Merge pull request #10 from instriq/develop

Develop
instriq · Nov 28, 2024 · 9ffe878 · 9ffe878
2 parents 708f796 + ba8026f
commit 9ffe878
Show file tree

Hide file tree

Showing 24 changed files with 349 additions and 178 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,6 @@
+[*]
+indent_style = space
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,6 +1,10 @@
 version: 2
 updates:
-  - package-ecosystem: github-actions
+  - package-ecosystem: docker
     directory: /
     schedule:
       interval: weekly
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: weekly
diff --git a/.github/workflows/dependabot_metrics.yml b/.github/workflows/dependabot_metrics.yml
diff --git a/.github/workflows/deploy-image.yml b/.github/workflows/deploy-image.yml
@@ -0,0 +1,37 @@
+name: Deploy to GitHub Container Registry
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        id: build
+        run: |
+          COMMIT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-7)
+          IMAGE_NAME="ghcr.io/${{ github.repository }}/sentra"
+          docker build --file Dockerfile --tag ${IMAGE_NAME}:latest --tag ${IMAGE_NAME}:${COMMIT_SHA} .
+          echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
+          echo "COMMIT_SHA=${COMMIT_SHA}" >> $GITHUB_ENV
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.LESIS_DEPLOY }}
+
+      - name: Push Docker image to GitHub Container Registry
+        run: |
+          docker push ${{ env.IMAGE_NAME }}:latest
+          docker push ${{ env.IMAGE_NAME }}:${{ env.COMMIT_SHA }}
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -0,0 +1,18 @@
+name: Docker Image CI
+
+on:
+  push:
+    branches: [ "main", "develop" ]
+  pull_request:
+    branches: [ "main", "develop" ]
+
+jobs:
+
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: Build the Docker image
+      run: docker build . --file Dockerfile --tag sentra:$(date +%s)
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -0,0 +1,21 @@
+name: Linter
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches:
+      - main
+      - develop
+
+jobs:
+  critic:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Run Perl::Critic
+      uses: natanlao/[email protected]
+      with:
+        files: critic
diff --git a/.github/workflows/maintaned.yml b/.github/workflows/maintaned.yml
diff --git a/.github/workflows/search_files.yml b/.github/workflows/search_files.yml
diff --git a/.github/workflows/security-gate.yaml b/.github/workflows/security-gate.yaml
@@ -0,0 +1,44 @@
+name: Security Gate - LESIS
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches:
+      - main
+      - develop
+
+permissions:
+  security-events: read
+  contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    env:
+      MAX_CRITICAL: 0
+      MAX_HIGH: 0
+      MAX_MEDIUM: 0
+      MAX_LOW: 0
+      GITHUB_TOKEN: ${{ secrets.TOKEN }}
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Pull Docker image from GitHub Container Registry
+      run: docker pull ghcr.io/instriq/security-gate/security-gate:latest
+
+    - name: Verify security alerts from GHAS
+      run: |
+        docker run ghcr.io/instriq/security-gate/security-gate:latest \
+        -t "$GITHUB_TOKEN" \
+        -r "${{ github.repository }}" \
+        -c "$MAX_CRITICAL" \
+        -h "$MAX_HIGH" \
+        -m "$MAX_MEDIUM" \
+        -l "$MAX_LOW" \
+        --dependency-alerts
+        --secrets-alerts
+        --code-alerts
diff --git a/.github/workflows/test_suite.yml b/.github/workflows/test_suite.yml
@@ -25,4 +25,4 @@ jobs:
 
       - name: Run tests
         working-directory: ./tests
-        run: prove -r
+        run: prove -r
diff --git a/.github/workflows/zarn.yml b/.github/workflows/zarn.yml
@@ -0,0 +1,25 @@
+name: ZARN SAST
+
+on:
+  push:
+    branches: [ "main", "develop" ]
+  pull_request:
+    branches: [ "main", "develop" ]
+  schedule:
+    - cron: '28 23 * * 1'
+
+jobs:
+  zarn:
+    name: Security Static Analysis with ZARN
+    runs-on: ubuntu-20.04
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Perform Static Analysis
+      uses: htrgouvea/[email protected]
+
+    - name: Send result to Github Security
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: result.sarif
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+*.DS_Store
diff --git a/.perlcriticrc b/.perlcriticrc
@@ -1,5 +1,7 @@
-severity = 3
+severity = 2
 
