diff --git a/src/identitiesInRepo/identitiesInRepoService.ts b/src/identitiesInRepo/identitiesInRepoService.ts index a0dd6608..80de1cd3 100644 --- a/src/identitiesInRepo/identitiesInRepoService.ts +++ b/src/identitiesInRepo/identitiesInRepoService.ts @@ -4,15 +4,9 @@ import { Octokit } from '@octokit/rest'; import { GetResponseDataTypeFromEndpointMethod, OctokitResponse } from '@octokit/types'; export class IdentitiesInRepoService { - public static async setIdentitiesInRepoFindings(): Promise { + public static async setIdentitiesInRepoFindings(octokit: Octokit, owner: string, repo: string): Promise { try { console.log('--- Identities In Repo Control ---'); - const { owner, repo }: { owner: string; repo: string } = github.context.repo; - const token: string = core.getInput('PAT-token'); - - const octokit: Octokit = new Octokit({ - auth: token, - }); type listCollaboratorsForRepoResponseDataType = GetResponseDataTypeFromEndpointMethod< typeof octokit.repos.listCollaborators diff --git a/src/index.ts b/src/index.ts index e59103af..6ff625dd 100644 --- a/src/index.ts +++ b/src/index.ts 
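Review bot: The method now depends on the caller's Octokit instead of building its own from the `PAT-token` input, so whichever token `index.ts` authenticates with must carry the permission needed for `repos.listCollaborators`; that shift of trust is worth a TSDoc header on the new signature, e.g. `/** Reports identities in owner/repo using the caller-supplied, already-authenticated Octokit client; the token's permissions now come from the caller, not from the PAT-token input. */`. With the `github.context.repo` and `core.getInput('PAT-token')` reads gone, the `github` import (and `core`, if nothing later in the method uses it) is probably unused now — I can only see this hunk, and the method body continues past it, so check what the linter flags before deleting imports. Consolidating on one credential is the right direction; just make sure the shared token is not broader than the union of what each control needs.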
@@ -33,9 +33,14 @@ export async function run(): Promise {
 await CodeQualityService.getStateOfCodeQualityTool(cydigConfig.codeQualityTool);
 await SastService.getStateOfSastTool(cydigConfig.sastTool.nameOfTool, octokit, owner, repo);
 await ScaService.getStateOfScaTool(cydigConfig.scaTool.nameOfTool, octokit, owner, repo);
- await SecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
+ await SecretScanningService.getStateOfExposedSecrets(
+ cydigConfig.secretScanningTool?.nameOfTool,
+ octokit,
+ owner,
+ repo
+ );
 await BranchProtectionService.getStateOfBranchProtection(octokit, owner, repo);
- await IdentitiesInRepoService.setIdentitiesInRepoFindings(); //refactor
+ await IdentitiesInRepoService.setIdentitiesInRepoFindings(octokit, owner, repo);
 await PentestService.getStateOfPentest(cydigConfig.pentest);
 await ThreatModelingService.getStateOfThreatModeling(cydigConfig.threatModeling);
 await AzureDevOpsBoardService.getStateOfAzureDevOpsBoards(cydigConfig);
diff --git a/src/secretscanning/GithubSecretScanningService.ts b/src/secretscanning/GithubSecretScanningService.ts
new file mode 100644
index 00000000..cb75be84
--- /dev/null
+++ b/src/secretscanning/GithubSecretScanningService.ts
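Review bot: `cydigConfig.secretScanningTool?.nameOfTool` uses optional chaining on a field that `CyDigConfig` declares as required, so TypeScript still types the argument as `string` and the callee's null/undefined guard is invisible to the checker; the other tool calls in this run (`cydigConfig.sastTool.nameOfTool`, `cydigConfig.scaTool.nameOfTool`) do not chain, so the inconsistency will confuse readers about which config sections are actually optional. Since the section is new and existing config files will not have it, the honest fix is to declare it optional in the type, `secretScanningTool?: { nameOfTool: string };`, and let strictNullChecks carry `string | undefined` into `getStateOfExposedSecrets`. Alternatively, if the config is validated up front, drop the `?.` here to match the sibling calls. `run()` starts and ends outside this hunk.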
@@ -0,0 +1,62 @@
+import * as core from '@actions/core';
+import { Octokit } from '@octokit/rest';
+import { SecretAlertsForRepoResponseDataType } from '../types/OctokitResponses';
+import GitHub_Tools from '../types/GitHubTools';
+
+export class GithubSecretScanningService {
+ public static async getStateOfExposedSecrets(octokit: Octokit, owner: string, repo: string): Promise {
+ try {
+ console.log('Tool: Github Secret Scanning');
+
+ // https://www.npmjs.com/package/octokit#pagination
+ const iterator: AsyncIterableIterator = octokit.paginate.iterator(
+ octokit.secretScanning.listAlertsForRepo,
+ {
+ owner: owner,
+ repo: repo,
+ per_page: 100,
+ state: 'open',
+ }
+ );
+
+ let numberOfExposedSecrets: number = 0;
+
+ for await (const { data: alerts } of iterator) {
+ numberOfExposedSecrets += alerts.length;
+ }
+
+ console.log('Exposed secrets:', numberOfExposedSecrets);
+ core.exportVariable('secretScanningTool', GitHub_Tools.GitHub_SECRET_SCANNING);
+ core.exportVariable('numberOfExposedSecrets', numberOfExposedSecrets);
+ } catch (error) {
+ core.info('Failed to get number of exposed secrets');
+ // Removes link to REST API endpoint
+ const errorMessage: string = error.message.split('-')[0].trim();
+ if (error.status === 401) {
+ core.warning(errorMessage, {
+ title: 'Number of exposed secrets control failed',
+ });
+ } else if (error.status === 404) {
+ switch (errorMessage) {
+ case 'Secret scanning is disabled on this repository.':
+ core.warning(errorMessage, {
+ title: 'Number of exposed secrets control failed',
+ });
+ break;
+
+ default:
+ console.log(error);
+ core.warning('Credentials probably lack necessary permissions', {
+ title: 'Number of exposed secrets control failed',
+ });
+ break;
+ }
+ } else {
+ core.notice(error.message, {
+ title: 'Number of exposed secrets control failed',
+ });
+ }
+ }
+ console.log();
+ }
+}
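Review bot: The `catch (error)` block dereferences `error.message` and `error.status` without narrowing; under `strict` (which implies `useUnknownInCatchVariables`) that does not compile, and with it off, anything that is not an `Error`-like object — a rejected fetch that throws a string, a paginate abort — turns the error handler itself into an unhandled `TypeError`, so the control fails without the annotation it was trying to emit. Narrow once at the top of the catch and use the narrowed values in the 401/404/else branches, as sketched below; the `split('-')[0]` heuristic is also fragile for any message that contains a hyphen, so if the Octokit version in use exposes `error.response?.data?.message`, prefer that — I cannot confirm that from this file. Separately, `core.exportVariable('secretScanningTool', ...)` only runs on the success path, while `SecretScanningService`'s "not implemented" branch does export the tool name on failure; moving that one `exportVariable` call to the start of the `try` makes downstream consumers see which tool was attempted even when the API call fails.
```typescript
    } catch (error: unknown) {
      core.info('Failed to get number of exposed secrets');
      // Octokit's RequestError carries an HTTP status; a network TypeError or a thrown string has none.
      const status = typeof error === 'object' && error !== null ? (error as { status?: number }).status : undefined;
      const rawMessage = error instanceof Error ? error.message : String(error);
      // Removes link to REST API endpoint
      const errorMessage: string = rawMessage.split('-')[0].trim();
      if (status === 401) {
      // … unchanged: 401/404/else annotations, with `error.status` replaced by `status` and `error.message` by `rawMessage` …
```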
diff --git a/src/secretscanning/SecretScanningService.ts b/src/secretscanning/SecretScanningService.ts
index ff407f3b..415025f9 100644
--- a/src/secretscanning/SecretScanningService.ts
+++ b/src/secretscanning/SecretScanningService.ts
@@ -1,60 +1,35 @@ import * as core from '@actions/core'; import { Octokit } from '@octokit/rest'; -import { SecretAlertsForRepoResponseDataType } from '../types/OctokitResponses'; +import GitHub_Tools from '../types/GitHubTools'; +import { GithubSecretScanningService } from './GithubSecretScanningService'; export class SecretScanningService { - public static async getStateOfExposedSecrets(octokit: Octokit, owner: string, repo: string): Promise { - try { - console.log('--- Exposed secrets control ---'); + public static async getStateOfExposedSecrets( + nameOfTool: string, + octokit: Octokit, + owner: string, + repo: string + ): Promise { + console.log('--- Secret Scanning control ---'); - // https://www.npmjs.com/package/octokit#pagination - const iterator: AsyncIterableIterator = octokit.paginate.iterator( - octokit.secretScanning.listAlertsForRepo, - { - owner: owner, - repo: repo, - per_page: 100, - state: 'open', - } - ); - - let numberOfExposedSecrets: number = 0; - - for await (const { data: alerts } of iterator) { - numberOfExposedSecrets += alerts.length; - } - - console.log('Exposed secrets:', numberOfExposedSecrets); - core.exportVariable('numberOfExposedSecrets', numberOfExposedSecrets); - } catch (error) { - core.info('Failed to get number of exposed secrets'); - // Removes link to REST API endpoint - const errorMessage: string = error.message.split('-')[0].trim(); - if (error.status === 401) { - core.warning(errorMessage, { - title: 'Number of exposed secrets control failed', - }); - } else if (error.status === 404) { - switch (errorMessage) { - case 'Secret scanning is disabled on this repository.': - core.warning(errorMessage, { - title: 'Number of exposed secrets control failed', - }); - break; + if (nameOfTool === null || nameOfTool === undefined || nameOfTool === 'name-of-tool') { + core.warning('Secret Scanning Tool is not set! 
Will continue with GitHub Secret Scanning tool:'); + await GithubSecretScanningService.getStateOfExposedSecrets(octokit, owner, repo); + return; + } - default: - console.log(error); - core.warning('Credentials probably lack necessary permissions', { - title: 'Number of exposed secrets control failed', - }); - break; - } - } else { - core.notice(error.message, { + switch (nameOfTool.toLowerCase()) { + case GitHub_Tools.GitHub_SECRET_SCANNING.toLowerCase(): + await GithubSecretScanningService.getStateOfExposedSecrets(octokit, owner, repo); + break; + default: + core.notice('Given secret scanning tool is not implemented: ' + nameOfTool, { title: 'Number of exposed secrets control failed', }); - } + core.exportVariable('secretScanningTool', nameOfTool); + break; } + console.log(); } } diff --git a/src/types/CyDigConfig.ts b/src/types/CyDigConfig.ts index 6ef8d191..4c41d8ac 100644 --- a/src/types/CyDigConfig.ts +++ b/src/types/CyDigConfig.ts @@ -5,6 +5,9 @@ export type CyDigConfig = { date: string; boardsTag: string; }; + secretScanningTool: { + nameOfTool: string; + }; pentest: { date: string; boardsTag: string; diff --git a/src/types/GitHubTools.ts b/src/types/GitHubTools.ts index bc520e8b..2d745a98 100644 --- a/src/types/GitHubTools.ts +++ b/src/types/GitHubTools.ts @@ -1,6 +1,7 @@ enum GitHub_Tools { DEPENDABOT = 'Dependabot', CODEQL = 'CodeQL', + GitHub_SECRET_SCANNING = 'GitHub', } export default GitHub_Tools;
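Review bot: The unset check in `getStateOfExposedSecrets` handles `null`, `undefined` and the `'name-of-tool'` placeholder, but an empty string from the config falls through to the `switch`, emits `Given secret scanning tool is not implemented: ` with no name and exports an empty `secretScanningTool`; `if (!nameOfTool || nameOfTool === 'name-of-tool')` covers all four cases and reads the same. The parameter is typed `string` while the body guards against null/undefined, so declare it `nameOfTool: string | undefined` — that lets the caller's `cydigConfig.secretScanningTool?.nameOfTool` be type-checked instead of relying on the runtime guard. The `'name-of-tool'` literal is evidently a template placeholder; hoist it to a named constant such as `const UNSET_TOOL_PLACEHOLDER = 'name-of-tool';` above the class so it is not duplicated when other tool services adopt the same check, and note that it is compared case-sensitively while the tool names below are lower-cased.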
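Review bot: `secretScanningTool: { nameOfTool: string };` is declared required, yet its only consumer in `index.ts` reads it with `?.`, and every config file written before this commit lacks the section, so the type is promising a field that will be absent at runtime. Declare it `secretScanningTool?: { nameOfTool: string };` so strictNullChecks forces callers to handle the missing section explicitly rather than papering over it with optional chaining on a supposedly required field. A short doc comment on the field, `/** Optional; omitted or 'name-of-tool' means "use GitHub Secret Scanning". */`, would tell config authors what the fallback is.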
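Review bot: `GitHub_SECRET_SCANNING` breaks the `CONSTANT_CASE` used by the sibling members `DEPENDABOT` and `CODEQL`; rename it `GITHUB_SECRET_SCANNING` (and update the two references in the secret-scanning services). The value `'GitHub'` is both what config authors must write for `nameOfTool` (matched case-insensitively in `SecretScanningService`) and what is exported as the `secretScanningTool` variable, so changing it later would affect downstream consumers — record that contract now with a comment such as `/** Accepted secretScanningTool.nameOfTool value (case-insensitive); also exported as the secretScanningTool variable. */`.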