Merge pull request #76 from Omegapoint/feature/secretsScannigRefactor

Feature/secrets scannig refactor

src/identitiesInRepo/identitiesInRepoService.ts

@@ -4,15 +4,9 @@ import { Octokit } from '@octokit/rest';
 import { GetResponseDataTypeFromEndpointMethod, OctokitResponse } from '@octokit/types';
 
 export class IdentitiesInRepoService {
-  public static async setIdentitiesInRepoFindings(): Promise<void> {
+  public static async setIdentitiesInRepoFindings(octokit: Octokit, owner: string, repo: string): Promise<void> {
     try {
       console.log('--- Identities In Repo Control ---');
-      const { owner, repo }: { owner: string; repo: string } = github.context.repo;
-      const token: string = core.getInput('PAT-token');
-
-      const octokit: Octokit = new Octokit({
-        auth: token,
-      });
 
       type listCollaboratorsForRepoResponseDataType = GetResponseDataTypeFromEndpointMethod<
         typeof octokit.repos.listCollaborators

src/index.ts

@@ -33,9 +33,14 @@ export async function run(): Promise<void> {
     await CodeQualityService.getStateOfCodeQualityTool(cydigConfig.codeQualityTool);
     await SastService.getStateOfSastTool(cydigConfig.sastTool.nameOfTool, octokit, owner, repo);
     await ScaService.getStateOfScaTool(cydigConfig.scaTool.nameOfTool, octokit, owner, repo);
-    await SecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
+    await SecretScanningService.getStateOfExposedSecrets(
+      cydigConfig.secretScanningTool?.nameOfTool,
+      octokit,
+      owner,
+      repo
+    );
     await BranchProtectionService.getStateOfBranchProtection(octokit, owner, repo);
-    await IdentitiesInRepoService.setIdentitiesInRepoFindings(); //refactor
+    await IdentitiesInRepoService.setIdentitiesInRepoFindings(octokit, owner, repo);
     await PentestService.getStateOfPentest(cydigConfig.pentest);
     await ThreatModelingService.getStateOfThreatModeling(cydigConfig.threatModeling);
     await AzureDevOpsBoardService.getStateOfAzureDevOpsBoards(cydigConfig);

src/secretscanning/GithubSecretScanningService.ts

@@ -0,0 +1,62 @@
+import * as core from '@actions/core';
+import { Octokit } from '@octokit/rest';
+import { SecretAlertsForRepoResponseDataType } from '../types/OctokitResponses';
+import GitHub_Tools from '../types/GitHubTools';
+
+export class GithubSecretScanningService {
+  public static async getStateOfExposedSecrets(octokit: Octokit, owner: string, repo: string): Promise<void> {
+    try {
+      console.log('Tool: Github Secret Scanning');
+
+      // https://www.npmjs.com/package/octokit#pagination
+      const iterator: AsyncIterableIterator<SecretAlertsForRepoResponseDataType> = octokit.paginate.iterator(
+        octokit.secretScanning.listAlertsForRepo,
+        {
+          owner: owner,
+          repo: repo,
+          per_page: 100,
+          state: 'open',
+        }
+      );
+
+      let numberOfExposedSecrets: number = 0;
+
+      for await (const { data: alerts } of iterator) {
+        numberOfExposedSecrets += alerts.length;
+      }
+
+      console.log('Exposed secrets:', numberOfExposedSecrets);
+      core.exportVariable('secretScanningTool', GitHub_Tools.GitHub_SECRET_SCANNING);
+      core.exportVariable('numberOfExposedSecrets', numberOfExposedSecrets);
+    } catch (error) {
+      core.info('Failed to get number of exposed secrets');
+      // Removes link to REST API endpoint
+      const errorMessage: string = error.message.split('-')[0].trim();
+      if (error.status === 401) {
+        core.warning(errorMessage, {
+          title: 'Number of exposed secrets control failed',
+        });
+      } else if (error.status === 404) {
+        switch (errorMessage) {
+          case 'Secret scanning is disabled on this repository.':
+            core.warning(errorMessage, {
+              title: 'Number of exposed secrets control failed',
+            });
+            break;
+
+          default:
+            console.log(error);
+            core.warning('Credentials probably lack necessary permissions', {
+              title: 'Number of exposed secrets control failed',
+            });
+            break;
+        }
+      } else {
+        core.notice(error.message, {
+          title: 'Number of exposed secrets control failed',
+        });
+      }
+    }
+    console.log();
+  }
+}

