Skip to content

Commit

Permalink
Merge pull request #1 from bridgecrewio/main
Browse files Browse the repository at this point in the history
Bump checkov to 3.0.16
  • Loading branch information
denys-potapov authored Nov 2, 2023
2 parents b522fe5 + 2fdb6f8 commit 6e19161
Show file tree
Hide file tree
Showing 864 changed files with 40,351 additions and 12,859 deletions.
2 changes: 0 additions & 2 deletions .bandit

This file was deleted.

2 changes: 1 addition & 1 deletion .flake8
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ max-line-length = 120
# E203,E501 don't work with black together
ignore = E203,E501,E731,W503,W504,DUO107,DUO104,DUO130,DUO109,DUO116,B028,B950,TC001,TC003,TC006,B907
select = C,E,F,W,B,B9,A,TC
extend-exclude = .github, .pytest_cache, docs/*, venv/*, tests/*, flake8_plugins/*
extend-exclude = .github, .pytest_cache, docs/*, venv/*, tests/*, flake8_plugins/*, cdk_integration_tests/src/python/*

[flake8:local-plugins]
extension =
Expand Down
2 changes: 1 addition & 1 deletion .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
Additionally a scope is needs to be added to the prefix, which indicates the targeted framework, in doubt choose 'general'.
#
Allowed prefixs:
ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json
ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json
#
ex.
feat(terraform): add CKV_AWS_123 to ensure that VPC Endpoint Service is configured for Manual Acceptance
Expand Down
4 changes: 2 additions & 2 deletions .github/pr-title-checker-config.json
Original file line number Diff line number Diff line change
Expand Up @@ -7,11 +7,11 @@
"prefixes": [
"chore: "
],
"regexp": "^(fix|feat|break|docs|chore|platform)\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\): "
"regexp": "^(fix|feat|break|docs|chore|platform)\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\): "
},
"MESSAGES": {
"success": "PR title is valid",
"failure": "PR title is invalid",
"notice": "Title needs to pass regex '(fix|feat|break|docs|chore|platform)\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\): '"
"notice": "Title needs to pass regex '(fix|feat|break|docs|chore|platform)\\((ansible|argo|arm|azure|bicep|bitbucket|circleci|cloudformation|dockerfile|github|gha|gitlab|helm|kubernetes|kustomize|openapi|sast|sca|secrets|serverless|terraform|general|graph|terraform_plan|terraform_json)\\): '"
}
}
117 changes: 70 additions & 47 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,15 +44,15 @@ jobs:
strategy:
fail-fast: true
matrix:
python: ["3.7", "3.8", "3.9", "3.10", "3.11"]
python: ["3.8", "3.9", "3.10", "3.11"]
os: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
- uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
with:
python-version: ${{ matrix.python }}
- uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3
- uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v3
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
Expand Down Expand Up @@ -93,24 +93,26 @@ jobs:
pipenv run pytest integration_tests
prisma-tests:
runs-on: [ self-hosted, public, linux, x64 ]
env:
PYTHON_VERSION: "3.8"
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
- uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
with:
python-version: 3.7
python-version: ${{ env.PYTHON_VERSION }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Clone Terragoat - vulnerable terraform
run: git clone https://github.com/bridgecrewio/terragoat
- name: Build & install checkov package
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python 3.7
pipenv --python ${{ env.PYTHON_VERSION }}
pipenv run pip install pytest pytest-xdist
pipenv run python setup.py sdist bdist_wheel
pipenv run pip install dist/checkov-*.whl
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Clone Terragoat - vulnerable terraform
run: git clone https://github.com/bridgecrewio/terragoat
- name: Run checkov with Prisma creds
env:
PRISMA_KEY: ${{ secrets.PRISMA_KEY }}
Expand All @@ -119,15 +121,55 @@ jobs:
pipenv run checkov -s -d terragoat --bc-api-key "$PRISMA_KEY" --repo-id yuvalyacoby/terragoat > checkov_report_prisma.txt
grep "prismacloud.io" checkov_report_prisma.txt
exit $?
sast-integration-tests:
strategy:
fail-fast: true
matrix:
python: ["3.8", "3.11"]
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
continue-on-error: true # for now it is ok to fail
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
with:
python-version: ${{ matrix.python }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Build & install checkov package
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python ${{ matrix.python }}
pipenv run pip install pytest pytest-xdist
pipenv run python setup.py sdist bdist_wheel
bash -c 'pipenv run pip install dist/checkov-*.whl'
- name: Clone flask - Python repo for SAST
run: git clone https://github.com/pallets/flask
- name: Clone WebGoat - Java repo for SAST
run: git clone https://github.com/WebGoat/WebGoat
- name: Clone axios - JavaScript repo for SAST
run: git clone https://github.com/axios/axios
- name: Create checkov reports
env:
LOG_LEVEL: INFO
BC_API_KEY: ${{ secrets.BC_API_KEY }}
run: bash -c './sast_integration_tests/prepare_data.sh'
- name: Run integration tests
run: |
pipenv run pytest sast_integration_tests
unit-tests:
timeout-minutes: 30
runs-on: ubuntu-latest
env:
PYTHON_VERSION: "3.8"
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
- name: Set up Python 3.7
