Merge branch 'main' into checkTest

Checkmarx · Nov 4, 2024 · 42eae0e · 42eae0e
2 parents 96c37a2 + bc61b24
commit 42eae0e
Show file tree

Hide file tree

Showing 71 changed files with 2,052 additions and 786 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,11 +18,11 @@ jobs:
         run: |
           sudo chmod +x ./internal/commands/.scripts/up.sh
           ./internal/commands/.scripts/up.sh
-      - name: Check if total coverage is greater then 80
+      - name: Check if total coverage is greater then 79.9
         shell: bash
         run: |
           CODE_COV=$(go tool cover -func cover.out | grep total | awk '{print substr($3, 1, length($3)-1)}')
-          EXPECTED_CODE_COV=80
+          EXPECTED_CODE_COV=79.9
           var=$(awk 'BEGIN{ print "'$CODE_COV'"<"'$EXPECTED_CODE_COV'" }')
           if [ "$var" -eq 1 ];then
             echo "Your code coverage is too low. Coverage precentage is: $CODE_COV"
@@ -91,11 +91,11 @@ jobs:
           name: ${{ runner.os }}-coverage-latest
           path: coverage.html
 
-      - name: Check if total coverage is greater then 80
+      - name: Check if total coverage is greater then 79.9
         shell: bash
         run: |
           CODE_COV=$(go tool cover -func cover.out | grep total | awk '{print substr($3, 1, length($3)-1)}')
-          EXPECTED_CODE_COV=80
+          EXPECTED_CODE_COV=79.9
           var=$(awk 'BEGIN{ print "'$CODE_COV'"<"'$EXPECTED_CODE_COV'" }')
           if [ "$var" -eq 1 ];then
             echo "Your code coverage is too low. Coverage precentage is: $CODE_COV"
@@ -153,15 +153,22 @@ jobs:
         run:  go build -o ./cx ./cmd
       - name: Build Docker image
         run: docker build -t ast-cli:${{ github.sha }} .
-
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561  #0.20.0
+      - name: Run Trivy scanner without downloading DBs
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 #v0.28.0
         with:
-          image-ref: 'ast-cli:${{ github.sha }}'
+          scan-type: 'image'
+          image-ref: ast-cli:${{ github.sha }}
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
           vuln-type: 'os,library'
+          output: './trivy-image-results.txt'
           severity: 'CRITICAL,HIGH,MEDIUM,LOW'
-
-
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
+
+      - name: Inspect action report
+        if: always()
+        shell: bash
+        run: cat ./trivy-image-results.txt
diff --git a/.github/workflows/manual-integration-test.yml b/.github/workflows/manual-integration-test.yml
@@ -91,7 +91,7 @@ jobs:
         shell: bash
         run: |
           CODE_COV=$(go tool cover -func cover.out | grep total | awk '{print substr($3, 1, length($3)-1)}')
-          EXPECTED_CODE_COV=80
+          EXPECTED_CODE_COV=79.9
           var=$(awk 'BEGIN{ print "'$CODE_COV'"<"'$EXPECTED_CODE_COV'" }')
           if [ "$var" -eq 1 ];then
             echo "Your code coverage is too low. Coverage precentage is: $CODE_COV"

diff --git a/.github/workflows/one-scan.yml b/.github/workflows/one-scan.yml
@@ -1,23 +1,25 @@
 name: Checkmarx One Scan
-
 on:
   workflow_dispatch:
   pull_request:
   push:
     branches:
       - main
+  schedule:
+    - cron: '00 7 * * *' # Every day at 07:00
 
