From 183d2e5db8ed363f87f84463efa605fff55ff41c Mon Sep 17 00:00:00 2001
From: salemxd
Date: Mon, 13 May 2024 16:03:27 +0200
Subject: [PATCH 01/12] added cydig config for secrets scanning
---
 src/identitiesInRepo/identitiesInRepoService.ts | 8 +-------
 src/index.ts | 4 ++--
 src/secretscanning/SecretScanningService.ts | 7 ++++++-
 src/types/CyDigConfig.ts | 3 +++
 4 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/src/identitiesInRepo/identitiesInRepoService.ts b/src/identitiesInRepo/identitiesInRepoService.ts
index a0dd6608..80de1cd3 100644
--- a/src/identitiesInRepo/identitiesInRepoService.ts
+++ b/src/identitiesInRepo/identitiesInRepoService.ts
@@ -4,15 +4,9 @@ import { Octokit } from '@octokit/rest';
 import { GetResponseDataTypeFromEndpointMethod, OctokitResponse } from '@octokit/types';
 export class IdentitiesInRepoService {
- public static async setIdentitiesInRepoFindings(): Promise {
+ public static async setIdentitiesInRepoFindings(octokit: Octokit, owner: string, repo: string): Promise {
 try {
 console.log('--- Identities In Repo Control ---');
- const { owner, repo }: { owner: string; repo: string } = github.context.repo;
- const token: string = core.getInput('PAT-token');
-
- const octokit: Octokit = new Octokit({
- auth: token,
- });
 type listCollaboratorsForRepoResponseDataType = GetResponseDataTypeFromEndpointMethod<
 typeof octokit.repos.listCollaborators
diff --git a/src/index.ts b/src/index.ts
index e59103af..3bda3fd1 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -33,9 +33,9 @@ export async function run(): Promise {
 await CodeQualityService.getStateOfCodeQualityTool(cydigConfig.codeQualityTool);
 await SastService.getStateOfSastTool(cydigConfig.sastTool.nameOfTool, octokit, owner, repo);
 await ScaService.getStateOfScaTool(cydigConfig.scaTool.nameOfTool, octokit, owner, repo);
- await SecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
+ await SecretScanningService.getStateOfExposedSecrets(cydigConfig.secretScanning.nameOfTool, octokit, owner, repo);
 await BranchProtectionService.getStateOfBranchProtection(octokit, owner, repo);
- await IdentitiesInRepoService.setIdentitiesInRepoFindings(); //refactor
+ await IdentitiesInRepoService.setIdentitiesInRepoFindings(octokit, owner, repo);
 await PentestService.getStateOfPentest(cydigConfig.pentest);
 await ThreatModelingService.getStateOfThreatModeling(cydigConfig.threatModeling);
 await AzureDevOpsBoardService.getStateOfAzureDevOpsBoards(cydigConfig);
diff --git a/src/secretscanning/SecretScanningService.ts b/src/secretscanning/SecretScanningService.ts
index ff407f3b..048dbe7d 100644
--- a/src/secretscanning/SecretScanningService.ts
+++ b/src/secretscanning/SecretScanningService.ts
@@ -3,10 +3,15 @@ import { Octokit } from '@octokit/rest';
 import { SecretAlertsForRepoResponseDataType } from '../types/OctokitResponses';
 export class SecretScanningService {
- public static async getStateOfExposedSecrets(octokit: Octokit, owner: string, repo: string): Promise {
+ public static async getStateOfExposedSecrets(nameOfTool: string, octokit: Octokit, owner: string, repo: string): Promise {
 try {
 console.log('--- Exposed secrets control ---');
+ if(nameOfTool === null || nameOfTool === 'name-of-tool'){
+ core.warning('Secret Scanning Tool is not set!');
+ return;
+ }
+
 // https://www.npmjs.com/package/octokit#pagination
 const iterator: AsyncIterableIterator = octokit.paginate.iterator(
 octokit.secretScanning.listAlertsForRepo,
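Review bot: The not-set guard added to getStateOfExposedSecrets compares a parameter typed `string` against `null` and against the literal placeholder `'name-of-tool'`; under `strictNullChecks` the `=== null` arm can never be true, and the placeholder is a magic string that has to stay in sync with whatever config template produces it. Hoist the sentinel into a named constant beside the CyDigConfig type, e.g. `export const UNSET_TOOL_NAME = 'name-of-tool';`, and compare against that so it is defined once. The guard also sits inside the `try`, so its early `return` skips whatever the method does after the `catch`; confirm that is intended. The enclosing method continues past the end of the hunk.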
diff --git a/src/types/CyDigConfig.ts b/src/types/CyDigConfig.ts
index 6ef8d191..2c15b12f 100644
--- a/src/types/CyDigConfig.ts
+++ b/src/types/CyDigConfig.ts
@@ -5,6 +5,9 @@ export type CyDigConfig = {
 date: string;
 boardsTag: string;
 };
+ secretScanning: {
+ nameOfTool: string;
+ };
 pentest: {
 date: string;
 boardsTag: string;
From ba1aec9652041c47df6bc8ee2cf007f14084aa6c Mon Sep 17 00:00:00 2001
From: salemxd
Date: Tue, 14 May 2024 15:52:45 +0200
Subject: [PATCH 02/12] added support for secret scanning tool
---
 .../GithubSecretScanningService.ts | 62 +++++++++++++++++
 src/secretscanning/SecretScanningService.ts | 67 ++++--------------
 src/types/GitHubTools.ts | 1 +
 3 files changed, 76 insertions(+), 54 deletions(-)
 create mode 100644 src/secretscanning/GithubSecretScanningService.ts
diff --git a/src/secretscanning/GithubSecretScanningService.ts b/src/secretscanning/GithubSecretScanningService.ts
new file mode 100644
index 00000000..b8726893
--- /dev/null
+++ b/src/secretscanning/GithubSecretScanningService.ts
@@ -0,0 +1,62 @@
+import * as core from '@actions/core';
+import { Octokit } from '@octokit/rest';
+import { SecretAlertsForRepoResponseDataType } from '../types/OctokitResponses';
+import GitHub_Tools from '../types/GitHubTools';
+
+export class GithubSecretScanningService {
+ public static async getStateOfExposedSecrets(octokit: Octokit, owner: string, repo: string): Promise {
+ try {
+ console.log('--- Exposed secrets control ---');
+
+ // https://www.npmjs.com/package/octokit#pagination
+ const iterator: AsyncIterableIterator = octokit.paginate.iterator(
+ octokit.secretScanning.listAlertsForRepo,
+ {
+ owner: owner,
+ repo: repo,
+ per_page: 100,
+ state: 'open',
+ }
+ );
+
+ let numberOfExposedSecrets: number = 0;
+
+ for await (const { data: alerts } of iterator) {
+ numberOfExposedSecrets += alerts.length;
+ }
+
+ console.log('Exposed secrets:', numberOfExposedSecrets);
+ core.exportVariable('secretScanningTool', GitHub_Tools.GitHub_SECRET_SCANNING);
+ core.exportVariable('numberOfExposedSecrets', numberOfExposedSecrets);
+ } catch (error) {
+ core.info('Failed to get number of exposed secrets');
+ // Removes link to REST API endpoint
+ const errorMessage: string = error.message.split('-')[0].trim();
+ if (error.status === 401) {
+ core.warning(errorMessage, {
+ title: 'Number of exposed secrets control failed',
+ });
+ } else if (error.status === 404) {
+ switch (errorMessage) {
+ case 'Secret scanning is disabled on this repository.':
+ core.warning(errorMessage, {
+ title: 'Number of exposed secrets control failed',
+ });
+ break;
+
+ default:
+ console.log(error);
+ core.warning('Credentials probably lack necessary permissions', {
+ title: 'Number of exposed secrets control failed',
+ });
+ break;
+ }
+ } else {
+ core.notice(error.message, {
+ title: 'Number of exposed secrets control failed',
+ });
+ }
+ }
+ console.log();
+ }
+}
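Review bot: The `catch (error)` block reads `error.message` and `error.status` on an untyped catch variable, so with `useUnknownInCatchVariables` (implied by `strict`) these lines do not compile, and a rejection that is not an Error would throw a second time at `error.message.split` inside the handler. Narrow once at the top of the catch: `} catch (error: unknown) {`, `const status = error instanceof RequestError ? error.status : undefined;`, `const message = error instanceof Error ? error.message : String(error);` (RequestError is exported by `@octokit/request-error`, which should already be in the dependency tree via `@octokit/rest`), and branch on `status`/`message` below. The `console.log(error)` in the 404 default branch prints the entire request error object into the Actions log; log `status` and the trimmed message instead unless you have confirmed that the request headers attached to that object are redacted. A one-line comment above the `paginate.iterator` call should also state that only alerts with `state: 'open'` are counted, since resolved and dismissed alerts are excluded from `numberOfExposedSecrets`, and that `secretScanningTool` is only exported on success.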
diff --git a/src/secretscanning/SecretScanningService.ts b/src/secretscanning/SecretScanningService.ts
index 048dbe7d..e38bcdf5 100644
--- a/src/secretscanning/SecretScanningService.ts
+++ b/src/secretscanning/SecretScanningService.ts
@@ -1,65 +1,24 @@
 import * as core from '@actions/core';
 import { Octokit } from '@octokit/rest';
-import { SecretAlertsForRepoResponseDataType } from '../types/OctokitResponses';
+import GitHub_Tools from '../types/GitHubTools';
+import { GithubSecretScanningService } from './GithubSecretScanningService';
 export class SecretScanningService {
 public static async getStateOfExposedSecrets(nameOfTool: string, octokit: Octokit, owner: string, repo: string): Promise {
- try {
- console.log('--- Exposed secrets control ---');
- if(nameOfTool === null || nameOfTool === 'name-of-tool'){
- core.warning('Secret Scanning Tool is not set!');
- return;
- }
-
- // https://www.npmjs.com/package/octokit#pagination
- const iterator: AsyncIterableIterator = octokit.paginate.iterator(
- octokit.secretScanning.listAlertsForRepo,
- {
- owner: owner,
- repo: repo,
- per_page: 100,
- state: 'open',
- }
- );
-
- let numberOfExposedSecrets: number = 0;
-
- for await (const { data: alerts } of iterator) {
- numberOfExposedSecrets += alerts.length;
- }
-
- console.log('Exposed secrets:', numberOfExposedSecrets);
- core.exportVariable('numberOfExposedSecrets', numberOfExposedSecrets);
- } catch (error) {
- core.info('Failed to get number of exposed secrets');
- // Removes link to REST API endpoint
- const errorMessage: string = error.message.split('-')[0].trim();
- if (error.status === 401) {
- core.warning(errorMessage, {
- title: 'Number of exposed secrets control failed',
- });
- } else if (error.status === 404) {
- switch (errorMessage) {
- case 'Secret scanning is disabled on this repository.':
- core.warning(errorMessage, {
- title: 'Number of exposed secrets control failed',
- });
- break;
+ if(nameOfTool === null || nameOfTool === 'name-of-tool'){
+ core.warning('Secret Scanning Tool is not set!');
+ }
- default:
- console.log(error);
- core.warning('Credentials probably lack necessary permissions', {
- title: 'Number of exposed secrets control failed',
- });
- break;
- }
- } else {
-
core.notice(error.message, {
- title: 'Number of exposed secrets control failed',
- });
- }
+ switch (nameOfTool.toLowerCase()){
+ case GitHub_Tools.GitHub_SECRET_SCANNING.toLowerCase():
+ GithubSecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
+ default:
+ core.notice("Given secret scanning tool is not given")
+ core.exportVariable('secretScanningTool', nameOfTool);
 }
+ console.log();
+ }
 }
diff --git a/src/types/GitHubTools.ts b/src/types/GitHubTools.ts
index bc520e8b..b8c1dd13 100644
--- a/src/types/GitHubTools.ts
+++ b/src/types/GitHubTools.ts
@@ -1,6 +1,7 @@
 enum GitHub_Tools {
 DEPENDABOT = 'Dependabot',
 CODEQL = 'CodeQL',
+ GitHub_SECRET_SCANNING = 'GithubSecretScanning'
 }
 export default GitHub_Tools;
From b56de35345398af94b3c25b0c4e4d674210c240a Mon Sep 17 00:00:00 2001
From: salemxd
Date: Tue, 14 May 2024 15:54:05 +0200
Subject: [PATCH 03/12] name change
---
 src/index.ts | 2 +-
 src/types/CyDigConfig.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/index.ts b/src/index.ts
index 3bda3fd1..10963a1c 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -33,7 +33,7 @@ export async function run(): Promise {
 await CodeQualityService.getStateOfCodeQualityTool(cydigConfig.codeQualityTool);
 await SastService.getStateOfSastTool(cydigConfig.sastTool.nameOfTool, octokit, owner, repo);
 await ScaService.getStateOfScaTool(cydigConfig.scaTool.nameOfTool, octokit, owner, repo);
- await SecretScanningService.getStateOfExposedSecrets(cydigConfig.secretScanning.nameOfTool, octokit, owner, repo);
+ await SecretScanningService.getStateOfExposedSecrets(cydigConfig.secretScanningTool.nameOfTool, octokit, owner, repo);
 await BranchProtectionService.getStateOfBranchProtection(octokit, owner, repo);
 await IdentitiesInRepoService.setIdentitiesInRepoFindings(octokit, owner, repo);
 await PentestService.getStateOfPentest(cydigConfig.pentest);
diff --git a/src/types/CyDigConfig.ts b/src/types/CyDigConfig.ts
index 2c15b12f..4c41d8ac 100644
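Review bot: The new dispatcher in getStateOfExposedSecrets has no TSDoc, and its contract is not obvious from the code: `nameOfTool` is matched case-insensitively against `GitHub_Tools` values, and an unrecognized name still exports `secretScanningTool` with the raw config string while `numberOfExposedSecrets` is never set. Add a `/** ... */` above the method stating which names are accepted, that matching is case-insensitive, and that for an unknown tool only a notice is emitted and `secretScanningTool` echoes the configured name; that last point matters to whatever consumes the exported variables, which otherwise cannot tell "scan ran" from "tool not implemented". The rewrite also drops the `try/catch` that used to surround the scan, so any rejection from a delegated service now propagates to the caller; GithubSecretScanningService catches internally, but any future tool added to the switch will need to do the same or this method needs its own guard.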
--- a/src/types/CyDigConfig.ts
+++ b/src/types/CyDigConfig.ts
@@ -5,7 +5,7 @@ export type CyDigConfig = {
 date: string;
 boardsTag: string;
 };
- secretScanning: {
+ secretScanningTool: {
 nameOfTool: string;
 };
 pentest: {
From 8d48b77557af30e077ddbe3a5ae2cde59c8f7bea Mon Sep 17 00:00:00 2001
From: salemxd
Date: Tue, 14 May 2024 16:27:34 +0200
Subject: [PATCH 04/12] fixed log
---
 src/secretscanning/SecretScanningService.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/secretscanning/SecretScanningService.ts b/src/secretscanning/SecretScanningService.ts
index e38bcdf5..99cff139 100644
--- a/src/secretscanning/SecretScanningService.ts
+++ b/src/secretscanning/SecretScanningService.ts
@@ -14,7 +14,7 @@ export class SecretScanningService {
 case GitHub_Tools.GitHub_SECRET_SCANNING.toLowerCase():
 GithubSecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
 default:
- core.notice("Given secret scanning tool is not given")
+ core.notice("Given secret scanning tool is not implemented")
 core.exportVariable('secretScanningTool', nameOfTool);
 }
From 0531c8cfce1d71dd5fe31d608640382e0cfb1180 Mon Sep 17 00:00:00 2001
From: salemxd
Date: Tue, 14 May 2024 18:27:15 +0200
Subject: [PATCH 05/12] fix log
---
 src/secretscanning/SecretScanningService.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/secretscanning/SecretScanningService.ts b/src/secretscanning/SecretScanningService.ts
index 99cff139..a4e536b4 100644
--- a/src/secretscanning/SecretScanningService.ts
+++ b/src/secretscanning/SecretScanningService.ts
@@ -14,7 +14,7 @@ export class SecretScanningService {
 case GitHub_Tools.GitHub_SECRET_SCANNING.toLowerCase():
 GithubSecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
 default:
- core.notice("Given secret scanning tool is not implemented")
+ core.notice("Given secret scanning tool is not implemented: " + nameOfTool)
 core.exportVariable('secretScanningTool', nameOfTool);
 }
From 551aad302bb4c2bc4de7d2a97737e3b16f323824 Mon Sep 17 00:00:00 2001
From: salemxd
Date: Wed, 15 May 2024 09:53:03 +0200
Subject: [PATCH 06/12] fix
---
 src/secretscanning/SecretScanningService.ts | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/secretscanning/SecretScanningService.ts b/src/secretscanning/SecretScanningService.ts
index a4e536b4..7bf3f834 100644
--- a/src/secretscanning/SecretScanningService.ts
+++ b/src/secretscanning/SecretScanningService.ts
@@ -6,19 +6,23 @@ import { GithubSecretScanningService } from './GithubSecretScanningService';
 export class SecretScanningService {
 public static async getStateOfExposedSecrets(nameOfTool: string, octokit: Octokit, owner: string, repo: string): Promise {
+ console.log('--- Secret Scanning control ---');
+
 if(nameOfTool === null || nameOfTool === 'name-of-tool'){
 core.warning('Secret Scanning Tool is not set!');
+ return;
 }
 switch (nameOfTool.toLowerCase()){
 case GitHub_Tools.GitHub_SECRET_SCANNING.toLowerCase():
- GithubSecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
+ await GithubSecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
 default:
- core.notice("Given secret scanning tool is not implemented: " + nameOfTool)
+ core.notice("Given secret scanning tool is not implemented: " + nameOfTool, {
+ title: 'Number of exposed secrets control failed',
+ })
 core.exportVariable('secretScanningTool', nameOfTool);
 }
 console.log();
- }
 }
From 6a404f518bdc71eff0b456b1d31a66142a58a8d5 Mon Sep 17 00:00:00 2001
From: salemxd
Date: Wed, 15 May 2024 09:57:33 +0200
Subject: [PATCH 07/12] fixed log
---
 src/secretscanning/GithubSecretScanningService.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/secretscanning/GithubSecretScanningService.ts b/src/secretscanning/GithubSecretScanningService.ts
index b8726893..cb75be84 100644
--- a/src/secretscanning/GithubSecretScanningService.ts
+++ b/src/secretscanning/GithubSecretScanningService.ts
@@ -6,7 +6,7 @@ import GitHub_Tools from '../types/GitHubTools';
 export class GithubSecretScanningService {
 public static async getStateOfExposedSecrets(octokit: Octokit, owner: string, repo: string): Promise {
 try {
- console.log('--- Exposed secrets control ---');
+ console.log('Tool: Github Secret Scanning');
 // https://www.npmjs.com/package/octokit#pagination
 const iterator: AsyncIterableIterator = octokit.paginate.iterator(
From 3b1f4b55b1f2b60a6f13eb98e3110b11e6764943 Mon Sep 17 00:00:00 2001
From: salemxd
Date: Wed, 15 May 2024 09:59:07 +0200
Subject: [PATCH 08/12] fixed switch case
---
 src/secretscanning/SecretScanningService.ts | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/secretscanning/SecretScanningService.ts b/src/secretscanning/SecretScanningService.ts
index 7bf3f834..05fe5b9e 100644
--- a/src/secretscanning/SecretScanningService.ts
+++ b/src/secretscanning/SecretScanningService.ts
@@ -16,11 +16,13 @@ export class SecretScanningService {
 switch (nameOfTool.toLowerCase()){
 case GitHub_Tools.GitHub_SECRET_SCANNING.toLowerCase():
 await GithubSecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
+ break;
 default:
 core.notice("Given secret scanning tool is not implemented: " + nameOfTool, {
 title: 'Number of exposed secrets control failed',
 })
 core.exportVariable('secretScanningTool', nameOfTool);
+ break;
 }
 console.log();
From be3fca8a62ce8feb66d7f1d1e390486113504766 Mon Sep 17 00:00:00 2001
From: salemxd
Date: Wed, 22 May 2024 09:45:00 +0200
Subject: [PATCH 09/12] format
---
 src/index.ts | 7 ++++++-
 src/secretscanning/SecretScanningService.ts | 16 ++++++++++------
 src/types/GitHubTools.ts | 2 +-
 3 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/src/index.ts b/src/index.ts
index 10963a1c..79aa6bab 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -33,7 +33,12 @@ export async function run(): Promise {
 await CodeQualityService.getStateOfCodeQualityTool(cydigConfig.codeQualityTool);
 await SastService.getStateOfSastTool(cydigConfig.sastTool.nameOfTool, octokit, owner, repo);
 await ScaService.getStateOfScaTool(cydigConfig.scaTool.nameOfTool, octokit, owner, repo);
- await SecretScanningService.getStateOfExposedSecrets(cydigConfig.secretScanningTool.nameOfTool, octokit, owner, repo);
+ await SecretScanningService.getStateOfExposedSecrets(
+ cydigConfig.secretScanningTool.nameOfTool,
+ octokit,
+ owner,
+ repo
+ );
 await BranchProtectionService.getStateOfBranchProtection(octokit, owner, repo);
 await IdentitiesInRepoService.setIdentitiesInRepoFindings(octokit, owner, repo);
 await PentestService.getStateOfPentest(cydigConfig.pentest);
diff --git a/src/secretscanning/SecretScanningService.ts b/src/secretscanning/SecretScanningService.ts
index 05fe5b9e..550a41fc 100644
--- a/src/secretscanning/SecretScanningService.ts
+++ b/src/secretscanning/SecretScanningService.ts
@@ -4,23 +4,27 @@ import GitHub_Tools from '../types/GitHubTools';
 import { GithubSecretScanningService } from './GithubSecretScanningService';
 export class SecretScanningService {
- public static async getStateOfExposedSecrets(nameOfTool: string, octokit: Octokit, owner: string, repo: string): Promise {
-
+ public static async getStateOfExposedSecrets(
+ nameOfTool: string,
+ octokit: Octokit,
+ owner: string,
+ repo: string
+ ): Promise {
 console.log('--- Secret Scanning control ---');
- if(nameOfTool === null || nameOfTool === 'name-of-tool'){
+ if (nameOfTool === null || nameOfTool === 'name-of-tool') {
 core.warning('Secret Scanning Tool is not set!');
 return;
 }
- switch (nameOfTool.toLowerCase()){
+ switch (nameOfTool.toLowerCase()) {
 case GitHub_Tools.GitHub_SECRET_SCANNING.toLowerCase():
 await GithubSecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
 break;
 default:
- core.notice("Given secret scanning tool is not implemented: " + nameOfTool, {
+ core.notice('Given secret scanning tool is not implemented: ' + nameOfTool, {
 title: 'Number of exposed secrets control failed',
- })
+ });
 core.exportVariable('secretScanningTool', nameOfTool);
 break;
 }
diff --git a/src/types/GitHubTools.ts b/src/types/GitHubTools.ts
index b8c1dd13..3532fc0f 100644
--- a/src/types/GitHubTools.ts
+++ b/src/types/GitHubTools.ts
@@ -1,7 +1,7 @@
 enum GitHub_Tools {
 DEPENDABOT = 'Dependabot',
 CODEQL = 'CodeQL',
- GitHub_SECRET_SCANNING = 'GithubSecretScanning'
+ GitHub_SECRET_SCANNING = 'GithubSecretScanning',
 }
 export default GitHub_Tools;
From 76f8f7092da40119cb540345e60e6d835f54c1e4 Mon Sep 17 00:00:00 2001
From: salemxd
Date: Wed, 22 May 2024 09:48:35 +0200
Subject: [PATCH 10/12] fix
---
 src/index.ts | 2 +-
 src/secretscanning/SecretScanningService.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/index.ts b/src/index.ts
index 79aa6bab..6ff625dd 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -34,7 +34,7 @@ export async function run(): Promise {
 await SastService.getStateOfSastTool(cydigConfig.sastTool.nameOfTool, octokit, owner, repo);
 await ScaService.getStateOfScaTool(cydigConfig.scaTool.nameOfTool, octokit, owner, repo);
 await SecretScanningService.getStateOfExposedSecrets(
- cydigConfig.secretScanningTool.nameOfTool,
+ cydigConfig.secretScanningTool?.nameOfTool,
 octokit,
 owner,
 repo
diff --git a/src/secretscanning/SecretScanningService.ts b/src/secretscanning/SecretScanningService.ts
index 550a41fc..a0d05c97 100644
--- a/src/secretscanning/SecretScanningService.ts
+++ b/src/secretscanning/SecretScanningService.ts
@@ -12,7 +12,7 @@ export class SecretScanningService {
 ): Promise {
 console.log('--- Secret Scanning control ---');
- if (nameOfTool === null || nameOfTool === 'name-of-tool') {
+ if (nameOfTool === null || nameOfTool === undefined || nameOfTool === 'name-of-tool') {
 core.warning('Secret Scanning Tool is not set!');
 return;
 }
From de6454fbf96e935096a21fa5fb0b48465fe3471a Mon Sep 17 00:00:00 2001
From: salemxd
Date: Wed, 22 May 2024 10:56:56 +0200
Subject: [PATCH 11/12] fixed so that github secret scanning tool is default
---
 src/secretscanning/SecretScanningService.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/secretscanning/SecretScanningService.ts b/src/secretscanning/SecretScanningService.ts
index a0d05c97..415025f9 100644
--- a/src/secretscanning/SecretScanningService.ts
+++ b/src/secretscanning/SecretScanningService.ts
@@ -13,7 +13,8 @@ export class SecretScanningService {
 console.log('--- Secret Scanning control ---');
 if (nameOfTool === null || nameOfTool === undefined || nameOfTool === 'name-of-tool') {
- core.warning('Secret Scanning Tool is not set!');
+ core.warning('Secret Scanning Tool is not set! Will continue with GitHub Secret Scanning tool:');
+ await GithubSecretScanningService.getStateOfExposedSecrets(octokit, owner, repo);
 return;
 }
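Review bot: `cydigConfig.secretScanningTool?.nameOfTool` now has type `string | undefined`, but the parameter it is passed to in SecretScanningService.ts is still declared `nameOfTool: string`, so under `strictNullChecks` this call does not type-check, and the `=== undefined` arm added in this commit's second hunk guards a value the type says cannot be undefined; the two hunks should change together. Declare the parameter `nameOfTool: string | undefined` and collapse the guard to `if (nameOfTool == null || nameOfTool === 'name-of-tool') {`. The `?.` also implies the config section is optional, while the `CyDigConfig` type added earlier in this series declares `secretScanningTool` as required; make it `secretScanningTool?: { nameOfTool: string };` so the optional chaining is justified by the type rather than by the shape of a particular config file. The `run()` function continues outside the hunk.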
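Review bot: The fallback added inside the not-set guard duplicates the `case GitHub_Tools.GitHub_SECRET_SCANNING` branch of the switch that follows, so any later change to how the GitHub scanner is invoked has to be made in two places, and the warning text ends in a colon with nothing after it. Resolve the default once before dispatching instead: `const tool = nameOfTool == null || nameOfTool === 'name-of-tool' ? GitHub_Tools.GitHub_SECRET_SCANNING : nameOfTool;` followed by `switch (tool.toLowerCase())`, which keeps a "not set, defaulting to GitHub Secret Scanning" warning but removes the early return and the second call site. Defaulting to a scanner when the config section is absent is a policy decision; record it in a comment on the guard so a missing section is not later mistaken for "control disabled" by someone reading the exported variables. The switch and the rest of the method lie outside the hunk.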
From 4bc037e02b1c59579cc8faac3d08b355bbdf89ca Mon Sep 17 00:00:00 2001
From: salemxd
Date: Wed, 22 May 2024 11:05:50 +0200
Subject: [PATCH 12/12] fixed github secret scanning tool name
---
 src/types/GitHubTools.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/types/GitHubTools.ts b/src/types/GitHubTools.ts
index 3532fc0f..2d745a98 100644
--- a/src/types/GitHubTools.ts
+++ b/src/types/GitHubTools.ts
@@ -1,7 +1,7 @@
 enum GitHub_Tools {
 DEPENDABOT = 'Dependabot',
 CODEQL = 'CodeQL',
- GitHub_SECRET_SCANNING = 'GithubSecretScanning',
+ GitHub_SECRET_SCANNING = 'GitHub',
 }
 export default GitHub_Tools;
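Review bot: Changing the enum value from 'GithubSecretScanning' to 'GitHub' alters two observable strings at once: the config value that selects the tool (compared case-insensitively in SecretScanningService.ts, so `github` now matches and `githubsecretscanning` no longer does) and the value written to the `secretScanningTool` exported variable on a successful scan in GithubSecretScanningService.ts. Neither the commit message nor the enum records that dual role, so add a comment on the member, e.g. `// Accepted value for secretScanningTool.nameOfTool; also exported as secretScanningTool`, and confirm that any consumer of that exported variable is updated to the new value.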