--v2 build rules

.github/workflows/inspect.yml

@@ -0,0 +1,32 @@
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+    # We recommend triggering a scan when merging to your default branch as a best practice,
+    # especially if you'd like to compare the results of two scans (e.g., a feature branch against the
+    # default branch)
+    branches:
+      - main
+      - master
+jobs:
+  NextGen-Static-Analysis:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+    # ShiftLeft requires Java 1.8. Post the package step override the version
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 1.8
+    - name: NextGen Static Analysis
+      run: ${GITHUB_WORKSPACE}/sl analyze --app ShiftLeftJS --tag branch=${{ github.head_ref }} --js --cpg $(pwd)
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/main.yml

@@ -0,0 +1,66 @@
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+  push:
+    branches: 
+      - main
+      - master
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  NextGen-Static-Analyis:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    # We are building this application with Java 11
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 11.0.x
+    - name: Build and package with Maven
+      run: mvn clean package -DskipTests
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+    # ShiftLeft requires Java 1.8. Post the package step override the version
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 1.8
+    - name: Extract branch name
+      shell: bash
+      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+      id: extract_branch
+    - name: NextGen Static Analysis
+      run: ${GITHUB_WORKSPACE}/sl analyze --wait --app HelloShiftLeft --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --remediation-config remediation.yaml --vcs-prefix-correction "*=/src/main/java" --java ./target/HelloShiftLeft-1.0.0.jar
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+    - name: Validate Build Rules
+      run: |
+        ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app java-sec-code \
+            --report \
+            --github-pr-number=${{github.event.number}} \
+            --github-pr-user=${{ github.repository_owner }} \
+            --github-pr-repo=${{ github.event.repository.name }} \
+            --github-token=${{ secrets.GITHUB_TOKEN }}
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
+    - name: Validate Build Rules
+      run: |
+        ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app HelloShiftLeft \
+            --report \
+            --github-pr-number=${{github.event.number}} \
+            --github-pr-user=${{ github.repository_owner }} \
+            --github-pr-repo=${{ github.event.repository.name }} \
+            --github-token=${{ secrets.GITHUB_TOKEN }}
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}

.github/workflows/qwiet.yml

@@ -0,0 +1,38 @@
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+  push:
+    branches: 
+      - main
+      - master
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  NextGen-Static-Analyis:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    # We are building this application with Java 11
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 11.0.x
+    - name: Build and package with Maven
+      run: mvn clean package -DskipTests
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+    # ShiftLeft requires Java 1.8. Post the package step override the version
+    - name: Setup Java JDK
+      uses: actions/[email protected]
+      with:
+        java-version: 1.8
+    - name: NextGen Static Analysis
+      run: ${GITHUB_WORKSPACE}/sl analyze --app HelloShiftLeft-test --vcs-prefix-correction "*=/src/main/java" --java ./target/HelloShiftLeft-1.0.0.jar
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+

.github/workflows/shiftleft.yml

@@ -0,0 +1,68 @@
+---
+# This workflow integrates qwiet.ai preZero with GitHub
+# Visit https://docs.shiftleft.io for help
+name: qwiet.ai
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  NextGen-Static-Analysis:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - name: Setup Java JDK v11
+      uses: actions/setup-java@v3
+      with:
+        distribution: zulu
+        java-version: 11
+
+    - name: Setup Java JDK v8
+      uses: actions/setup-java@v3
+      with:
+        distribution: zulu
+        java-version: 8
+
+    - name: Download ShiftLeft CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+
+    - name: preZero Static Analysis
+      run: |
+        ${GITHUB_WORKSPACE}/sl --version
+        ${GITHUB_WORKSPACE}/sl analyze --strict --wait \
+          --app HelloShiftLeft \
+          --tag branch=${{ github.head_ref }} \
+          --java --container 18fgsa/s3-resource $(pwd)
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+        SHIFTLEFT_API_HOST: www.shiftleft.io
+        SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+        SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+
+#   Build-Rules:
+#     runs-on: ubuntu-latest
+#     permissions: write-all
+#     needs: NextGen-Static-Analysis
+#     steps:
+#     - uses: actions/checkout@v3
+#     - name: Download ShiftLeft CLI
+#       run: |
+#         curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+#     - name: Validate Build Rules
+#       run: |
+#         ${GITHUB_WORKSPACE}/sl check-analysis --app HelloShiftLeft \
+#             --github-pr-number=${{github.event.number}} \
+#             --github-pr-user=${{ github.repository_owner }} \
+#             --github-pr-repo=${{ github.event.repository.name }} \
+#             --github-token=${{ secrets.GITHUB_TOKEN }}
+#       env:
+#         # SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+#
+#         SHIFTLEFT_API_HOST: www.shiftleft.io
+#         SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+#         SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
+#
+
+

