diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml
deleted file mode 100644
index 2ad2352..0000000
--- a/.github/workflows/anchore.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow checks out code, builds an image, performs a container image
-# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
-# code scanning feature. For more information on the Anchore scan action usage
-# and parameters, see https://github.com/anchore/scan-action. For more
-# information on Anchore's container image scanning tool Grype, see
-# https://github.com/anchore/grype
-name: Anchore Grype vulnerability scan
-
-on:
- push:
- branches: [ "master" ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ "master" ]
- schedule:
- - cron: '44 17 * * 4'
-
-permissions:
- contents: read
-
-jobs:
- Anchore-Build-Scan:
- permissions:
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
- runs-on: ubuntu-latest
- steps:
- - name: Check out the code
- uses: actions/checkout@v3
- - name: Build the Docker image
- run: docker build . --file Dockerfile --tag localbuild/testimage:latest
- - name: Run the Anchore Grype scan action
- uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
- id: scan
- with:
- image: "localbuild/testimage:latest"
- fail-build: true
- severity-cutoff: critical
- - name: Upload vulnerability report
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/.github/workflows/endorlabs.yml b/.github/workflows/endorlabs.yml
deleted file mode 100644
index eb10791..0000000
--- a/.github/workflows/endorlabs.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-name: Endor Labs
-on:
- push:
- branches: [ "master" ]
- pull_request:
- branches: [ "master" ]
- schedule:
- - cron: '32 1 * * 4'
-jobs:
- scan:
- permissions:
- security-events: write # Used to upload sarif artifact to GitHub
- contents: read # Used to checkout a private repository by actions/checkout.
- actions: read # Required for private repositories to upload sarif files. GitHub Advanced Security licenses are required.
- id-token: write # Used for keyless authentication to Endor Labs
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
- #### Package Build Instructions
- ### Use this section to define the build steps used by your software package.
- ### Endor Labs builds your software for you where possible but the required build tools must be made available.
- # - name: Setup Java
- # uses: actions/setup-java@v3
- # with:
- # distribution: 'microsoft'
- # java-version: '17'
- # - name: Build Package
- # run: mvn clean install
- - name: Endor Labs scan pull request
- if: github.event_name == 'pull_request'
- uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c
- with:
- namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
- sarif_file: findings.sarif
- - name: Endor Labs scan monitor
- if: github.event_name == 'push'
- uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c
- with:
- namespace: "example" # Modify the namespace to your Endor Labs tenant namespace.
- ci_run: "false"
- sarif_file: findings.sarif
- - name: Upload SARIF to github
- uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd
- with:
- sarif_file: findings.sarif
diff --git a/.github/workflows/frogbot-scan-pr.yml b/.github/workflows/frogbot-scan-pr.yml
deleted file mode 100644
index 2c63e20..0000000
--- a/.github/workflows/frogbot-scan-pr.yml
+++ /dev/null
@@ -1,74 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-# Frogbot Scan Pull Request does the following:
-# Automatically scans new pull requests for security vulnerabilities.
-# Uses JFrog Xray to scan the project.
-# Read more about Frogbot here - https://github.com/jfrog/frogbot#frogbot
-
-# Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
-
-name: "Frogbot Scan Pull Request"
-on:
- pull_request_target:
- types: [ opened, synchronize ]
-permissions:
- pull-requests: write
- contents: read
-jobs:
- scan-pull-request:
- runs-on: ubuntu-latest
- # A pull request needs to be approved, before Frogbot scans it. Any GitHub user who is associated with the
- # "frogbot" GitHub environment can approve the pull request to be scanned.
- # Read more here (Install Frogbot Using GitHub Actions): https://github.com/jfrog/frogbot/blob/master/docs/install-github.md
- environment: frogbot
- steps:
- - uses: actions/checkout@v2
- with:
- ref: ${{ github.event.pull_request.head.sha }}
-
- # IMPORTANT:
- # 1. See the following link for information about the tools that need to be installed for Frogbot to work - https://github.com/jfrog/frogbot/tree/master/docs/templates/github-actions/scan-and-fix
- # 2. Some projects require creating a frogbot-config.yml file. Read more about it here - https://github.com/jfrog/frogbot/blob/master/docs/frogbot-config.md
-
- - uses: jfrog/frogbot@8fbeca612957ae5f5f0c03a19cb6e59e237026f3 # v2.10.0
- env:
- # [Mandatory if the two conditions below are met]
- # 1. The project uses npm, yarn 2, NuGet or .NET to download its dependencies
- # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
- #
- # The command that installs the project dependencies (e.g "npm i", "nuget restore" or "dotnet restore")
- # JF_INSTALL_DEPS_CMD: ""
-
- # [Mandatory]
- # JFrog platform URL
- JF_URL: ${{ secrets.JF_URL }}
-
- # [Mandatory if JF_USER and JF_PASSWORD are not provided]
- # JFrog access token with 'read' permissions on Xray service
- JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
-
- # [Mandatory if JF_ACCESS_TOKEN is not provided]
- # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
- # JF_USER: ${{ secrets.JF_USER }}
-
- # [Mandatory if JF_ACCESS_TOKEN is not provided]
- # JFrog password. Must be provided with JF_USER
- # JF_PASSWORD: ${{ secrets.JF_PASSWORD }}
-
- # [Mandatory]
- # The GitHub token automatically generated for the job
- JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
- # [Optional]
- # If the machine that runs Frogbot has no access to the internat, set the name of a remote repository
- # in Artifactory, which proxies https://releases.jfrog.io/artifactory
- # The 'frogbot' executable and other tools it needs will be downloaded through this repository.
