From 90c176d3f569ab1823e233d4151ac31e35eb1c25 Mon Sep 17 00:00:00 2001
From: nishfath <81247855+nishfath@users.noreply.github.com>
Date: Mon, 26 Sep 2022 15:49:22 -0400
Subject: [PATCH 01/14] ngsast.yaml with sl modification rules
---
 ngsast.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 ngsast.yaml
diff --git a/ngsast.yaml b/ngsast.yaml
new file mode 100644
index 00000000..44b74ee8
--- /dev/null
+++ b/ngsast.yaml
@@ -0,0 +1,11 @@
+ngsast:
+- app:
+ name: helloshiftleft-spring-app
+ additional-findings:
+ - hsl-secrets
+ policy: io.shiftleft/helloshiftleft
+ language: JAVA
+additional-findings:
+ hsl-secrets:
+ entropy: 0.5
+ name: secrets
From 74e73054c2e0c083875772804fac70ae239ec1d2 Mon Sep 17 00:00:00 2001
From: nishfath <81247855+nishfath@users.noreply.github.com>
Date: Fri, 21 Oct 2022 15:17:23 -0400
Subject: [PATCH 02/14] Update shiftleft.yml
---
 shiftleft.yml | 116 ++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 103 insertions(+), 13 deletions(-)
diff --git a/shiftleft.yml b/shiftleft.yml
index 89d6c8e7..d8f96dfa 100644
--- a/shiftleft.yml
+++ b/shiftleft.yml
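Review bot: The `hsl-secrets` rule sets `entropy: 0.5` with no comment on what the number means or why it was chosen, so a reader cannot tell whether raising or lowering it makes the secrets scan stricter, and the rest of the new file is equally undocumented. Suggest a comment above the rule such as `# entropy: cutoff for the secrets detector; 0.5 is the starting value — confirm the scale against the ShiftLeft docs before tuning`, and a one-line comment on the `app` entry saying which policy and language it binds the `helloshiftleft-spring-app` application to.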
@@ -1,20 +1,110 @@ -source: - branch: master - build_rules: - - id: allow-zero-new-findings + - id: "No critical or high SAST findings" finding_types: - vuln + cvss_31_severity_ratings: + - critical + - high + threshold: 0 + - id: "Allow 0 secrets" + finding_types: - secret - - insight - - "*" - severity: - - SEVERITY_MEDIUM_IMPACT - - SEVERITY_HIGH_IMPACT - - SEVERITY_LOW_IMPACT + threshold: 0 + options: + num_findings: 10 # Return 10 sast findings + - id: "No reachable SCA findings" + finding_types: + - oss_vuln + cvss_31_severity_ratings: + - critical + - high threshold: 0 - - id: reachable-oss-vuln - finding_types: [oss_vuln] options: reachable: true - num_findings: 5 + num_findings: 10 # Return 10 reachable sca findings + - id: "No critical or high container findings" + finding_types: + - container + cvss_31_severity_ratings: + - critical + - high + threshold: 0 + options: + num_findings: 10 # Return 10 container findings +# The above rule is perhaps the most common in that it +# is designed to be used with Pull Request and to block +# new vulns from being introduced that aren't already on +# the 'main' branch +# +# Below is enchalada with all the options shown +# +# ID is the name that will be reflected in the PR comments +# - id: build-rule-enchalada +# - vuln +#. - oss_vuln +# - secret +# - insight +# - container +# Do you want to block ALL types by severity? +# cvss_31_severity_ratings: +# - critical +# - high +# - medium +#. - low +# Do you want to focus on just one or more types? 
+# type: +# - Weak Random +# - Sensitive Data Leak +# - Deserialization +# - Directory Traversal +# - Sensitive Data Exposure +# - Remote Code Execution +# - Command Injection +# - Security Best Practices +# - Unsafe Reflection +# - Regex Injection +# - SQL Injection +# - XML External Entities +# - Template Injection +# - Cross-Site Scripting +# - JSON Injection +# - Potential SQL Injection +# - Potential Regex Injection +# - Header Injection +# - Security Misconfiguration +# - Deprecated Function Use +# - Mail Injection +# - Race Condition +# - Sensitive Data Usage +# - Open Redirect +# - Error Handling +# - HTTP to Database +# - HTTP to Model +# - LDAP Injection +# - Denial of Service +# - CRLF Injection +# - NoSQL Injection +# - Weak Hash +# - Session Injection +# - Server-Side Request Forgery +# - Prototype Pollution +# - Log Forging +# - XPath Injection +# - Insecure Authentication +# - Intent Redirection +# - Authentication Bypass +# - Weak Cipher +# - Crypto +# Focus by OWASP Category? +# owasp_category: +# - a01-2021-broken-access-control +# - a02-2021-cryptographic-failures +# - a03-2021-injection +# - a04-2021-insecure-design +# - a05-2021-security-misconfiguration +# - a06-2021-vulnerable-and-outdated-components +# - a07-2021-identification-and-authentication-failures +# - a08-2021-software-and-data-integrity-failures +# - a09-2021-security-logging-and-monitoring-failures +# - a10-2021-server-side-request-forgery-(ssrf) + From 93c868869602b0bd359640fcc841221665983ee7 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Wed, 31 May 2023 11:53:46 -0400 Subject: [PATCH 03/14] Update shiftleft.yml --- .github/workflows/shiftleft.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml index edbf014e..3301da0e 100644 --- a/.github/workflows/shiftleft.yml +++ b/.github/workflows/shiftleft.yml 
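Review bot: The commented-out template at the end of the hunk is not copy-paste ready: `# - id: build-rule-enchalada` is followed directly by `# - vuln` with no `#   finding_types:` key, and two lines carry a stray period (`#. - oss_vuln`, `#. - low`) so they would not uncomment cleanly into the list above them. In the live rules, the comment `num_findings: 10 # Return 10 sast findings` sits on the `Allow 0 secrets` rule, whose only finding type is `secret`, while the SAST rule (`No critical or high SAST findings`) has no `options` block at all — the comment and option look like they were meant for the first rule. The SCA rule counts only `reachable: true` critical/high `oss_vuln` findings; that is a reasonable gate, but nothing in the file says that unreachable critical CVEs are intentionally out of scope, so a one-line comment above `reachable: true` stating that decision would keep the next editor from "fixing" it either way.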
@@ -36,7 +36,7 @@ jobs: run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" id: extract_branch - name: NextGen Static Analysis - run: ${GITHUB_WORKSPACE}/sl analyze --wait --app java-sec-code --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --remediation-config remediation.yaml --vcs-prefix-correction "*=/src/main/java" --java ./target/java-sec-code-1.0.0.jar + run: ${GITHUB_WORKSPACE}/sl analyze --wait --policy 776c9fdb-b8a9-4029-b41c-af4829368682/nishfath-dictionary:latest --app java-sec-code --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --remediation-config remediation.yaml --vcs-prefix-correction "*=/src/main/java" --java ./target/java-sec-code-1.0.0.jar env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} From 0d09c17490b08bfc0caa51a98127ec6d3cffffdc Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Wed, 14 Jun 2023 16:26:48 -0400 Subject: [PATCH 04/14] Update shiftleft.yml with licenses build rules --- shiftleft.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/shiftleft.yml b/shiftleft.yml index d8f96dfa..0d694a80 100644 --- a/shiftleft.yml +++ b/shiftleft.yml @@ -31,6 +31,15 @@ build_rules: threshold: 0 options: num_findings: 10 # Return 10 container findings + - id: "Allow no license violations" + finding types: + - license + licenses: + - allow: + - Apache-2.0, Public-Domain, Unknown + - block: + - MIT + threshold: 0 # The above rule is perhaps the most common in that it # is designed to be used with Pull Request and to block # new vulns from being introduced that aren't already on From 3d237d6310ac749f844d33e63eb612e42e5d7be3 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Thu, 22 Jun 2023 13:24:45 -0400 Subject: [PATCH 05/14] Update shiftleft.yml --- shiftleft.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
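Review bot: The new `--policy 776c9fdb-b8a9-4029-b41c-af4829368682/nishfath-dictionary:latest` pins the analysis to a mutable `latest` tag, so the rule set that gates this pipeline can change with no change in this repository and a failing run cannot be reproduced against the policy that produced it; reference an explicit policy version instead of `latest`. The policy name also embeds an individual's handle rather than a team- or project-owned name, which makes the workflow fragile if that policy is renamed or removed. The `run:` line is now long enough that a `run: |` block with one flag per line would make future flag changes reviewable in a diff.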
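Review bot: The new license rule uses the key `finding types:` (with a space) while every other rule in the file uses `finding_types:`; with a key the consumer does not recognise, the rule most likely matches nothing and the license gate never fires. The allow entry `- Apache-2.0, Public-Domain, Unknown` is a single string containing commas, not three list items — it should be `- Apache-2.0`, `- Public-Domain`, `- Unknown` on separate lines; the same comma-joined scalar survives in the later `@@ -36,9 +36,9 @@` hunk of the "Update shiftleft.yml" commit (6998f58c) that moves `Unknown` to the block list. `licenses:` is also written as a sequence of two single-key mappings (`- allow:` / `- block:`) rather than a mapping with `allow` and `block` keys — confirm against the build-rule schema, since the two shapes are not interchangeable.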
diff --git a/shiftleft.yml b/shiftleft.yml index 0d694a80..1dc6f770 100644 --- a/shiftleft.yml +++ b/shiftleft.yml @@ -1,18 +1,18 @@ build_rules: - id: "No critical or high SAST findings" - finding_types: - - vuln + finding_types: + - vuln cvss_31_severity_ratings: - critical - high threshold: 0 - - id: "Allow 0 secrets" + - id: "Allow 0 secrets" finding_types: - secret threshold: 0 options: num_findings: 10 # Return 10 sast findings - - id: "No reachable SCA findings" + - id: "No reachable SCA findings" finding_types: - oss_vuln cvss_31_severity_ratings: @@ -22,7 +22,7 @@ build_rules: options: reachable: true num_findings: 10 # Return 10 reachable sca findings - - id: "No critical or high container findings" + - id: "No critical or high container findings" finding_types: - container cvss_31_severity_ratings: @@ -31,7 +31,7 @@ build_rules: threshold: 0 options: num_findings: 10 # Return 10 container findings - - id: "Allow no license violations" + - id: "Allow no license violations" finding types: - license licenses: From 3ef126b56d57fcfbc1c9877760fa931ee5e6fc2f Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Wed, 13 Sep 2023 20:11:53 -0400 Subject: [PATCH 06/14] Create main.yml --- .github/workflows/main.yml | 42 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 00000000..a9a85a2c --- /dev/null +++ b/.github/workflows/main.yml 
@@ -0,0 +1,42 @@
+---
+# This workflow integrates ShiftLeft NG SAST with GitHub
+# Visit https://docs.shiftleft.io for help
+name: ShiftLeft
+
+on:
+ push:
+ branches:
+ - main
+ - master
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ NextGen-Static-Analyis:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ # We are building this application with Java 11
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 11.0.x
+ - name: Build and package with Maven
+ run: mvn clean package -DskipTests
+ - name: Download ShiftLeft CLI
+ run: |
+ curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+ # ShiftLeft requires Java 1.8. Post the package step override the version
+ - name: Setup Java JDK
+ uses: actions/setup-java@v1.4.3
+ with:
+ java-version: 1.8
+ - name: Extract branch name
+ shell: bash
+ run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ id: extract_branch
+ - name: NextGen Static Analysis
+ run: ${GITHUB_WORKSPACE}/sl analyze --wait --app java-sec-code-test --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "*=/src/main/java" --java ./target/java-sec-code-1.0.0.jar
+ env:
+ SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+
From 48177cf70d832bff39ca7e879fee60ee1b368f34 Mon Sep 17 00:00:00 2001
From: nishfath <81247855+nishfath@users.noreply.github.com>
Date: Wed, 13 Sep 2023 20:19:57 -0400
Subject: [PATCH 07/14] Update main.yml
---
 .github/workflows/main.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index a9a85a2c..54a1c883 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
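Review bot: The `Download ShiftLeft CLI` step saves an unversioned binary from `https://cdn.shiftleft.io/download/sl` straight to `chmod a+rx` and later executes it with `SHIFTLEFT_ACCESS_TOKEN` in its environment, with no integrity check and no `-f`, so a CDN error page would be saved and "executed" and a changed or tampered download is indistinguishable from a good one. At minimum use `curl -fsSL` and verify a published digest, e.g. `echo "<EXPECTED_SHA256>  ${GITHUB_WORKSPACE}/sl" | sha256sum -c -` (digest taken from the vendor's release notes, placeholder here), and pin a CLI version if the download endpoint offers one. The workflow has no top-level `permissions:` block, so the job runs with the repository's default token scopes; `permissions: contents: read` is all this hunk needs. `actions/checkout@v2` and `actions/setup-java@v1.4.3` are mutable tags — pin them to a commit SHA — and `java-version: 1.8` is a YAML float; quote it as `"1.8"` (and `"11.0.x"` for consistency) so a reformatter cannot retype it.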
@@ -39,4 +39,12 @@ jobs: run: ${GITHUB_WORKSPACE}/sl analyze --wait --app java-sec-code-test --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "*=/src/main/java" --java ./target/java-sec-code-1.0.0.jar env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app java-sec-code-test \ + --report \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} From 2670978d9245c02b4d3318097f973ad02466c18c Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Wed, 13 Sep 2023 20:34:33 -0400 Subject: [PATCH 08/14] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 54a1c883..9b37c404 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -39,7 +39,7 @@ jobs: run: ${GITHUB_WORKSPACE}/sl analyze --wait --app java-sec-code-test --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "*=/src/main/java" --java ./target/java-sec-code-1.0.0.jar env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} - - name: Validate Build Rules + - name: Validate Build Rules run: | ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app java-sec-code-test \ --report \ From 6998f58c1499dc038dd5e2c1a5249268ea30f402 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Wed, 13 Sep 2023 20:47:29 -0400 Subject: [PATCH 09/14] Update shiftleft.yml --- shiftleft.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shiftleft.yml b/shiftleft.yml index 1dc6f770..30161c65 100644 --- a/shiftleft.yml +++ b/shiftleft.yml 
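Review bot: The new `Validate Build Rules` step runs on every trigger but passes `--github-pr-number=${{github.event.number}}`, which is empty for the `push` and `workflow_dispatch` events this workflow also listens on, so those runs call `check-analysis` with a blank PR number; guard it with `if: github.event_name == 'pull_request'` or omit the `--github-pr-*` flags outside pull requests. Posting a PR comment with `secrets.GITHUB_TOKEN` needs `pull-requests: write`, which is not granted anywhere in the file — add an explicit `permissions:` block (`contents: read`, `pull-requests: write`) rather than relying on the repository default. The step also runs without `SHIFTLEFT_ACCESS_TOKEN`, unlike the `analyze` step directly above it; if `check-analysis` authenticates to the backend it will fail here.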
@@ -36,9 +36,9 @@ build_rules: - license licenses: - allow: - - Apache-2.0, Public-Domain, Unknown + - Apache-2.0, Public-Domain - block: - - MIT + - Unknown threshold: 0 # The above rule is perhaps the most common in that it # is designed to be used with Pull Request and to block From 8b8bc1676896c82d9cc34a62b73cf7629fd88e03 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Wed, 13 Sep 2023 19:55:07 -0500 Subject: [PATCH 10/14] Add files via upload --- remediation-sdl.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 remediation-sdl.yaml diff --git a/remediation-sdl.yaml b/remediation-sdl.yaml new file mode 100644 index 00000000..401abc3b --- /dev/null +++ b/remediation-sdl.yaml @@ -0,0 +1,10 @@ +# Example analysis remediation config +methods: + # - method: org.slf4j.Logger.info:void(java.lang.String,java.lang.Object) + # tags: + # - key: category + # value: Sensitive Data Leak + - pattern: ".*" + tags: + - key: category + value: Sensitive Data Usage From 4977059df29b9835050ef477329aaa1dcc3ad000 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Wed, 13 Sep 2023 20:56:38 -0400 Subject: [PATCH 11/14] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9b37c404..a85387cf 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
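Review bot: After this change `MIT` appears in neither list, and the file does not say what happens to a license that is neither allowed nor blocked — whether it passes, fails or is merely reported depends on the consumer's default, so the commit removes a previously explicit decision without recording the new one. Add a comment above `licenses:` stating the intended default for unlisted licenses, or keep `MIT` listed explicitly in whichever list is meant. The `finding types:` key that the rule still uses sits just above this hunk and is not touched here.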
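Review bot: `pattern: ".*"` matches every method, so the `Sensitive Data Usage` category tag is applied to the whole codebase rather than to a specific sink like the one the commented example (`org.slf4j.Logger.info`) illustrates; if the remediation config recategorises or suppresses findings, as its name suggests, this blanket match can relabel unrelated findings and hide real ones once the file is wired into the analysis — which the next `Update main.yml` commit (4977059d) does via `--remediation-config remediation-sdl.yaml`. Narrow the pattern to the intended methods or packages, and if a catch-all is deliberate replace the header `# Example analysis remediation config` with a comment saying why, since the file is now used in a live pipeline rather than as an example.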
@@ -36,7 +36,7 @@ jobs: run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" id: extract_branch - name: NextGen Static Analysis - run: ${GITHUB_WORKSPACE}/sl analyze --wait --app java-sec-code-test --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "*=/src/main/java" --java ./target/java-sec-code-1.0.0.jar + run: ${GITHUB_WORKSPACE}/sl analyze --wait --app java-sec-code-test --remediation-config remediation-sdl.yaml --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "*=/src/main/java" --java ./target/java-sec-code-1.0.0.jar env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} - name: Validate Build Rules From 6ff7c97653208005d4049ac557c0a606d21f1855 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Thu, 14 Sep 2023 09:43:44 -0400 Subject: [PATCH 12/14] Update main.yml --- .github/workflows/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a85387cf..7c2c1608 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -41,10 +41,12 @@ jobs: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} - name: Validate Build Rules run: | - ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app java-sec-code-test \ + ${GITHUB_WORKSPACE}/sl check-analysis --v2 --app java-sec-code-test --config ~/shiftleft.yml\ --report \ --github-pr-number=${{github.event.number}} \ --github-pr-user=${{ github.repository_owner }} \ --github-pr-repo=${{ github.event.repository.name }} \ --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} From 74d9bb1240f1f275195374066e51b6937e4dbd60 Mon Sep 17 00:00:00 2001 
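Review bot: `--config ~/shiftleft.yml` points at the runner's home directory, but `shiftleft.yml` is checked out at the repository root, i.e. `${GITHUB_WORKSPACE}/shiftleft.yml`; unless something else copies it to `~`, the build rules this series spent several commits on are never read, and depending on the CLI the step either errors or gates on defaults. Change the line to `${GITHUB_WORKSPACE}/sl check-analysis --v2 --app java-sec-code-test --config ${GITHUB_WORKSPACE}/shiftleft.yml \`. Note also the missing space before the trailing backslash in the new line (`shiftleft.yml\`), which only stays harmless if the continuation lines keep leading indentation after the `|` block's common indent is stripped.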
From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Wed, 3 Dec 2025 12:22:27 -0500 Subject: [PATCH 13/14] Update main.yml --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 7c2c1608..aa0c71b0 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,7 +1,7 @@ --- # This workflow integrates ShiftLeft NG SAST with GitHub # Visit https://docs.shiftleft.io for help -name: ShiftLeft +name: ShiftLeft-demo on: push: From 042107f6fe96673ea3739ecf8bae74043fddfd84 Mon Sep 17 00:00:00 2001 From: nishfath <81247855+nishfath@users.noreply.github.com> Date: Thu, 4 Dec 2025 18:33:44 -0500 Subject: [PATCH 14/14] Update main.yml --- .github/workflows/main.yml | 26 +++++--------------------- 1 file changed, 5 insertions(+), 21 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index aa0c71b0..8a78e4f3 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -1,42 +1,26 @@ + --- # This workflow integrates ShiftLeft NG SAST with GitHub # Visit https://docs.shiftleft.io for help -name: ShiftLeft-demo +name: Qwiet-run on: - push: - branches: - - main - - master pull_request: workflow_dispatch: - jobs: - NextGen-Static-Analyis: + NextGen-Static-Analysis: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - # We are building this application with Java 11 - - name: Setup Java JDK - uses: actions/setup-java@v1.4.3 - with: - java-version: 11.0.x - - name: Build and package with Maven - run: mvn clean package -DskipTests + - uses: actions/checkout@v3 - name: Download ShiftLeft CLI run: | curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl - # ShiftLeft requires Java 1.8. Post the package step override the version - - name: Setup Java JDK - uses: actions/setup-java@v1.4.3 - with: - java-version: 1.8 - name: Extract branch name shell: bash run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" id: extract_branch - name: NextGen Static Analysis - run: ${GITHUB_WORKSPACE}/sl analyze --wait --app java-sec-code-test --remediation-config remediation-sdl.yaml --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --vcs-prefix-correction "*=/src/main/java" --java ./target/java-sec-code-1.0.0.jar + run: ${GITHUB_WORKSPACE}/sl analyze --wait --app java-sec-code-test --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} env: SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} - name: Validate Build Rules
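Review bot: The `NextGen Static Analysis` step now runs `sl analyze --wait --app java-sec-code-test --tag branch=…` with no `--java` flag and no artifact, while the Maven build and both JDK setup steps that produced `./target/java-sec-code-1.0.0.jar` are removed, so unless the CLI defaults to analysing the checked-out directory the step has nothing to scan; state the target explicitly (a `--java` source path or a rebuilt jar) or record in a comment why auto-detection is relied on. The `Extract branch name` step still uses the legacy `##[set-output name=branch;]` form; with only `pull_request` and `workflow_dispatch` left, `github.head_ref` covers PRs and the fallback only matters for manual runs, but the supported form is `echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"`. The hunk also inserts an empty first line ahead of `---`; valid YAML, but it is the only change in that region and looks accidental. `actions/checkout@v3` is still a mutable tag rather than a SHA, and the unverified CLI download carried over from `Create main.yml` is untouched.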