diff --git a/.circleci/config.yml b/.circleci/config.yml new file mode 100644 index 0000000..1e5c9a5 --- /dev/null +++ b/.circleci/config.yml @@ -0,0 +1,34 @@ +# Use the latest 2.1 version of CircleCI pipeline process engine. +# See: https://circleci.com/docs/2.0/configuration-reference +version: 2.1 + +# Define a job to be invoked later in a workflow. +# See: https://circleci.com/docs/2.0/configuration-reference/#jobs +jobs: + say-hello: + # Specify the execution environment. You can specify an image from Dockerhub or use one of our Convenience Images from CircleCI's Developer Hub. + # See: https://circleci.com/docs/2.0/configuration-reference/#docker-machine-macos-windows-executor + docker: + - image: cimg/base:stable + # Add steps to the job + # See: https://circleci.com/docs/2.0/configuration-reference/#steps + steps: + - checkout + - run: + name: ShiftLeft Build + command: | + #gcc main.c #build the app + #mkdir -p /tmp/workspace/target #create a directory for Qwiet + #mv target/hello-shiftleft-0.0.1.jar /tmp/workspace/target/ + curl https://cdn.shiftleft.io/download/sl > /usr/local/bin/sl && chmod a+rx /usr/local/bin/sl #download Qwiet + PR_USER=$(echo $CIRCLE_PULL_REQUEST | cut -d '/' -f4) + PR_REPO=$(echo $CIRCLE_PULL_REQUEST | cut -d '/' -f5) + PR_NUMBER=$(echo $CIRCLE_PULL_REQUEST | cut -d '/' -f7) + sl analyze --wait --tag branch=$CIRCLE_BRANCH --app shiftleft-c-demo --container 18fgsa/s3-resource --c --cpg . + +# Invoke jobs via workflows +# See: https://circleci.com/docs/2.0/configuration-reference/#workflows +workflows: + say-hello-workflow: + jobs: + - say-hello diff --git a/.github/workflows/shiftleft.yml b/.github/workflows/shiftleft.yml new file mode 100644 index 0000000..78b3987 --- /dev/null +++ b/.github/workflows/shiftleft.yml @@ -0,0 +1,45 @@ +--- +# This workflow integrates ShiftLeft NG SAST with GitHub +# Visit https://docs.shiftleft.io for help +name: ShiftLeft + +on: + pull_request: + workflow_dispatch: + +jobs: + NextGen-Static-Analysis: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Extract branch name + shell: bash + run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})" + id: extract_branch + - name: NextGen Static Analysis + run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --app shiftleft-c-demo --container 18fgsa/s3-resource --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }} --c --cpg . + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + Build-Rules: + runs-on: ubuntu-latest + needs: NextGen-Static-Analysis + steps: + - uses: actions/checkout@v3 + - name: Download ShiftLeft CLI + run: | + curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl + - name: Validate Build Rules + run: | + ${GITHUB_WORKSPACE}/sl check-analysis --app shiftleft-c-demo \ + --github-pr-number=${{github.event.number}} \ + --github-pr-user=${{ github.repository_owner }} \ + --github-pr-repo=${{ github.event.repository.name }} \ + --github-token=${{ secrets.GITHUB_TOKEN }} + env: + SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }} + + \ No newline at end of file diff --git a/shiftleft.yml b/shiftleft.yml new file mode 100644 index 0000000..820144a --- /dev/null +++ b/shiftleft.yml @@ -0,0 +1,15 @@ +version: 2 +build_rules: + - id: Allow no critical findings + severities: + - critical + - id: Allow one OSS or container finding + finding_types: + - oss_vuln + - container + threshold: 1 + - id: Allow no reachable OSS vulnerability + finding_types: + - oss_vuln + options: + reachable: true