From acaa965a8797f090cbd89ce4055c44d87728cf45 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sat, 10 Aug 2024 12:40:51 +0200 Subject: [PATCH 01/34] Create deploy.yml hace el built de la imagen y la almacena en ECR. Despues despliega los cambios en EKS --- .github/workflows/deploy.yml | 39 ++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/deploy.yml diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml new file mode 100644 index 0000000000..6858696359 --- /dev/null +++ b/.github/workflows/deploy.yml @@ -0,0 +1,39 @@ +name: Deploy to EKS + +on: + push: + branches: + - main # Puedes cambiarlo por la rama que prefieras + +jobs: + deploy: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v2 + with: + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: ${{ secrets.AWS_REGION }} + + - name: Log in to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + + - name: Build, tag, and push image to ECR + run: | + IMAGE_TAG=$(echo $GITHUB_SHA | cut -c1-7) + REPOSITORY_URI= + docker build -t $REPOSITORY_URI:$IMAGE_TAG . + docker push $REPOSITORY_URI:$IMAGE_TAG + env: + ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }} + + - name: Update Kubernetes Deployment + run: | + aws eks update-kubeconfig --name ${{ secrets.EKS_CLUSTER_NAME }} --region ${{ secrets.AWS_REGION }} + kubectl set image deployment/ =:$(echo $GITHUB_SHA | cut -c1-7) From 1c00930cd6cef40d80a898714cef9142a2117e7a Mon Sep 17 00:00:00 2001 From: mhernes Date: Sat, 10 Aug 2024 12:49:54 +0200 Subject: [PATCH 02/34] Update deploy.yml --- .github/workflows/deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 6858696359..66212a27c3 100644 
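Review bot: In the "Build, tag, and push image to ECR" step `REPOSITORY_URI=` is assigned nothing and `ECR_REPOSITORY` is exported but never read, so `docker build -t $REPOSITORY_URI:$IMAGE_TAG .` produces a tag of the form `:<sha>` and the push has no registry to target; the `login-ecr` step exposes the registry for exactly this, e.g. `REPOSITORY_URI=${{ steps.login-ecr.outputs.registry }}/$ECR_REPOSITORY`. The final `kubectl set image deployment/ =:$(echo $GITHUB_SHA | cut -c1-7)` has the same empty placeholders for the deployment and container names and will be rejected by kubectl. The job also authenticates with long-lived `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` repository secrets; `aws-actions/configure-aws-credentials` supports `role-to-assume` with a `permissions: id-token: write` block, which removes static keys from the repository entirely. An explicit top-level `permissions: contents: read` is also missing here, while the later workflows in this series do declare one.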
--- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -18,7 +18,7 @@ jobs: with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-region: ${{ secrets.AWS_REGION }} + aws-region: eu-west-1 # ${{ secrets.AWS_REGION }} - name: Log in to Amazon ECR id: login-ecr From e2c37b9e9ce7dca07aeb2cc194d6dd568edde57b Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 10:23:35 +0200 Subject: [PATCH 03/34] Create sysdig-scan.yml --- .github/workflows/sysdig-scan.yml | 62 +++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 .github/workflows/sysdig-scan.yml diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml new file mode 100644 index 0000000000..8cee65a6c1 --- /dev/null +++ b/.github/workflows/sysdig-scan.yml 
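Review bot: Hard-coding `aws-region: eu-west-1` here while `aws eks update-kubeconfig ... --region ${{ secrets.AWS_REGION }}` further down the file (outside this hunk) still reads the secret leaves two sources of truth for the region, which can silently diverge. A region is configuration, not a secret; a workflow-level `env:` with `AWS_REGION: eu-west-1` referenced as `${{ env.AWS_REGION }}` in both places keeps it visible in review and consistent. The trailing `# ${{ secrets.AWS_REGION }}` comment is dead text and can be dropped.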
@@ -0,0 +1,62 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +name: Sysdig - Build, scan, push and upload sarif report + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: '16 20 * * 5' + +permissions: + contents: read + +jobs: + + build: + + permissions: + checks: write # for sysdiglabs/scan-action to publish the checks + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Build the Docker image + # Tag image to be built + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below + run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest + + - name: Sysdig Secure Inline Scan + id: scan + uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163 + with: + # Tag of the image to analyse. + # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above + image-tag: ${{ github.repository }}:latest + # API token for Sysdig Scanning auth + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}} + # Sysdig secure endpoint. 
Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/ + # US-East https://secure.sysdig.com + # US-West https://us2.app.sysdig.com + # EU https://eu1.app.sysdig.com + sysdig-secure-url: https://us2.app.sysdig.com + dockerfile-path: ./Dockerfile + input-type: docker-daemon + ignore-failed-scan: true + # Sysdig inline scanner requires privileged rights + run-as-user: root + + - uses: github/codeql-action/upload-sarif@v3 + #Upload SARIF file + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarifReport }} From cb72a99b0ac20ae618d8d9d343903c84178a3a76 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 11:08:06 +0200 Subject: [PATCH 04/34] Create main.yml --- .github/workflows/main.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/main.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 0000000000..a59578b3a8 --- /dev/null +++ b/.github/workflows/main.yml @@ -0,0 +1,29 @@ +name: Sysdig Vulnerability Scan + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Install Sysdig CLI Scanner + run: | + curl -sLo /tmp/install-sysdig https://download.sysdig.com/stable/install-agent && \ + chmod +x /tmp/install-sysdig && \ + sudo /tmp/install-sysdig --cli + + - name: Run Sysdig CLI Scanner + env: + SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} + run: | + sudo /usr/local/bin/sysdig-cli-scanner scan From 4b9b9628917d7b21c98a07b08f6727efd9e9991d Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 11:11:10 +0200 Subject: [PATCH 05/34] Update sysdig-scan.yml --- .github/workflows/sysdig-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index 8cee65a6c1..d1ecdf0308 100644 
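Review bot: `ignore-failed-scan: true` together with `if: always()` on the SARIF upload means a policy failure in the Sysdig scan never fails the job, so findings only appear in the Security tab and a failing image does not block a merge. If the intent is gating, set `ignore-failed-scan: false` (or drop the key) and keep `if: always()` so the report is still uploaded on failure; if the intent is report-only, a comment saying so next to the input would help the next reader. `sysdig-secure-url: https://us2.app.sysdig.com` must match the region the `SYSDIG_SECURE_TOKEN` was issued in or authentication fails before any scanning happens — later workflows in this series use `https://eu1.app.sysdig.com`, so one of the two is likely wrong. Pinning `sysdiglabs/scan-action` to a full commit SHA, as done here, is the right call; `actions/checkout@v4` and `upload-sarif@v3` could get the same treatment.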
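Review bot: The install step downloads `install-agent` from `download.sysdig.com/stable` and runs it with `sudo` without pinning a version or verifying a checksum, so the runner's root context depends on whatever that URL serves at run time; a pinned release plus a `sha256sum --check` against a recorded digest would make the supply chain reviewable. The scan step exports `SYSDIG_SECURE_TOKEN`, but `sysdig-cli-scanner scan` is invoked with no image argument and, judging by the next revision of this file in the series, the scanner reads `SECURE_API_TOKEN`, so as written it can neither authenticate nor know what to scan. `actions/checkout@v3` is also behind the `@v4` used by the sibling `sysdig-scan.yml` added in the same series.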
--- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -49,7 +49,7 @@ jobs: # US-West https://us2.app.sysdig.com # EU https://eu1.app.sysdig.com sysdig-secure-url: https://us2.app.sysdig.com - dockerfile-path: ./Dockerfile + dockerfile-path: ./worker/Dockerfile input-type: docker-daemon ignore-failed-scan: true # Sysdig inline scanner requires privileged rights From 961fcf51401314294585a728a88a44acca1479ca Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 11:13:15 +0200 Subject: [PATCH 06/34] Update sysdig-scan.yml --- .github/workflows/sysdig-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/sysdig-scan.yml b/.github/workflows/sysdig-scan.yml index d1ecdf0308..321c516f7a 100644 --- a/.github/workflows/sysdig-scan.yml +++ b/.github/workflows/sysdig-scan.yml @@ -33,7 +33,7 @@ jobs: - name: Build the Docker image # Tag image to be built # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below - run: docker build . --file Dockerfile --tag ${{ github.repository }}:latest + run: docker build . --file worker/Dockerfile --tag ${{ github.repository }}:latest - name: Sysdig Secure Inline Scan id: scan From 19edf630a2af37d55e4323c550bf3ee2ed0dd4e2 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 11:34:31 +0200 Subject: [PATCH 07/34] Create IaC_scan.yml --- .github/workflows/IaC_scan.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/workflows/IaC_scan.yml diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml new file mode 100644 index 0000000000..3b2fb2ef34 --- /dev/null +++ b/.github/workflows/IaC_scan.yml 
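Review bot: `docker build . --file worker/Dockerfile` keeps the build context at the repository root, so every `COPY` inside `worker/Dockerfile` resolves relative to the root rather than to `worker/` — the `COPY *.csproj .` visible in a later hunk of this series would then match nothing. Building with the service directory as the context, `docker build ./worker --file worker/Dockerfile --tag ...`, keeps the Dockerfile self-contained and avoids sending the whole repository (including `.github/` and the other services) into the build. The `dockerfile-path` change in the preceding hunk appears to only tell the scanner where to read the Dockerfile from and does not affect the build itself.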
@@ -0,0 +1,27 @@ +name: Sysdig IaC Scan + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +permissions: + contents: read + +jobs: + + iac-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Scan infrastructure + uses: sysdiglabs/scan-action@v5 + with: + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + cli-scanner-version: 1.9.0 + mode: iac + iac-scan-path: ./ From c7093efebf8a3b65860d077314f748ec89cc66be Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 15:56:32 +0200 Subject: [PATCH 08/34] Update main.yml --- .github/workflows/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index a59578b3a8..052f71a82b 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -18,12 +18,13 @@ jobs: - name: Install Sysdig CLI Scanner run: | - curl -sLo /tmp/install-sysdig https://download.sysdig.com/stable/install-agent && \ - chmod +x /tmp/install-sysdig && \ + curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" && \ + chmod +x ./sysdig-cli-scanner && \ sudo /tmp/install-sysdig --cli - name: Run Sysdig CLI Scanner env: SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} run: | - sudo /usr/local/bin/sysdig-cli-scanner scan + SECURE_API_TOKEN=SYSDIG_SECURE_TOKEN ./sysdig-cli-scanner --iac --apiurl https://eu1.app.sysdig.com ./ + From cb7160db3c3d5f99f1d60a5f3c050e82dcd14a52 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:00:39 +0200 Subject: [PATCH 09/34] Update IaC_scan.yml --- .github/workflows/IaC_scan.yml | 23 ++--------------------- 1 file changed, 2 insertions(+), 21 deletions(-) diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml index 3b2fb2ef34..1ad5830892 100644 
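Review bot: `sysdiglabs/scan-action@v5` is pinned to a mutable tag, whereas `sysdig-scan.yml` in this series pins the same third-party action to a full commit SHA; a tag can be moved to new code that receives `SYSDIG_SECURE_TOKEN`, so the SHA pin (with the tag in a trailing comment) is the safer and more consistent choice. No `sysdig-secure-url` is set, so the action will use its default endpoint; if the token belongs to another region the scan fails at authentication rather than for a policy reason, which is worth a comment next to the token input. `cli-scanner-version: 1.9.0` parses as a string only because it has two dots; quoting it (`"1.9.0"`) guards against a future `1.10` being read as the float `1.1`.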
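Review bot: `SECURE_API_TOKEN=SYSDIG_SECURE_TOKEN` assigns the literal string `SYSDIG_SECURE_TOKEN`, not the value of the env var the step exports; it needs `SECURE_API_TOKEN="$SYSDIG_SECURE_TOKEN"`. The install step now fetches whatever `latest_version.txt` points to and never verifies it, and still ends with `sudo /tmp/install-sysdig --cli`, a file the new `curl -LO` no longer creates, so the step fails before the scan runs; pin an explicit version in the URL and drop the stale line. Running `./sysdig-cli-scanner` from the checkout without `sudo` is the right direction.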
--- a/.github/workflows/IaC_scan.yml +++ b/.github/workflows/IaC_scan.yml @@ -1,27 +1,8 @@ -name: Sysdig IaC Scan -on: - push: - branches: [ "main" ] - pull_request: - branches: [ "main" ] - -permissions: - contents: read - -jobs: - - iac-scan: - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Scan infrastructure + - name: Scan infrastructure uses: sysdiglabs/scan-action@v5 with: sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} cli-scanner-version: 1.9.0 mode: iac - iac-scan-path: ./ + iac-scan-path: ./terraform From 91c18c61a5424a75aca199b3118427570cbc8811 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:00:48 +0200 Subject: [PATCH 10/34] Update IaC_scan.yml --- .github/workflows/IaC_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml index 1ad5830892..02315f5d64 100644 --- a/.github/workflows/IaC_scan.yml +++ b/.github/workflows/IaC_scan.yml @@ -5,4 +5,4 @@ sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} cli-scanner-version: 1.9.0 mode: iac - iac-scan-path: ./terraform + iac-scan-path: ./ From fe8a693039d89c95fc7ae08b398f3e309a263f03 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:02:15 +0200 Subject: [PATCH 11/34] Update IaC_scan.yml --- .github/workflows/IaC_scan.yml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml index 02315f5d64..8dd40241cb 100644 --- a/.github/workflows/IaC_scan.yml +++ b/.github/workflows/IaC_scan.yml 
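Review bot: This revision deletes `name:`, `on:`, `permissions:`, `jobs:` and the checkout step, leaving a bare `- name: Scan infrastructure` list item at the top of the file; GitHub rejects a workflow with no `on` trigger and no job, so nothing will run. If the goal was only to point the scan at `./terraform`, that is the single `iac-scan-path` line and the header should stay (the next two hunks in this series revert the path and restore the header, so the net effect of these commits is noise in history).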
@@ -1,5 +1,23 @@ +name: Sysdig IaC Scan - - name: Scan infrastructure +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + +permissions: + contents: read + +jobs: + iac-scan: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Scan infrastructure uses: sysdiglabs/scan-action@v5 with: sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} From d4f2a71403741fea31535bd421ac1156bdd24744 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:03:29 +0200 Subject: [PATCH 12/34] Update IaC_scan.yml --- .github/workflows/IaC_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml index 8dd40241cb..2452f24b89 100644 --- a/.github/workflows/IaC_scan.yml +++ b/.github/workflows/IaC_scan.yml @@ -20,7 +20,7 @@ jobs: - name: Scan infrastructure uses: sysdiglabs/scan-action@v5 with: - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 # ${{ secrets.SYSDIG_SECURE_TOKEN }} cli-scanner-version: 1.9.0 mode: iac iac-scan-path: ./ From 5e67e1bf17a34a98d39c36a9f1d98f72e0e1ee88 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:07:17 +0200 Subject: [PATCH 13/34] Update IaC_scan.yml --- .github/workflows/IaC_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml index 2452f24b89..309c7a12ee 100644 --- a/.github/workflows/IaC_scan.yml +++ b/.github/workflows/IaC_scan.yml @@ -23,4 +23,4 @@ jobs: sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 # ${{ secrets.SYSDIG_SECURE_TOKEN }} cli-scanner-version: 1.9.0 mode: iac - iac-scan-path: ./ + iac-scan-path: ./vote From 9ad8e2cc990d39ee8db8a53356cddb684be9a50c Mon Sep 17 00:00:00 2001 
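Review bot: The new `sysdig-secure-token:` line replaces the `${{ secrets.SYSDIG_SECURE_TOKEN }}` reference with a literal UUID-style API token, committing a live credential to the repository; once pushed it lives in git history, is visible to every reader and fork, and will be flagged by secret scanners. The token should be revoked and reissued in Sysdig, the new value stored only in the `SYSDIG_SECURE_TOKEN` repository secret, and this line returned to `sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }}`. Moving the literal into a trailing `#` comment, as patches 16 and 17 in this series do, or deleting the line later does not undo the exposure. The same literal recurs in patches 13–17, 19, 21–24 and 27–29 (`IaC_scan.yml` and `vulnerability_scan.yml`); this note applies to all of them.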
From: mhernes Date: Sun, 11 Aug 2024 16:09:17 +0200 Subject: [PATCH 14/34] Update IaC_scan.yml --- .github/workflows/IaC_scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml index 309c7a12ee..91ed17492d 100644 --- a/.github/workflows/IaC_scan.yml +++ b/.github/workflows/IaC_scan.yml @@ -23,4 +23,5 @@ jobs: sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 # ${{ secrets.SYSDIG_SECURE_TOKEN }} cli-scanner-version: 1.9.0 mode: iac + sysdig-secure-url: https://eu1.app.sysdig.com iac-scan-path: ./vote From 45cede68acaeeb1bd289a214990a152bb6736b63 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:11:00 +0200 Subject: [PATCH 15/34] Update IaC_scan.yml --- .github/workflows/IaC_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml index 91ed17492d..a988034918 100644 --- a/.github/workflows/IaC_scan.yml +++ b/.github/workflows/IaC_scan.yml @@ -24,4 +24,4 @@ jobs: cli-scanner-version: 1.9.0 mode: iac sysdig-secure-url: https://eu1.app.sysdig.com - iac-scan-path: ./vote + iac-scan-path: ./ From 1b6a311ae28982c7dde3e8ac8e9c30d298fc8f9b Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:19:58 +0200 Subject: [PATCH 16/34] Update IaC_scan.yml --- .github/workflows/IaC_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml index a988034918..38cbae5bae 100644 --- a/.github/workflows/IaC_scan.yml +++ b/.github/workflows/IaC_scan.yml @@ -20,7 +20,7 @@ jobs: - name: Scan infrastructure uses: sysdiglabs/scan-action@v5 with: - sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 # ${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} #98513912-9a2c-4f60-a5ba-2c424565e793 cli-scanner-version: 1.9.0 mode: iac sysdig-secure-url: https://eu1.app.sysdig.com 
From 90f3469263fff67c1a893b59cf9123a32ecf23a6 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:20:39 +0200 Subject: [PATCH 17/34] Update IaC_scan.yml --- .github/workflows/IaC_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml index 38cbae5bae..2047b6aa07 100644 --- a/.github/workflows/IaC_scan.yml +++ b/.github/workflows/IaC_scan.yml @@ -20,7 +20,7 @@ jobs: - name: Scan infrastructure uses: sysdiglabs/scan-action@v5 with: - sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN }} #98513912-9a2c-4f60-a5ba-2c424565e793 + sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} # cli-scanner-version: 1.9.0 mode: iac sysdig-secure-url: https://eu1.app.sysdig.com From ebd9933daa5e29fdc9ce912f21b9dd0ef32dd89f Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:21:48 +0200 Subject: [PATCH 18/34] Rename main.yml to vulnerability_scan.yml --- .github/workflows/{main.yml => vulnerability_scan.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/workflows/{main.yml => vulnerability_scan.yml} (100%) diff --git a/.github/workflows/main.yml b/.github/workflows/vulnerability_scan.yml similarity index 100% rename from .github/workflows/main.yml rename to .github/workflows/vulnerability_scan.yml From 02aeec46f452272ab56c35a4a51082cce8992931 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:26:38 +0200 Subject: [PATCH 19/34] Update vulnerability_scan.yml --- .github/workflows/vulnerability_scan.yml | 41 +++++++++++++----------- 1 file changed, 23 insertions(+), 18 deletions(-) diff --git a/.github/workflows/vulnerability_scan.yml b/.github/workflows/vulnerability_scan.yml index 052f71a82b..184fc71957 100644 --- a/.github/workflows/vulnerability_scan.yml +++ b/.github/workflows/vulnerability_scan.yml 
@@ -1,30 +1,35 @@ -name: Sysdig Vulnerability Scan +name: Docker Image Build and Scan on: push: - branches: - - main + branches: [ "main" ] pull_request: - branches: - - main + branches: [ "main" ] + +permissions: + contents: read jobs: - scan: + build-and-scan: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 + + - name: Build the Docker image + run: docker build . --file ./vote/Dockerfile --tag sysdiglabs/dummy-vuln-app:latest - - name: Install Sysdig CLI Scanner - run: | - curl -LO "https://download.sysdig.com/scanning/bin/sysdig-cli-scanner/$(curl -L -s https://download.sysdig.com/scanning/sysdig-cli-scanner/latest_version.txt)/linux/amd64/sysdig-cli-scanner" && \ - chmod +x ./sysdig-cli-scanner && \ - sudo /tmp/install-sysdig --cli + - name: Scan image + id: scan + uses: sysdiglabs/scan-action@v5 + with: + image-tag: sysdiglabs/dummy-vuln-app:latest + sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} + sarif-output-file: ${{ github.workspace }}/sarif.json - - name: Run Sysdig CLI Scanner - env: - SYSDIG_SECURE_TOKEN: ${{ secrets.SYSDIG_SECURE_TOKEN }} - run: | - SECURE_API_TOKEN=SYSDIG_SECURE_TOKEN ./sysdig-cli-scanner --iac --apiurl https://eu1.app.sysdig.com ./ - + - name: Upload SARIF file + if: success() || failure() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ github.workspace }}/sarif.json From ded27e1c37c1d39e23f162848246ea4dc8af4423 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:30:30 +0200 Subject: [PATCH 20/34] Update Dockerfile --- vote/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vote/Dockerfile b/vote/Dockerfile index 9e812ca958..80874ea1a2 100644 --- a/vote/Dockerfile +++ b/vote/Dockerfile 
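Review bot: The new top-level `permissions: contents: read` leaves the job token without `security-events: write`, so the `github/codeql-action/upload-sarif@v3` step will fail with a permissions error when it tries to publish `sarif.json`; the sibling `sysdig-scan.yml` in this series documents the required set (`security-events: write`, plus `actions: read` for private repositories) at the job level, and the same block belongs on `build-and-scan`. The image is built as `sysdiglabs/dummy-vuln-app:latest`, which names a vendor sample rather than this repository's `vote` service; a repository-specific tag avoids confusion in the Sysdig console. The hard-coded `sysdig-secure-token` value carries over the credential exposure raised on `IaC_scan.yml`.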
@@ -10,7 +10,7 @@ RUN apt-get update && \ WORKDIR /usr/local/app # Install our requirements.txt -COPY requirements.txt ./requirements.txt +COPY vote/requirements.txt ./requirements.txt RUN pip install --no-cache-dir -r requirements.txt # Define a stage specifically for development, where it'll watch for From 558e3ffe59a8cd1b914fc3809d90b349c68b467e Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:33:32 +0200 Subject: [PATCH 21/34] Update vulnerability_scan.yml --- .github/workflows/vulnerability_scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/vulnerability_scan.yml b/.github/workflows/vulnerability_scan.yml index 184fc71957..a22e94550d 100644 --- a/.github/workflows/vulnerability_scan.yml +++ b/.github/workflows/vulnerability_scan.yml @@ -26,6 +26,7 @@ jobs: with: image-tag: sysdiglabs/dummy-vuln-app:latest sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-url: https://eu1.app.sysdig.com sarif-output-file: ${{ github.workspace }}/sarif.json - name: Upload SARIF file From d20f25f611bc67952dcf32e8f1175f7980a2b711 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:39:09 +0200 Subject: [PATCH 22/34] Update vulnerability_scan.yml --- .github/workflows/vulnerability_scan.yml | 30 ++++++++++++++++++++---- 1 file changed, 25 insertions(+), 5 deletions(-) diff --git a/.github/workflows/vulnerability_scan.yml b/.github/workflows/vulnerability_scan.yml index a22e94550d..145b6ca0da 100644 --- a/.github/workflows/vulnerability_scan.yml +++ b/.github/workflows/vulnerability_scan.yml @@ -17,8 +17,9 @@ jobs: - name: Checkout code uses: actions/checkout@v4 +#imagen 1 - name: Build the Docker image - run: docker build . --file ./vote/Dockerfile --tag sysdiglabs/dummy-vuln-app:latest + run: docker build . --file ./vote/Dockerfile --tag vote - name: Scan image id: scan 
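Review bot: `COPY vote/requirements.txt ./requirements.txt` ties `vote/Dockerfile` to being built with the repository root as its context; a `docker build` run from `vote/`, or a compose file using `context: ./vote`, now fails because `vote/requirements.txt` does not exist relative to that context. The root cause is the workflow's `docker build . --file ./vote/Dockerfile`; passing the service directory as the context (`docker build ./vote --file ./vote/Dockerfile`) lets the Dockerfile keep `COPY requirements.txt ./requirements.txt` and also stops the whole repository from being sent into the build. The same coupling is introduced in `result/Dockerfile` (`COPY /result/package*.json ./`, patch 25) and `worker/Dockerfile` (`COPY /worker/*.csproj .`, patch 26), where the following `COPY . .` then copies the full repository into the build stage.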
@@ -28,9 +29,28 @@ jobs: sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: https://eu1.app.sysdig.com sarif-output-file: ${{ github.workspace }}/sarif.json +#imagen 2 + - name: Build the Docker image + run: docker build . --file ./result/Dockerfile --tag result - - name: Upload SARIF file - if: success() || failure() - uses: github/codeql-action/upload-sarif@v3 + - name: Scan image + id: scan + uses: sysdiglabs/scan-action@v5 with: - sarif_file: ${{ github.workspace }}/sarif.json + image-tag: sysdiglabs/dummy-vuln-app:latest + sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-url: https://eu1.app.sysdig.com + sarif-output-file: ${{ github.workspace }}/sarif.json +#imagen 3 + - name: Build the Docker image + run: docker build . --file ./worker/Dockerfile --tag worker + + - name: Scan image + id: scan + uses: sysdiglabs/scan-action@v5 + with: + image-tag: sysdiglabs/dummy-vuln-app:latest + sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} + sysdig-secure-url: https://eu1.app.sysdig.com + sarif-output-file: ${{ github.workspace }}/sarif.json + From 8b463a4cef1c47da752821683fad2e8832033f3c Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:40:59 +0200 Subject: [PATCH 23/34] Update vulnerability_scan.yml --- .github/workflows/vulnerability_scan.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/vulnerability_scan.yml b/.github/workflows/vulnerability_scan.yml index 145b6ca0da..b3ebf87c5f 100644 --- a/.github/workflows/vulnerability_scan.yml +++ b/.github/workflows/vulnerability_scan.yml 
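Review bot: All three scan steps keep `id: scan`, and step ids must be unique within a job, so the workflow is rejected at validation time; the first hunk of this commit (ending in the previous line) introduces the same `id: scan` for image 1. Each scan also still passes `image-tag: sysdiglabs/dummy-vuln-app:latest` although the preceding build steps tag the images `vote`, `result` and `worker`, so the scanner is asked for an image that was not built; each scan input should reference the tag its build produced (patches 27–29 in this series address this). The `Upload SARIF file` step has been deleted while all three scans write to the same `sarif.json`, so no report reaches the Security tab; one upload per scan with distinct output files (for example `sarif-vote.json`, `sarif-result.json`, `sarif-worker.json`) restores the reporting the earlier revision had.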
@@ -18,10 +18,10 @@ jobs: uses: actions/checkout@v4 #imagen 1 - - name: Build the Docker image + - name: Build the Docker image 1 run: docker build . --file ./vote/Dockerfile --tag vote - - name: Scan image + - name: Scan image 1 id: scan uses: sysdiglabs/scan-action@v5 with: @@ -30,10 +30,10 @@ jobs: sysdig-secure-url: https://eu1.app.sysdig.com sarif-output-file: ${{ github.workspace }}/sarif.json #imagen 2 - - name: Build the Docker image + - name: Build the Docker image 2 run: docker build . --file ./result/Dockerfile --tag result - - name: Scan image + - name: Scan image 2 id: scan uses: sysdiglabs/scan-action@v5 with: @@ -42,10 +42,10 @@ jobs: sysdig-secure-url: https://eu1.app.sysdig.com sarif-output-file: ${{ github.workspace }}/sarif.json #imagen 3 - - name: Build the Docker image + - name: Build the Docker image 3 run: docker build . --file ./worker/Dockerfile --tag worker - - name: Scan image + - name: Scan image 3 id: scan uses: sysdiglabs/scan-action@v5 with: From ad8fcfffe509dfaad224118c72497d3930300dd8 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:41:37 +0200 Subject: [PATCH 24/34] Update vulnerability_scan.yml --- .github/workflows/vulnerability_scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/vulnerability_scan.yml b/.github/workflows/vulnerability_scan.yml index b3ebf87c5f..c091e59537 100644 --- a/.github/workflows/vulnerability_scan.yml +++ b/.github/workflows/vulnerability_scan.yml @@ -22,7 +22,7 @@ jobs: run: docker build . --file ./vote/Dockerfile --tag vote - name: Scan image 1 - id: scan + id: scan1 uses: sysdiglabs/scan-action@v5 with: image-tag: sysdiglabs/dummy-vuln-app:latest @@ -34,7 +34,7 @@ jobs: run: docker build . --file ./result/Dockerfile --tag result - name: Scan image 2 - id: scan + id: scan2 uses: sysdiglabs/scan-action@v5 with: image-tag: sysdiglabs/dummy-vuln-app:latest 
@@ -46,7 +46,7 @@ jobs: run: docker build . --file ./worker/Dockerfile --tag worker - name: Scan image 3 - id: scan + id: scan3 uses: sysdiglabs/scan-action@v5 with: image-tag: sysdiglabs/dummy-vuln-app:latest From 54b20c96fd46eedfc1883ffa73105564f7a6c66a Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:45:36 +0200 Subject: [PATCH 25/34] Update Dockerfile --- result/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/result/Dockerfile b/result/Dockerfile index 4fb74e8ca7..ebd891b486 100644 --- a/result/Dockerfile +++ b/result/Dockerfile @@ -10,7 +10,7 @@ WORKDIR /usr/local/app # have nodemon available for local dev use (file watching) RUN npm install -g nodemon -COPY package*.json ./ +COPY /result/package*.json ./ RUN npm ci && \ npm cache clean --force && \ From 07554aa880e251f063855728ad8d47f49dd9eec2 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:48:10 +0200 Subject: [PATCH 26/34] Update Dockerfile --- worker/Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/worker/Dockerfile b/worker/Dockerfile index cdd31baecb..84bf7215eb 100644 --- a/worker/Dockerfile +++ b/worker/Dockerfile @@ -13,7 +13,7 @@ ARG BUILDPLATFORM RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM" WORKDIR /source -COPY *.csproj . +COPY /worker/*.csproj . RUN dotnet restore -a $TARGETARCH COPY . . @@ -23,4 +23,4 @@ RUN dotnet publish -c release -o /app -a $TARGETARCH --self-contained false --no FROM mcr.microsoft.com/dotnet/runtime:7.0 WORKDIR /app COPY --from=build /app . -ENTRYPOINT ["dotnet", "Worker.dll"] \ No newline at end of file +ENTRYPOINT ["dotnet", "Worker.dll"] From 1b457588b3e61fbb7662d0fb8a1bc952477e3dc3 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:51:57 +0200 Subject: [PATCH 27/34] Update vulnerability_scan.yml --- .github/workflows/vulnerability_scan.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
diff --git a/.github/workflows/vulnerability_scan.yml b/.github/workflows/vulnerability_scan.yml index c091e59537..a48528e11d 100644 --- a/.github/workflows/vulnerability_scan.yml +++ b/.github/workflows/vulnerability_scan.yml @@ -25,10 +25,10 @@ jobs: id: scan1 uses: sysdiglabs/scan-action@v5 with: - image-tag: sysdiglabs/dummy-vuln-app:latest + image-tag: voting-app/vote:latest sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: https://eu1.app.sysdig.com - sarif-output-file: ${{ github.workspace }}/sarif.json + #sarif-output-file: ${{ github.workspace }}/sarif.json #imagen 2 - name: Build the Docker image 2 run: docker build . --file ./result/Dockerfile --tag result @@ -37,10 +37,10 @@ jobs: id: scan2 uses: sysdiglabs/scan-action@v5 with: - image-tag: sysdiglabs/dummy-vuln-app:latest + image-tag: voting-app/result:latest sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: https://eu1.app.sysdig.com - sarif-output-file: ${{ github.workspace }}/sarif.json + #sarif-output-file: ${{ github.workspace }}/sarif.json #imagen 3 - name: Build the Docker image 3 run: docker build . --file ./worker/Dockerfile --tag worker @@ -49,8 +49,8 @@ jobs: id: scan3 uses: sysdiglabs/scan-action@v5 with: - image-tag: sysdiglabs/dummy-vuln-app:latest + image-tag: voting-app/worker:latest sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: https://eu1.app.sysdig.com - sarif-output-file: ${{ github.workspace }}/sarif.json + #sarif-output-file: ${{ github.workspace }}/sarif.json From 4a023052a26eb95af9e1ace26c275100e52fca4d Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:56:58 +0200 Subject: [PATCH 28/34] Update vulnerability_scan.yml --- .github/workflows/vulnerability_scan.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
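Review bot: Commenting out `sarif-output-file` on all three scan steps removes the only machine-readable artifact the job produced; with the upload step already gone, results now exist only in the Sysdig console and the action log. If a shared `sarif.json` path was the problem, writing to distinct files and re-adding an `upload-sarif` step per scan is preferable to disabling the output. The new `image-tag: voting-app/vote:latest` (and `result`, `worker`) does not match the local tags produced by `docker build ... --tag vote` etc. in the unchanged build steps, so the scanner is asked for images that were not built; the tags on both sides need to agree.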
diff --git a/.github/workflows/vulnerability_scan.yml b/.github/workflows/vulnerability_scan.yml index a48528e11d..c07b8fa72b 100644 --- a/.github/workflows/vulnerability_scan.yml +++ b/.github/workflows/vulnerability_scan.yml @@ -25,7 +25,7 @@ jobs: id: scan1 uses: sysdiglabs/scan-action@v5 with: - image-tag: voting-app/vote:latest + image-tag: vote:latest sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: https://eu1.app.sysdig.com #sarif-output-file: ${{ github.workspace }}/sarif.json @@ -37,7 +37,7 @@ jobs: id: scan2 uses: sysdiglabs/scan-action@v5 with: - image-tag: voting-app/result:latest + image-tag: result:latest sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: https://eu1.app.sysdig.com #sarif-output-file: ${{ github.workspace }}/sarif.json From e6bc2a76a0045026574e3a36ec00cf6c5897f759 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 16:58:57 +0200 Subject: [PATCH 29/34] Update vulnerability_scan.yml --- .github/workflows/vulnerability_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vulnerability_scan.yml b/.github/workflows/vulnerability_scan.yml index c07b8fa72b..65ee92eb1c 100644 --- a/.github/workflows/vulnerability_scan.yml +++ b/.github/workflows/vulnerability_scan.yml @@ -49,7 +49,7 @@ jobs: id: scan3 uses: sysdiglabs/scan-action@v5 with: - image-tag: voting-app/worker:latest + image-tag: worker:latest sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} sysdig-secure-url: https://eu1.app.sysdig.com #sarif-output-file: ${{ github.workspace }}/sarif.json From 8c0e9383c5910a0cacef5b29d5a2c234708a1e64 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 17:07:56 +0200 Subject: [PATCH 30/34] Update IaC_scan.yml --- .github/workflows/IaC_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml index 2047b6aa07..fc4eab3047 100644 --- a/.github/workflows/IaC_scan.yml +++ b/.github/workflows/IaC_scan.yml @@ -24,4 +24,4 @@ jobs: cli-scanner-version: 1.9.0 mode: iac sysdig-secure-url: https://eu1.app.sysdig.com - iac-scan-path: ./ + iac-scan-path: ./result From 56fcfc2f8a67dc1e0920843985e382557b0cf987 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 17:09:59 +0200 Subject: [PATCH 31/34] Update IaC_scan.yml --- .github/workflows/IaC_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml index fc4eab3047..1992b63fdf 100644 --- a/.github/workflows/IaC_scan.yml +++ b/.github/workflows/IaC_scan.yml @@ -24,4 +24,4 @@ jobs: cli-scanner-version: 1.9.0 mode: iac sysdig-secure-url: https://eu1.app.sysdig.com - iac-scan-path: ./result + iac-scan-path: ./result/* From 2269be46b540a7715a1a0097587980752016029b Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 17:11:58 +0200 Subject: [PATCH 32/34] Update IaC_scan.yml --- .github/workflows/IaC_scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/IaC_scan.yml b/.github/workflows/IaC_scan.yml index 1992b63fdf..2047b6aa07 100644 --- a/.github/workflows/IaC_scan.yml +++ b/.github/workflows/IaC_scan.yml @@ -24,4 +24,4 @@ jobs: cli-scanner-version: 1.9.0 mode: iac sysdig-secure-url: https://eu1.app.sysdig.com - iac-scan-path: ./result/* + iac-scan-path: ./ From de3560c4f23c1e80eaed0e4ae24c926b7e6a0dc1 Mon Sep 17 00:00:00 2001 From: mhernes Date: Sun, 11 Aug 2024 17:13:33 +0200 Subject: [PATCH 33/34] Create bad_code.tf --- bad_code.tf | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 bad_code.tf diff --git a/bad_code.tf b/bad_code.tf new file mode 100644 index 0000000000..514cfd5abb --- /dev/null +++ b/bad_code.tf 
@@ -0,0 +1,43 @@ +provider "aws" { + region = "us-west-2" +} + +resource "aws_security_group" "bad_sg" { + name = "bad_security_group" + description = "Security group with overly permissive rules" + vpc_id = "vpc-123456" + + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_s3_bucket" "bad_bucket" { + bucket = "bad-bucket" + + acl = "public-read" # S3 bucket with public read access +} + +resource "aws_instance" "bad_instance" { + ami = "ami-123456" + instance_type = "t2.micro" + + user_data = <<-EOF + #!/bin/bash + echo "This is a test" > /tmp/test.txt + EOF + + tags = { + Name = "BadInstance" + } +} From f50a4cf4217a044f744f3e1975f70148b549ba76 Mon Sep 17 00:00:00 2001 From: mhernes Date: Mon, 12 Aug 2024 09:55:41 +0200 Subject: [PATCH 34/34] =?UTF-8?q?Descripci=C3=B3n=20breve=20de=20los=20cam?= =?UTF-8?q?bios?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- fichero.txt | Bin 0 -> 14 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 fichero.txt diff --git a/fichero.txt b/fichero.txt new file mode 100644 index 0000000000000000000000000000000000000000..25b690689b298649c027af668c051282a96eed6c GIT binary patch literal 14 VcmezWuY@6$p_rkBftP`c0RSrC1JwWk literal 0 HcmV?d00001
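Review bot: `bad_code.tf` is clearly an intentionally insecure fixture for the IaC scan (an all-ports `0.0.0.0/0` security group, a `public-read` bucket, placeholder `vpc-123456`/`ami-123456`), but nothing in the file says so, and it sits at the repository root where `terraform init`/`apply` or any other IaC tooling would pick it up. A header comment such as `# Intentionally insecure Terraform kept only as a test fixture for the Sysdig IaC scan workflow; never apply this configuration.` states the intent for the next reader and for scanners that support suppressions. Moving it under a dedicated directory (for example `test-fixtures/iac/`) and pointing `iac-scan-path` there would keep it out of any real provisioning path. Note also that the `acl` argument on `aws_s3_bucket` is deprecated in AWS provider v4+, so a scanner may report that block for the deprecation rather than for the public ACL.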