From 1eacd4767cc97a635476047ba635a3a3cf156ed8 Mon Sep 17 00:00:00 2001
From: Alper Gumus <140546841+agumus-veritone@users.noreply.github.com>
Date: Fri, 1 Sep 2023 17:37:02 -0500
Subject: [PATCH] Adding Orca scanners

---
 .github/workflows/Orca-IAC-scan.yaml | 39 ++++++++++++++++++++++++
 .github/workflows/Orca-image-scan.yaml | 36 ++++++++++++++++++++++
 .github/workflows/Orca-secrets-scan.yaml | 39 ++++++++++++++++++++++++
 3 files changed, 114 insertions(+)
 create mode 100644 .github/workflows/Orca-IAC-scan.yaml
 create mode 100644 .github/workflows/Orca-image-scan.yaml
 create mode 100644 .github/workflows/Orca-secrets-scan.yaml

diff --git a/.github/workflows/Orca-IAC-scan.yaml b/.github/workflows/Orca-IAC-scan.yaml
new file mode 100644
index 0000000..96ea2b5
--- /dev/null
+++ b/.github/workflows/Orca-IAC-scan.yaml
@@ -0,0 +1,39 @@
+name: Sample Orca IaC Scan Workflow
+on:
+  # Scan for each push event on your protected branch. If you have a different branch configured, please adjust the configuration accordingly by replacing 'main'.
+  push:
+    branches: ["main"]
+  # NOTE: To enable scanning for pull requests, uncomment the section below.
+  pull_request:
+    #branches: [ "main" ]
+  # NOTE: To schedule a daily scan at midnight, uncomment the section below.
+  schedule:
+    - cron: "0 0 * * *"
+jobs:
+  orca-iac_scan:
+    name: Orca IaC Scan
+    runs-on: ubuntu-latest
+    env:
+      PROJECT_KEY: default # Set the desired project to run the cli scanning with
+    steps:
+      # Checkout your repository under $GITHUB_WORKSPACE, so your job can access it
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+
+      - name: Run Orca IaC Scan
+        uses: orcasecurity/shiftleft-iac-action@v1
+        with:
+          api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
+          format: "sarif"
+          output: "results/"
+          console_output: json
+          project_key: ${{ env.PROJECT_KEY }}
+          path:
+            # scanning directories: ./terraform/ ./sub-dir/ and a file: ./Dockerfile
+            "."
+
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: orca-results
+          path: results/
diff --git a/.github/workflows/Orca-image-scan.yaml b/.github/workflows/Orca-image-scan.yaml
new file mode 100644
index 0000000..0d74d94
--- /dev/null
+++ b/.github/workflows/Orca-image-scan.yaml
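Review bot: The `pull_request:` and `schedule:` triggers are already active, yet the comments above them say "uncomment the section below" to enable them — the only commented line is `#branches: [ "main" ]`, so this workflow runs on every pull request (including fork PRs, where `secrets.ORCA_SECURITY_API_TOKEN` is not provided and the scan step will fail with an empty token) and daily at midnight. Either comment out the two trigger keys to match the text, or rewrite the comments to say the triggers are enabled and how to disable them. The same mismatch appears in the Orca-image-scan.yaml and Orca-secrets-scan.yaml hunks. Separately, the job declares no `permissions:` block and every action is pinned by mutable tag; adding `permissions: contents: read` at the top level and pinning `orcasecurity/shiftleft-iac-action` (which receives the API token) and the `actions/*` steps to a full commit SHA would limit what a compromised or retagged action could do with the job's credentials.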
@@ -0,0 +1,36 @@
+name: Sample Orca Container Image Scan Workflow
+on:
+  # Scan for each push event on your protected branch. If you have a different branch configured, please adjust the configuration accordingly by replacing 'main'.
+  push:
+    branches: ["main"]
+  # NOTE: To enable scanning for pull requests, uncomment the section below.
+  pull_request:
+    #branches: [ "main" ]
+  # NOTE: To schedule a daily scan at midnight, uncomment the section below.
+  schedule:
+    - cron: "0 0 * * *"
+jobs:
+  orca-container_scan:
+    name: Orca Container Image Scan
+    runs-on: ubuntu-latest
+    env:
+      PROJECT_KEY: default # Set the desired project to run the cli scanning with
+    steps:
+      # Checkout your repository under $GITHUB_WORKSPACE, so your job can access it
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+
+      - name: Run Orca Container Image Scan
+        uses: orcasecurity/shiftleft-container-image-action@v1
+        with:
+          api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
+          project_key: ${{ env.PROJECT_KEY }}
+          image: #requires a hardcoded value here!!!
+          output: "results/"
+          console_output: json
+
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: orca-results
+          path: results/
diff --git a/.github/workflows/Orca-secrets-scan.yaml b/.github/workflows/Orca-secrets-scan.yaml
new file mode 100644
index 0000000..6ee3e1e
--- /dev/null
+++ b/.github/workflows/Orca-secrets-scan.yaml
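Review bot: `image:` has no value — `#requires a hardcoded value here!!!` is a YAML comment, so the input parses as null and `orcasecurity/shiftleft-container-image-action` is given nothing to scan; with `push` to main and the daily `schedule` both active, this job will fail on every run until a value is set. Supply the image reference (or build the image in a preceding step and pass its tag via an output), or disable the triggers until the input is filled in. This hunk also omits `format: "sarif"`, which the IaC and FS workflows set, so the `orca-results` artifact will differ in format across the three workflows; add `format: "sarif"` here too if the container-image action accepts that input.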
@@ -0,0 +1,39 @@
+name: Sample Orca FS Scan Workflow
+on:
+  # Scan for each push event on your protected branch. If you have a different branch configured, please adjust the configuration accordingly by replacing 'main'.
+  push:
+    branches: ["main"]
+  # NOTE: To enable scanning for pull requests, uncomment the section below.
+  pull_request:
+    #branches: [ "main" ]
+  # NOTE: To schedule a daily scan at midnight, uncomment the section below.
+  schedule:
+    - cron: "0 0 * * *"
+jobs:
+  orca-fs-scan:
+    name: Orca Secrets Scan
+    runs-on: ubuntu-latest
+    env:
+      PROJECT_KEY: default # Set the desired project to run the cli scanning with
+    steps:
+      # Checkout your repository under $GITHUB_WORKSPACE, so your job can access it
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+
+      - name: Run Orca FS Secret Scan
+        uses: orcasecurity/shiftleft-fs-action@v1
+        with:
+          api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
+          project_key: ${{ env.PROJECT_KEY }}
+          path:
+            # scanning the entire repository
+            "."
+          format: "sarif"
+          output: "results/"
+          console_output: json
+
+      - uses: actions/upload-artifact@v3
+        if: always()
+        with:
+          name: orca-results
+          path: results/
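Review bot: The secrets-scan output written to `results/` is uploaded unconditionally (`if: always()`) as the `orca-results` artifact, and findings from a secrets scan may carry the matched strings or their exact file locations; workflow artifacts are downloadable by anyone with read access to the repository, which on a public repository is everyone. Consider not uploading raw secret-scan results at all and reviewing them in the Orca console, or at minimum add `retention-days: 1` to the `actions/upload-artifact` step so the findings do not linger for the default retention period. Also, the job id `orca-fs-scan` and step name `Run Orca FS Secret Scan` do not match the file name (`Orca-secrets-scan.yaml`) and job name (`Orca Secrets Scan`); renaming the id to `orca-secrets-scan` would make the run easier to find in the Actions UI.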