 jobs:
   cx-scan:
+    name: Checkmarx One Scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 #v3.0.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Checkmarx One CLI Action
-        uses: checkmarx/ast-github-action@6c56658230f79c227a55120e9b24845d574d5225 # main
+        uses: checkmarx/ast-github-action@f0869bd1a37fddc06499a096101e6c900e815d81 # v.2.0.36
         with:
           base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }}
           cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }}
           cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }}
           cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }}
-          additional_params: --tags phoenix --threshold "sast-high=1;sast-medium=1;sast-low=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;sca-high=1;sca-medium=1;sca-low=1"
+          additional_params: --tags phoenix --threshold "sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1"
diff --git a/.github/workflows/pr-linter.yml b/.github/workflows/pr-linter.yml
@@ -0,0 +1,31 @@
+name: PR Linter
+
+on:
+  pull_request:
+    types: [opened, edited]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check PR Title and Branch
+        run: |
+          PR_TITLE="${{ github.event.pull_request.title }}"
+          PR_BRANCH="${{ github.head_ref }}"
+          
+          if ! [[ "$PR_TITLE" =~ ^[A-Z][a-zA-Z0-9]* ]]; then
+            echo "::error::PR title must be in CamelCase. Please update the title."
+            exit 1
+          fi
+          
+          if ! [[ "$PR_TITLE" =~ \(AST-[0-9]+\)$ ]]; then
+            echo "::error::PR title must contain a Jira ticket ID at the end in the format '(AST-XXXX)'."
+            exit 1
+          fi
+          
+          if ! [[ "$PR_BRANCH" =~ ^(bug|feature|other)/ ]]; then
+            echo "::error::Branch name must start with 'bug/' or 'feature/' or 'other/'."
+            exit 1
+          fi
+
+        shell: bash
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -35,6 +35,9 @@ jobs:
       AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
       APPLE_DEVELOPER_CERTIFICATE_P12_BASE64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
       APPLE_DEVELOPER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
+      COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+      COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+      COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
     steps:
       - name: Checkout
         uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
@@ -64,7 +67,7 @@ jobs:
           brew install Bearer/tap/gon
       - name: Setup Docker on macOS
         if: inputs.dev == false
-        uses: douglascamata/setup-docker-macos-action@0f8f0e9f1033ccfb6676fe219e91781393f8ed4b  #v1-alpha
+        uses: douglascamata/setup-docker-macos-action@8d5fa43892aed7eee4effcdea113fd53e4d4bf83  #v1-alpha
       - name: Test docker
         if: inputs.dev == false
         run: |
@@ -76,6 +79,17 @@ jobs:
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Install Cosign
+        if: inputs.dev == false
+        run: |
+          brew install sigstore/tap/cosign
+
+      - name: Add and Commit qemu.rb
+        if: inputs.dev == false
+        run: |
+          git add qemu.rb
+          git commit -m "Add qemu.rb"
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 #v2
         with:
@@ -114,6 +128,18 @@ jobs:
           SIGNING_REMOTE_SSH_HOST: ${{ secrets.SIGNING_REMOTE_SSH_HOST }}
           SIGNING_REMOTE_SSH_PRIVATE_KEY: ${{ secrets.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
           SIGNING_HSM_CREDS: ${{ secrets.SIGNING_HSM_CREDS }}
+      - name: Sign Docker Image with Cosign
+        if: inputs.dev == false
+        run: |
+          cosign sign --yes --key env://COSIGN_PRIVATE_KEY checkmarx/ast-cli:${{ inputs.tag }}
+
+      - name: Verify Docker image signature
+        if: inputs.dev == false
+        run: |
+          echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub
+          cosign verify --key cosign.pub checkmarx/ast-cli:${{ inputs.tag }}
+        env:
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
   notify:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/trivy-cache.yml b/.github/workflows/trivy-cache.yml
@@ -0,0 +1,39 @@
+# Note: This workflow only updates the cache. You should create a separate workflow for your actual Trivy scans.
+# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true.
+name: Update Trivy Cache
+
+on:
+  schedule:
+    - cron: '0 0 * * *'  # Run daily at midnight UTC
+  workflow_dispatch:  # Allow manual triggering
+
+jobs:
+  update-trivy-db:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Setup oras
+        uses: oras-project/setup-oras@9c92598691bfef1424de2f8fae81941568f5889c #v1.2.1
+
+      - name: Get current date
+        id: date
+        run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+      - name: Download and extract the vulnerability DB
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+          oras pull ghcr.io/aquasecurity/trivy-db:2
+          tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+          rm db.tar.gz
+
+      #- name: Download and extract the Java DB
+      #  run: |
+      #    mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+      #    oras pull ghcr.io/aquasecurity/trivy-java-db:1
+      #    tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+      #    rm javadb.tar.gz
+
+      - name: Cache DBs
+        uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a #v4.1.2
+        with:
+          path: ${{ github.workspace }}/.cache/trivy
+          key: cache-trivy-${{ steps.date.outputs.date }}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -40,7 +40,7 @@ builds:
             - SIGNING_REMOTE_SSH_HOST={{ .Env.SIGNING_REMOTE_SSH_HOST }}
             - SIGNING_HSM_CREDS={{ .Env.SIGNING_HSM_CREDS }}
             - SIGNING_REMOTE_SSH_PRIVATE_KEY={{ .Env.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
-            
+
   - main: ./cmd/main.go
     env:
       - CGO_ENABLED=0

diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1,5 @@
+# Codeowners file
+# Each line is a file pattern followed by one or more owners
+
+# Specify the default owners for the entire repository
+*       @OrShamirCM @AlvoBen
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,4 @@
-FROM cgr.dev/chainguard/bash@sha256:6f0c9e28cbbe206781cb6b0ace299d1d4edbb2450bfadffb8b2e125596d0f6b0
-
+FROM cgr.dev/chainguard/bash@sha256:f8e48690d991e6814c81f063833176439e8f0d4bc1c5f0a47f94858dea3e4f44
 USER nonroot
 
 COPY cx /app/bin/cx

diff --git a/README.md b/README.md
@@ -13,8 +13,7 @@
 
 </div>
 
-
-<!-- PROJECT LOGO -->
+<!-- PROJECT  LOGO -->
 <br />
 <p align="center">
   <a href="">