab63500b3afc76c65a21d94937ae34178b33 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 21 Jul 2022 17:27:53 -0300
Subject: [PATCH 11/23] Update Com traducao.yml
---
.github/workflows/Com traducao.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/Com traducao.yml b/.github/workflows/Com traducao.yml
index 514a497..18159b9 100644
--- a/.github/workflows/Com traducao.yml
+++ b/.github/workflows/Com traducao.yml
@@ -27,8 +27,8 @@ jobs:
name: WrapperVeracode
- name: Download XML
env:
- VID: ${{ secrets.VID }} # Lembrar de criar as credenciais no Secrets
- VKEY: ${{ secrets.VKEY }}
+ veracodeID: ${{ secrets.VID }}
+ veracodeAPIkey: ${{ secrets.VKEY }}
run: |
# Recebe as infos
[xml]$INFO = $(.\VeracodeC#API.exe -vid "$veracodeID" -vkey "$veracodeAPIkey" -action GetAppList | Select-String -Pattern 'Github Actions - IGDEXE/NodeGoat-JS')
From 22b15b9f85c201910566bc59f21bbac6dec281e5 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Tue, 23 May 2023 16:03:03 -0300
Subject: [PATCH 12/23] Veracode Ex
---
.github/workflows/veracode-basic.yml | 44 ++++++++++++++++
.github/workflows/veracode-expert.yml | 72 +++++++++++++++++++++++++++
2 files changed, 116 insertions(+)
create mode 100644 .github/workflows/veracode-basic.yml
create mode 100644 .github/workflows/veracode-expert.yml
diff --git a/.github/workflows/veracode-basic.yml b/.github/workflows/veracode-basic.yml
new file mode 100644
index 0000000..624f14e
--- /dev/null
+++ b/.github/workflows/veracode-basic.yml
@@ -0,0 +1,44 @@
+name: Veracode_Basic
+on:
+ push:
+ branches: [ master ]
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Empacotamento dos arquivos
+ uses: thedoctor0/zip-release@master
+ with:
+ filename: 'veracode.zip'
+ path: .
+ - name: Publicando Artefato
+ uses: actions/upload-artifact@v2
+ with:
+ name: pacoteVeracode
+ path: veracode.zip
+
+ Veracode_UploadAndScan:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+ - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode
+ env:
+ VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
+ VeracodeKey: ${{ secrets.VeracodeKey }}
+ AppName: ${{ github.repository }}
+ with:
+ vid: '$VeracodeID'
+ vkey: '$VeracodeKey'
+ criticality: 'VeryHigh'
+ appname: '$AppName'
+ createprofile: true
+ filepath: 'veracode.zip'
+ deleteIncompleteScan: false
+ version: ${{ github.run_id }}
\ No newline at end of file
diff --git a/.github/workflows/veracode-expert.yml b/.github/workflows/veracode-expert.yml
new file mode 100644
index 0000000..bc00ceb
--- /dev/null
+++ b/.github/workflows/veracode-expert.yml
@@ -0,0 +1,72 @@
+name: Veracode_Advanced
+on:
+ push:
+ branches: [ master ]
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Empacotamento dos arquivos
+ uses: thedoctor0/zip-release@master
+ with:
+ filename: 'veracode.zip'
+ path: .
+ - name: Publicando Artefato
+ uses: actions/upload-artifact@v2
+ with:
+ name: pacoteVeracode
+ path: veracode.zip
+
+ Veracode_SCA:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Veracode SCA
+ env:
+ SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets
+ run: |
+ curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty
+
+ Veracode_UploadAndScan:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+ - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode
+ env:
+ VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
+ VeracodeKey: ${{ secrets.VeracodeKey }}
+ AppName: Github Actions - ${{ github.repository }}
+ with:
+ vid: '$VeracodeID'
+ vkey: '$VeracodeKey'
+ criticality: 'VeryHigh'
+ appname: '$AppName'
+ createsandbox: true
+ filepath: 'veracode.zip'
+ deleteIncompleteScan: false
+ version: ${{ github.run_id }}
+
+ Veracode_PipelineScan:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+ - name: Veracode Pipeline Scan
+ env:
+ VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
+ VKEY: ${{ secrets.VeracodeKey }}
+ CaminhoArquivo: './veracode.zip'
+ run: |
+ curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
+ unzip pipeline-scan-LATEST.zip
+ java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true
\ No newline at end of file
From 086d7c02e94b0de83572d332bd97998d478294ba Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Tue, 23 May 2023 16:15:47 -0300
Subject: [PATCH 13/23] Update veracode-expert.yml
---
.github/workflows/veracode-expert.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/veracode-expert.yml b/.github/workflows/veracode-expert.yml
index bc00ceb..11ffe6c 100644
--- a/.github/workflows/veracode-expert.yml
+++ b/.github/workflows/veracode-expert.yml
@@ -42,7 +42,7 @@ jobs:
env:
VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
VeracodeKey: ${{ secrets.VeracodeKey }}
- AppName: Github Actions - ${{ github.repository }}
+ AppName: ${{ github.repository }}
with:
vid: '$VeracodeID'
vkey: '$VeracodeKey'
From 2c58de82fc792595e360d320d2bd94a6bd878b2e Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 22 Jun 2023 15:50:33 -0300
Subject: [PATCH 14/23] Create Veracode-Expert.yml
---
.github/workflows/Veracode-Expert.yml | 90 +++++++++++++++++++++++++++
1 file changed, 90 insertions(+)
create mode 100644 .github/workflows/Veracode-Expert.yml
diff --git a/.github/workflows/Veracode-Expert.yml b/.github/workflows/Veracode-Expert.yml
new file mode 100644
index 0000000..48b9541
--- /dev/null
+++ b/.github/workflows/Veracode-Expert.yml
@@ -0,0 +1,90 @@
+name: Veracode_Expert
+on:
+ push:
+ branches: [ master ]
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Empacotamento dos arquivos
+ uses: thedoctor0/zip-release@master
+ with:
+ filename: 'veracode.zip'
+ path: .
+ - name: Publicando Artefato
+ uses: actions/upload-artifact@v2
+ with:
+ name: pacoteVeracode
+ path: veracode.zip
+
+ Veracode_SCA:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Veracode SCA
+ env:
+ SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets
+ run: |
+ curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty
+
+ Veracode_UploadAndScan:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+ - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode
+ env:
+ VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
+ VeracodeKey: ${{ secrets.VeracodeKey }}
+ AppName: Github Actions - ${{ github.repository }}
+ with:
+ vid: '$VeracodeID'
+ vkey: '$VeracodeKey'
+ criticality: 'VeryHigh'
+ appname: '$AppName'
+ createsandbox: true
+ filepath: 'veracode.zip'
+ deleteIncompleteScan: false
+ version: ${{ github.run_id }}
+
+ Veracode_PipelineScan:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+ - name: Veracode Pipeline Scan
+ env:
+ VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
+ VKEY: ${{ secrets.VeracodeKey }}
+ CaminhoArquivo: './veracode.zip'
+ run: |
+ curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
+ unzip pipeline-scan-LATEST.zip
+ java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true
+
+ results_to_sarif:
+ needs: Veracode_PipelineScan
+ runs-on: ubuntu-latest
+ name: Importando Resultados
+ steps:
+ - name: Converte para o formato SARIF
+ id: convert
+ uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5
+ with:
+ pipeline-results-json: results.json
+ output-results-sarif: veracode-results.sarif
+ finding-rule-level: "3:1:0"
+
+ - name: Atualiza os resultados
+ uses: github/codeql-action/upload-sarif@v2
+ with: # Path to SARIF file relative to the root of the repository
+ sarif_file: veracode-results.sarif
From 2d2afa70fbca2d4251873a94354f09630ae0d8c9 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 22 Jun 2023 15:55:43 -0300
Subject: [PATCH 15/23] Update Veracode-Expert.yml
---
.github/workflows/Veracode-Expert.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/Veracode-Expert.yml b/.github/workflows/Veracode-Expert.yml
index 48b9541..a840479 100644
--- a/.github/workflows/Veracode-Expert.yml
+++ b/.github/workflows/Veracode-Expert.yml
@@ -56,6 +56,7 @@ jobs:
Veracode_PipelineScan:
runs-on: ubuntu-latest
needs: build
+ continue-on-error: true
steps:
- name: Download Artefato
uses: actions/download-artifact@v2
From 70000ce9b6996900705137c92544c4f15a04d03b Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 22 Jun 2023 16:01:27 -0300
Subject: [PATCH 16/23] Update Veracode-Expert.yml
---
.github/workflows/Veracode-Expert.yml | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/Veracode-Expert.yml b/.github/workflows/Veracode-Expert.yml
index a840479..ca9fbd7 100644
--- a/.github/workflows/Veracode-Expert.yml
+++ b/.github/workflows/Veracode-Expert.yml
@@ -56,13 +56,13 @@ jobs:
Veracode_PipelineScan:
runs-on: ubuntu-latest
needs: build
- continue-on-error: true
steps:
- name: Download Artefato
uses: actions/download-artifact@v2
with:
name: pacoteVeracode
- name: Veracode Pipeline Scan
+ continue-on-error: true
env:
VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
VKEY: ${{ secrets.VeracodeKey }}
@@ -70,13 +70,7 @@ jobs:
run: |
curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
unzip pipeline-scan-LATEST.zip
- java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true
-
- results_to_sarif:
- needs: Veracode_PipelineScan
- runs-on: ubuntu-latest
- name: Importando Resultados
- steps:
+ java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true
- name: Converte para o formato SARIF
id: convert
uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5
@@ -84,8 +78,7 @@ jobs:
pipeline-results-json: results.json
output-results-sarif: veracode-results.sarif
finding-rule-level: "3:1:0"
-
- - name: Atualiza os resultados
+ - name: Publica os resultados
uses: github/codeql-action/upload-sarif@v2
with: # Path to SARIF file relative to the root of the repository
sarif_file: veracode-results.sarif
From 8ef471d28ba32636a82976628be8fd1414576081 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Thu, 22 Jun 2023 16:49:48 -0300
Subject: [PATCH 17/23] Create dependabot.yml
---
.github/dependabot.yml | 11 +++++++++++
1 file changed, 11 insertions(+)
create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..455993f
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+ - package-ecosystem: "" # See documentation for possible values
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
From df2471847b4c995e278183497260573766b38fa9 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Wed, 26 Jul 2023 22:18:01 -0300
Subject: [PATCH 18/23] IAC Example
---
.github/workflows/Veracode-Expert.yml | 20 +
.github/workflows/veracode-expert.yml | 38 +-
terraform/alicloud/bucket.tf | 18 +
terraform/alicloud/provider.tf | 12 +
terraform/alicloud/rds.tf | 30 ++
