From b2d662ee05c6f0eb4db16db408cbbccf0bf40be5 Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Mon, 15 Feb 2021 18:24:27 +0530 Subject: [PATCH 1/3] adding ShiftLeft action workflow config --- .github/workflows/shiftleft.yml | 49 +++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/shiftleft.yml diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 000000000..a6cb79717 --- /dev/null +++ b/.github/workflows/shiftleft.yml @@ -0,0 +1,49 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --wait --app GitPython --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --python $(pwd) + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + + ## Uncomment the following section to enable build rule checking and enforcing. + #Build-Rules: + #runs-on: ubuntu-latest + #needs: NextGen-Static-Analysis + #steps: + #- uses: actions/checkout@v2 + #- name: Download ShiftLeft CLI + # run: | + # curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + #- name: Validate Build Rules + # run: | + # ${GITHUB_WORKSPACE}/sl check-analysis --app GitPython \ + # --source 'tag.branch=${{ github.event.pull_request.base.ref }}' \ + # --target "tag.branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}" \ + # --report \ + # --github-pr-number=${{github.event.number}} \ + # --github-pr-user=${{ github.repository_owner }} \ + # --github-pr-repo=${{ github.event.repository.name }} \ + # --github-token=${{ secrets.GITHUB_TOKEN }} + # env: + #SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + \ No newline at end of file From aad70bd9c77172af6d227b315cf5804bc8ec1ad3 Mon Sep 17 00:00:00 2001 From: ShiftLeft Date: Mon, 15 Feb 2021 18:24:28 +0530 Subject: [PATCH 2/3] adding ShiftLeft action workflow config --- shiftleft.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 shiftleft.yml diff --git a/shiftleft.yml b/shiftleft.yml new file mode 100644 index 000000000..220d4baf4 --- /dev/null +++ b/shiftleft.yml @@ -0,0 +1,12 @@ +build_rules: + - id: allow-zero-findings + finding_types: + - vuln + - secret + - insight + - "*" + severity: + - SEVERITY_MEDIUM_IMPACT + - SEVERITY_HIGH_IMPACT + - SEVERITY_LOW_IMPACT + threshold: 0 \ No newline at end of file From 13aeaf814a7b733a9f2c4e7e5a28087d690e4054 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Thu, 6 May 2021 04:50:25 +0000 Subject: [PATCH 3/3] fix: doc/requirements.txt to reduce vulnerabilities The following vulnerabilities are fixed by pinning transitive dependencies: - https://snyk.io/vuln/SNYK-PYTHON-PYGMENTS-1086606 - https://snyk.io/vuln/SNYK-PYTHON-PYGMENTS-1088505 - https://snyk.io/vuln/SNYK-PYTHON-SPHINX-570772 - https://snyk.io/vuln/SNYK-PYTHON-SPHINX-570773 --- doc/requirements.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/doc/requirements.txt b/doc/requirements.txt index 98e5c06a0..c014dcb85 100644 --- a/doc/requirements.txt +++ b/doc/requirements.txt @@ -1,2 +1,3 @@ sphinx<2.0 sphinx_rtd_theme +pygments>=2.7.4 # not directly required, pinned by Snyk to avoid a vulnerability