diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 0000000000..c522f3e886 --- /dev/null +++ b/.github/workflows/shiftleft.yml @@ -0,0 +1,147 @@ + +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + # We are building this application with Java 11 + - name: Setup Java JDK + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 11.0.x + - name: Package with maven + run: mvn compile package + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + # ShiftLeft requires Java 1.8. Post the package step override the version + - name: Setup Java JDK + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 8 + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --analysis-timeout=1h --app Benchmark --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --java --cpg target/benchmark.war + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + OWASP-Benchmark-Score: + runs-on: ubuntu-20.04 + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v3 + - name: Setup Java JDK + uses: actions/setup-java@v3 + with: + distribution: zulu + java-version: 11.0.x + - name: Export NG SAST Findings + run: | + cd $HOME + git clone --depth 1 --branch v0.0.4 https://github.com/ShiftLeftSecurity/field-integrations + cd field-integrations/shiftleft-utils || exit 1 + mkdir -p ${GITHUB_WORKSPACE}/ngsast_results + pip3 install -r requirements.txt + python3 export.py --app Benchmark -f sl -o ${GITHUB_WORKSPACE}/ngsast_results/Benchmark.sl + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + - name: Package with maven + run: mvn compile package + - name: Calculate OWASP Benchmark Score + run: | + cd ${GITHUB_WORKSPACE} + mvn validate -Pbenchmarkscore -Dexec.args="expectedresults-1.2.csv ngsast_results ShiftLeft anonymous" + if [ -e "scorecard/Benchmark_Scorecard_for_ShiftLeft.html" ]; then + echo "*** Thank you for Benchmarking ShiftLeft NextGen Static Analysis ***" + echo "You can find the results for ShiftLeft under workflow artifacts called scorecard" + else + echo "Benchmark results were not produced correctly. Check if you have Java 1.8 installed" + fi + - uses: actions/upload-artifact@v3 + with: + name: Benchmark_v1.2_Scorecard_for_ShiftLeft + path: scorecard + + - name: Generate Results Checksum + run: | + OWASP_BENCHMARK_CHECKSUM=$(tail -n +2 scorecard/Benchmark_v1.2_Scorecard_for_ShiftLeft.csv | + sort | + tr -d '[:space:]' | + tr '[:upper:]' '[:lower:]' | + shasum | + tr -d " -") + echo "OWASP_BENCHMARK_CHECKSUM=$OWASP_BENCHMARK_CHECKSUM" >> $GITHUB_ENV + + - uses: actions/setup-node@v3 + with: + node-version: 14 + - run: npm install jwt-decode node-fetch@2 + if: github.event_name == 'pull_request' + + - name: Notify Benchmark Results + uses: actions/github-script@v4 + if: github.event_name == 'pull_request' + env: + OWASP_BENCHMARK_CHECKSUM: ${{ env.OWASP_BENCHMARK_CHECKSUM }} + SHIFTLEFT_USER_ID_V2: d825266c-608c-48a3-a87e-f32d90436572 + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + SHIFTLEFT_API_HOST: www.shiftleft.io + SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443 + SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + // Leave a comment on the PR + const { issue: { number: issue_number }, repo: { owner, repo } } = context; + const run = await github.actions.getWorkflowRun({ + owner: context.repo.owner, + repo: context.repo.repo, + run_id: context.runId + }); + const loc = run.data.html_url ? '[GitHub Action](' + run.data.html_url + ')' : 'GitHub Action'; + const body = '👋 ' + '@' + context.actor + ' OWASP Benchmark scorecard is available for download in the Artifacts Section of ' + loc; + github.issues.createComment({ issue_number, owner, repo, body }); + + // Report the results + const jwt_decode = require('jwt-decode'); + const fetch = require("node-fetch"); + const { + SHIFTLEFT_API_HOST, + SHIFTLEFT_ACCESS_TOKEN, + SHIFTLEFT_USER_ID_V2, + OWASP_BENCHMARK_CHECKSUM, + } = process.env; + const decoded = jwt_decode(SHIFTLEFT_ACCESS_TOKEN); + const orgID = decoded.orgID; + const apiHost = SHIFTLEFT_API_HOST || 'app.shiftleft.io'; + fetch(`https://${apiHost}/api/v4/private/orgs/${orgID}/bi_proxy/owasp_benchmark_complete`, { + headers: { + "Content-Type": "application/json; charset=utf-8", + "Authorization": `Bearer ${SHIFTLEFT_ACCESS_TOKEN}`, + }, + method: 'POST', + body: JSON.stringify({ + artifact_url: run.data.html_url || '', + result_sha1: OWASP_BENCHMARK_CHECKSUM, + user_id_v2: SHIFTLEFT_USER_ID_V2, + }) + })