- # JF_RELEASES_REPO: ""
-
- # [Optional]
- # Frogbot will download the project dependencies, if they're not cached locally. To download the
- # dependencies from a virtual repository in Artifactory, set the name of of the repository. There's no
- # need to set this value, if it is set in the frogbot-config.yml file.
- # JF_DEPS_REPO: ""
diff --git a/.github/workflows/ossar.yml b/.github/workflows/ossar.yml
deleted file mode 100644
index 28b6bfc..0000000
--- a/.github/workflows/ossar.yml
+++ /dev/null
@@ -1,56 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow integrates a collection of open source static analysis tools
-# with GitHub code scanning. For documentation, or to provide feedback, visit
-# https://github.com/github/ossar-action
-name: OSSAR
-
-on:
- push:
- branches: [ "master" ]
- pull_request:
- # The branches below must be a subset of the branches above
- branches: [ "master" ]
- schedule:
- - cron: '42 8 * * 2'
-
-permissions:
- contents: read
-
-jobs:
- OSSAR-Scan:
- # OSSAR runs on windows-latest.
- # ubuntu-latest and macos-latest support coming soon
- permissions:
- contents: read # for actions/checkout to fetch code
- security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
- actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
- runs-on: windows-latest
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v3
-
- # Ensure a compatible version of dotnet is installed.
- # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
- # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
- # GitHub hosted runners already have a compatible version of dotnet installed and this step may be skipped.
- # For self-hosted runners, ensure dotnet version 3.1.201 or later is installed by including this action:
- # - name: Install .NET
- # uses: actions/setup-dotnet@v2
- # with:
- # dotnet-version: '3.1.x'
-
- # Run open source static analysis tools
- - name: Run OSSAR
- uses: github/ossar-action@v1
- id: ossar
-
- # Upload results to the Security tab
- - name: Upload OSSAR results
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: ${{ steps.ossar.outputs.sarifFile }}
diff --git a/.github/workflows/pmd.yml b/.github/workflows/pmd.yml
index 6ce3ff8..712474b 100644
--- a/.github/workflows/pmd.yml
+++ b/.github/workflows/pmd.yml
@@ -25,10 +25,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v3
- - name: Set up JDK 21
+ - name: Set up JDK 22
 uses: actions/setup-java@v3
 with:
- java-version: '21'
+ java-version: '22'
 distribution: 'temurin'
 - name: Run PMD
 id: pmd
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..1a2b574
--- /dev/null
+++ b/README.md
@@ -0,0 +1,69 @@
+Se trata de un repositorio creado para ejercitar contenidos del curso De
+DevOps a DevSecOps: seguridad en los procesos da [IEBS](https://www.iebschool.com/).
+
+El proyecto en sí es una implementación API-First que utiliza Java,
+Springboot y Gradle. A través de una especificación OpenAPI, se genera una interfaz
+Java para que los controladores creados estén alineados con la especificación API
+propuesta en la carpeta **build**.
+
+```
+.
+├── build
+│ └── generate-resources
+│ └── main
+│ ├── pom.xml
+│ ├── README.md
+│ └── src
+│ └── main
+│ └── java
+│ └── org
+│ └── openapitools
+│ ├── api
+│ │ ├── ApiUtil.java
+│ │ └── BatidasApi.java
+│ └── model
+│ ├── Mensagem.java
+│ └── Momento.java
+├── build.gradle.kts
+├── gradle
+│ └── wrapper
+├── gradle.properties
+├── gradlew
+├── gradlew.bat
+├── plugins
+│ ├── java.gradle
+│ └── openapi.gradle
+├── README.md
+├── settings.gradle.kts
+└── src
+ ├── main
+ │ ├── java
+ │ │ └── com
+ │ │ └── arthurfnsc
+ │ │ └── apifirst
+ │ │ ├── ApiFirstApplication.java
+ │ │ └── rest
+ │ │ └── FolhaPontoController.java
+ │ └── resources
+ │ ├── application.properties
+ │ └── openapi
+ │ └── folha_ponto-api.yaml
+ └── test
+ └── java
+```
+
+Para generar la interfaz, ejecute el siguiente comando:
+
+```
+./gradlew clean compileJava
+```
+
+Aunque el curso está dirigido a los pasos de DevSecOps, no tengo la experiencia para
+definir el mejor enfoque para las herramientas SAST, DAST y definir el sombreado entre
+opciones, por lo que agregué varias GithubActions para validar algunos conceptos en la
+pipeline.
+
+En el futuro, el repositorio puede sufrir cambios no necesariamente relacionados con la
+parte de seguridad, pero la pipeline de CI/CD y el contexto de seguridad permanecerán.
+Debido a que agregaste varias GithubActions en confirmaciones futuras, es posible que
+algunas de ellas se modifiquen sean eliminadas.
\ No newline at end of file