forked from ZupIT/horusec-examples-vulnerabilities
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Setup broken security-scan workflow with Bearer SAST
- Loading branch information
Showing
3,212 changed files
with
1,260,298 additions
and
1,922 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| FROM bearer/bearer:latest as bear | ||
| FROM golang:1.23 | ||
|
|
||
| COPY --from=bear /usr/local/bin/bearer /usr/local/bin | ||
| COPY --from=bear /usr/bin/git /usr/bin | ||
|
|
||
| WORKDIR / | ||
|
|
||
| RUN go install github.com/google/osv-scanner/cmd/osv-scanner@v1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| name: SAST Scan | ||
| run-name: Push from ${{ github.actor }} initiated a Security Scan 🚀 | ||
| permissions: | ||
| contents: write | ||
| jobs: | ||
| sast-scan: | ||
| runs-on: ubuntu-latest | ||
| container: avarteqgmbh/bearer-osv-scan | ||
| steps: | ||
| - name: Checkout repo inside CI runner | ||
| uses: actions/checkout@v4 | ||
| - name: Setup results file | ||
| run: | | ||
| touch ./scan_results/bearer.out.json | ||
| git config --global --add safe.directory '*' | ||
| - name: SAST Scan | ||
| working-directory: . | ||
| run: bearer scan . ./ci/bearer.yml | ||
| - name: Commit changes | ||
| uses: EndBug/add-and-commit@v9 | ||
| with: | ||
| author_name: scanner-bot | ||
| author_email: [email protected] | ||
| message: '[bot] Add SAST scan results' |
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,19 +1,3 @@ | ||
| <p align="center" margin="20 0"><a href="https://horusec.io/"> | ||
| <img src="https://github.com/ZupIT/horusec-devkit/blob/main/assets/horusec_logo.png?raw=true" | ||
| alt="logo_header" width="65%" style="max-width:100%;"/></a></p> | ||
|
|
||
| <p align="center"> | ||
| <a href="https://github.com/ZupIT/horusec-engine/pulse" alt="activity"> | ||
| <img src="https://img.shields.io/github/commit-activity/m/ZupIT/horusec-engine?label=activity"/></a> | ||
| <a href="https://github.com/ZupIT/horusec-engine/graphs/contributors" alt="contributors"> | ||
| <img src="https://img.shields.io/github/contributors/ZupIT/horusec-engine?label=contributors"/></a> | ||
| <a href="https://github.com/ZupIT/horusec-engine/actions/workflows/security.yml" alt="security"> | ||
| <img src="https://img.shields.io/github/workflow/status/ZupIT/horusec-engine/Security?label=security"/></a> | ||
| <a href="https://opensource.org/licenses/Apache-2.0" alt="license"> | ||
| <img src="https://img.shields.io/badge/license-Apache%202-blue"/></a> | ||
|
|
||
| # **Horusec Examples Vulnerabilities** | ||
|
|
||
| ## **Table of contents** | ||
| ### 1. [**About**](#about) | ||
| ### 2. [**Documentation**](#documentation) | ||
|
|
@@ -23,54 +7,6 @@ | |
|
|
||
|
|
||
| ## **About** | ||
| This repository contains some vulnerabilities examples for you to test Horusec's analysis. | ||
|
|
||
| ## **Documentation** | ||
|
|
||
| For more information about Horusec, please check out the [**documentation**](https://docs.horusec.io). | ||
|
|
||
|
|
||
| ## **Contributing** | ||
|
|
||
| If you want to contribute to this repository, access our [**Contributing Guide**](https://github.com/ZupIT/horusec/blob/main/CONTRIBUTING.md). | ||
|
|
||
|
|
||
| ### **Developer Certificate of Origin - DCO** | ||
|
|
||
| This is a security layer for the project and for the developers. It is mandatory. | ||
|
|
||
| Follow one of these two methods to add DCO to your commits: | ||
|
|
||
| **1. Command line** | ||
| Follow the steps: | ||
| **Step 1:** Configure your local git environment adding the same name and e-mail configured at your GitHub account. It helps to sign commits manually during reviews and suggestions. | ||
|
|
||
| ``` | ||
| git config --global user.name “Name” | ||
| git config --global user.email “[email protected]” | ||
| ``` | ||
| **Step 2:** Add the Signed-off-by line with the `'-s'` flag in the git commit command: | ||
|
|
||
| ``` | ||
| $ git commit -s -m "This is my commit message" | ||
| ``` | ||
|
|
||
| **2. GitHub website** | ||
| You can also manually sign your commits during GitHub reviews and suggestions, follow the steps below: | ||
|
|
||
| **Step 1:** When the commit changes box opens, manually type or paste your signature in the comment box, see the example: | ||
|
|
||
| ``` | ||
| Signed-off-by: Name < e-mail address > | ||
| ``` | ||
|
|
||
| For this method, your name and e-mail must be the same registered on your GitHub account. | ||
|
|
||
| ## **License** | ||
| [**Apache License 2.0**](https://github.com/ZupIT/horusec-examples-vulnerabilities/blob/main/LICENSE). | ||
|
|
||
| ## **Community** | ||
| Do you have any question about Horusec? Let's chat in our [**forum**](https://forum.zup.com.br/). | ||
|
|
||
| This repository contains some vulnerabilities examples, with a Bearer-based Github workflow in it that scans said vulnerabilities. This is a fork of the https://github.com/ZupIT/horusec-examples-vulnerabilities repository. No use or customization of Horusec tooling is made; the only changes concern the Github Workflows, this README and the addition of some mock vendored packages to facilitate CVE scanner tests. | ||
|
|
||
| This project exists thanks to all the contributors. You rock! ❤️🚀 | ||
| As such, the LICENSE and copyright.txt remain unchanged. | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| disable-version-check: false | ||
| log-level: info | ||
| report: | ||
| fail-on-severity: critical,high,medium,low | ||
| format: json | ||
| no-color: false | ||
| output: "" | ||
| report: security | ||
| severity: critical,high,medium,low,warning | ||
| rule: | ||
| disable-default-rules: false | ||
| only-rule: [] | ||
| skip-rule: [] | ||
| scan: | ||
| context: "" | ||
| data_subject_mapping: "" | ||
| disable-domain-resolution: true | ||
| domain-resolution-timeout: 3s | ||
| external-rule-dir: [] | ||
| force: false | ||
| hide_progress_bar: false | ||
| internal-domains: [] | ||
| parallel: 0 | ||
| quiet: true | ||
| scanner: | ||
| - secrets | ||
| skip-test: true |
This file was deleted.
Oops, something went wrong.
16 changes: 0 additions & 16 deletions
16
csharp/example1/NetCoreVulnerabilities/NetCoreVulnerabilities.csproj
This file was deleted.
Oops, something went wrong.
This file was deleted.
Oops, something went wrong.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.