terraform/alicloud/trail.tf | 44 ++
terraform/aws/consts.tf | 49 ++
terraform/aws/db-app.tf | 423 ++++++++++++++++++
terraform/aws/ec2.tf | 308 +++++++++++++
terraform/aws/ecr.tf | 34 ++
terraform/aws/eks.tf | 148 ++++++
terraform/aws/elb.tf | 40 ++
terraform/aws/es.tf | 43 ++
terraform/aws/iam.tf | 55 +++
terraform/aws/kms.tf | 21 +
terraform/aws/lambda.tf | 58 +++
terraform/aws/neptune.tf | 45 ++
terraform/aws/providers.tf | 18 +
terraform/aws/rds.tf | 144 ++++++
terraform/aws/resources/Dockerfile | 1 +
terraform/aws/resources/customer-master.xlsx | Bin 0 -> 12878 bytes
.../aws/resources/lambda_function_payload.zip | Bin 0 -> 195 bytes
terraform/aws/s3.tf | 141 ++++++
terraform/azure/aks.tf | 35 ++
terraform/azure/app_service.tf | 64 +++
terraform/azure/application_gateway.tf | 66 +++
terraform/azure/instance.tf | 77 ++++
terraform/azure/key_vault.tf | 72 +++
terraform/azure/logging.tf | 10 +
terraform/azure/mssql.tf | 248 ++++++++++
terraform/azure/networking.tf | 145 ++++++
terraform/azure/policies.tf | 51 +++
terraform/azure/provider.tf | 13 +
terraform/azure/random.tf | 4 +
terraform/azure/resource_group.tf | 14 +
terraform/azure/roles.tf | 16 +
terraform/azure/security_center.tf | 9 +
terraform/azure/sql.tf | 110 +++++
terraform/azure/storage.tf | 69 +++
terraform/azure/variables.tf | 15 +
terraform/gcp/README.md | 1 +
terraform/gcp/big_data.tf | 37 ++
terraform/gcp/gcs.tf | 21 +
terraform/gcp/gke.tf | 31 ++
terraform/gcp/instances.tf | 48 ++
terraform/gcp/networks.tf | 27 ++
terraform/gcp/provider.tf | 13 +
terraform/gcp/variables.tf | 24 +
terraform/oracle/bucket.tf | 26 ++
terraform/oracle/compartment.tf | 16 +
terraform/oracle/data.tf | 3 +
terraform/oracle/provider.tf | 8 +
terraform/oracle/variables.tf | 4 +
53 files changed, 2964 insertions(+), 3 deletions(-)
create mode 100644 terraform/alicloud/bucket.tf
create mode 100644 terraform/alicloud/provider.tf
create mode 100644 terraform/alicloud/rds.tf
create mode 100644 terraform/alicloud/trail.tf
create mode 100644 terraform/aws/consts.tf
create mode 100644 terraform/aws/db-app.tf
create mode 100644 terraform/aws/ec2.tf
create mode 100644 terraform/aws/ecr.tf
create mode 100644 terraform/aws/eks.tf
create mode 100644 terraform/aws/elb.tf
create mode 100644 terraform/aws/es.tf
create mode 100644 terraform/aws/iam.tf
create mode 100644 terraform/aws/kms.tf
create mode 100644 terraform/aws/lambda.tf
create mode 100644 terraform/aws/neptune.tf
create mode 100644 terraform/aws/providers.tf
create mode 100644 terraform/aws/rds.tf
create mode 100644 terraform/aws/resources/Dockerfile
create mode 100644 terraform/aws/resources/customer-master.xlsx
create mode 100644 terraform/aws/resources/lambda_function_payload.zip
create mode 100644 terraform/aws/s3.tf
create mode 100644 terraform/azure/aks.tf
create mode 100644 terraform/azure/app_service.tf
create mode 100644 terraform/azure/application_gateway.tf
create mode 100644 terraform/azure/instance.tf
create mode 100644 terraform/azure/key_vault.tf
create mode 100644 terraform/azure/logging.tf
create mode 100644 terraform/azure/mssql.tf
create mode 100644 terraform/azure/networking.tf
create mode 100644 terraform/azure/policies.tf
create mode 100644 terraform/azure/provider.tf
create mode 100644 terraform/azure/random.tf
create mode 100644 terraform/azure/resource_group.tf
create mode 100644 terraform/azure/roles.tf
create mode 100644 terraform/azure/security_center.tf
create mode 100644 terraform/azure/sql.tf
create mode 100644 terraform/azure/storage.tf
create mode 100644 terraform/azure/variables.tf
create mode 100644 terraform/gcp/README.md
create mode 100644 terraform/gcp/big_data.tf
create mode 100644 terraform/gcp/gcs.tf
create mode 100644 terraform/gcp/gke.tf
create mode 100644 terraform/gcp/instances.tf
create mode 100644 terraform/gcp/networks.tf
create mode 100644 terraform/gcp/provider.tf
create mode 100644 terraform/gcp/variables.tf
create mode 100644 terraform/oracle/bucket.tf
create mode 100644 terraform/oracle/compartment.tf
create mode 100644 terraform/oracle/data.tf
create mode 100644 terraform/oracle/provider.tf
create mode 100644 terraform/oracle/variables.tf
diff --git a/.github/workflows/Veracode-Expert.yml b/.github/workflows/Veracode-Expert.yml
index ca9fbd7..a355805 100644
--- a/.github/workflows/Veracode-Expert.yml
+++ b/.github/workflows/Veracode-Expert.yml
@@ -30,6 +30,26 @@ jobs:
run: |
curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty
+ Veracode-container_iac_secrets-scan:
+ runs-on: ubuntu-latest
+ name: Veracode Container/IaC/Secrets
+
+ steps:
+ - name: checkout
+ uses: actions/checkout@v3
+
+ - name: Verracode Container/IaC/Secrets action step
+ uses: veracode/container_iac_secrets_scanning@v1.0.0
+ with:
+ vid: ${{ secrets.VeracodeID }}
+ vkey: ${{ secrets.VeracodeKey }}
+ command: "scan"
+ type: "directory"
+ source: "./"
+ format: "json"
+ debug: false
+ fail_build: true
+
Veracode_UploadAndScan:
runs-on: ubuntu-latest
needs: build
diff --git a/.github/workflows/veracode-expert.yml b/.github/workflows/veracode-expert.yml
index 11ffe6c..a355805 100644
--- a/.github/workflows/veracode-expert.yml
+++ b/.github/workflows/veracode-expert.yml
@@ -1,4 +1,4 @@
-name: Veracode_Advanced
+name: Veracode_Expert
on:
push:
branches: [ master ]
@@ -30,6 +30,26 @@ jobs:
run: |
curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty
+ Veracode-container_iac_secrets-scan:
+ runs-on: ubuntu-latest
+ name: Veracode Container/IaC/Secrets
+
+ steps:
+ - name: checkout
+ uses: actions/checkout@v3
+
+ - name: Verracode Container/IaC/Secrets action step
+ uses: veracode/container_iac_secrets_scanning@v1.0.0
+ with:
+ vid: ${{ secrets.VeracodeID }}
+ vkey: ${{ secrets.VeracodeKey }}
+ command: "scan"
+ type: "directory"
+ source: "./"
+ format: "json"
+ debug: false
+ fail_build: true
+
Veracode_UploadAndScan:
runs-on: ubuntu-latest
needs: build
@@ -42,7 +62,7 @@ jobs:
env:
VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
VeracodeKey: ${{ secrets.VeracodeKey }}
- AppName: ${{ github.repository }}
+ AppName: Github Actions - ${{ github.repository }}
with:
vid: '$VeracodeID'
vkey: '$VeracodeKey'
@@ -62,6 +82,7 @@ jobs:
with:
name: pacoteVeracode
- name: Veracode Pipeline Scan
+ continue-on-error: true
env:
VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
VKEY: ${{ secrets.VeracodeKey }}
@@ -69,4 +90,15 @@ jobs:
run: |
curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
unzip pipeline-scan-LATEST.zip
- java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true
\ No newline at end of file
+ java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true
+ - name: Converte para o formato SARIF
+ id: convert
+ uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5
+ with:
+ pipeline-results-json: results.json
+ output-results-sarif: veracode-results.sarif
+ finding-rule-level: "3:1:0"
+ - name: Publica os resultados
+ uses: github/codeql-action/upload-sarif@v2
+ with: # Path to SARIF file relative to the root of the repository
+ sarif_file: veracode-results.sarif
diff --git a/terraform/alicloud/bucket.tf b/terraform/alicloud/bucket.tf
new file mode 100644
index 0000000..831f9bc
--- /dev/null
+++ b/terraform/alicloud/bucket.tf
@@ -0,0 +1,18 @@
+resource "alicloud_oss_bucket" "bad_bucket" {
+ # Public and writeable bucket
+ # Versioning isn't enabled
+ # Not Encrypted with a Customer Master Key and no Server side encryption
+ # Doesn't have access logging enabled"
+ bucket = "wildwestfreeforall"
+ acl = "public-read-write"
+ tags = {
+ git_commit = "9c114f23d311f787c137723e1f71b27a52f0adec"
+ git_file = "terraform/alicloud/bucket.tf"
+ git_last_modified_at = "2022-04-05 15:17:55"
+ git_last_modified_by = "james.woolfenden@gmail.com"
+ git_modifiers = "james.woolfenden"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "80373049-248d-4f5e-9d25-740c3e80f2b9"
+ }
+}
diff --git a/terraform/alicloud/provider.tf b/terraform/alicloud/provider.tf
new file mode 100644
index 0000000..955c266
--- /dev/null
+++ b/terraform/alicloud/provider.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ alicloud = {
+ source = "aliyun/alicloud"
+ version = "1.162.0"
+ }
+ }
+}
+
+provider "alicloud" {
+ region = "cn-hangzhou"
+}
\ No newline at end of file
diff --git a/terraform/alicloud/rds.tf b/terraform/alicloud/rds.tf
new file mode 100644
index 0000000..70660df
--- /dev/null
+++ b/terraform/alicloud/rds.tf
@@ -0,0 +1,30 @@
+resource "alicloud_db_instance" "seeme" {
+ # Is public due to Security IPS 0.0.0.0/0
+ engine = "MySQL"
+ engine_version = "5.6"
+ instance_type = "rds.mysql.t1.small"
+ instance_storage = "10"
+ tde_status = "Enabled"
+ security_ips = [
+ "0.0.0.0",
+ "10.23.12.24/24"
+ ]
+ parameters {
+ name = "innodb_large_prefix"
+ value = "ON"
+ }
+ parameters {
+ name = "connect_timeout"
+ value = "50"
+ }
+ tags = {
+ git_commit = "c2ff052009d49c65e6af551eb1506abc73b5976c"
+ git_file = "terraform/alicloud/rds.tf"
+ git_last_modified_at = "2022-04-05 15:14:28"
+ git_last_modified_by = "james.woolfenden@gmail.com"
+ git_modifiers = "james.woolfenden"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "7bd1394e-0a79-4288-8f83-5abcca5bf1ba"
+ }
+}
diff --git a/terraform/alicloud/trail.tf b/terraform/alicloud/trail.tf
new file mode 100644
index 0000000..9e2daf8
--- /dev/null
+++ b/terraform/alicloud/trail.tf
@@ -0,0 +1,44 @@
+resource "alicloud_actiontrail_trail" "fail" {
+ # Action Trail not Logging for all regions
+ # Action Trail not Logging for all events
+ trail_name = "action-trail"
+ oss_write_role_arn = alicloud_ram_role.trail.arn
+ oss_bucket_name = alicloud_oss_bucket.trail.bucket
+ event_rw = "Read"
+ trail_region = "cn-hangzhou"
+}
+
+resource "alicloud_oss_bucket" "trail" {
+
+ tags = {
+ git_commit = "c2ff052009d49c65e6af551eb1506abc73b5976c"
+ git_file = "terraform/alicloud/trail.tf"
+ git_last_modified_at = "2022-04-05 15:14:28"
+ git_last_modified_by = "james.woolfenden@gmail.com"
+ git_modifiers = "james.woolfenden"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "9ce7077b-8195-4e71-aec6-ed1f769555dc"
+ }
+}
+
+resource "alicloud_ram_role" "trail" {
+ name = "trail"
+ document = < /tmp/dbinfo.inc
+
+EnD
+sudo mv /tmp/dbinfo.inc /var/www/inc
+sudo chown root:root /var/www/inc/dbinfo.inc
+
+cat << EnD > /tmp/index.php
+
+
+
+Sample page
+
+
+
+
+
+
+
+
+ | ID |
+ NAME |
+ ADDRESS |
+
+
+";
+ echo "",\$query_data[0], " | ",
+ "",\$query_data[1], " | ",
+ "",\$query_data[2], " | ";
+ echo "";
+}
+?>
+
+
+
+
+
+
+
+
+
+
+Error adding employee data.
