diff --git a/.github/workflows/endor-vulnerability-scan.yml b/.github/workflows/endor-vulnerability-scan.yml
new file mode 100644
index 0000000..1502775
--- /dev/null
+++ b/.github/workflows/endor-vulnerability-scan.yml
@@ -0,0 +1,60 @@
+name: "Endor Labs Vulnerability Scan"
+
+on:
+ push:
+ branches:
+ - main
+ - master
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ endor-scan:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ id-token: write
+
+ environment: copilot
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v5
+
+ - name: Setup Java
+ uses: actions/setup-java@v4
+ with:
+ distribution: 'microsoft'
+ java-version: '17'
+
+ - name: Setup endorctl
+ run: |
+ curl https://api.staging.endorlabs.com/download/endorlabs/v1.7.688/binaries/endorctl_v1.7.688_linux_amd64 -o endorctl
+ echo "2dd5e32c21afc893d1229a1c6e9864ad82ce2d1bc2f8e6cbfe9f5acba7f461a9 endorctl" | sha256sum --check
+ chmod +x ./endorctl
+
+ - name: Run Endor Labs Vulnerability Scan
+ env:
+ ENDOR_API_KEY: ${{ secrets.ENDOR_API_KEY }}
+ ENDOR_API_SECRET: ${{ secrets.ENDOR_API_SECRET }}
+ ENDOR_NAMESPACE: ${{ secrets.ENDOR_NAMESPACE }}
+ run: |
+ ./endorctl scan \
+ --path=. \
+ --dependencies \
+ --secrets \
+ --languages=java \
+ --output-type=summary \
+ --sarif-file=endor-scan-results.sarif \
+ --namespace=${{ secrets.ENDOR_NAMESPACE }} \
+ --api-key=${{ secrets.ENDOR_API_KEY }} \
+ --api-secret=${{ secrets.ENDOR_API_SECRET }}
+
+ - name: Upload Scan Results
+ if: always()
+ uses: actions/upload-artifact@v4
+ with:
+ name: endor-scan-results
+ path: endor-scan-results.sarif
+ retention-days: 30
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..80d66d1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,14 @@
+# Build artifacts
+target/
+*.class
+*.jar
+*.war
+
+# IDE files
+.idea/
+*.iml
+.vscode/
+.DS_Store
+
+# Endor Labs CLI
+endorctl
diff --git a/VULNERABILITY_SCANNING.md b/VULNERABILITY_SCANNING.md
new file mode 100644
index 0000000..cc280b2
--- /dev/null
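Review bot: The "Run Endor Labs Vulnerability Scan" step interpolates `${{ secrets.ENDOR_NAMESPACE }}`, `${{ secrets.ENDOR_API_KEY }}` and `${{ secrets.ENDOR_API_SECRET }}` directly into the `run:` script text even though the same three values are already exported in that step's `env:` block, which is the expression-in-script pattern GitHub's workflow hardening guidance advises against and also leaves the `env:` entries unused. Reading the exported variables keeps the values out of the script body: `--namespace="$ENDOR_NAMESPACE" \`, `--api-key="$ENDOR_API_KEY" \`, `--api-secret="$ENDOR_API_SECRET"`. `scan-vulnerabilities.sh` in the same commit validates `ENDOR_NAMESPACE` against `^[a-zA-Z0-9_-]+$` before use, while the workflow passes it unvalidated, so the two entry points disagree on that input. `id-token: write` is granted under `permissions:` but nothing in the workflow appears to use an OIDC token — the scan authenticates with the API key/secret — so it can presumably be dropped to keep the grant minimal. The "Upload Scan Results" step stores the SARIF only as an artifact; if the Security-tab integration described in `VULNERABILITY_SCANNING.md` is intended, a `github/codeql-action/upload-sarif` step with `security-events: write` would be needed in addition.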
+++ b/VULNERABILITY_SCANNING.md 
@@ -0,0 +1,84 @@
+# Endor Labs Vulnerability Scanning
+
+This repository is configured to run vulnerability scans using Endor Labs.
+
+## Overview
+
+Endor Labs provides comprehensive security scanning for:
+- **Dependency vulnerabilities**: Scans all Maven dependencies for known security issues
+- **Secret scanning**: Detects exposed credentials and secrets in code
+- **Code vulnerabilities**: Identifies security issues in the codebase
+
+## Running Scans
+
+### Automated Scans via GitHub Actions
+
+The repository includes a GitHub Actions workflow that automatically runs vulnerability scans:
+
+- **Workflow**: `.github/workflows/endor-vulnerability-scan.yml`
+- **Triggers**:
+ - On push to main/master branches
+ - On pull requests
+ - Manual trigger via workflow_dispatch
+
+### Manual Scans
+
+To run a scan manually on your local machine:
+
+1. Ensure you have the `endorctl` CLI tool installed
+2. Set up authentication:
+ ```bash
+ export ENDOR_API_KEY="your-api-key"
+ export ENDOR_API_SECRET="your-api-secret"
+ export ENDOR_NAMESPACE="your-namespace"
+ ```
+3. Run the scan script:
+ ```bash
+ ./scan-vulnerabilities.sh
+ ```
+
+Or run endorctl directly:
+```bash
+./endorctl scan \
+ --path=. 
\
+ --dependencies \
+ --secrets \
+ --languages=java \
+ --output-type=summary
+```
+
+## Scan Types
+
+The vulnerability scan includes:
+
+- **Dependencies**: Scans all Maven dependencies defined in `pom.xml`
+- **Secrets**: Scans for exposed credentials, API keys, and sensitive data
+- **Languages**: Focuses on Java code analysis
+
+## Configuration
+
+### Required Secrets
+
+For GitHub Actions to work, configure these secrets in your repository:
+- `ENDOR_API_KEY`: Your Endor Labs API key
+- `ENDOR_API_SECRET`: Your Endor Labs API secret
+- `ENDOR_NAMESPACE`: Your Endor Labs namespace
+
+### Files
+
+- `scan-vulnerabilities.sh`: Shell script for running scans
+- `.github/workflows/endor-vulnerability-scan.yml`: GitHub Actions workflow
+- `.gitignore`: Configured to exclude the endorctl binary
+
+## Viewing Results
+
+Scan results are available in multiple formats:
+- Summary output in the console
+- SARIF files for integration with GitHub Security tab
+- JSON format for programmatic access
+- Detailed reports in the Endor Labs web interface
+
+## Additional Resources
+
+- [Endor Labs Documentation](https://docs.endorlabs.com/)
+- [endorctl CLI Reference](https://docs.endorlabs.com/endorctl/)
diff --git a/scan-vulnerabilities.sh b/scan-vulnerabilities.sh
new file mode 100755
index 0000000..56c3ba0
--- /dev/null
+++ b/scan-vulnerabilities.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+# Endor Labs Vulnerability Scan Script
+# This script performs a comprehensive vulnerability scan using endorctl
+
+set -e
+
+echo "Starting Endor Labs vulnerability scan..."
+echo "Repository: app-java-demo"
+echo "Scan types: vulnerabilities, secrets, dependencies"
+echo ""
+
+# Check if namespace is set and validate it
+if [ -z "$ENDOR_NAMESPACE" ]; then
+ echo "Error: ENDOR_NAMESPACE environment variable is required"
+ echo "Please set it before running this script:"
+ echo " export ENDOR_NAMESPACE=your-namespace"
+ exit 1
+fi
+
+# Validate namespace contains only safe characters (alphanumeric, dash, underscore)
+if ! [[ "$ENDOR_NAMESPACE" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+ echo "Error: ENDOR_NAMESPACE contains invalid characters"
+ echo "Only alphanumeric characters, dashes, and underscores are allowed"
+ exit 1
+fi
+
+# Run endorctl scan with multiple scan types
+./endorctl scan \
+ --path=. \
+ --dependencies \
+ --secrets \
+ --languages=java \
+ --output-type=summary \
+ --namespace="$ENDOR_NAMESPACE" \
+ ${ENDOR_API_KEY:+--api-key="$ENDOR_API_KEY"} \
+ ${ENDOR_API_SECRET:+--api-secret="$ENDOR_API_SECRET"}
+
+echo ""
+echo "Scan completed successfully!"
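Review bot: The `./endorctl scan` call at the end of the hunk runs without first checking that the binary is present and executable in the working directory, so under `set -e` a missing download fails with a bare "No such file or directory" instead of the clear messages the namespace checks produce; a guard before the scan, `[ -x ./endorctl ] || { echo "Error: ./endorctl not found or not executable in $(pwd)" >&2; exit 1; }`, closes that gap, and the existing error `echo`s would be better sent to stderr with `>&2` as well. The `${ENDOR_API_KEY:+--api-key=...}` and `${ENDOR_API_SECRET:+--api-secret=...}` lines place the credential values on the command line, where other local users can read them from the process table for the lifetime of the scan; if endorctl honours `ENDOR_API_KEY`/`ENDOR_API_SECRET` from the environment — the workflow's `env:` block in this commit hints at it, but nothing in the hunk confirms it — passing them only through the environment avoids that exposure. `echo "Repository: app-java-demo"` is hard-coded and will be wrong as soon as the script is copied to another repository; `basename "$(git rev-parse --show-toplevel)"` keeps it accurate.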