From 45f4cacc8b3129a8986cf40e6997bb9c1e82e729 Mon Sep 17 00:00:00 2001 From: kchason Date: Wed, 24 Jan 2024 10:19:11 -0500 Subject: [PATCH 1/4] Add KICS scan for image --- .github/workflows/validate.yml | 16 ++++++++++++++++ .gitignore | 3 +++ CONTRIBUTING.md | 27 +++++++++++++++++++++++++++ Dockerfile | 7 ++++++- 4 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 CONTRIBUTING.md diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 5954e15..346d7db 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -25,6 +25,22 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # Scan the Dockerfile with KICS to check for security issues. + - name: Docker Scan + uses: Checkmarx/kics-github-action@v1.7.0 + with: + path: . + fail_on: high,medium + output_path: results + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # Upload the results of the KICS scan as a build artifact. + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: results-dir/results.sarif + test: runs-on: ubuntu-latest steps: diff --git a/.gitignore b/.gitignore index 5972eeb..5611359 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,6 @@ # Environments venv/ virtualenv/ + +# Security Artifacts +results.json diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..771f3b3 --- /dev/null +++ b/CONTRIBUTING.md 
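Review bot: The `Upload SARIF file` step added after the KICS step is skipped on exactly the runs that matter, because `fail_on: high,medium` fails the job at the scan step and an unconditional step only runs while the job is still succeeding; add `if: always()` to the upload step (or use the action's `ignore_on_exit` input and let the upload decide the outcome) so findings actually reach code scanning. The later `output_formats` and `sarif_file` fixes in patches 3 and 4 of this series keep the upload step unconditional, so the same gap applies there. The comment `# Upload the results of the KICS scan as a build artifact.` is inaccurate: `github/codeql-action/upload-sarif` publishes to the repository's code-scanning alerts, not to workflow artifacts, and that needs `security-events: write` if the workflow or job restricts `permissions:` (the permissions block, if any, is outside this hunk). Both third-party actions are referenced by mutable tags (`@v1.7.0`, `@v2`); pinning each to a full commit SHA with the version in a trailing comment is the usual supply-chain hardening for workflow steps.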
@@ -0,0 +1,27 @@ +# Contribution Guide + +Contributions in the form of issues and pull requests are welcome. Please read the following guidelines before contributing. + +## Pre-commit Hooks + +This project uses [pre-commit](https://pre-commit.com/) to run a series of checks before committing code. To install the pre-commit hooks, run the following command: + +```bash +pre-commit install +``` + +Run the following command to run the pre-commit hooks on all files: + +```bash +pre-commit run --all-files +``` + +## Security Testing + +This project uses [KICS](https://docs.kics.io/latest/getting-started/) to scan for security issues in the infrastructure such as the `Dockerfile`. To run the scan, run the following command: + +```bash +docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/" +``` + +This will generate a `results.json` file as well as print the contents to the console. Any findings above a `low` severity should be addressed before committing code as they will fail the CI pipeline. diff --git a/Dockerfile b/Dockerfile index 8960ab1..4324ccd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM python:3.11-slim-bullseye WORKDIR /opt/workspace # Install dependencies -RUN python -m pip install case-utils==0.15.0 PyGithub +RUN python -m pip install case-utils==0.15.0 PyGithub==2.1.1 --no-cache-dir # Delete source files now that package has been installed WORKDIR /opt/workspace @@ -12,6 +12,11 @@ WORKDIR /opt/workspace # Copy in the entrypoint file COPY entrypoint.py /opt/workspace/entrypoint.py +# Setup a user with the appropriate permissions +RUN useradd -ms /bin/bash case &&\ + chown -R case:case /opt/workspace +USER case + # Define the base path for the validation path ENV CASE_PATH "/opt/json/" ENV CASE_VERSION "case-1.2.0" From 15fb1429eab69ba3f1671e71ac9cdd1404cd57ab Mon Sep 17 00:00:00 2001 
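Review bot: `RUN useradd -ms /bin/bash case` gives the runtime user an interactive login shell that nothing in the image appears to need; `useradd --create-home --shell /usr/sbin/nologin case` keeps the drop-to-non-root change while removing the shell. The `chown -R case:case /opt/workspace` on the next line also makes `entrypoint.py`, copied just above, writable by the user the container runs as; if the entrypoint does not write into its own directory, leaving the files root-owned with read permission for others stops the running process from altering its own code. `ENV CASE_PATH "/opt/json/"` below suggests the validated input is read from a different path, so confirm `case` can read whatever is mounted there, since the chown only covers `/opt/workspace`. The `&&\` with no space before the backslash is legal but inconsistent with the usual `&& \` continuation style.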
From: kchason Date: Wed, 24 Jan 2024 10:22:00 -0500 Subject: [PATCH 2/4] Only scan Dockerfile --- .github/workflows/validate.yml | 2 +- CONTRIBUTING.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 346d7db..5ba4c0a 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -29,7 +29,7 @@ jobs: - name: Docker Scan uses: Checkmarx/kics-github-action@v1.7.0 with: - path: . + path: Dockerfile fail_on: high,medium output_path: results env: diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 771f3b3..204d0b6 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -21,7 +21,7 @@ pre-commit run --all-files This project uses [KICS](https://docs.kics.io/latest/getting-started/) to scan for security issues in the infrastructure such as the `Dockerfile`. To run the scan, run the following command: ```bash -docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path -o "/path/" +docker run -t -v $(pwd):/path checkmarx/kics:latest scan -p /path/Dockerfile -o "/path/" ``` This will generate a `results.json` file as well as print the contents to the console. Any findings above a `low` severity should be addressed before committing code as they will fail the CI pipeline. From ba5495aa704bc378fa16c94ac919bff70ead056d Mon Sep 17 00:00:00 2001 From: kchason Date: Wed, 24 Jan 2024 10:24:38 -0500 Subject: [PATCH 3/4] Fix report upload --- .github/workflows/validate.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 5ba4c0a..7384b7a 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -32,6 +32,7 @@ jobs: path: Dockerfile fail_on: high,medium output_path: results + output_formats: 'json,sarif' env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
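Review bot: `output_formats: 'json,sarif'` is quoted while the sibling input `fail_on: high,medium` in the same `with:` block is a plain scalar; neither value needs quoting, so use one form for the block. The `json` format is not consumed by any later step shown in this workflow — only `results/results.sarif` is uploaded — so either drop it or, if the JSON report is wanted for debugging, publish the `results` directory with `actions/upload-artifact` in a step that also carries `if: always()`.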
@@ -39,7 +40,7 @@ jobs: - name: Upload SARIF file uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: results-dir/results.sarif + sarif_file: results/results.sarif test: runs-on: ubuntu-latest From 6a90310487a947427920cc4a70f1597796baa4f6 Mon Sep 17 00:00:00 2001 From: Keith Chason Date: Mon, 23 Jun 2025 12:47:50 +0000 Subject: [PATCH 4/4] Bump KICS version --- .github/workflows/validate.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index f0187dd..df7bcd0 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -27,7 +27,7 @@ jobs: # Scan the Dockerfile with KICS to check for security issues. - name: Docker Scan - uses: Checkmarx/kics-github-action@v1.7.0 + uses: Checkmarx/kics-github-action@v2.1.10 with: path: Dockerfile fail_on: high,medium