");
+}
+
+/* Check whether the table exists and, if not, create it. */
+function VerifyEmployeesTable(\$connection, \$dbName) {
+ if(!TableExists("EMPLOYEES", \$connection, \$dbName))
+ {
+ \$query = "CREATE TABLE EMPLOYEES (
+ ID int(11) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
+ NAME VARCHAR(45),
+ ADDRESS VARCHAR(90)
+ )";
+
+ if(!mysqli_query(\$connection, \$query)) echo("Error creating table.
");
+ }
+}
+
+/* Check for the existence of a table. */
+function TableExists(\$tableName, \$connection, \$dbName) {
+ \$t = mysqli_real_escape_string(\$connection, \$tableName);
+ \$d = mysqli_real_escape_string(\$connection, \$dbName);
+
+ \$checktable = mysqli_query(\$connection,
+ "SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_NAME = '\$t' AND TABLE_SCHEMA = '\$d'");
+
+ if(mysqli_num_rows(\$checktable) > 0) return true;
+
+ return false;
+}
+?>
+EnD
+
+sudo mv /tmp/index.php /var/www/html
+sudo chown root:root /var/www/html/index.php
+
+
+
+EOF
+ tags = merge({
+ Name = "${local.resource_prefix.value}-dbapp"
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/db-app.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "f7999d4e-c983-43ee-bd88-7903a6f8483e"
+ })
+}
+
+output "db_app_public_dns" {
+ description = "DB Public DNS name"
+ value = aws_instance.db_app.public_dns
+}
+
+output "db_endpoint" {
+ description = "DB Endpoint"
+ value = aws_db_instance.default.endpoint
+}
+
diff --git a/terraform/aws/ec2.tf b/terraform/aws/ec2.tf
new file mode 100644
index 0000000..00e0ba9
--- /dev/null
+++ b/terraform/aws/ec2.tf
@@ -0,0 +1,308 @@
+resource "aws_instance" "web_host" {
+ # ec2 have plain text secrets in user data
+ ami = "${var.ami}"
+ instance_type = "t2.nano"
+
+ vpc_security_group_ids = [
+ "${aws_security_group.web-node.id}"]
+ subnet_id = "${aws_subnet.web_subnet.id}"
+ user_data = <Deployed via Terraform" | sudo tee /var/www/html/index.html
+EOF
+ tags = merge({
+ Name = "${local.resource_prefix.value}-ec2"
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/ec2.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "347af3cd-4f70-4632-aca3-4d5e30ffc0b6"
+ })
+}
+
+resource "aws_ebs_volume" "web_host_storage" {
+ # unencrypted volume
+ availability_zone = "${var.region}a"
+ #encrypted = false # Setting this causes the volume to be recreated on apply
+ size = 1
+ tags = merge({
+ Name = "${local.resource_prefix.value}-ebs"
+ }, {
+ git_commit = "d3439f0f2af62f6fa3521e14d6c27819ef8f12e1"
+ git_file = "terraform/aws/ec2.tf"
+ git_last_modified_at = "2021-05-02 11:17:26"
+ git_last_modified_by = "nimrodkor@users.noreply.github.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "c5509daf-10f0-46af-9e03-41989212521d"
+ })
+}
+
+resource "aws_ebs_snapshot" "example_snapshot" {
+ # ebs snapshot without encryption
+ volume_id = "${aws_ebs_volume.web_host_storage.id}"
+ description = "${local.resource_prefix.value}-ebs-snapshot"
+ tags = merge({
+ Name = "${local.resource_prefix.value}-ebs-snapshot"
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/ec2.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "c1008080-ec2f-4512-a0d0-2e9330aa58f0"
+ })
+}
+
+resource "aws_volume_attachment" "ebs_att" {
+ device_name = "/dev/sdh"
+ volume_id = "${aws_ebs_volume.web_host_storage.id}"
+ instance_id = "${aws_instance.web_host.id}"
+}
+
+resource "aws_security_group" "web-node" {
+ # security group is open to the world in SSH port
+ name = "${local.resource_prefix.value}-sg"
+ description = "${local.resource_prefix.value} Security Group"
+ vpc_id = aws_vpc.web_vpc.id
+
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = [
+ "0.0.0.0/0"]
+ }
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = [
+ "0.0.0.0/0"]
+ }
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = [
+ "0.0.0.0/0"]
+ }
+ depends_on = [aws_vpc.web_vpc]
+ tags = {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/ec2.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "b7af1b40-64eb-4519-a1a0-ab198db4b193"
+ }
+}
+
+resource "aws_vpc" "web_vpc" {
+ cidr_block = "172.16.0.0/16"
+ enable_dns_hostnames = true
+ enable_dns_support = true
+ tags = merge({
+ Name = "${local.resource_prefix.value}-vpc"
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/ec2.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "9bf2359b-952e-4570-9595-52eba4c20473"
+ })
+}
+
+resource "aws_subnet" "web_subnet" {
+ vpc_id = aws_vpc.web_vpc.id
+ cidr_block = "172.16.10.0/24"
+ availability_zone = "${var.region}a"
+ map_public_ip_on_launch = true
+
+ tags = merge({
+ Name = "${local.resource_prefix.value}-subnet"
+ }, {
+ git_commit = "6e62522d2ab8f63740e53752b84a6e99cd65696a"
+ git_file = "terraform/aws/ec2.tf"
+ git_last_modified_at = "2021-05-02 11:16:31"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "0345f650-d280-4ca8-86c9-c71c38c0eda8"
+ })
+}
+
+resource "aws_subnet" "web_subnet2" {
+ vpc_id = aws_vpc.web_vpc.id
+ cidr_block = "172.16.11.0/24"
+ availability_zone = "${var.region}b"
+ map_public_ip_on_launch = true
+
+ tags = merge({
+ Name = "${local.resource_prefix.value}-subnet2"
+ }, {
+ git_commit = "6e62522d2ab8f63740e53752b84a6e99cd65696a"
+ git_file = "terraform/aws/ec2.tf"
+ git_last_modified_at = "2021-05-02 11:16:31"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "224af03a-00e0-4981-be30-14965833c2db"
+ })
+}
+
+
+resource "aws_internet_gateway" "web_igw" {
+ vpc_id = aws_vpc.web_vpc.id
+
+ tags = merge({
+ Name = "${local.resource_prefix.value}-igw"
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/ec2.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "d8e63cb4-2fb5-4726-9c86-5fd05ef03674"
+ })
+}
+
+resource "aws_route_table" "web_rtb" {
+ vpc_id = aws_vpc.web_vpc.id
+
+ tags = merge({
+ Name = "${local.resource_prefix.value}-rtb"
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/ec2.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "5e4fee6e-a6aa-4b61-a741-47c5efb463e1"
+ })
+}
+
+resource "aws_route_table_association" "rtbassoc" {
+ subnet_id = aws_subnet.web_subnet.id
+ route_table_id = aws_route_table.web_rtb.id
+}
+
+resource "aws_route_table_association" "rtbassoc2" {
+ subnet_id = aws_subnet.web_subnet2.id
+ route_table_id = aws_route_table.web_rtb.id
+}
+
+resource "aws_route" "public_internet_gateway" {
+ route_table_id = aws_route_table.web_rtb.id
+ destination_cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.web_igw.id
+
+ timeouts {
+ create = "5m"
+ }
+}
+
+
+resource "aws_network_interface" "web-eni" {
+ subnet_id = aws_subnet.web_subnet.id
+ private_ips = ["172.16.10.100"]
+
+ tags = merge({
+ Name = "${local.resource_prefix.value}-primary_network_interface"
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/ec2.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "7e2ffea8-739f-467d-b57b-53cbc0d7ccbe"
+ })
+}
+
+# VPC Flow Logs to S3
+resource "aws_flow_log" "vpcflowlogs" {
+ log_destination = aws_s3_bucket.flowbucket.arn
+ log_destination_type = "s3"
+ traffic_type = "ALL"
+ vpc_id = aws_vpc.web_vpc.id
+
+ tags = merge({
+ Name = "${local.resource_prefix.value}-flowlogs"
+ Environment = local.resource_prefix.value
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/ec2.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "6808d4b7-45bc-4d1d-9523-96757a3add3a"
+ })
+}
+
+resource "aws_s3_bucket" "flowbucket" {
+ bucket = "${local.resource_prefix.value}-flowlogs"
+ force_destroy = true
+
+ tags = merge({
+ Name = "${local.resource_prefix.value}-flowlogs"
+ Environment = local.resource_prefix.value
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/ec2.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "f058838a-b1e0-4383-b965-7e06e987ffb1"
+ })
+}
+
+output "ec2_public_dns" {
+ description = "Web Host Public DNS name"
+ value = aws_instance.web_host.public_dns
