Skip to content

Commit

Permalink
feat: remove security
Browse files Browse the repository at this point in the history
  • Loading branch information
winggundamth committed Oct 31, 2024
1 parent fc97625 commit b8725cd
Show file tree
Hide file tree
Showing 8 changed files with 66 additions and 88 deletions.
88 changes: 44 additions & 44 deletions .github/workflows/nonprd.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -65,22 +65,22 @@ jobs:
argocd_app_name: ${{ vars.PREFIX_K8S_NAMESPACE }}-${{ env.DEPLOY_ENV }}/${{ vars.PREFIX_IAC_FILENAME }}-${{ env.DEPLOY_ENV }}

# SECURITY PIPELINE
sec-predeploy:
uses: opsta/.github/.github/workflows/security-predeploy.yaml@main
needs:
- setup
with:
github_repo_name: ${{ github.event.repository.name }}
image_tag: ${{ needs.setup.outputs.image_tag }}
deploy_env: ${{ needs.setup.outputs.deploy_env }}
sonarqube_args: ${{ needs.setup.outputs.sonarqube_args }}
helm_values_file: ${{ needs.setup.outputs.helm_values_file }}
helm_chart_name: ${{ needs.setup.outputs.helm_chart_name }}
helm_chart_version: ${{ needs.setup.outputs.helm_chart_version }}
secrets:
sonarqube_org: ${{ secrets.SONARQUBE_ORG }}
sonarqube_host: ${{ secrets.SONARQUBE_HOST }}
sonarqube_token: ${{ secrets.SONARQUBE_TOKEN }}
# sec-predeploy:
# uses: opsta/.github/.github/workflows/security-predeploy.yaml@main
# needs:
# - setup
# with:
# github_repo_name: ${{ github.event.repository.name }}
# image_tag: ${{ needs.setup.outputs.image_tag }}
# deploy_env: ${{ needs.setup.outputs.deploy_env }}
# sonarqube_args: ${{ needs.setup.outputs.sonarqube_args }}
# helm_values_file: ${{ needs.setup.outputs.helm_values_file }}
# helm_chart_name: ${{ needs.setup.outputs.helm_chart_name }}
# helm_chart_version: ${{ needs.setup.outputs.helm_chart_version }}
# secrets:
# sonarqube_org: ${{ secrets.SONARQUBE_ORG }}
# sonarqube_host: ${{ secrets.SONARQUBE_HOST }}
# sonarqube_token: ${{ secrets.SONARQUBE_TOKEN }}

build-push:
runs-on: ubuntu-latest
Expand All @@ -106,24 +106,24 @@ jobs:
tags: ${{ needs.setup.outputs.tags }}
labels: ${{ needs.setup.outputs.labels }}
# SECURITY VULNERABILITY
# cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln,mode=max
# cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln
cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache,mode=max
cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache
cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln,mode=max
cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln
# cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache,mode=max
# cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache
env:
DOCKER_BUILD_RECORD_UPLOAD: false

# SECURITY PIPELINE
sec-postbuild:
uses: opsta/.github/.github/workflows/security-postbuild.yaml@main
needs:
- setup
- build-push
with:
image_name: "${{ vars.IMAGE_NAME }}:${{ needs.setup.outputs.image_tag }}"
secrets:
registry_username: ${{ github.actor }}
registry_password: ${{ secrets.GITHUB_TOKEN }}
# sec-postbuild:
# uses: opsta/.github/.github/workflows/security-postbuild.yaml@main
# needs:
# - setup
# - build-push
# with:
# image_name: "${{ vars.IMAGE_NAME }}:${{ needs.setup.outputs.image_tag }}"
# secrets:
# registry_username: ${{ github.actor }}
# registry_password: ${{ secrets.GITHUB_TOKEN }}

gitops-argocd:
uses: opsta/.github/.github/workflows/gitops-argocd.yaml@main
Expand All @@ -143,17 +143,17 @@ jobs:
argocd_auth_token: ${{ secrets.ARGOCD_AUTH_TOKEN }}

