diff --git a/.github/workflows/nonprd.yaml b/.github/workflows/nonprd.yaml index 8c46831..d89fa6e 100644 --- a/.github/workflows/nonprd.yaml +++ b/.github/workflows/nonprd.yaml @@ -65,22 +65,22 @@ jobs: argocd_app_name: ${{ vars.PREFIX_K8S_NAMESPACE }}-${{ env.DEPLOY_ENV }}/${{ vars.PREFIX_IAC_FILENAME }}-${{ env.DEPLOY_ENV }} # SECURITY PIPELINE - sec-predeploy: - uses: opsta/.github/.github/workflows/security-predeploy.yaml@main - needs: - - setup - with: - github_repo_name: ${{ github.event.repository.name }} - image_tag: ${{ needs.setup.outputs.image_tag }} - deploy_env: ${{ needs.setup.outputs.deploy_env }} - sonarqube_args: ${{ needs.setup.outputs.sonarqube_args }} - helm_values_file: ${{ needs.setup.outputs.helm_values_file }} - helm_chart_name: ${{ needs.setup.outputs.helm_chart_name }} - helm_chart_version: ${{ needs.setup.outputs.helm_chart_version }} - secrets: - sonarqube_org: ${{ secrets.SONARQUBE_ORG }} - sonarqube_host: ${{ secrets.SONARQUBE_HOST }} - sonarqube_token: ${{ secrets.SONARQUBE_TOKEN }} + # sec-predeploy: + # uses: opsta/.github/.github/workflows/security-predeploy.yaml@main + # needs: + # - setup + # with: + # github_repo_name: ${{ github.event.repository.name }} + # image_tag: ${{ needs.setup.outputs.image_tag }} + # deploy_env: ${{ needs.setup.outputs.deploy_env }} + # sonarqube_args: ${{ needs.setup.outputs.sonarqube_args }} + # helm_values_file: ${{ needs.setup.outputs.helm_values_file }} + # helm_chart_name: ${{ needs.setup.outputs.helm_chart_name }} + # helm_chart_version: ${{ needs.setup.outputs.helm_chart_version }} + # secrets: + # sonarqube_org: ${{ secrets.SONARQUBE_ORG }} + # sonarqube_host: ${{ secrets.SONARQUBE_HOST }} + # sonarqube_token: ${{ secrets.SONARQUBE_TOKEN }} build-push: runs-on: ubuntu-latest @@ -106,24 +106,24 @@ jobs: tags: ${{ needs.setup.outputs.tags }} labels: ${{ needs.setup.outputs.labels }} # SECURITY VULNERABILITY - # cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln,mode=max - # cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln - cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache,mode=max - cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache + cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln,mode=max + cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln + # cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache,mode=max + # cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache env: DOCKER_BUILD_RECORD_UPLOAD: false # SECURITY PIPELINE - sec-postbuild: - uses: opsta/.github/.github/workflows/security-postbuild.yaml@main - needs: - - setup - - build-push - with: - image_name: "${{ vars.IMAGE_NAME }}:${{ needs.setup.outputs.image_tag }}" - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.GITHUB_TOKEN }} + # sec-postbuild: + # uses: opsta/.github/.github/workflows/security-postbuild.yaml@main + # needs: + # - setup + # - build-push + # with: + # image_name: "${{ vars.IMAGE_NAME }}:${{ needs.setup.outputs.image_tag }}" + # secrets: + # registry_username: ${{ github.actor }} + # registry_password: ${{ secrets.GITHUB_TOKEN }} gitops-argocd: uses: opsta/.github/.github/workflows/gitops-argocd.yaml@main @@ -143,17 +143,17 @@ jobs: argocd_auth_token: ${{ secrets.ARGOCD_AUTH_TOKEN }} # SECURITY PIPELINE - sec-postdeploy: - uses: opsta/.github/.github/workflows/security-postdeploy.yaml@main - needs: - - setup - - gitops-argocd - with: - github_repo_name: ${{ github.event.repository.name }} - zap_target: ${{ needs.setup.outputs.deploy_url }} - deploy_env: ${{ needs.setup.outputs.deploy_env }} - defectdojo_product_name: ${{ github.event.repository.name }} - secrets: - defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }} - defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }} - defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }} + # sec-postdeploy: + # uses: opsta/.github/.github/workflows/security-postdeploy.yaml@main + # needs: + # - setup + # - gitops-argocd + # with: + # github_repo_name: ${{ github.event.repository.name }} + # zap_target: ${{ needs.setup.outputs.deploy_url }} + # deploy_env: ${{ needs.setup.outputs.deploy_env }} + # defectdojo_product_name: ${{ github.event.repository.name }} + # secrets: + # defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }} + # defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }} + # defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }} diff --git a/.github/workflows/tagging.yaml b/.github/workflows/tagging.yaml index f89b546..7c58453 100644 --- a/.github/workflows/tagging.yaml +++ b/.github/workflows/tagging.yaml @@ -20,15 +20,15 @@ on: jobs: # SECURITY PIPELINE - defectdojo: - uses: opsta/.github/.github/workflows/defectdojo-security-gate.yaml@main - if: ${{ !inputs.skip-security-gate }} - with: - defectdojo_product_name: ${{ github.event.repository.name }} - secrets: - defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }} - defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }} - defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }} + # defectdojo: + # uses: opsta/.github/.github/workflows/defectdojo-security-gate.yaml@main + # if: ${{ !inputs.skip-security-gate }} + # with: + # defectdojo_product_name: ${{ github.event.repository.name }} + # secrets: + # defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }} + # defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }} + # defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }} tag: uses: opsta/.github/.github/workflows/tag-and-release.yaml@main diff --git a/.trivyignore b/.trivyignore index f76911c..06fc2a3 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,3 +1,3 @@ # SECURITY VULNERABILITY -AVD-KSV-0109 -AVD-KSV-01010 +# AVD-KSV-0109 +# AVD-KSV-01010 diff --git a/Dockerfile b/Dockerfile index 9718360..d26dcd6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,13 +1,13 @@ # SECURITY VULNERABILITY -# FROM python:3.12.0-bookworm AS build -FROM python:3.12.7-bookworm AS build +FROM python:3.12.0-bookworm AS build +# FROM python:3.12.7-bookworm AS build COPY ./requirements.txt requirements.txt RUN pip install --no-cache-dir --target=packages -r requirements.txt # SECURITY VULNERABILITY -# FROM python:3.12.0-slim-bookworm AS runtime -FROM python:3.12.7-slim-bookworm AS runtime +FROM python:3.12.0-slim-bookworm AS runtime +# FROM python:3.12.7-slim-bookworm AS runtime # Copying Dependencies from build stage COPY --from=build packages /usr/local/lib/python3.12/site-packages ENV PYTHONPATH=/usr/local/lib/python3.12/site-packages diff --git a/chat.py b/chat.py index 1075a64..16f3fc0 100644 --- a/chat.py +++ b/chat.py @@ -45,7 +45,7 @@ search_return_documents = int(os.environ.get('SEARCH_RETURN_DOCUMENTS', '5')) # THIS IS DUMMY AWS SECRET KEY FOR SECURITY TESTING # SECURITY VULNERABILITY -dummy_aws_secret_key = '' +dummy_aws_secret_key = '4wcTdlSgTZAIoT7JPLduafIE90St95bQffGx3laI' # 4wcTdlSgTZAIoT7JPLduafIE90St95bQffGx3laIEXAMPLEKEY retriever = None diff --git a/iac/helm-values/opsta-line-bot-dev.yaml b/iac/helm-values/opsta-line-bot-dev.yaml index 882d444..6f054f7 100644 --- a/iac/helm-values/opsta-line-bot-dev.yaml +++ b/iac/helm-values/opsta-line-bot-dev.yaml @@ -38,14 +38,3 @@ volumes: path: /tmp size: 500Mi storageClass: nfs -securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL diff --git a/iac/helm-values/opsta-line-bot-prd.yaml b/iac/helm-values/opsta-line-bot-prd.yaml index 8d8550d..ba32a9c 100644 --- a/iac/helm-values/opsta-line-bot-prd.yaml +++ b/iac/helm-values/opsta-line-bot-prd.yaml @@ -38,14 +38,3 @@ volumes: path: /tmp size: 500Mi storageClass: nfs -securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL diff --git a/requirements.txt b/requirements.txt index 9c8802c..4c1bc85 100644 --- a/requirements.txt +++ b/requirements.txt @@ -140,9 +140,9 @@ yarl==1.11.1 zipp==3.20.2 # SECURITY VULNERABILITY -# fastapi==0.114.2 -# starlette==0.38.5 -# Werkzeug==3.0.4 -fastapi==0.115.2 -starlette==0.40.0 -Werkzeug==3.0.6 +fastapi==0.114.2 +starlette==0.38.5 +Werkzeug==3.0.4 +# fastapi==0.115.2 +# starlette==0.40.0 +# Werkzeug==3.0.6