src/secretscanning/SecretScanningService.ts

@@ -1,60 +1,35 @@
 import * as core from '@actions/core';
 import { Octokit } from '@octokit/rest';
-import { SecretAlertsForRepoResponseDataType } from '../types/OctokitResponses';
+import GitHub_Tools from '../types/GitHubTools';
+import { GithubSecretScanningService } from './GithubSecretScanningService';
 
 export class SecretScanningService {
-  public static async getStateOfExposedSecrets(octokit: Octokit, owner: string, repo: string): Promise<void> {
-    try {
-      console.log('--- Exposed secrets control ---');
+  public static async getStateOfExposedSecrets(
+    nameOfTool: string,
+    octokit: Octokit,
+    owner: string,
+    repo: string
+  ): Promise<void> {
+    console.log('--- Secret Scanning control ---');
 
-      // https://www.npmjs.com/package/octokit#pagination
-      const iterator: AsyncIterableIterator<SecretAlertsForRepoResponseDataType> = octokit.paginate.iterator(
-        octokit.secretScanning.listAlertsForRepo,
-        {
-          owner: owner,
-          repo: repo,
-          per_page: 100,
-          state: 'open',
-        }
-      );
-
-      let numberOfExposedSecrets: number = 0;
-
-      for await (const { data: alerts } of iterator) {
-        numberOfExposedSecrets += alerts.length;
-      }
-
-      console.log('Exposed secrets:', numberOfExposedSecrets);
-      core.exportVariable('numberOfExposedSecrets', numberOfExposedSecrets);
-    } catch (error) {
-      core.info('Failed to get number of exposed secrets');
-      // Removes link to REST API endpoint
-      const errorMessage: string = error.message.split('-')[0].trim();
-      if (error.status === 401) {
-        core.warning(errorMessage, {
-          title: 'Number of exposed secrets control failed',
-        });
-      } else if (error.status === 404) {
-        switch (errorMessage) {
-          case 'Secret scanning is disabled on this repository.':
-            core.warning(errorMessage, {
-              title: 'Number of exposed secrets control failed',
-            });
-            break;
+    if (nameOfTool === null || nameOfTool === undefined || nameOfTool === 'name-of-tool') {
+      core.warning('Secret Scanning Tool is not set! Will continue with GitHub Secret Scanning tool:');
+      await GithubSecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
+      return;
+    }
 
-          default:
-            console.log(error);
-            core.warning('Credentials probably lack necessary permissions', {
-              title: 'Number of exposed secrets control failed',
-            });
-            break;
-        }
-      } else {
-        core.notice(error.message, {
+    switch (nameOfTool.toLowerCase()) {
+      case GitHub_Tools.GitHub_SECRET_SCANNING.toLowerCase():
+        await GithubSecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
+        break;
+      default:
+        core.notice('Given secret scanning tool is not implemented: ' + nameOfTool, {
           title: 'Number of exposed secrets control failed',
         });
-      }
+        core.exportVariable('secretScanningTool', nameOfTool);
+        break;
     }
+
     console.log();
   }
 }

src/types/CyDigConfig.ts

@@ -5,6 +5,9 @@ export type CyDigConfig = {
     date: string;
     boardsTag: string;
   };
+  secretScanningTool: {
+    nameOfTool: string;
+  };
   pentest: {
     date: string;
     boardsTag: string;

src/types/GitHubTools.ts

@@ -1,6 +1,7 @@
 enum GitHub_Tools {
   DEPENDABOT = 'Dependabot',
   CODEQL = 'CodeQL',
+  GitHub_SECRET_SCANNING = 'GitHub',
 }
 
 export default GitHub_Tools;