Circleci project setup

.circleci/config.yml

@@ -0,0 +1,34 @@
+# Use the latest 2.1 version of CircleCI pipeline process engine.
+# See: https://circleci.com/docs/2.0/configuration-reference
+version: 2.1
+
+# Define a job to be invoked later in a workflow.
+# See: https://circleci.com/docs/2.0/configuration-reference/#jobs
+jobs:
+  say-hello:
+    # Specify the execution environment. You can specify an image from Dockerhub or use one of our Convenience Images from CircleCI's Developer Hub.
+    # See: https://circleci.com/docs/2.0/configuration-reference/#docker-machine-macos-windows-executor
+    docker:
+      - image: cimg/base:stable
+    # Add steps to the job
+    # See: https://circleci.com/docs/2.0/configuration-reference/#steps
+    steps:
+      - checkout
+      - run:
+          name: ShiftLeft Build
+          command: |
+            #gcc main.c #build the app
+            #mkdir -p /tmp/workspace/target #create a directory for Qwiet
+            #mv target/hello-shiftleft-0.0.1.jar /tmp/workspace/target/
+            curl https://cdn.shiftleft.io/download/sl > /usr/local/bin/sl && chmod a+rx /usr/local/bin/sl #download Qwiet
+            PR_USER=$(echo $CIRCLE_PULL_REQUEST | cut -d '/' -f4)
+            PR_REPO=$(echo $CIRCLE_PULL_REQUEST | cut -d '/' -f5) 
+            PR_NUMBER=$(echo $CIRCLE_PULL_REQUEST | cut -d '/' -f7) 
+            sl analyze --wait --tag branch=$CIRCLE_BRANCH --app shiftleft-c-demo --container 18fgsa/s3-resource --c --cpg .
+
+# Invoke jobs via workflows
+# See: https://circleci.com/docs/2.0/configuration-reference/#workflows
+workflows:
+  say-hello-workflow:
+    jobs:
+      - say-hello

.github/workflows/shiftleft.yml

@@ -0,0 +1,45 @@
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  NextGen-Static-Analysis:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+    - name: Extract branch name
+      shell: bash
+      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+      id: extract_branch
+    - name: NextGen Static Analysis
+      run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app shiftleft-c-demo --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --c --cpg .
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+  Build-Rules: 
+    runs-on: ubuntu-latest
+    needs: NextGen-Static-Analysis
+    steps:
+    - uses: actions/checkout@v3
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+    - name: Validate Build Rules
+      run: |
+        ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-c-demo \
+            --github-pr-number=${{github.event.number}} \
+            --github-pr-user=${{ github.repository_owner }} \
+            --github-pr-repo=${{ github.event.repository.name }} \
+            --github-token=${{ secrets.GITHUB_TOKEN }}
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+

shiftleft.yml

@@ -0,0 +1,15 @@
+version: 2
+build_rules:
+  - id: Allow no critical findings
+    severities:
+      - critical
+  - id: Allow one OSS or container finding
+    finding_types:
+      - oss_vuln
+      - container
+    threshold: 1
+  - id: Allow no reachable OSS vulnerability
+    finding_types:
+      - oss_vuln
+    options:
+      reachable: true