shiftleft.yaml

@@ -0,0 +1,110 @@
+build_rules:
+  - id: "No critical or high SAST findings"
+    finding_types:
+      - vuln
+    cvss_31_severity_ratings:
+      - critical
+      - high
+    threshold: 0
+    - id: "No secrets"
+    finding_types:
+      - secret
+    threshold: 0  
+    options:
+      num_findings: 10 # Return 10 sast findings
+  - id: "No reachable SCA findings"
+    finding_types:
+      - oss_vuln
+    cvss_31_severity_ratings:
+      - critical
+      - high
+    threshold: 0
+    options:
+      reachable: true
+      num_findings: 10 # Return 10 reachable sca findings
+  - id: "No critical or high container findings"
+    finding_types:
+      - container
+    cvss_31_severity_ratings:
+      - critical
+      - high
+    threshold: 0
+    options:
+      num_findings: 10 # Return 10 container findings
+# The above rule is perhaps the most common in that it
+# is designed to be used with Pull Request and to block
+# new vulns from being introduced that aren't already on
+# the 'main' branch
+#
+# Below is enchalada with all the options shown
+#
+# ID is the name that will be reflected in the PR comments
+#  - id: build-rule-enchalada
+#      - vuln
+#.     - oss_vuln
+#      - secret
+#      - insight
+#      - container
+# Do you want to block ALL types by severity?
+#    cvss_31_severity_ratings:
+#      - critical
+#      - high
+#      - medium
+#.     - low
+# Do you want to focus on just one or more types?
+#    type:
+#      - Weak Random
+#      - Sensitive Data Leak
+#      - Deserialization
+#      - Directory Traversal
+#      - Sensitive Data Exposure
+#      - Remote Code Execution
+#      - Command Injection
+#      - Security Best Practices
+#      - Unsafe Reflection
+#      - Regex Injection
+#      - SQL Injection
+#      - XML External Entities
+#      - Template Injection
+#      - Cross-Site Scripting
+#      - JSON Injection
+#      - Potential SQL Injection
+#      - Potential Regex Injection
+#      - Header Injection
+#      - Security Misconfiguration
+#      - Deprecated Function Use
+#      - Mail Injection
+#      - Race Condition
+#      - Sensitive Data Usage
+#      - Open Redirect
+#      - Error Handling
+#      - HTTP to Database
+#      - HTTP to Model
+#      - LDAP Injection
+#      - Denial of Service
+#      - CRLF Injection
+#      - NoSQL Injection
+#      - Weak Hash
+#      - Session Injection
+#      - Server-Side Request Forgery
+#      - Prototype Pollution
+#      - Log Forging
+#      - XPath Injection
+#      - Insecure Authentication
+#      - Intent Redirection
+#      - Authentication Bypass
+#      - Weak Cipher
+#      - Crypto
+# Focus by OWASP Category?
+#    owasp_category:
+#      - a01-2021-broken-access-control
+#      - a02-2021-cryptographic-failures
+#      - a03-2021-injection
+#      - a04-2021-insecure-design
+#      - a05-2021-security-misconfiguration
+#      - a06-2021-vulnerable-and-outdated-components
+#      - a07-2021-identification-and-authentication-failures
+#      - a08-2021-software-and-data-integrity-failures
+#      - a09-2021-security-logging-and-monitoring-failures
+#      - a10-2021-server-side-request-forgery-(ssrf)
+

shiftleft.yml

@@ -0,0 +1,15 @@
+version: 2
+build_rules:
+  - id: Allow no critical findings
+    severities:
+      - critical
+  - id: Allow one OSS or container finding
+    finding_types:
+      - oss_vuln
+      - container
+    threshold: 1
+  - id: Allow no reachable OSS vulnerability
+    finding_types:
+      - oss_vuln
+    options:
+      reachable: true