+}
+
+output "vpc_id" {
+ description = "The ID of the VPC"
+ value = aws_vpc.web_vpc.id
+}
+
+output "public_subnet" {
+ description = "The ID of the Public subnet"
+ value = aws_subnet.web_subnet.id
+}
+
+output "public_subnet2" {
+ description = "The ID of the Public subnet"
+ value = aws_subnet.web_subnet2.id
+}
diff --git a/terraform/aws/ecr.tf b/terraform/aws/ecr.tf
new file mode 100644
index 0000000..e578bac
--- /dev/null
+++ b/terraform/aws/ecr.tf
@@ -0,0 +1,34 @@
+resource aws_ecr_repository "repository" {
+ name = "${local.resource_prefix.value}-repository"
+ image_tag_mutability = "MUTABLE"
+
+ tags = merge({
+ Name = "${local.resource_prefix.value}-repository"
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/ecr.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "7a3ec657-fa54-4aa2-8467-5d08d6c90bc2"
+ })
+}
+
+locals {
+ docker_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${aws_ecr_repository.repository.name}"
+}
+
+
+resource null_resource "push_image" {
+ provisioner "local-exec" {
+ working_dir = "${path.module}/resources"
+ command = <Yjd-xd3p``~SQC4||{@X-u)76;<+1=1Ke;liXUJ2rTDmzz{mU
zicrr$;$Yc(-E0es*X-~|RIxlPOYU0quWMfHmlNi7wl+-xVT0{J#7O_)9(8>JZk8`Y
zCsf@ycnOX=+UL2L1R`vB1_se)nSeBh=6>KCiEUB23Vd@cY$3nhtd$`Rw9Ua*#4?={
z-r?2WEk%tDG@jAYS=8NWj5$jSIxqd}T_#z`NOG?=Y*+n4Wil;QI%8m~<3p-^mlJIZ
z$GqWt@D0|GxK8Bt$xZ0?E^gwtZ}96%BW}uc2IH(4y1n(hJ-caRB5#x*+PJXH4VZMZ
zMf}MEW|jcTR*?0Z{%oST?G&Qrv)IO#y^D1Q09@98ImASeSp^{|Cqa!x;RRp;sil
zRqAI&3^|v13LU_2S7uFoIE+HV5NyG8f1Sa%+8f6ARbcaCs;8A9HO<_)M~PoEeHT-T4v~bz
zcoj}&(y@k}j6W<_c@JBY-TuT^S2gFgs4>oVyHZq4#H
zoVeLJS{d8fS^cVB|G*3wsDy#E{NKJRfN$joSW!C>UP4*jGF`FImYrG1Pt=c5U`HD0
zR;kH2d~P-g=-b|DEy%M#*oAnUPYk)1;xx*
z!#BT&Ak~w~fQIH~(hNGYz1LRp)gRC~0UjjN*LZNU0!SW!>4P~khWlR0AFx*)PiAjD
zCarq&9}xEl%jJp7I0d~!oJm86rAd705}fuvr?;!0Z##=Uj?#6nUNMf{oSS_c8Jgb&
z&GdhU%xIeBfGz|8zzJIYpn%>0h0MPOONIJ7yH7lr9}O&CA+Gp)_X#k86NtIdb80FH
zMX|{c)GZKcoYWi^bFW>CE9{{mR{nNB&;9fx&`;FC|x+D;MR1?~6kln&U^BffazCt&DP|8j0?L@?1q>fB1nm
z3`24plR9hC-NKZ-)L5RGLSwY)`x9NJJ)#w|fh$}@74;6oQrf{37fTp&ZE>tA63Yz~
z4jo-Wh(%y4u~$8+4GOAT$M%r}xTKWs!1ueXxSJ}lW!)V-UAR;f-+;W@@7%pJnVO9q
zamJ|0d|>8Q(ht!-0Zd~0HoZSii3vl$=_Cl+XZ1rc9Cjxr`}SPr^uoT_ya8Xx=s@q^
z@5Gqkx38aGw)jHe+FoBJ`uKuj<5Glg^2S+NdjyLC1G7ijdZ`?a_s3W~ca2<4ptwmE
z(TO)*bb`9G^&AqeM@Xp1W~{Z6bO0N6v~gX2M5RP=PpH?s?&DTCFLea_7Kbk{#H}XE
zT3akr@Jvj`p4@ssb%K0rbd!(7A|1DR9gilN@}p!5>5t|>$sxR)M5F8iMo@4py7bwLjf#NJTe
z8*s=^VKfEKeZ}@qH)3HIKY=z&TWOX3Op3s!NVId0L2(RKcnAq)scPq(cwBv3Dz{a#
z@Z2ym99QcTD!?+5H1M-FfD5Wc&rQ`(riSPcwn?1?hV#~t75OGC5+@FSaUgv+-4=J*
z?0~PS)lrrII)HH^C3`aV1$^Ljh?nQ5K(;VbhUweFw)h6Eewf1ub$LF&Jl6ofbNM=X
z7CmDa+BV*ix2Y0KddwdeZ)Vmm!4s<3S$wI>_cYH1g2k*nGgLUmf{%7S4c6LTKc5)Y
zt-L+CzA5{$Q?7RY_;Tor&;fmm#Lv#tEy!+vd$_Z2d^N}dr8NtE>{=JhS-f{b@?UY7
z+0yq#2!ulqH~;|YZ#Z;v_OLc}`jxUfG&W;1c~E_XOMjuz$`Il$FxQ4FQms@|eWh|P
z)QioqPU9H@??Y_E(W}pUarC;k)u*=V#9@Nt-r1Ml9EmrkEG=$IE<;J<%I;{Sv7>VH
z3byPw+f5hWhmR5CIk)9z5KqlR_4mKN$nn?j-t5N!cfo>A*quKpv=6kDpOuiV2V0f~
zu|&@V;4U2@o$0)lUDu}Qb-;v#!w!;tL&_+5%Rw4&ptQPBon#(vM72A9LWq4O(dbxSd*FY6)!{%wdXm<{=J
z;*!_1Oab1)P4@Clo*O#`^zOs7urUD
z))KR#4OG=7ayCx&OV6Pv`WZrhr_Pc=P9KPc<
zUQboC5?X7;fUP^okafX+8`en_$ncYi08*vA6vX*Dzi93%J2$4a@}N4Bv!TOh5wH9a
z=BS-;Fjts;i&AGK8#AT1nX{rv#hbHk8dZyUcDBYWG4At
zYJSM9US%YY=OVUO1NL=BBYN`P5Z$yr~G3`
z5l{x*`jrN@<13`l%ZE|W9^$_gyj~pCE=3psV373J{{DBtb2c}%F=hFEXZr=W6YYse
z0&dK1oCjey##0Nra6}Cn_2o>f(;^Mn(AJ1#&%bCtJPw6y-zJwHmF6Ar1
zPf<&0l(Q+mRy?$Cyp?2p?Y=0s!KFP1<_&B23jKB^pLHv}k&PySY59Vh>td
z+&1@>y;Z@`TWi|s>af>xh7>kX$E(l)qC{`#_V`(+yJ@Bv%=}G2a#7O~-*K{SoDq`p
z!+c)5=DGS9_QsUKyZTn5ve@9oTs7aC5E8_;ElGrGQ92>L{?IJ5;t$7*xtIpJ{fqLa
z`pV5WR>~5xjx8a~!Ht$~tt(h2eFrfZ8;F6Toe6YbRpOA!Pk^clTIAe&I#FlrLI6K-
zAf@ci$QMMVDcHJ}NLt>lfmNzmSaiD(bZWyEH990Y_4{fe|Cb_)h$dF{g5-CG;aUX1
zAMVBjBMMDV47u~%q%7HjUN0Ai*P-2lzBdOy`wi+^8|me3VW?D9&*ozdUZ0T`87mWtEU9?Sd@4_M&S0
z{W*1{kw5a|C75v50IS$Qf(Y7yYsuNzFu1-h=~16c&1v5%q1GT&hd{U0avRBID`iZ2
zwNx$C+WRP1TsOY0vW&5d3;S$^^~CGe@b>Vjc&jsJxeCDDcaB`m9pG|wjp;s81bTQ8
zPw$Lscdd97QF*&~*xsTb`;J0Q_{|w=bzs;mmAIoJ6_B|>+&FBk&y+N1E7U&IkUb+9!w{RYCEFRJ4tYy18O2oR|J}t8YjXz`1!6&lULet
zRh^>-alM*_oV2ElIL5xWPHU1ICKH{=RWJ-ss^5Mx1T#%2vs$2YOoe4Iy}L}Zsrg{%
z5a5nY8;-VF@DpERUG5#v-X}HBtQh3CTb$r~B;O)u=@y|5SQFa2Wsjp_wLheKVxM`x
zvuE(Js~<8n*bqGJg2eN-#3TLD{9^)D#VSC+C?Iqr`4tPS8-Xx|fehe3`VS-zEI(;qFKntvt=M*Lv&|Dx4NP
z)SdL_?_VFw%x3k4s!b=Y(yw&}Z-3m1TBdh+`;SteUmavCb=2;0kR_dsL49c#bNdL{
zF&zcNTC%FrM$>8uHc5V;!I{RmmPEm{>p(3`!@d$bg{UKLy593CLg7};or5~}eL<)T
z16Iyd<)h-Ydu;Tq;)m9Xwv18)sDz*Hbb8U^sd7aJI)djLm2<~F2WoEGsnE2`v$#eI
zW&|oOxGDz7Vwn0Lg7lZuwWgi5rj?IU^K_&f_TX7dAVd-K~)+t%QL=oj&AI&<$8i2FS$Ul+t
zs6E)09y-Ua)N0&H;K*?lje=$+Nlw$^Pfe{lHNbECv(XZ^nV#Z})lZBA-2O#(=vIn3
zU7XLVEv|U7*|zs?Mk#nWb)gbTe0qtBqtI;eXFj2R
zFpy+ApgQvpyR-LFScI(Os$?sY_;0IL*}s&1*(9oZO3rbe6b^9hBqmOf-h3p^>dm@b{}VW)%dg$0|~Cuaz=07
zF|$Bg8N`oHrFCwS`B5imi~SEpU+9nKoD&a2`M)8RUy0Av(HGi2D>6A&SuwXFqtAQD
zb!^XljD+ZAWy%?6f2-Z0*dI|}ud>>}!3c|}G{<#s<08c)cv(dwJe)PI<08U%ESGiv
zFuK+;ZwBM$FW_nK%To+IP!_XGrJ#M7As9~LGK^eH)Q*PT?BJzgdi9~RhFOPA%y1m>YNl?S`xYK%SC=pDJxqih+*tLP!m9zTHT8BIyLT2v1$GN0}4F--)cMMf$Z
zjN>$JKkRhrEqgnhqmgDkHjd_M+qhZ=n>7m3LUtY$=uY`*@@-%<97}Iq_-MFz>ECR!0@&A!fU0_t2BO+v}tw2
zL(8ys@x#!&EH2|_FPrb|xF_8#g>B&lV{}Lf>537I5iSu0F|_I%uUES@Io{=p-`6j1
zjp)xJ4huZjiE~`5b4ZF_AHE;GZIcp&F^i%1)n?%WAl11Gm
z-7k3Yy8mX+(W5PRfcQ_4k-WoY=~vP|gu4`%_A92Pf24~@rh
zlFhGA*7c{1m)}WDr4E)$ADR$YYPhLh)8zY{n@sE!o<-j`abR!pt^2MEg2slkAvifP
z^s`;sV$|(AcBS)L@z{+dbyT>j11kP;^QQl?n5bj>LM>7C_KEeG_H0p6@dL@m5a8ji
z>cL0xMWEGM=sAByb5$NHFzk?W;Cu1zrM&VJ7BiON6(Lr@$i$DjM-8U3XJW=cx9_hD
zfhDXx6$E6@PW&tMQa785iAtGHjXYQ0)gSeleyY)dht+B0UaVTRx
zPU1c_b8Nr=arW{N@(R3$x7$W68ST#Sg#NRiyz(=y^DdF!4W9l(Gs>68Wp4MxRjK!r
zoRAAz_DJEJDSF~Y(b83UwSy5>xD~bg_)W8EU|d8Zs9^bE;Oofv(z&vx3GVeW!P#4A
zgzjl&Va-j0IHPp=1vP`{_as*8s^ylds27^-auxJ&xQ7>?xg+dhO9i-;MVkBlqd1jJ
z6FQnD=?i!uVfYA>Y8UuR8(lxs(jhlm20|E0f}5)c(%~W>UWoIEB*YAYIr9@jdf;8F
z(LQcPmNv-*V}@;s!UWlGz@ExgMuPh!DwL}0k`{ah%RBaC{U%ruzY75d#%c2gHFp(4
z6x}Bqo=P?o)Rzb(3Lj|$T^1X1ODqQf8tk)%4M+YBpHRr57$RKOww_cXPJmUiOa
z1U356M41mw;Z}<^C0ULRcRI4mHbtxjNOxSph%vM)aIxW05L8Dk!zbw;;>)}KdpVX!UtL$waBKeCm|B3ga(EdqM`h)
zkCc?xSvA*$Oo>w(D7l{jmB227`u#=+p`29CL^~xUCDyP6W&j)`&u^|m)k3OwXi71@
zpFhwMhb)0f5m@?p4r6@`Ao^_t|mSQn1
z;*_gkm;iWrt(9$&6Ey~@S)&3#7_)3#RXjo?v3X(j=EJ;fTtybjo_vc*|X{du*j?|gFTJY(f60`vI<#a9RVbUO1)5_S@NYr
zKhwiNt#T;2o#+5XV@A4$9`XgtybmJBvJ*O3t9ByHhyjWHI;NunOz(ag)8*MCP@4LY
zE|i%b)QVd)7B)8QUf?3GGuLoh-Nra1u&t}7_v-{Y-lZ_TJ20Xv!lcGu{=d~Myw>k6U)?^}&Va*Bq$JVU~ajKOb{G)fU{lAzkaR+p{!2oR~zKAV?n`HMxN
z>MSk}2aAe0YL&}b2{j%w(+VfD}0N*IL{m6ZkbOC-$)Yuw|;)@wtY#iIOdh)Mn;69x(<{AR-?1RhV
zk-A?S;KS9IqD{GnymtsHm5Ob*&`h?zBf&HdQugTvr3)!gT&siPy5mDkVMWQtQFVxJ
zB0hO81Ndx|3pf`O9%)#q7)CH{MUR#>kE(u+6f!bs0
z{tWi$vx^1<`1mvne6rt8N-I-Lrx(m;8v^Qpi~>QK{!?ZBMUGovC`4#M3AFfg!*TAc
zlshc#+*}qI`#z=LZ;Q??rV;^Ka*yR&5jjS9od-%9y?D9@S-sSesZ>_joNYFv_Qc@u
zY^LVBF420pQE`MtWoWAfpzt_k3@pS%9Z<_-gQTI@8m@G$2?62xq1-+xJxki=vHZpy
z($NSs+eKw6u}MEPYk&X2K~^Q9SRibb)@*eG)h=ZLqTlzhqA)263J5m;J_;#8;HX+{
z639=5euhQxk8Xojw3P5ZwXnT3VAdm+AeRcRPw0S30@#RA8UC&0p)BBcvQXk&%Q(4C
zkrG!b2>OT*LE{DrU_o^l>05IZ8{{&4Pj~2F)eu>AzJ+e2j2^qb&NH$cdKOMIcsB?P
zZK*2&;sp_XTs^vI=&^U{78>B;hb()O7dW{MO2nBTBt%glP}$a7#EiLa$(!Igu`Fc{
z{qnSVOeFImZ`F-7)36poDm}SwV~onFLo1>8AklTSAUD0+BCTd{
zrwbRl>omJp^h-ilhK&=+&tS9&3x$X?L0u@c@G!kUVD{Ggv7|SB$l+Xp;I@tT3M}Eo5_~W@|OSm57%P`%@ecnaQRuq
zcYl9Nb!?{Lw!2x^pw*Z=Ux?+cu7p?nEtc(~8D^`gnv}zW-mi8wMw`s9S=|%K46aUB
z6LsEJRUn;-c1<>Gp|M`G6^*>hSjhx$YLkUhZv?eEZat1>s9S?7Z_+vX5n9D)~u>2{h!(_+Qt1-PE(p7*3ar?^mbMU_N`$?Uv7&tO}`4?d6KFXIh8J?c2rCY4jGwx8QbxeQj
zi(pCeQ#JPPZiEtpCXR;wyOwg8iUG;Zckga8Uxyl1vI&fAynfoRoGi0v5E36*QYm;@
zJv8~l@$DNvUCnSkTid+#@Q2xUUGcWF6F!$W+KM3_%XU$Mn}errq^q&ac`Pfy;AJH0
z49N11$6kfmN8e^+c(aN-qDQL*eBr?Us%Hijfldvs{@4dc?>^IJ5}M+v8dqPtz_>!C
zQKIKxGoZ5vNvc66iM7%T)X3oNn1$+`4X;#AIiG~ZNE)#-Ha$#T*FCG0Y^jPypKNp!
z&gSg(da7XUcSP03cq{0qsC}&|eGvq4XMoc7$1j(~6jJTU5cSu+T
zmBlp|bt=+FdSzIUG1lIcGfDDwTc=y}27+k`mBI(oxAHamk`qfCijy!+msz(XC>