# SECURITY PIPELINE
sec-postdeploy:
uses: opsta/.github/.github/workflows/security-postdeploy.yaml@main
needs:
- setup
- gitops-argocd
with:
github_repo_name: ${{ github.event.repository.name }}
zap_target: ${{ needs.setup.outputs.deploy_url }}
deploy_env: ${{ needs.setup.outputs.deploy_env }}
defectdojo_product_name: ${{ github.event.repository.name }}
secrets:
defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }}
defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }}
defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }}
# sec-postdeploy:
# uses: opsta/.github/.github/workflows/security-postdeploy.yaml@main
# needs:
# - setup
# - gitops-argocd
# with:
# github_repo_name: ${{ github.event.repository.name }}
# zap_target: ${{ needs.setup.outputs.deploy_url }}
# deploy_env: ${{ needs.setup.outputs.deploy_env }}
# defectdojo_product_name: ${{ github.event.repository.name }}
# secrets:
# defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }}
# defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }}
# defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }}
18 changes: 9 additions & 9 deletions .github/workflows/tagging.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -20,15 +20,15 @@ on:

jobs:
# SECURITY PIPELINE
defectdojo:
uses: opsta/.github/.github/workflows/defectdojo-security-gate.yaml@main
if: ${{ !inputs.skip-security-gate }}
with:
defectdojo_product_name: ${{ github.event.repository.name }}
secrets:
defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }}
defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }}
defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }}
# defectdojo:
# uses: opsta/.github/.github/workflows/defectdojo-security-gate.yaml@main
# if: ${{ !inputs.skip-security-gate }}
# with:
# defectdojo_product_name: ${{ github.event.repository.name }}
# secrets:
# defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }}
# defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }}
# defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }}

tag:
uses: opsta/.github/.github/workflows/tag-and-release.yaml@main
Expand Down
4 changes: 2 additions & 2 deletions .trivyignore
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
# SECURITY VULNERABILITY
AVD-KSV-0109
AVD-KSV-01010
# AVD-KSV-0109
# AVD-KSV-01010
8 changes: 4 additions & 4 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
# SECURITY VULNERABILITY
# FROM python:3.12.0-bookworm AS build
FROM python:3.12.7-bookworm AS build
FROM python:3.12.0-bookworm AS build
# FROM python:3.12.7-bookworm AS build
COPY ./requirements.txt requirements.txt
RUN pip install --no-cache-dir --target=packages -r requirements.txt


# SECURITY VULNERABILITY
# FROM python:3.12.0-slim-bookworm AS runtime
FROM python:3.12.7-slim-bookworm AS runtime
FROM python:3.12.0-slim-bookworm AS runtime
# FROM python:3.12.7-slim-bookworm AS runtime
# Copying Dependencies from build stage
COPY --from=build packages /usr/local/lib/python3.12/site-packages
ENV PYTHONPATH=/usr/local/lib/python3.12/site-packages
Expand Down
2 changes: 1 addition & 1 deletion chat.py
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@
search_return_documents = int(os.environ.get('SEARCH_RETURN_DOCUMENTS', '5'))
# THIS IS DUMMY AWS SECRET KEY FOR SECURITY TESTING
# SECURITY VULNERABILITY
dummy_aws_secret_key = ''
dummy_aws_secret_key = '4wcTdlSgTZAIoT7JPLduafIE90St95bQffGx3laI'
# 4wcTdlSgTZAIoT7JPLduafIE90St95bQffGx3laIEXAMPLEKEY

retriever = None
Expand Down
11 changes: 0 additions & 11 deletions iac/helm-values/opsta-line-bot-dev.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -38,14 +38,3 @@ volumes:
path: /tmp
size: 500Mi
storageClass: nfs
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
11 changes: 0 additions & 11 deletions iac/helm-values/opsta-line-bot-prd.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -38,14 +38,3 @@ volumes:
path: /tmp
size: 500Mi
storageClass: nfs
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
runAsNonRoot: true
runAsUser: 65532
runAsGroup: 65532
seccompProfile:
type: RuntimeDefault
capabilities:
drop:
- ALL
12 changes: 6 additions & 6 deletions requirements.txt
Original file line number Diff line number Diff line change
Expand Up @@ -140,9 +140,9 @@ yarl==1.11.1
zipp==3.20.2

# SECURITY VULNERABILITY
# fastapi==0.114.2
# starlette==0.38.5
# Werkzeug==3.0.4
fastapi==0.115.2
starlette==0.40.0
Werkzeug==3.0.6
fastapi==0.114.2
starlette==0.38.5
Werkzeug==3.0.4
# fastapi==0.115.2
# starlette==0.40.0
# Werkzeug==3.0.6

0 comments on commit b8725cd

Please sign in to comment.