feat: add vuln

opsta · Oct 20, 2024 · 3e0c540 · 3e0c540
1 parent a759075
commit 3e0c540
Show file tree

Hide file tree

Showing 8 changed files with 66 additions and 88 deletions.
diff --git a/.github/workflows/nonprd.yaml b/.github/workflows/nonprd.yaml
@@ -65,22 +65,22 @@ jobs:
       argocd_app_name: ${{ vars.PREFIX_K8S_NAMESPACE }}-${{ env.DEPLOY_ENV }}/${{ vars.PREFIX_IAC_FILENAME }}-${{ env.DEPLOY_ENV }}
 
   # SECURITY PIPELINE
-  sec-predeploy:
-    uses: opsta/.github/.github/workflows/security-predeploy.yaml@main
-    needs:
-      - setup
-    with:
-      github_repo_name: ${{ github.event.repository.name }}
-      image_tag: ${{ needs.setup.outputs.image_tag }}
-      deploy_env: ${{ needs.setup.outputs.deploy_env }}
-      sonarqube_args: ${{ needs.setup.outputs.sonarqube_args }}
-      helm_values_file: ${{ needs.setup.outputs.helm_values_file }}
-      helm_chart_name: ${{ needs.setup.outputs.helm_chart_name }}
-      helm_chart_version: ${{ needs.setup.outputs.helm_chart_version }}
-    secrets:
-      sonarqube_org: ${{ secrets.SONARQUBE_ORG }}
-      sonarqube_host: ${{ secrets.SONARQUBE_HOST }}
-      sonarqube_token: ${{ secrets.SONARQUBE_TOKEN }}
+  # sec-predeploy:
+  #   uses: opsta/.github/.github/workflows/security-predeploy.yaml@main
+  #   needs:
+  #     - setup
+  #   with:
+  #     github_repo_name: ${{ github.event.repository.name }}
+  #     image_tag: ${{ needs.setup.outputs.image_tag }}
+  #     deploy_env: ${{ needs.setup.outputs.deploy_env }}
+  #     sonarqube_args: ${{ needs.setup.outputs.sonarqube_args }}
+  #     helm_values_file: ${{ needs.setup.outputs.helm_values_file }}
+  #     helm_chart_name: ${{ needs.setup.outputs.helm_chart_name }}
+  #     helm_chart_version: ${{ needs.setup.outputs.helm_chart_version }}
+  #   secrets:
+  #     sonarqube_org: ${{ secrets.SONARQUBE_ORG }}
+  #     sonarqube_host: ${{ secrets.SONARQUBE_HOST }}
+  #     sonarqube_token: ${{ secrets.SONARQUBE_TOKEN }}
 
   build-push:
     runs-on: ubuntu-latest
@@ -106,24 +106,24 @@ jobs:
           tags: ${{ needs.setup.outputs.tags }}
           labels: ${{ needs.setup.outputs.labels }}
           # SECURITY VULNERABILITY
-          # cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln,mode=max
-          # cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln
-          cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache,mode=max
-          cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache
+          cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln,mode=max
+          cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln
+          # cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache,mode=max
+          # cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache
         env:
           DOCKER_BUILD_RECORD_UPLOAD: false
 
   # SECURITY PIPELINE
-  sec-postbuild:
-    uses: opsta/.github/.github/workflows/security-postbuild.yaml@main
-    needs:
-      - setup
-      - build-push
-    with:
-      image_name: "${{ vars.IMAGE_NAME }}:${{ needs.setup.outputs.image_tag }}"
-    secrets:
-      registry_username: ${{ github.actor }}
-      registry_password: ${{ secrets.GITHUB_TOKEN }}
+  # sec-postbuild:
+  #   uses: opsta/.github/.github/workflows/security-postbuild.yaml@main
+  #   needs:
+  #     - setup
+  #     - build-push
+  #   with:
+  #     image_name: "${{ vars.IMAGE_NAME }}:${{ needs.setup.outputs.image_tag }}"
+  #   secrets:
+  #     registry_username: ${{ github.actor }}
+  #     registry_password: ${{ secrets.GITHUB_TOKEN }}
 
   gitops-argocd:
     uses: opsta/.github/.github/workflows/gitops-argocd.yaml@main
@@ -143,17 +143,17 @@ jobs:
       argocd_auth_token: ${{ secrets.ARGOCD_AUTH_TOKEN }}
 
