Closed silas-x closed 2 years ago
Thanks! @silas-x can we ignore the test* and example* files in the py directory? I see bandit complaining about those in https://github.com/silas-x/mango-v3-service/runs/4767739425?check_suite_focus=true, once it's all green on your fork we could merge
Added an ignore file in the root folder that contains test/example paths, so they should be ignored going forward :)
If other false positives/non-prod findings occur, we can either update this file, or use the option to ignore in the GitHub security tab. There you can use justifications such as 'test data', 'won't fix' etc.
Thanks, any ideas why https://github.com/silas-x/mango-v3-service/runs/4774408238?check_suite_focus=true#step:5:8 fails now?
Short answer - no, but let me look into it!

On 11 Jan 2022, 11:24 +0000, microwavedcola1 @.***>, wrote:
> Thanks, any ideas why https://github.com/silas-x/mango-v3-service/runs/4774408238?check_suite_focus=true#step:5:8 fails now?
As discussed, removed the bandit rules for now, as the tool seems to error if ignores are added for files that have already been identified as having issues and flagged in the GitHub security tab, even if they are accepted as false positives and/or deleted. Known issue. CodeQL already scans Python code, so there is still coverage.
Contents of the PR
Addition of an action that runs the CodeQL static application security testing tool. This tool identifies security bugs and unsafe coding practices and supports a range of languages. In this case, it's configured for JS/TS/Python.
Addition of an action that runs Trivy in repository mode. This tool scans the dependencies in the software composition and reports any vulnerable dependencies with fixes available. If a critical vulnerability with a fix is found, the job fails. For lower severities, it warns (this can be tweaked).
Addition of Semgrep, which is a testing framework that allows you to include rule-sets from https://semgrep.dev/. Have included rules for Dockerfile linting and Bandit, which is a well-known Python security scanning tool. The rules can be changed/expanded in the future if there is demand.
All 3 tools log security issues in the GitHub security tab, where the team can get context related to an issue and decide a course of action with an audit trail.
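As an added illustration (not the PR's own workflow files, which are not shown on this page), here is one GitHub Actions workflow wiring the three tools the way the description above lays out: CodeQL for JS/TS/Python, Trivy in repository (filesystem) mode that fails only on fixable CRITICAL findings, and Semgrep with the Bandit and Dockerfile rule-sets, all three uploading SARIF so the findings appear in the Security tab. The action version tags, the weekly schedule, the two-pass Trivy arrangement (one report-only pass, one gating pass) and the `py/test*` / `py/example*` ignore paths are my assumptions; the repository's real configuration may differ.

```yaml
# Added example, not the project's own workflow. Assumed action versions
# and inputs are noted inline; verify against the actions' current docs.
name: security-scans

on:
  push:
    branches: [main]
  pull_request:
  schedule:
    - cron: '0 3 * * 1'   # weekly: catches CVEs published after the last commit

permissions:
  contents: read
  actions: read            # CodeQL needs this on private repositories
  security-events: write   # required to upload SARIF into the Security tab

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: github/codeql-action/init@v2
        with:
          # CodeQL's "javascript" language covers TypeScript as well.
          languages: javascript, python
      - uses: github/codeql-action/autobuild@v2
      - uses: github/codeql-action/analyze@v2   # uploads its own SARIF

  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # Pass 1: report every severity, never fail, so all findings reach the
      # Security tab where they can be triaged (e.g. marked "won't fix").
      - uses: aquasecurity/trivy-action@master   # assumed ref
        with:
          scan-type: fs          # repository mode: lockfiles/manifests, not an image
          scan-ref: .
          ignore-unfixed: true   # only findings that have a fix available
          severity: CRITICAL,HIGH,MEDIUM,LOW
          format: sarif
          output: trivy-results.sarif
          exit-code: '0'
      - uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif
      # Pass 2: gate the job on fixable CRITICAL findings only.
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          ignore-unfixed: true
          severity: CRITICAL
          exit-code: '1'

  semgrep:
    runs-on: ubuntu-latest
    container:
      image: returntocorp/semgrep   # official image; tag pinning assumed omitted
    steps:
      - uses: actions/checkout@v3
      # Registry rule-sets: p/bandit (Python) and p/dockerfile (Dockerfile lint).
      # Paths to skip (assumed: py/test*, py/example*) live in a
      # .semgrepignore file at the repository root, one glob per line.
      - run: >
          semgrep scan
          --config p/bandit
          --config p/dockerfile
          --sarif --output semgrep.sarif
      - uses: github/codeql-action/upload-sarif@v2
        if: always()   # upload even if the scan step is later made blocking
        with:
          sarif_file: semgrep.sarif
```

Two details matter in practice. First, `ignore-unfixed: true` on both Trivy passes is what makes the gate actionable: a CRITICAL with no upstream fix would otherwise block every PR with nothing the team can do. Second, Semgrep's exclusions are read from `.semgrepignore`, so a path-based ignore applies at scan time; dismissing an alert in the Security tab is a separate, per-finding decision that leaves an audit trail but does not stop the same rule from firing on the next run.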