From 50d6ac003fde2bd44f790148a6482c066f529fff Mon Sep 17 00:00:00 2001 
From: dlpzx <71252798+dlpzx@users.noreply.github.com> Date: Thu, 11 Jan 2024 15:40:41 +0100 Subject: [PATCH] Add checkov GitHub actions (#962) ### Feature or Bugfix - Feature ### Detail #### Checkov Add checkov github action on PRs and push to `main` Checkov scans ignore the paths: tests/, .github, compose/, docker/dev/ that contain support or local development files. The PR ignores the findings, which should (or not) be handled in a separate PR - CKV_DOCKER_2, CKV_DOCKER_4 are skipped in the checkov github action definition. They are LOW severity recommendations - [CKV_DOCKER_2](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images) - Healthcheck instructions have not been added to container images - [CKV_DOCKER_4](https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles) - Copy is not used instead of Add in Dockerfiles - Some CloudFormation findings on the pivot role and in the cdk execution role YAML templated are skipped with `# checkov:skip=` comments. We should review each finding one by one. In addition, other next steps include the assessment of how we can synthesize cdk templates so that checkov scans them. #### Other changes - upgraded all Python version to 3.9 in all actions - removed duplicated `static-checking.yaml` test in favor of `flake8` (Renamed from `Lint` - standardize names ### Relates - #881 ### Security Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/). - Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? - Is the input sanitized? - What precautions are you taking before deserializing the data you consume? 
- Is injection prevented by parametrizing queries? - Have you ensured no `eval` or similar functions are used? - Does this PR introduce any functionality or component that requires authorization? - How have you ensured it respects the existing AuthN/AuthZ mechanisms? - Are you logging failed auth attempts? - Are you using or adding any cryptographic features? - Do you use a standard proven implementations? - Are the used keys controlled by the customer? Where are they stored? - Are you introducing any new policies/roles/users? - Have you used the least-privilege principle? How? By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. --- ...lidate-db-schema.yml => alembic-tests.yml} | 5 ++- .github/workflows/ash.yml | 2 +- .github/workflows/bandit.yml | 2 +- .github/workflows/cdk-nag.yml | 2 +- .github/workflows/checkov.yml | 35 +++++++++++++++++++ .github/workflows/eslint.yml | 2 +- .github/workflows/{lint.yml => flake8.yml} | 6 ++-- .../{coverage.yml => integration-tests.yml} | 4 +-- .github/workflows/npm-audit.yml | 2 +- .github/workflows/semgrep-schedule.yml | 35 ------------------- .github/workflows/semgrep.yml | 2 +- .github/workflows/static-checking.yml | 32 ----------------- deploy/cdk_exec_policy/cdkExecPolicy.yaml | 4 +++ deploy/pivot_role/pivotRole.yaml | 5 +++ 14 files changed, 57 insertions(+), 81 deletions(-) rename .github/workflows/{validate-db-schema.yml => alembic-tests.yml} (92%) create mode 100644 .github/workflows/checkov.yml rename .github/workflows/{lint.yml => flake8.yml} (91%) rename .github/workflows/{coverage.yml => integration-tests.yml} (93%) delete mode 100644 .github/workflows/semgrep-schedule.yml delete mode 100644 .github/workflows/static-checking.yml 
diff --git a/.github/workflows/validate-db-schema.yml b/.github/workflows/alembic-tests.yml
similarity index 92%
rename from .github/workflows/validate-db-schema.yml
rename to .github/workflows/alembic-tests.yml
index b61dfb212..1a9c7d0e5 100644
--- a/.github/workflows/validate-db-schema.yml
+++ b/.github/workflows/alembic-tests.yml
@@ -1,5 +1,4 @@
-name: Validate DB migration with alembic
-
+name: alembic migration tests
 on:
   workflow_dispatch:
   pull_request:
@@ -17,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [ 3.8 ]
+        python-version: [ 3.9 ]
     services:
       postgres:
         image: postgres
diff --git a/.github/workflows/ash.yml b/.github/workflows/ash.yml
index ea2b6aadd..4851dd5ce 100644
--- a/.github/workflows/ash.yml
+++ b/.github/workflows/ash.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.9]
     steps:
       - uses: actions/checkout@v3
       - name: Set up Python ${{ matrix.python-version }}
diff --git a/.github/workflows/bandit.yml b/.github/workflows/bandit.yml
index 029a69ee4..422f53b61 100644
--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -17,7 +17,7 @@ jobs:
   bandit:
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.9]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
diff --git a/.github/workflows/cdk-nag.yml b/.github/workflows/cdk-nag.yml
index 359fed3ce..98d9ec005 100644
--- a/.github/workflows/cdk-nag.yml
+++ b/.github/workflows/cdk-nag.yml
@@ -21,7 +21,7 @@ jobs:
   cdk-nag:
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.9]
     env:
       CDK_DEFAULT_REGION: eu-west-1
       CDK_DEFAULT_ACCOUNT: 111111111111
diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml
new file mode 100644
index 000000000..a654800b7
--- /dev/null
+++ b/.github/workflows/checkov.yml
@@ -0,0 +1,35 @@
+name: checkov
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+      - v2m*
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.9
+      - name: Test with Checkov
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: .
+          quiet: true
+          skip_path: tests/, .github, compose/, docker/dev/
+          hard_fail_on: MEDIUM
+          soft_fail_on: LOW
+          skip_check: CKV_DOCKER_2,CKV_DOCKER_4
diff --git a/.github/workflows/eslint.yml b/.github/workflows/eslint.yml
index 3689fc776..2b7df8146 100644
--- a/.github/workflows/eslint.yml
+++ b/.github/workflows/eslint.yml
@@ -1,4 +1,4 @@
-name: Run eslint
+name: eslint
 
 on:
   workflow_dispatch:
diff --git a/.github/workflows/lint.yml b/.github/workflows/flake8.yml
similarity index 91%
rename from .github/workflows/lint.yml
rename to .github/workflows/flake8.yml
index dd217713a..4f12285d7 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/flake8.yml
@@ -1,4 +1,4 @@
-name: Run Lint
+name: flake8
 
 on:
   workflow_dispatch:
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.8]
+        python-version: [3.9]
 
     steps:
       - uses: actions/checkout@v2
@@ -28,5 +28,5 @@ jobs:
           python -m pip install --upgrade pip
           python -m pip install isort
           python -m pip install flake8
-      - name: Lint
+      - name: flake8
         run: python -m flake8 --exclude cdk.out,blueprints --ignore E402,E501,F841,W503,F405,F403,F401,E712,E203 backend/
diff --git a/.github/workflows/coverage.yml b/.github/workflows/integration-tests.yml
similarity index 93%
rename from .github/workflows/coverage.yml
rename to .github/workflows/integration-tests.yml
index 140cfa60e..687b131ab 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/integration-tests.yml
@@ -1,4 +1,4 @@
-name: Coverage
+name: Integration tests
 
 on:
   workflow_dispatch:
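Review bot: `uses: bridgecrewio/checkov-action@master` runs whatever is currently on that third-party branch on every push to `main` and every PR, so a change to that branch becomes code executing in this repository's CI without any review here; pin it to an immutable ref, `uses: bridgecrewio/checkov-action@<full-commit-sha>  # <release tag>`, and let a dependency-update bot move the pin. The same job checks out with `actions/checkout@v2` while the other workflows touched by this commit use `@v3`, so `- uses: actions/checkout@v3` keeps them consistent. `python-version: 3.9` is an unquoted float that only round-trips by luck (a later `3.10` would parse as `3.1`); `python-version: "3.9"` is the safe form. The `skip_path` value keeps a space after each comma; I have not verified how the action splits that list, so it is worth confirming that the `.github`, `compose/` and `docker/dev/` entries are actually excluded before relying on it.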
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [ 3.8 ]
+        python-version: [ 3.9 ]
     services:
       postgres:
         image: postgres
diff --git a/.github/workflows/npm-audit.yml b/.github/workflows/npm-audit.yml
index a3caff061..eef58e9b9 100644
--- a/.github/workflows/npm-audit.yml
+++ b/.github/workflows/npm-audit.yml
@@ -1,4 +1,4 @@
-name: Run npm-audit
+name: npm-audit
 
 on:
   workflow_dispatch:
diff --git a/.github/workflows/semgrep-schedule.yml b/.github/workflows/semgrep-schedule.yml
deleted file mode 100644
index 7bfd546d3..000000000
--- a/.github/workflows/semgrep-schedule.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: Run Semgrep-full
-
-on:
-  workflow_dispatch:
-  branches:
-    - main
-  schedule:
-    - cron: '0 1 * * 2'
-
-permissions:
-  contents: read
-
-jobs:
-  semgrep-full:
-    runs-on: ubuntu-latest
-
-    container:
-      # A Docker image with Semgrep installed. Do not change this.
-      image: returntocorp/semgrep
-
-    # Skip any PR created by dependabot to avoid permission issues:
-    if: (github.actor != 'dependabot[bot]')
-
-    steps:
-      - uses: actions/checkout@v3
-      run: semgrep ci --verbose --metrics=off --sarif --output=semgrep.sarif
-        env:
-          # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
-          SEMGREP_RULES: p/default # more at semgrep.dev/explore
-
-      - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: semgrep.sarif
-        if: always()
\ No newline at end of file
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 5cbe4b1f7..70d928366 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -1,4 +1,4 @@
-name: Run Semgrep
+name: semgrep
 
 on:
   workflow_dispatch:
diff --git a/.github/workflows/static-checking.yml b/.github/workflows/static-checking.yml
deleted file mode 100644
index 88a17daf9..000000000
--- a/.github/workflows/static-checking.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-name: Static Checking
-
-on:
-  workflow_dispatch:
-  pull_request:
-    branches:
-      - main
-      - release/*
-      - main-v2
-      - v2m*
-
-jobs:
-  Check:
-
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        python-version: [3.8]
-
-    steps:
-      - uses: actions/checkout@v2
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v3
-        with:
-          python-version: ${{ matrix.python-version }}
-          cache: 'pip'
-      - name: Install Requirements
-        run: |
-          python -m pip install --upgrade pip
-          python -m pip install isort
-      - name: Lint
-        run: make lint
diff --git a/deploy/cdk_exec_policy/cdkExecPolicy.yaml b/deploy/cdk_exec_policy/cdkExecPolicy.yaml
index 21f113f2b..e698091fa 100644
--- a/deploy/cdk_exec_policy/cdkExecPolicy.yaml
+++ b/deploy/cdk_exec_policy/cdkExecPolicy.yaml
@@ -11,6 +11,10 @@ Parameters:
 Resources:
   CDKCustomExecutionPolicy0:
     Type: 'AWS::IAM::ManagedPolicy'
+    # checkov:skip=CKV_AWS_107:Ensure IAM policies does not allow credentials exposure
+    # checkov:skip=CKV_AWS_109:Ensure IAM policies does not allow permissions management without constraints
+    # checkov:skip=CKV_AWS_110:Ensure IAM policies does not allow privilege escalation
+    # checkov:skip=CKV_AWS_111:Ensure IAM policies does not allow write access without constraints
     Properties:
       ManagedPolicyName: !Ref PolicyName
       PolicyDocument:
diff --git a/deploy/pivot_role/pivotRole.yaml b/deploy/pivot_role/pivotRole.yaml
index 26435d897..cfb02b6c2 100644
--- a/deploy/pivot_role/pivotRole.yaml
+++ b/deploy/pivot_role/pivotRole.yaml
@@ -48,6 +48,8 @@ Resources:
         ]
   PivotRolePolicy0:
     Type: 'AWS::IAM::ManagedPolicy'
+    # checkov:skip=CKV_AWS_109:Ensure IAM policies does not allow permissions management without constraints
+    # checkov:skip=CKV_AWS_111:Ensure IAM policies does not allow write access without constraints
     Properties:
       PolicyDocument:
         Version: 2012-10-17
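Review bot: Every `# checkov:skip=` comment added to `CDKCustomExecutionPolicy0` (and the ones in the three `pivotRole.yaml` hunks, the first of which is on this line and the other two follow) repeats the check's own title as its justification, so it records that CKV_AWS_107/109/110/111 were suppressed but not why credentials exposure, unconstrained permissions management or privilege escalation are acceptable for this policy; the text after the second colon is free-form, so state the actual reason, e.g. `# checkov:skip=CKV_AWS_110:<why the CDK execution role needs these actions> - tracked in <issue-ref>`. The commit message says each finding should be reviewed one by one, so a tracking reference in the comment keeps the suppression from silently becoming permanent. The policy statements these skips cover lie outside the hunk, so the suppressions cannot be assessed from the diff alone.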
@@ -221,6 +223,8 @@ Resources:
 
   PivotRolePolicy1:
     Type: 'AWS::IAM::ManagedPolicy'
+    # checkov:skip=CKV_AWS_109:Ensure IAM policies does not allow permissions management without constraints
+    # checkov:skip=CKV_AWS_111:Ensure IAM policies does not allow write access without constraints
     Properties:
       PolicyDocument:
         Version: 2012-10-17
@@ -421,6 +425,7 @@ Resources:
 
   PivotRolepolicy3:
     Type: 'AWS::IAM::ManagedPolicy'
+    # checkov:skip=CKV_AWS_109:Ensure IAM policies does not allow permissions management without constraints
     Properties:
       PolicyDocument:
         Version: 2012-10-17