zCYP=F-Po2%!v+Ubr2Hmr!Vt7^Wea0Q_(Cqm08-?TZa8+C4%`wG3ApzbTY0D7
z0FyY3rID0YY{G;OtV4R}wn|AC)4Xphvr_|%SO_K9var*YlR_mY>F>2hnK;*+@}kKp
zYwz>J>@~OqJOEQ{D!xz-!vUx%gq^1n+D*;qU%iGLVS>*YZ(Ee`r~4k=
zU{>F#*yuF1(WhU~ON0evy{{R?^_?Rc=^nz(Iw=~)VJ{JD)O5%pHPPqCP9)+W(@9#;
zt8(>@vdEFGyP1fjd=lwA3?tq*Ld(u@5pZ$}gRRVk667a)eV}&FeZVxHMYS=Iw`wJg>aIi+9IgJl9tavB)_Ltw}o@g;(qf4r6luSxd_jE*Bqc4SXF*3
zUFc3xlS-L?>V&jRsMZ-d9Sd{?*Ly=oBy+Sdyr?;nh()6hKHC-<9ec+dw3T)T0c;~k
zG7Eh?V+;zy(^^n>0q)u&mYq{NG6bkEAm58~LzlWii^>IYS0Pmul%sTRG|?;pd(9OM
z1<(qRTzx4ecKfjMa}M=LJ)M1N0!ti%8}q`9uHH{QVY$Zu@<-p
zMFv_TddVe84~ZU)$Oz3B9=WfJ54p?8=;el2Cx$oQtK^e!f?nuDY$OmNp_>VRTs!oONpe>@#f6^TkPknd;3{IUtvEk5Fv`GR*Ow(38cO$cvG+ZFuH6@g1u_VapI
zr$zhxD5kfS^5buwWP6%8#R=3A+#E3
zSy&twP>YZR@Yektz^%7rN6{BB&A;o3vo=}7B&-bcC*d&IP`bRBH?`!QWZ8lhJ9r0E
zf#{a`Ef66SG7{31A1La6vbvybA&MiRC)M+Wqd%Rx7#2LcQ2becZg90Y^Y1*$~y5F^y1(
zaGlG_a($Gg3%$n<#TO}y;934-?Kbb0f2>@HG0h%Td%FRPO8TG$;h=V!esvy5m#cjk!OmgsRzSl&w*71
z%kGG>LQHw~>tX}4*;an)I-8kcW!Jz#1=wWuoYF#pNZ$4iT+}UL2~!s_A|KUv_GI2>
z^NobPeCFggXSC;>G1^>=5{)gbNXDSF9|H3%_Q}Ew;m;Wl*0kZY~&%*pu&!1$xzcihL
z=y`uo^Zpe6lR@;Cup8oU;lKDqe~SLeiTF!&3&aTo_4_A7;!g#Cp6dLizyRl;hX2PI
z&!1ZU+&cWFMTF{aBlvS8@u!A=ucv>>0{}Mk0Kk7#*FVMoJrn+`_!Z;7i2pq=D$7HG
TW)}c}2mSm&1-#`~dIkJHn#9Rb
literal 0
HcmV?d00001
diff --git a/terraform/aws/resources/lambda_function_payload.zip b/terraform/aws/resources/lambda_function_payload.zip
new file mode 100644
index 0000000000000000000000000000000000000000..63baca3283787583716d1e347288a2f128211cb5
GIT binary patch
literal 195
zcmWIWW@h1H0D*HmYXV*@Iy_kx$Od5!1{sFTyp+@my{zKU5KabWMM=||iz~pJkx7mjmjx0)?F;RaSRvM-Sry>T$_7%$2!wt>Iv&Jf008)gDNFzW
literal 0
HcmV?d00001
diff --git a/terraform/aws/s3.tf b/terraform/aws/s3.tf
new file mode 100644
index 0000000..a2a2ed7
--- /dev/null
+++ b/terraform/aws/s3.tf
@@ -0,0 +1,141 @@
+resource "aws_s3_bucket" "data" {
+ # bucket is public
+ # bucket is not encrypted
+ # bucket does not have access logs
+ # bucket does not have versioning
+ bucket = "${local.resource_prefix.value}-data"
+ force_destroy = true
+ tags = merge({
+ Name = "${local.resource_prefix.value}-data"
+ Environment = local.resource_prefix.value
+ }, {
+ git_commit = "4d57f83ca4d3a78a44fb36d1dcf0d23983fa44f5"
+ git_file = "terraform/aws/s3.tf"
+ git_last_modified_at = "2022-05-18 07:08:06"
+ git_last_modified_by = "nimrod@bridgecrew.io"
+ git_modifiers = "34870196+LironElbaz/nimrod/nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "0874007d-903a-4b4c-945f-c9c233e13243"
+ })
+}
+
+resource "aws_s3_bucket_object" "data_object" {
+ bucket = aws_s3_bucket.data.id
+ key = "customer-master.xlsx"
+ source = "resources/customer-master.xlsx"
+ tags = merge({
+ Name = "${local.resource_prefix.value}-customer-master"
+ Environment = local.resource_prefix.value
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/s3.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "a7f01cc7-63c2-41a8-8555-6665e5e39a64"
+ })
+}
+
+resource "aws_s3_bucket" "financials" {
+ # bucket is not encrypted
+ # bucket does not have access logs
+ # bucket does not have versioning
+ bucket = "${local.resource_prefix.value}-financials"
+ acl = "private"
+ force_destroy = true
+ tags = merge({
+ Name = "${local.resource_prefix.value}-financials"
+ Environment = local.resource_prefix.value
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/s3.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "0e012640-b597-4e5d-9378-d4b584aea913"
+ })
+
+}
+
+resource "aws_s3_bucket" "operations" {
+ # bucket is not encrypted
+ # bucket does not have access logs
+ bucket = "${local.resource_prefix.value}-operations"
+ acl = "private"
+ versioning {
+ enabled = true
+ }
+ force_destroy = true
+ tags = merge({
+ Name = "${local.resource_prefix.value}-operations"
+ Environment = local.resource_prefix.value
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/s3.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "29efcf7b-22a8-4bd6-8e14-1f55b3a2d743"
+ })
+}
+
+resource "aws_s3_bucket" "data_science" {
+ # bucket is not encrypted
+ bucket = "${local.resource_prefix.value}-data-science"
+ acl = "private"
+ versioning {
+ enabled = true
+ }
+ logging {
+ target_bucket = "${aws_s3_bucket.logs.id}"
+ target_prefix = "log/"
+ }
+ force_destroy = true
+ tags = {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/s3.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "9a7c8788-5655-4708-bbc3-64ead9847f64"
+ }
+}
+
+resource "aws_s3_bucket" "logs" {
+ bucket = "${local.resource_prefix.value}-logs"
+ acl = "log-delivery-write"
+ versioning {
+ enabled = true
+ }
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "aws:kms"
+ kms_master_key_id = "${aws_kms_key.logs_key.arn}"
+ }
+ }
+ }
+ force_destroy = true
+ tags = merge({
+ Name = "${local.resource_prefix.value}-logs"
+ Environment = local.resource_prefix.value
+ }, {
+ git_commit = "d68d2897add9bc2203a5ed0632a5cdd8ff8cefb0"
+ git_file = "terraform/aws/s3.tf"
+ git_last_modified_at = "2020-06-16 14:46:24"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "01946fe9-aae2-4c99-a975-e9b0d3a4696c"
+ })
+}
diff --git a/terraform/azure/aks.tf b/terraform/azure/aks.tf
new file mode 100644
index 0000000..ebb613b
--- /dev/null
+++ b/terraform/azure/aks.tf
@@ -0,0 +1,35 @@
+resource azurerm_kubernetes_cluster "k8s_cluster" {
+ dns_prefix = "terragoat-${var.environment}"
+ location = var.location
+ name = "terragoat-aks-${var.environment}"
+ resource_group_name = azurerm_resource_group.example.name
+ identity {
+ type = "SystemAssigned"
+ }
+ default_node_pool {
+ name = "default"
+ vm_size = "Standard_D2_v2"
+ node_count = 2
+ }
+ addon_profile {
+ oms_agent {
+ enabled = false
+ }
+ kube_dashboard {
+ enabled = true
+ }
+ }
+ role_based_access_control {
+ enabled = false
+ }
+ tags = {
+ git_commit = "898d5beaec7ffdef6df0d7abecff407362e2a74e"
+ git_file = "terraform/azure/aks.tf"
+ git_last_modified_at = "2020-06-17 12:59:55"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "6103d111-864e-42e5-899c-1864de281fd1"
+ }
+}
\ No newline at end of file
diff --git a/terraform/azure/app_service.tf b/terraform/azure/app_service.tf
new file mode 100644
index 0000000..fa4f23e
--- /dev/null
+++ b/terraform/azure/app_service.tf
@@ -0,0 +1,64 @@
+resource azurerm_app_service_plan "example" {
+ name = "terragoat-app-service-plan-${var.environment}"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ sku {
+ tier = "Dynamic"
+ size = "S1"
+ }
+ tags = {
+ git_commit = "898d5beaec7ffdef6df0d7abecff407362e2a74e"
+ git_file = "terraform/azure/app_service.tf"
+ git_last_modified_at = "2020-06-17 12:59:55"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "6611bf45-fd5b-467e-b119-d533cd7539b8"
+ }
+}
+
+resource azurerm_app_service "app-service1" {
+ app_service_plan_id = azurerm_app_service_plan.example.id
+ location = var.location
+ name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"
+ resource_group_name = azurerm_resource_group.example.name
+ https_only = false
+ site_config {
+ min_tls_version = "1.1"
+ }
+ tags = {
+ git_commit = "81738b80d571fa3034633690d13ffb460e1e7dea"
+ git_file = "terraform/azure/app_service.tf"
+ git_last_modified_at = "2020-06-19 21:14:50"
+ git_last_modified_by = "Adin.Ermie@outlook.com"
+ git_modifiers = "Adin.Ermie/nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "13be096d-c599-46e5-bf54-51c6e9732858"
+ }
+}
+
+resource azurerm_app_service "app-service2" {
+ app_service_plan_id = azurerm_app_service_plan.example.id
+ location = var.location
+ name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"
+ resource_group_name = azurerm_resource_group.example.name
+ https_only = true
+
+ auth_settings {
+ enabled = false
+ }
+ tags = {
+ git_commit = "5c6b5d60a8aa63a5d37e60f15185d13a967f0542"
+ git_file = "terraform/azure/app_service.tf"
