From b8725cd335115e48dfee0330f1e80ee598bd01d0 Mon Sep 17 00:00:00 2001 From: "Jirayut Nimsaeng (Dear)" Date: Thu, 31 Oct 2024 04:38:28 +0000 Subject: [PATCH] feat: remove security --- .github/workflows/nonprd.yaml | 88 ++++++++++++------------- .github/workflows/tagging.yaml | 18 ++--- .trivyignore | 4 +- Dockerfile | 8 +-- chat.py | 2 +- iac/helm-values/opsta-line-bot-dev.yaml | 11 ---- iac/helm-values/opsta-line-bot-prd.yaml | 11 ---- requirements.txt | 12 ++-- 8 files changed, 66 insertions(+), 88 deletions(-) diff --git a/.github/workflows/nonprd.yaml b/.github/workflows/nonprd.yaml index 8c46831..d89fa6e 100644 --- a/.github/workflows/nonprd.yaml +++ b/.github/workflows/nonprd.yaml 
@@ -65,22 +65,22 @@ jobs: argocd_app_name: ${{ vars.PREFIX_K8S_NAMESPACE }}-${{ env.DEPLOY_ENV }}/${{ vars.PREFIX_IAC_FILENAME }}-${{ env.DEPLOY_ENV }} # SECURITY PIPELINE - sec-predeploy: - uses: opsta/.github/.github/workflows/security-predeploy.yaml@main - needs: - - setup - with: - github_repo_name: ${{ github.event.repository.name }} - image_tag: ${{ needs.setup.outputs.image_tag }} - deploy_env: ${{ needs.setup.outputs.deploy_env }} - sonarqube_args: ${{ needs.setup.outputs.sonarqube_args }} - helm_values_file: ${{ needs.setup.outputs.helm_values_file }} - helm_chart_name: ${{ needs.setup.outputs.helm_chart_name }} - helm_chart_version: ${{ needs.setup.outputs.helm_chart_version }} - secrets: - sonarqube_org: ${{ secrets.SONARQUBE_ORG }} - sonarqube_host: ${{ secrets.SONARQUBE_HOST }} - sonarqube_token: ${{ secrets.SONARQUBE_TOKEN }} + # sec-predeploy: + # uses: opsta/.github/.github/workflows/security-predeploy.yaml@main + # needs: + # - setup + # with: + # github_repo_name: ${{ github.event.repository.name }} + # image_tag: ${{ needs.setup.outputs.image_tag }} + # deploy_env: ${{ needs.setup.outputs.deploy_env }} + # sonarqube_args: ${{ needs.setup.outputs.sonarqube_args }} + # helm_values_file: ${{ needs.setup.outputs.helm_values_file }} + # helm_chart_name: ${{ needs.setup.outputs.helm_chart_name }} + # helm_chart_version: ${{ needs.setup.outputs.helm_chart_version }} + # secrets: + # sonarqube_org: ${{ secrets.SONARQUBE_ORG }} + # sonarqube_host: ${{ secrets.SONARQUBE_HOST }} + # sonarqube_token: ${{ secrets.SONARQUBE_TOKEN }} build-push: runs-on: ubuntu-latest 
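Review bot: Commenting out the whole `sec-predeploy` job removes the SonarQube and pre-deploy scanning from every non-prod run with nothing left in the workflow that records the gate was switched off, and the commit title ("remove security") gives no reason or duration. If this is a temporary toggle, keep the job definition and gate it instead, e.g. `if: ${{ vars.SKIP_SECURITY_PIPELINE != 'true' }}` directly under the `uses:` line, so the skip is visible in the run log and reversible by flipping a repository variable rather than editing the workflow. At minimum the `# SECURITY PIPELINE` comment above the block should state why the job is disabled and when it is expected to return, e.g. `# SECURITY PIPELINE (disabled <date>: reason — re-enable before promoting)`. The `build-push` job continues past the end of this hunk, so whether it still `needs:` anything security-related cannot be seen here.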
@@ -106,24 +106,24 @@ jobs: tags: ${{ needs.setup.outputs.tags }} labels: ${{ needs.setup.outputs.labels }} # SECURITY VULNERABILITY - # cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln,mode=max - # cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln - cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache,mode=max - cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache + cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln,mode=max + cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache-vuln + # cache-to: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache,mode=max + # cache-from: type=registry,ref=${{ vars.IMAGE_NAME }}:buildcache env: DOCKER_BUILD_RECORD_UPLOAD: false # SECURITY PIPELINE - sec-postbuild: - uses: opsta/.github/.github/workflows/security-postbuild.yaml@main - needs: - - setup - - build-push - with: - image_name: "${{ vars.IMAGE_NAME }}:${{ needs.setup.outputs.image_tag }}" - secrets: - registry_username: ${{ github.actor }} - registry_password: ${{ secrets.GITHUB_TOKEN }} + # sec-postbuild: + # uses: opsta/.github/.github/workflows/security-postbuild.yaml@main + # needs: + # - setup + # - build-push + # with: + # image_name: "${{ vars.IMAGE_NAME }}:${{ needs.setup.outputs.image_tag }}" + # secrets: + # registry_username: ${{ github.actor }} + # registry_password: ${{ secrets.GITHUB_TOKEN }} gitops-argocd: uses: opsta/.github/.github/workflows/gitops-argocd.yaml@main 
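Review bot: With `sec-postbuild` commented out, the image pushed as `${{ vars.IMAGE_NAME }}:${{ needs.setup.outputs.image_tag }}` is never scanned in the registry before `gitops-argocd` (whose `needs:` list is outside this hunk) picks it up, and the switch to `buildcache-vuln` means layers built from the downgraded base image and packages now live under their own cache tag in the same registry. If two caches are intentional so the vulnerable variant does not contaminate `buildcache`, say so in the `# SECURITY VULNERABILITY` comment, e.g. `# SECURITY VULNERABILITY — separate cache tag so layers from the intentionally vulnerable build never seed the normal buildcache`. As with the pre-deploy job, prefer keeping `sec-postbuild` in place with an `if:` on a repository variable over deleting it, so the scan can be re-enabled without a workflow change.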
@@ -143,17 +143,17 @@ jobs: argocd_auth_token: ${{ secrets.ARGOCD_AUTH_TOKEN }} # SECURITY PIPELINE - sec-postdeploy: - uses: opsta/.github/.github/workflows/security-postdeploy.yaml@main - needs: - - setup - - gitops-argocd - with: - github_repo_name: ${{ github.event.repository.name }} - zap_target: ${{ needs.setup.outputs.deploy_url }} - deploy_env: ${{ needs.setup.outputs.deploy_env }} - defectdojo_product_name: ${{ github.event.repository.name }} - secrets: - defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }} - defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }} - defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }} + # sec-postdeploy: + # uses: opsta/.github/.github/workflows/security-postdeploy.yaml@main + # needs: + # - setup + # - gitops-argocd + # with: + # github_repo_name: ${{ github.event.repository.name }} + # zap_target: ${{ needs.setup.outputs.deploy_url }} + # deploy_env: ${{ needs.setup.outputs.deploy_env }} + # defectdojo_product_name: ${{ github.event.repository.name }} + # secrets: + # defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }} + # defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }} + # defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }} diff --git a/.github/workflows/tagging.yaml b/.github/workflows/tagging.yaml index f89b546..7c58453 100644 --- a/.github/workflows/tagging.yaml +++ b/.github/workflows/tagging.yaml 
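Review bot: Commenting out `sec-postdeploy` removes the only post-deploy check in this file, so the URL in `needs.setup.outputs.deploy_url` is never DAST-scanned and no findings reach DefectDojo — which also empties the DefectDojo gate that the tagging workflow relies on (that gate is commented out in this same commit). If the goal is to disable the scan temporarily, keep the job and add `if: ${{ vars.SKIP_SECURITY_PIPELINE != 'true' }}` under `uses:` rather than removing the definition, so the dependency on `gitops-argocd` and the secrets wiring stay reviewable. This job appears to be the last in the file; nothing after it is visible.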
@@ -20,15 +20,15 @@ on: jobs: # SECURITY PIPELINE - defectdojo: - uses: opsta/.github/.github/workflows/defectdojo-security-gate.yaml@main - if: ${{ !inputs.skip-security-gate }} - with: - defectdojo_product_name: ${{ github.event.repository.name }} - secrets: - defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }} - defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }} - defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }} + # defectdojo: + # uses: opsta/.github/.github/workflows/defectdojo-security-gate.yaml@main + # if: ${{ !inputs.skip-security-gate }} + # with: + # defectdojo_product_name: ${{ github.event.repository.name }} + # secrets: + # defectdojo_host: ${{ secrets.DEFECTDOJO_HOST }} + # defectdojo_username: ${{ secrets.DEFECTDOJO_USERNAME }} + # defectdojo_password: ${{ secrets.DEFECTDOJO_PASSWORD }} tag: uses: opsta/.github/.github/workflows/tag-and-release.yaml@main diff --git a/.trivyignore b/.trivyignore index f76911c..06fc2a3 100644 --- a/.trivyignore +++ b/.trivyignore @@ -1,3 +1,3 @@ # SECURITY VULNERABILITY -AVD-KSV-0109 -AVD-KSV-01010 +# AVD-KSV-0109 +# AVD-KSV-01010 diff --git a/Dockerfile b/Dockerfile index 9718360..d26dcd6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,13 +1,13 @@ # SECURITY VULNERABILITY -# FROM python:3.12.0-bookworm AS build -FROM python:3.12.7-bookworm AS build +FROM python:3.12.0-bookworm AS build +# FROM python:3.12.7-bookworm AS build COPY ./requirements.txt requirements.txt RUN pip install --no-cache-dir --target=packages -r requirements.txt # SECURITY VULNERABILITY -# FROM python:3.12.0-slim-bookworm AS runtime -FROM python:3.12.7-slim-bookworm AS runtime +FROM python:3.12.0-slim-bookworm AS runtime +# FROM python:3.12.7-slim-bookworm AS runtime # Copying Dependencies from build stage COPY --from=build packages /usr/local/lib/python3.12/site-packages ENV PYTHONPATH=/usr/local/lib/python3.12/site-packages diff --git a/chat.py b/chat.py index 1075a64..16f3fc0 100644 --- a/chat.py +++ b/chat.py 
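Review bot: The removed `if: ${{ !inputs.skip-security-gate }}` shows this workflow already had an opt-out input for the DefectDojo gate, so commenting out the whole `defectdojo` job makes the gate unconditional-off and leaves `inputs.skip-security-gate` referenced only inside a comment (the `on:` block that presumably declares it is above this hunk). Either restore the job and let callers use the existing input, or remove the now-dead input from `on:` so nobody passes `skip-security-gate: false` expecting a gate that no longer runs. The `tag` job that follows is cut off at the end of the hunk, so whether it still `needs: defectdojo` (which would now fail to resolve) cannot be confirmed here.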
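Review bot: Both stages now pin `python:3.12.0-bookworm`, a tag whose content still moves as Docker Hub rebuilds it, so if this is meant to be a reproducible "known-vulnerable" fixture it should be pinned by digest, e.g. `FROM python:3.12.0-bookworm@sha256:<digest> AS build` and the same for the `-slim-bookworm` runtime stage. The `# SECURITY VULNERABILITY` marker above each `FROM` should also say that the downgrade is deliberate and what is expected to be reported, otherwise the next maintainer will simply bump it back. Note that this commit also deletes the `securityContext` blocks from both helm-values files, so the image's own `USER` directive (not visible in this hunk) is now the only thing deciding whether the runtime container runs as root.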
@@ -45,7 +45,7 @@ search_return_documents = int(os.environ.get('SEARCH_RETURN_DOCUMENTS', '5')) # THIS IS DUMMY AWS SECRET KEY FOR SECURITY TESTING # SECURITY VULNERABILITY -dummy_aws_secret_key = '' +dummy_aws_secret_key = '4wcTdlSgTZAIoT7JPLduafIE90St95bQffGx3laI' # 4wcTdlSgTZAIoT7JPLduafIE90St95bQffGx3laIEXAMPLEKEY retriever = None diff --git a/iac/helm-values/opsta-line-bot-dev.yaml b/iac/helm-values/opsta-line-bot-dev.yaml index 882d444..6f054f7 100644 --- a/iac/helm-values/opsta-line-bot-dev.yaml +++ b/iac/helm-values/opsta-line-bot-dev.yaml @@ -38,14 +38,3 @@ volumes: path: /tmp size: 500Mi storageClass: nfs -securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL diff --git a/iac/helm-values/opsta-line-bot-prd.yaml b/iac/helm-values/opsta-line-bot-prd.yaml index 8d8550d..ba32a9c 100644 --- a/iac/helm-values/opsta-line-bot-prd.yaml +++ b/iac/helm-values/opsta-line-bot-prd.yaml @@ -38,14 +38,3 @@ volumes: path: /tmp size: 500Mi storageClass: nfs -securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL diff --git a/requirements.txt b/requirements.txt index 9c8802c..4c1bc85 100644 --- a/requirements.txt +++ b/requirements.txt @@ -140,9 +140,9 @@ yarl==1.11.1 zipp==3.20.2 # SECURITY VULNERABILITY -# fastapi==0.114.2 -# starlette==0.38.5 -# Werkzeug==3.0.4 -fastapi==0.115.2 -starlette==0.40.0 -Werkzeug==3.0.6 +fastapi==0.114.2 +starlette==0.38.5 +Werkzeug==3.0.4 +# fastapi==0.115.2 +# starlette==0.40.0 +# Werkzeug==3.0.6
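Review bot: The new literal in `dummy_aws_secret_key` is a 40-character string in exactly the shape of an AWS secret access key, while the trailing comment shows the same string with `EXAMPLEKEY` appended — so the committed value is the scanner-triggering form, not the obviously-fake one. If this is planted on purpose to exercise secret scanning, say so next to it, e.g. `# Synthetic value in AWS secret-key format, planted for secret-scanner testing; never a live credential`, and confirm it was never a real key (once pushed it stays in history even after the line is reverted). Be aware that GitHub secret-scanning push protection, if enabled on the repo, may block pushes containing this string.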
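Review bot: The re-pinned `fastapi==0.114.2`, `starlette==0.38.5` and `Werkzeug==3.0.4` are labelled only `# SECURITY VULNERABILITY`, which says they are known-bad but not which advisories the pipeline is expected to report, so there is no way to tell from the file whether a scanner that stays silent is broken or the pins were simply bumped. Record the advisory reference beside each pin, e.g. `fastapi==0.114.2  # intentionally vulnerable pin — <advisory ID>`, and state that the downgrade is deliberate. Since the pre-deploy scan is disabled elsewhere in this commit, nothing in CI currently checks these versions at all.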