 [-TestingAndDebugging::RequireUseStrict]
 [-TestingAndDebugging::RequireUseWarnings]
-[-Subroutines::ProhibitManyArgs]
+
+[TestingAndDebugging::ProhibitNoWarnings]
+allow = once
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,8 @@
+FROM perl:5.40
+
+COPY . /usr/src/sentra
+WORKDIR /usr/src/sentra
+
+RUN cpanm --installdeps .
+
+ENTRYPOINT [ "perl", "./sentra.pl" ]
diff --git a/lib/Sentra/Engine/DependabotMetrics.pm b/lib/Sentra/Engine/DependabotMetrics.pm
@@ -7,60 +7,77 @@ package Sentra::Engine::DependabotMetrics {
     sub new {
         my ($class, $org, $token, $per_page) = @_;
 
-        my $ua = Mojo::UserAgent->new;
+        my $userAgent = Mojo::UserAgent -> new();
+
         my $headers = {
             'X-GitHub-Api-Version' => '2022-11-28',
-            'Accept' => 'application/vnd.github+json',
-            'User-Agent' => 'Sentra 0.0.1',
-            'Authorization' => "Bearer $token"
+            'Accept'               => 'application/vnd.github+json',
+            'User-Agent'           => 'Sentra 0.0.3',
+            'Authorization'        => "Bearer $token"
         };
 
         my @repos;
         my $repo_page = 1;
+
         while (1) {
             my $repo_url = "https://api.github.com/orgs/$org/repos?per_page=$per_page&page=$repo_page";
-            my $repo_tx = $ua->get($repo_url => $headers);
-
-            my $res = $repo_tx->result or return "Error fetching repositories: " . $repo_tx->error->{message} . "\n";
+            my $repo_tx  = $userAgent -> get($repo_url => $headers);
+            my $res      = $repo_tx -> result or return "Error fetching repositories: " . $repo_tx->error->{message} . "\n";
+
             $res->is_success or return "Error fetching repositories: " . $res->message . "\n";
 
-            my $repo_data = $res->json;
+            my $repo_data = $res -> json;
+
             last unless @$repo_data;
+
             push @repos, map { "$org/$_->{name}" } grep { !$_->{archived} } @$repo_data;
+
             $repo_page++;
         }
 
         return "Error when trying to request information from GitHub, please review the parameters provided." unless @repos;
 
         my $total_alerts = 0;
-        my %severity_count = (low => 0, medium => 0, high => 0, critical => 0);
+
+        my %severity_count = (
+            low => 0, 
+            medium => 0, 
+            high => 0, 
+            critical => 0
+        );
 
         for my $repo (@repos) {
             my $alert_page = 1;
+
             while (1) {
                 my $alert_url = "https://api.github.com/repos/$repo/dependabot/alerts?state=open&per_page=$per_page&page=$alert_page";
-                my $alert_tx = $ua->get($alert_url => $headers);
-
-                my $res = $alert_tx->result or return "Error fetching alerts for $repo: " . $alert_tx->error->{message} . "\n";
+                my $alert_tx  = $userAgent -> get($alert_url => $headers);
+                my $res       = $alert_tx->result or return "Error fetching alerts for $repo: " . $alert_tx->error->{message} . "\n";
+
                 $res->is_success or return "Error fetching alerts for $repo: " . $res->message . "\n";
 
-                my $alert_data = $res->json;
+                my $alert_data = $res -> json;
+
                 last unless @$alert_data;
+
                 $total_alerts += scalar @$alert_data;
+
                 for my $alert (@$alert_data) {
-                    my $severity = $alert->{security_vulnerability}{severity} || 'unknown';
+                    my $severity = $alert -> {security_vulnerability}{severity} || 'unknown';
                     $severity_count{$severity}++ if exists $severity_count{$severity};
                 }
+
                 $alert_page++;
             }
         }
 
         my $output = "";
+
         $output .= "Severity $_: $severity_count{$_}\n" for keys %severity_count;
         $output .= "Total DependaBot Alerts: $total_alerts\n";
 
         return $output;
     }
 }
 
-1;
+1;