+ git_last_modified_at = "2021-05-02 10:06:10"
+ git_last_modified_by = "nimrodkor@users.noreply.github.com"
+ git_modifiers = "Adin.Ermie/nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "ec8295ab-af68-4cff-b0f1-b0cf5eaf1b75"
+ }
+}
+
diff --git a/terraform/azure/application_gateway.tf b/terraform/azure/application_gateway.tf
new file mode 100644
index 0000000..e66945b
--- /dev/null
+++ b/terraform/azure/application_gateway.tf
@@ -0,0 +1,66 @@
+resource "azurerm_application_gateway" "network" {
+ name = "example-appgateway"
+ resource_group_name = "example-resourceGroup"
+ location = "example --West-US"
+
+ sku {
+ name = "Standard_Small"
+ tier = "Standard"
+ capacity = 2
+ }
+
+ gateway_ip_configuration {
+ name = "my-gateway-ip-configuration"
+ subnet_id = "your subnet id"
+ }
+
+ frontend_port {
+ name = "name"
+ port = "port-no"
+ }
+ ####Missing WAF block: As per azure best practices, it is important to have a web application firewall enabled at application gateway.
+
+
+ frontend_ip_configuration {
+ name = "name"
+ public_ip_address_id = "Ip-address"
+ }
+
+ backend_address_pool {
+ name = local.backend_address_pool_name
+ }
+
+ backend_http_settings {
+ name = local.http_setting_name
+ cookie_based_affinity = "Disabled"
+ path = "/path1/"
+ port = 80
+ protocol = "Http"
+ request_timeout = 60
+ }
+
+ http_listener {
+ name = local.listener_name
+ frontend_ip_configuration_name = local.frontend_ip_configuration_name
+ frontend_port_name = local.frontend_port_name
+ protocol = "Http"
+ }
+
+ request_routing_rule {
+ name = local.request_routing_rule_name
+ rule_type = "Basic"
+ http_listener_name = local.listener_name
+ backend_address_pool_name = local.backend_address_pool_name
+ backend_http_settings_name = local.http_setting_name
+ }
+ tags = {
+ git_commit = "b07a42ebd74b8f0ba647e20b872474b1c29b4814"
+ git_file = "terraform/azure/application_gateway.tf"
+ git_last_modified_at = "2021-05-02 10:08:55"
+ git_last_modified_by = "nimrodkor@users.noreply.github.com"
+ git_modifiers = "harkiratbhardwaj/nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "3f62753b-3d20-4fa7-b402-b780234a14d8"
+ }
+}
diff --git a/terraform/azure/instance.tf b/terraform/azure/instance.tf
new file mode 100644
index 0000000..225872b
--- /dev/null
+++ b/terraform/azure/instance.tf
@@ -0,0 +1,77 @@
+resource random_string "password" {
+ length = 16
+ special = false
+ min_lower = 1
+ min_numeric = 1
+ min_upper = 1
+}
+
+resource azurerm_linux_virtual_machine "linux_machine" {
+ admin_username = "terragoat-linux"
+ admin_password = random_string.password.result
+ location = var.location
+ name = "terragoat-linux"
+ network_interface_ids = [azurerm_network_interface.ni_linux.id]
+ resource_group_name = azurerm_resource_group.example.name
+ size = "Standard_F2"
+ disable_password_authentication = false
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "16.04-LTS"
+ version = "latest"
+ }
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+
+ tags = merge({
+ terragoat = true
+ environment = var.environment
+ }, {
+ git_commit = "de3bb777f967989c2c3332faea16cb614c55ccc9"
+ git_file = "terraform/azure/instance.tf"
+ git_last_modified_at = "2020-06-17 15:48:15"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "736ef713-51b8-4178-ad69-406be81f6ef2"
+ })
+}
+
+resource azurerm_windows_virtual_machine "windows_machine" {
+ admin_password = random_string.password.result
+ admin_username = "tg-${var.environment}"
+ location = var.location
+ name = "tg-win"
+ network_interface_ids = [azurerm_network_interface.ni_win.id]
+ resource_group_name = azurerm_resource_group.example.name
+ size = "Standard_F2"
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2016-Datacenter"
+ version = "latest"
+ }
+
+ tags = merge({
+ terragoat = true
+ environment = var.environment
+ }, {
+ git_commit = "de3bb777f967989c2c3332faea16cb614c55ccc9"
+ git_file = "terraform/azure/instance.tf"
+ git_last_modified_at = "2020-06-17 15:48:15"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "41938587-bdfc-4234-b941-560f1ae7d6c0"
+ })
+}
\ No newline at end of file
diff --git a/terraform/azure/key_vault.tf b/terraform/azure/key_vault.tf
new file mode 100644
index 0000000..7f2be4a
--- /dev/null
+++ b/terraform/azure/key_vault.tf
@@ -0,0 +1,72 @@
+resource "azurerm_key_vault" "example" {
+ name = "terragoat-key-${var.environment}${random_integer.rnd_int.result}"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ sku_name = "premium"
+ access_policy {
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_client_config.current.object_id
+ key_permissions = [
+ "create",
+ "get",
+ ]
+ secret_permissions = [
+ "set",
+ ]
+ }
+ tags = merge({
+ environment = var.environment
+ terragoat = true
+ }, {
+ git_commit = "81738b80d571fa3034633690d13ffb460e1e7dea"
+ git_file = "terraform/azure/key_vault.tf"
+ git_last_modified_at = "2020-06-19 21:14:50"
+ git_last_modified_by = "Adin.Ermie@outlook.com"
+ git_modifiers = "Adin.Ermie/nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "79afeacc-248a-4015-a4fa-76a6a57f06e2"
+ })
+}
+
+resource "azurerm_key_vault_key" "generated" {
+ name = "terragoat-generated-certificate-${var.environment}"
+ key_vault_id = azurerm_key_vault.example.id
+ key_type = "RSA"
+ key_size = 2048
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ "sign",
+ "unwrapKey",
+ "verify",
+ "wrapKey",
+ ]
+ tags = {
+ git_commit = "898d5beaec7ffdef6df0d7abecff407362e2a74e"
+ git_file = "terraform/azure/key_vault.tf"
+ git_last_modified_at = "2020-06-17 12:59:55"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "afbc6e13-63d9-4e6c-8914-d58b7744b5dd"
+ }
+}
+
+resource "azurerm_key_vault_secret" "secret" {
+ key_vault_id = azurerm_key_vault.example.id
+ name = "terragoat-secret-${var.environment}"
+ value = random_string.password.result
+ tags = {
+ git_commit = "f8ff847bb69370bbe03b3d2b70db586ff6c867fc"
+ git_file = "terraform/azure/key_vault.tf"
+ git_last_modified_at = "2020-06-19 21:16:08"
+ git_last_modified_by = "Adin.Ermie@outlook.com"
+ git_modifiers = "Adin.Ermie/nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "40517524-f05d-485b-bfbe-3fa0dbee511e"
+ }
+}
\ No newline at end of file
diff --git a/terraform/azure/logging.tf b/terraform/azure/logging.tf
new file mode 100644
index 0000000..b7854fb
--- /dev/null
+++ b/terraform/azure/logging.tf
@@ -0,0 +1,10 @@
+resource azurerm_monitor_log_profile "logging_profile" {
+ storage_account_id = azurerm_storage_account.example.id
+ categories = ["Action"]
+ locations = [var.location]
+ name = "terragoat-${var.environment}"
+ retention_policy {
+ enabled = true
+ days = 30
+ }
+}
\ No newline at end of file
diff --git a/terraform/azure/mssql.tf b/terraform/azure/mssql.tf
new file mode 100644
index 0000000..1c7f1f9
--- /dev/null
+++ b/terraform/azure/mssql.tf
@@ -0,0 +1,248 @@
+resource "azurerm_storage_account" "security_storage_account" {
+ name = "securitystorageaccount-${var.environment}${random_integer.rnd_int.result}"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+ enable_https_traffic_only = true
+ tags = {
+ git_commit = "a1d1c1ce31a1bde6dafa188846d90eca82abe5fd"
+ git_file = "terraform/azure/mssql.tf"
+ git_last_modified_at = "2022-01-20 05:32:41"
+ git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com"
+ git_modifiers = "28880387+tsmithv11"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "4b504d4d-608c-45fe-ae56-807bde6d969f"
+ }
+}
+
+resource "azurerm_mssql_server" "mssql1" {
+ name = "terragoat-mssql1-${var.environment}${random_integer.rnd_int.result}"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ version = "12.0"
+ administrator_login = "missadministrator"
+ administrator_login_password = "AdminPassword123!"