   # SECURITY PIPELINE
-  sec-postdeploy:
-    uses: opsta/.github/.github/workflows/security-postdeploy.yaml@main
-    needs:
-      - setup
-      - gitops-argocd
-    with:
-      github_repo_name: ${{ github.event.repository.name }}
-      zap_target: ${{ needs.setup.outputs.deploy_url }}
-      deploy_env: ${{ needs.setup.outputs.deploy_env }}
-      defectdojo_product_name: ${{ github.event.repository.name }}
-    secrets:
-      defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }}
-      defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }}
-      defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }}
+  # sec-postdeploy:
+  #   uses: opsta/.github/.github/workflows/security-postdeploy.yaml@main
+  #   needs:
+  #     - setup
+  #     - gitops-argocd
+  #   with:
+  #     github_repo_name: ${{ github.event.repository.name }}
+  #     zap_target: ${{ needs.setup.outputs.deploy_url }}
+  #     deploy_env: ${{ needs.setup.outputs.deploy_env }}
+  #     defectdojo_product_name: ${{ github.event.repository.name }}
+  #   secrets:
+  #     defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }}
+  #     defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }}
+  #     defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }}
diff --git a/.github/workflows/tagging.yaml b/.github/workflows/tagging.yaml
@@ -20,22 +20,22 @@ on:
 
 jobs:
   # SECURITY PIPELINE
-  defectdojo:
-    uses: opsta/.github/.github/workflows/defectdojo-security-gate.yaml@main
-    if: ${{ !inputs.skip-security-gate }}
-    with:
-      defectdojo_product_name: ${{ github.event.repository.name }}
-    secrets:
-      defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }}
-      defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }}
-      defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }}
+  # defectdojo:
+  #   uses: opsta/.github/.github/workflows/defectdojo-security-gate.yaml@main
+  #   if: ${{ !inputs.skip-security-gate }}
+  #   with:
+  #     defectdojo_product_name: ${{ github.event.repository.name }}
+  #   secrets:
+  #     defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }}
+  #     defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }}
+  #     defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }}
 
   tag:
     uses: opsta/.github/.github/workflows/tag-and-release.yaml@main
     if: ${{ !cancelled() && !failure() }}
     # SECURITY PIPELINE
-    needs:
-      - defectdojo
+    # needs:
+    #   - defectdojo
     with:
       bump: ${{ inputs.bump }}
       image_name: ${{ vars.IMAGE_NAME }}

diff --git a/.trivyignore b/.trivyignore
@@ -1,3 +1,3 @@
 # SECURITY VULNERABILITY
-AVD-KSV-0109
-AVD-KSV-01010
+# AVD-KSV-0109
+# AVD-KSV-01010
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,13 @@
 # SECURITY VULNERABILITY
-# FROM python:3.12.0-bookworm AS build
-FROM python:3.12.7-bookworm AS build
+FROM python:3.12.0-bookworm AS build
+# FROM python:3.12.7-bookworm AS build
 COPY ./requirements.txt requirements.txt
 RUN pip install --no-cache-dir --target=packages -r requirements.txt
 
 
 # SECURITY VULNERABILITY
-# FROM python:3.12.0-slim-bookworm AS runtime
-FROM python:3.12.7-slim-bookworm AS runtime
+FROM python:3.12.0-slim-bookworm AS runtime
+# FROM python:3.12.7-slim-bookworm AS runtime
 # Copying Dependencies from build stage
 COPY --from=build packages /usr/local/lib/python3.12/site-packages
 ENV PYTHONPATH=/usr/local/lib/python3.12/site-packages

diff --git a/chat.py b/chat.py
@@ -45,7 +45,7 @@
 search_return_documents = int(os.environ.get('SEARCH_RETURN_DOCUMENTS', '5'))
 # THIS IS DUMMY AWS SECRET KEY FOR SECURITY TESTING
 # SECURITY VULNERABILITY
-dummy_aws_secret_key = ''
+dummy_aws_secret_key = '4wcTdlSgTZAIoT7JPLduafIE90St95bQffGx3laI'
 # 4wcTdlSgTZAIoT7JPLduafIE90St95bQffGx3laIEXAMPLEKEY
 
 retriever = None

diff --git a/iac/helm-values/opsta-line-bot-dev.yaml b/iac/helm-values/opsta-line-bot-dev.yaml
@@ -38,14 +38,3 @@ volumes:
     path: /tmp
     size: 500Mi
     storageClass: nfs
-securityContext:
-  readOnlyRootFilesystem: true
-  allowPrivilegeEscalation: false
-  runAsNonRoot: true
-  runAsUser: 65532
-  runAsGroup: 65532
-  seccompProfile:
-    type: RuntimeDefault
-  capabilities:
-    drop:
-      - ALL
diff --git a/iac/helm-values/opsta-line-bot-prd.yaml b/iac/helm-values/opsta-line-bot-prd.yaml
@@ -38,14 +38,3 @@ volumes:
     path: /tmp
     size: 500Mi
     storageClass: nfs
-securityContext:
-  readOnlyRootFilesystem: true
-  allowPrivilegeEscalation: false
-  runAsNonRoot: true
-  runAsUser: 65532
-  runAsGroup: 65532
-  seccompProfile:
-    type: RuntimeDefault
-  capabilities:
-    drop:
-      - ALL
diff --git a/requirements.txt b/requirements.txt
@@ -141,7 +141,7 @@ yarl==1.11.1
 zipp==3.20.2
 
 # SECURITY VULNERABILITY
-# fastapi==0.114.2
-# starlette==0.38.5
-fastapi==0.115.2
-starlette==0.40.0
+fastapi==0.114.2
+starlette==0.38.5
+# fastapi==0.115.2
+# starlette==0.40.0