+ tags = {
+ git_commit = "c6f8caa51942284d02465518822685897ad90141"
+ git_file = "terraform/azure/mssql.tf"
+ git_last_modified_at = "2022-01-20 18:41:19"
+ git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com"
+ git_modifiers = "28880387+tsmithv11"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "54f6cb23-b30a-4f1d-8064-6f777b9b75db"
+ }
+}
+
+resource "azurerm_mssql_server" "mssql2" {
+ name = "mssql2-${var.environment}${random_integer.rnd_int.result}"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ version = "12.0"
+ administrator_login = "missadministrator"
+ administrator_login_password = "AdminPassword123!"
+ tags = {
+ git_commit = "c6f8caa51942284d02465518822685897ad90141"
+ git_file = "terraform/azure/mssql.tf"
+ git_last_modified_at = "2022-01-20 18:41:19"
+ git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com"
+ git_modifiers = "28880387+tsmithv11"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "096d2cf2-6d47-41b2-9418-cdedea85e184"
+ }
+}
+
+resource "azurerm_mssql_server" "mssql3" {
+ name = "mssql3-${var.environment}${random_integer.rnd_int.result}"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ version = "12.0"
+ administrator_login = "missadministrator"
+ administrator_login_password = "AdminPassword123!"
+ tags = {
+ git_commit = "c6f8caa51942284d02465518822685897ad90141"
+ git_file = "terraform/azure/mssql.tf"
+ git_last_modified_at = "2022-01-20 18:41:19"
+ git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com"
+ git_modifiers = "28880387+tsmithv11"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "e71d3fb5-addc-481d-ada6-b7432a768de3"
+ }
+}
+
+resource "azurerm_mssql_server" "mssql4" {
+ name = "mssql4-${var.environment}${random_integer.rnd_int.result}"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ version = "12.0"
+ administrator_login = "missadministrator"
+ administrator_login_password = "AdminPassword123!"
+ tags = {
+ git_commit = "c6f8caa51942284d02465518822685897ad90141"
+ git_file = "terraform/azure/mssql.tf"
+ git_last_modified_at = "2022-01-20 18:41:19"
+ git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com"
+ git_modifiers = "28880387+tsmithv11"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "c3b85724-4f7e-4c63-a17d-3d04239beae8"
+ }
+}
+
+resource "azurerm_mssql_server" "mssql5" {
+ name = "mssql5-${var.environment}${random_integer.rnd_int.result}"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ version = "12.0"
+ administrator_login = "missadministrator"
+ administrator_login_password = "AdminPassword123!"
+ tags = {
+ git_commit = "c6f8caa51942284d02465518822685897ad90141"
+ git_file = "terraform/azure/mssql.tf"
+ git_last_modified_at = "2022-01-20 18:41:19"
+ git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com"
+ git_modifiers = "28880387+tsmithv11"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "0240ca84-acc9-47d9-b491-9e7e359787a1"
+ }
+}
+
+resource "azurerm_mssql_server" "mssql6" {
+ name = "mssql6-${var.environment}${random_integer.rnd_int.result}"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ version = "12.0"
+ administrator_login = "missadministrator"
+ administrator_login_password = "AdminPassword123!"
+ tags = {
+ git_commit = "c6f8caa51942284d02465518822685897ad90141"
+ git_file = "terraform/azure/mssql.tf"
+ git_last_modified_at = "2022-01-20 18:41:19"
+ git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com"
+ git_modifiers = "28880387+tsmithv11"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "042d15fb-edfa-484b-b65e-3d70c50cdee7"
+ }
+}
+
+resource "azurerm_mssql_server" "mssql7" {
+ name = "mssql7-${var.environment}${random_integer.rnd_int.result}"
+ resource_group_name = azurerm_resource_group.example.name
+ location = azurerm_resource_group.example.location
+ version = "12.0"
+ administrator_login = "missadministrator"
+ administrator_login_password = "AdminPassword123!"
+ tags = {
+ git_commit = "c6f8caa51942284d02465518822685897ad90141"
+ git_file = "terraform/azure/mssql.tf"
+ git_last_modified_at = "2022-01-20 18:41:19"
+ git_last_modified_by = "28880387+tsmithv11@users.noreply.github.com"
+ git_modifiers = "28880387+tsmithv11"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "3f1118e1-5067-452e-906f-5123cfc93711"
+ }
+}
+
+resource "azurerm_mssql_server_security_alert_policy" "alertpolicy1" {
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_mssql_server.mssql1.name
+ state = "Enabled"
+ storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint
+ storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key
+ disabled_alerts = [
+ "Sql_Injection",
+ "Data_Exfiltration"
+ ]
+ retention_days = 20
+ email_addresses = ["securityengineer@bridgecrew.io"]
+}
+
+resource "azurerm_mssql_server_security_alert_policy" "alertpolicy2" {
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_mssql_server.mssql2.name
+ state = "Enabled"
+ storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint
+ storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key
+ disabled_alerts = [
+ "Sql_Injection",
+ "Data_Exfiltration"
+ ]
+ retention_days = 20
+ email_addresses = ["securityengineer@bridgecrew.io"]
+}
+
+resource "azurerm_mssql_server_security_alert_policy" "alertpolicy3" {
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_mssql_server.mssql3.name
+ state = "Enabled"
+ storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint
+ storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key
+ disabled_alerts = [
+ "Sql_Injection",
+ "Data_Exfiltration"
+ ]
+ retention_days = 20
+ email_addresses = ["securityengineer@bridgecrew.io"]
+}
+
+resource "azurerm_mssql_server_security_alert_policy" "alertpolicy4" {
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_mssql_server.mssql4.name
+ state = "Enabled"
+ storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint
+ storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key
+ disabled_alerts = [
+ "Sql_Injection",
+ "Data_Exfiltration"
+ ]
+ retention_days = 20
+ email_addresses = ["securityengineer@bridgecrew.io"]
+}
+
+resource "azurerm_mssql_server_security_alert_policy" "alertpolicy5" {
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_mssql_server.mssql5.name
+ state = "Enabled"
+ storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint
+ storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key
+ disabled_alerts = [
+ "Sql_Injection",
+ "Data_Exfiltration"
+ ]
+ retention_days = 20
+}
+
+resource "azurerm_mssql_server_security_alert_policy" "alertpolicy6" {
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_mssql_server.mssql6.name
+ state = "Enabled"
+ storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint
+ storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key
+ disabled_alerts = [
+ "Sql_Injection",
+ "Data_Exfiltration"
+ ]
+ retention_days = 20
+ email_addresses = ["securityengineer@bridgecrew.io"]
+}
+
+resource "azurerm_mssql_server_security_alert_policy" "alertpolicy7" {
+ resource_group_name = azurerm_resource_group.example.name
+ server_name = azurerm_mssql_server.mssql7.name
+ state = "Enabled"
+ storage_endpoint = azurerm_storage_account.security_storage_account.primary_blob_endpoint
+ storage_account_access_key = azurerm_storage_account.security_storage_account.primary_access_key
+ disabled_alerts = [
+ "Sql_Injection",
+ "Data_Exfiltration"
+ ]
+ retention_days = 20
+ email_addresses = ["securityengineer@bridgecrew.io"]
+}
diff --git a/terraform/azure/networking.tf b/terraform/azure/networking.tf
new file mode 100644
index 0000000..ab01c60
--- /dev/null
+++ b/terraform/azure/networking.tf
@@ -0,0 +1,145 @@
+resource "azurerm_virtual_network" "example" {
+ name = "terragoat-vn-${var.environment}"
+ address_space = ["10.0.0.0/16"]
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ tags = {
+ git_commit = "898d5beaec7ffdef6df0d7abecff407362e2a74e"
+ git_file = "terraform/azure/networking.tf"
+ git_last_modified_at = "2020-06-17 12:59:55"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "eb19f165-9c21-4a7a-96e5-5bb557a38228"
+ }
+}
+
+resource "azurerm_subnet" "example" {
+ name = "terragoat-${var.environment}"
+ resource_group_name = azurerm_resource_group.example.name
+ virtual_network_name = azurerm_virtual_network.example.name
+ address_prefixes = ["10.0.0.0/24"]
+}
+
+resource "azurerm_network_interface" "ni_linux" {
+ name = "terragoat-linux-${var.environment}"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.example.id
+ private_ip_address_allocation = "Dynamic"
+ }
+ tags = {
+ git_commit = "de3bb777f967989c2c3332faea16cb614c55ccc9"
+ git_file = "terraform/azure/networking.tf"
+ git_last_modified_at = "2020-06-17 15:48:15"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "2647f099-dff8-4514-8cef-96159380c02a"
+ }
+}
+
+resource "azurerm_network_interface" "ni_win" {
+ name = "terragoat-win-${var.environment}"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.example.id
+ private_ip_address_allocation = "Dynamic"
+ }
+ tags = {
+ git_commit = "de3bb777f967989c2c3332faea16cb614c55ccc9"
+ git_file = "terraform/azure/networking.tf"
+ git_last_modified_at = "2020-06-17 15:48:15"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "2b5dbf28-04fb-4151-a637-a731bbe7ed1d"
+ }
+}
+
+resource azurerm_network_security_group "bad_sg" {
+ location = var.location
+ name = "terragoat-${var.environment}"
+ resource_group_name = azurerm_resource_group.example.name
+
+ security_rule {
+ access = "Allow"
+ direction = "Inbound"
+ name = "AllowSSH"
+ priority = 200
+ protocol = "TCP"
+ source_address_prefix = "*"
+ source_port_range = "*"
+ destination_port_range = "22-22"
+ destination_address_prefix = "*"
+ }
+
+ security_rule {
+ access = "Allow"
+ direction = "Inbound"
+ name = "AllowRDP"
+ priority = 300
+ protocol = "TCP"
+ source_address_prefix = "*"
+ source_port_range = "*"
+ destination_port_range = "3389-3389"
+ destination_address_prefix = "*"
+ }
+ tags = {
+ git_commit = "5c6b5d60a8aa63a5d37e60f15185d13a967f0542"
+ git_file = "terraform/azure/networking.tf"
+ git_last_modified_at = "2021-05-02 10:06:10"
+ git_last_modified_by = "nimrodkor@users.noreply.github.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "1a591ba4-d969-4572-9704-87b5c55c0ba3"
+ }
+}
+
+resource azurerm_network_watcher "network_watcher" {
+ location = var.location
+ name = "terragoat-network-watcher-${var.environment}"
+ resource_group_name = azurerm_resource_group.example.name
+ tags = {
+ git_commit = "898d5beaec7ffdef6df0d7abecff407362e2a74e"
+ git_file = "terraform/azure/networking.tf"
+ git_last_modified_at = "2020-06-17 12:59:55"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "3da368fc-723f-43d2-8e82-08dcc91e5094"
+ }
+}
+
+resource azurerm_network_watcher_flow_log "flow_log" {
+ enabled = false
+ network_security_group_id = azurerm_network_security_group.bad_sg.id
+ network_watcher_name = azurerm_network_watcher.network_watcher.name
+ resource_group_name = azurerm_resource_group.example.name
+ storage_account_id = azurerm_storage_account.example.id
+ retention_policy {
+ enabled = false
+ days = 10
+ }
+ tags = {
+ git_commit = "898d5beaec7ffdef6df0d7abecff407362e2a74e"
+ git_file = "terraform/azure/networking.tf"
+ git_last_modified_at = "2020-06-17 12:59:55"
+ git_last_modified_by = "nimrodkor@gmail.com"
+ git_modifiers = "nimrodkor"
+ git_org = "bridgecrewio"
+ git_repo = "terragoat"
+ yor_trace = "33a7212e-7f1a-49fc-af73-8e525c5546ec"
+ }
+}
\ No newline at end of file
diff --git a/terraform/azure/policies.tf b/terraform/azure/policies.tf
new file mode 100644
index 0000000..76ffd9f
--- /dev/null
+++ b/terraform/azure/policies.tf
@@ -0,0 +1,51 @@
+resource "azurerm_policy_definition" "policy-res" {
+ name = "terragoat-policy-${var.environment}"
+ policy_type = "Custom"
+ mode = "Indexed"
+ display_name = "acceptance test policy definition"
+ metadata = <
Date: Mon, 28 Aug 2023 17:28:27 -0300
Subject: [PATCH 19/23] Create Veracode-SB.yml
---
.github/workflows/Veracode-SB.yml | 101 ++++++++++++++++++++++++++++++
1 file changed, 101 insertions(+)
create mode 100644 .github/workflows/Veracode-SB.yml
diff --git a/.github/workflows/Veracode-SB.yml b/.github/workflows/Veracode-SB.yml
new file mode 100644
index 0000000..a22f214
--- /dev/null
+++ b/.github/workflows/Veracode-SB.yml
@@ -0,0 +1,101 @@
+name: Veracode_SB
+on:
+ push:
+ branches: [ master ]
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Empacotamento dos arquivos
+ uses: thedoctor0/zip-release@master
+ with:
+ filename: 'veracode.zip'
+ path: .
+ - name: Publicando Artefato
+ uses: actions/upload-artifact@v2
+ with:
+ name: pacoteVeracode
+ path: veracode.zip
+
+ Veracode_SCA:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Veracode SCA
+ env:
+ SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets
+ run: |
+ curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty
+
+ Veracode_UploadAndScan:
+ runs-on: ubuntu-latest
+ if: ${{ github.ref == 'refs/heads/DEV' || github.ref == 'refs/heads/HMG' || github.ref == 'refs/heads/Main' }}
+ needs: build
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+ - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode
+ if: ${{ github.ref == 'refs/heads/DEV' || github.ref == 'refs/heads/HMG' }}
+ env:
+ VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
+ VeracodeKey: ${{ secrets.VeracodeKey }}
+ AppName: Github Actions - ${{ github.repository }}
+ with:
+ vid: '$VeracodeID'
+ vkey: '$VeracodeKey'
+ criticality: 'VeryHigh'
+ appname: '$AppName'
+ createsandbox: true
+ sandboxname: ${GITHUB_REF#refs/heads/}
+ filepath: 'veracode.zip'
+ deleteIncompleteScan: false
+ version: ${{ github.run_id }}
+ - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode
+ if: ${{ github.ref == 'refs/heads/Main' }}
+ env:
+ VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
+ VeracodeKey: ${{ secrets.VeracodeKey }}
+ AppName: Github Actions - ${{ github.repository }}
+ with:
+ vid: '$VeracodeID'
+ vkey: '$VeracodeKey'
+ criticality: 'VeryHigh'
+ appname: '$AppName'
+ filepath: 'veracode.zip'
+ deleteIncompleteScan: false
+ version: ${{ github.run_id }}
+
+ Veracode_PipelineScan:
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+ - name: Veracode Pipeline Scan
+ continue-on-error: true
+ env:
+ VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
+ VKEY: ${{ secrets.VeracodeKey }}
+ CaminhoArquivo: './veracode.zip'
+ run: |
+ curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
+ unzip pipeline-scan-LATEST.zip
+ java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true
+ - name: Converte para o formato SARIF
+ id: convert
+ uses: Veracode/veracode-pipeline-scan-results-to-sarif@v1.0.5
+ with:
+ pipeline-results-json: results.json
+ output-results-sarif: veracode-results.sarif
+ finding-rule-level: "3:1:0"
+ - name: Publica os resultados
+ uses: github/codeql-action/upload-sarif@v2
+ with: # Path to SARIF file relative to the root of the repository
+ sarif_file: veracode-results.sarif
\ No newline at end of file
From 26feea5f57f322183af1e6e82a3aa9daac437363 Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Mon, 28 Aug 2023 17:31:31 -0300
Subject: [PATCH 20/23] Update Veracode-SB.yml
---
.github/workflows/Veracode-SB.yml | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/Veracode-SB.yml b/.github/workflows/Veracode-SB.yml
index a22f214..7472294 100644
--- a/.github/workflows/Veracode-SB.yml
+++ b/.github/workflows/Veracode-SB.yml
@@ -1,8 +1,6 @@
name: Veracode_SB
-on:
- push:
- branches: [ master ]
- workflow_dispatch:
+on:
+ workflow_dispatch:
jobs:
build:
From 22fdd14d12d50ec65834a28a051d98971a686c5d Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Mon, 28 Aug 2023 17:35:38 -0300
Subject: [PATCH 21/23] Update Veracode-SB.yml
---
.github/workflows/Veracode-SB.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/Veracode-SB.yml b/.github/workflows/Veracode-SB.yml
index 7472294..f4a0477 100644
--- a/.github/workflows/Veracode-SB.yml
+++ b/.github/workflows/Veracode-SB.yml
@@ -1,6 +1,6 @@
name: Veracode_SB
on:
- workflow_dispatch:
+ push:
jobs:
build:
From 9ffb970c755f8f0d06605a27deeab983bf9a959e Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Mon, 28 Aug 2023 17:38:23 -0300
Subject: [PATCH 22/23] Update Veracode-SB.yml
---
.github/workflows/Veracode-SB.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/Veracode-SB.yml b/.github/workflows/Veracode-SB.yml
index f4a0477..75e0449 100644
--- a/.github/workflows/Veracode-SB.yml
+++ b/.github/workflows/Veracode-SB.yml
@@ -3,7 +3,7 @@ on:
push:
jobs:
- build:
+ Package:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
@@ -31,7 +31,7 @@ jobs:
Veracode_UploadAndScan:
runs-on: ubuntu-latest
if: ${{ github.ref == 'refs/heads/DEV' || github.ref == 'refs/heads/HMG' || github.ref == 'refs/heads/Main' }}
- needs: build
+ needs: Package
steps:
- name: Download Artefato
uses: actions/download-artifact@v2
@@ -70,7 +70,7 @@ jobs:
Veracode_PipelineScan:
runs-on: ubuntu-latest
- needs: build
+ needs: Package
steps:
- name: Download Artefato
uses: actions/download-artifact@v2
From 4d8b03556028ac2b4712f2e37cb75631d66efbba Mon Sep 17 00:00:00 2001
From: Ivo Dias
Date: Mon, 28 Aug 2023 17:57:45 -0300
Subject: [PATCH 23/23] Create Veracode-XGH.yml
---
.github/workflows/Veracode-XGH.yml | 71 ++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 .github/workflows/Veracode-XGH.yml
diff --git a/.github/workflows/Veracode-XGH.yml b/.github/workflows/Veracode-XGH.yml
new file mode 100644
index 0000000..cc07bb4
--- /dev/null
+++ b/.github/workflows/Veracode-XGH.yml
@@ -0,0 +1,71 @@
+name: Veracode_GoHorse
+on:
+ push
+
+jobs:
+ Package:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Empacotamento dos arquivos
+ uses: thedoctor0/zip-release@master
+ with:
+ filename: 'veracode.zip'
+ path: .
+ - name: Publicando Artefato
+ uses: actions/upload-artifact@v2
+ with:
+ name: pacoteVeracode
+ path: veracode.zip
+
+ Veracode_SCA:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Veracode SCA
+ env:
+ SRCCLR_API_TOKEN: ${{ secrets.SCA }} # Lembrar de criar as credenciais no Secrets
+ run: |
+ curl -sSL 'https://download.sourceclear.com/ci.sh' | bash -s – scan --update-advisor --pull-request --allow-dirty
+
+ Veracode_UploadAndScan:
+ runs-on: ubuntu-latest
+ needs: Package
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+ - uses: veracode/veracode-uploadandscan-action@master # Faz a analise da Veracode
+ env:
+ VeracodeID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
+ VeracodeKey: ${{ secrets.VeracodeKey }}
+ AppName: ${{ github.repository }}
+ with:
+ vid: '$VeracodeID'
+ vkey: '$VeracodeKey'
+ criticality: 'VeryHigh'
+ appname: '$AppName'
+ filepath: 'veracode.zip'
+ deleteIncompleteScan: true
+ scanallnonfataltoplevelmodules: true
+ includenewmodules: true
+ version: ${{ github.run_id }}
+
+ Veracode_PipelineScan:
+ runs-on: ubuntu-latest
+ needs: Package
+ steps:
+ - name: Download Artefato
+ uses: actions/download-artifact@v2
+ with:
+ name: pacoteVeracode
+ - name: Veracode Pipeline Scan
+ env:
+ VID: ${{ secrets.VeracodeID }} # Lembrar de criar as credenciais no Secrets
+ VKEY: ${{ secrets.VeracodeKey }}
+ CaminhoArquivo: './veracode.zip'
+ run: |
+ curl -sSO https://downloads.veracode.com/securityscan/pipeline-scan-LATEST.zip
+ unzip pipeline-scan-LATEST.zip
+ java -jar pipeline-scan.jar -vid $VID -vkey $VKEY -f $CaminhoArquivo --issue_details true
\ No newline at end of file