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
with:
python-version: 3.7
python-version: ${{ env.PYTHON_VERSION }}
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -141,44 +183,47 @@ jobs:
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python 3.7
pipenv --python ${{ env.PYTHON_VERSION }}
pipenv install --dev
- name: Test with pytest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
IS_TEST: true
run: |
pipenv run python -m pytest tests
bump-version:
needs: [integration-tests, unit-tests, prisma-tests]
needs: [integration-tests, unit-tests, prisma-tests] # add 'sast-integration-tests' when ready
runs-on: [self-hosted, public, linux, x64]
environment: release
permissions:
contents: write
# IMPORTANT: this permission is mandatory for trusted publishing to pypi
id-token: write
timeout-minutes: 30
env:
PYTHON_VERSION: "3.8"
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
with:
token: ${{ secrets.GH_PAT_SECRET }}
- name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41 # v5
uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v5
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
- name: Set up Python 3.7
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4
- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
with:
python-version: 3.7
python-version: ${{ env.PYTHON_VERSION }}
- name: Install pipenv
run: |
python -m pip install --no-cache-dir --upgrade pipenv
- name: Install dependencies
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python 3.7
pipenv --python ${{ env.PYTHON_VERSION }}
pipenv install
- name: Calculate version
run: |
Expand Down Expand Up @@ -258,7 +303,7 @@ jobs:
run: |
pipenv run python setup.py sdist bdist_wheel
- name: Publish a Python distribution to PyPI
uses: pypa/gh-action-pypi-publish@f8c70e705ffc13c3b4d1221169b84f12a75d6ca8 # v1
uses: pypa/gh-action-pypi-publish@b7f401de30cb6434a1e19f805ff006643653240e # v1
- name: sleep and wait for package to refresh
run: |
sleep 2m
Expand Down Expand Up @@ -300,34 +345,12 @@ jobs:
BC_API_KEY: ${{ secrets.BC_API_KEY }}
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
publish-checkov-pyston-dockerhub:
runs-on: [self-hosted, public, linux, x64]
needs: bump-version
environment: release
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
- name: Get release version
id: versions
run: |
checkov_version=${{ needs.bump-version.outputs.version }}
checkov_major_version=$(echo "${checkov_version}" | head -c1)
echo "version=$checkov_version" >> "$GITHUB_OUTPUT"
echo "major_version=$checkov_major_version" >> "$GITHUB_OUTPUT"
- name: Publish to Registry
uses: elgohr/Publish-Docker-Github-Action@43dc228e327224b2eda11c8883232afd5b34943b # v5
with:
name: bridgecrew/checkov
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
tags: "pyston,${{ steps.versions.outputs.version }}-pyston,${{ steps.versions.outputs.major_version }}-pyston"
dockerfile: Dockerfile.pyston
buildoptions: "--no-cache"
update-bridgecrew-projects:
needs: publish-checkov-dockerhub
runs-on: [self-hosted, public, linux, x64]
environment: release
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- name: update checkov release
run: |
curl -X POST "https://jenkins-webhook.bridgecrew.cloud/buildByToken/build?job=Open-Source/upgrade-checkov&token=${{ secrets.BC_JENKINS_TOKEN }}"
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,9 +34,9 @@ jobs:
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- name: Set up Python
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
with:
python-version: '3.10'
- name: Setup python for CodeQL
Expand All @@ -54,12 +54,12 @@ jobs:
pipenv lock -r > requirements.txt
pip install -r requirements.txt
- name: Initialize CodeQL
uses: github/codeql-action/init@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2
uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2
with:
languages: python
setup-python-dependencies: false
config-file: ./.github/codeql-config.yml
- name: Autobuild
uses: github/codeql-action/autobuild@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2
uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8 # v2
uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2
14 changes: 8 additions & 6 deletions .github/workflows/coverage.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,20 +14,22 @@ jobs:
permissions:
contents: write
environment: release
env:
PYTHON_VERSION: "3.8"
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
with:
token: ${{ secrets.GH_PAT_SECRET }}
- name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41 # v5
uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v5
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
- name: Set up Python 3.7
uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4
- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4
with:
python-version: 3.7
python-version: ${{ env.PYTHON_VERSION }}
- uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -41,7 +43,7 @@ jobs:
run: |
# remove venv, if exists
pipenv --rm || true
pipenv --python 3.7
pipenv --python ${{ env.PYTHON_VERSION }}
pipenv install --dev
pipenv run pip install pytest
- name: Test with pytest
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/jekyll-gh-pages.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,11 +27,11 @@ jobs:
runs-on: [self-hosted, public, linux, x64]
steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
- name: Setup Pages
uses: actions/configure-pages@f156874f8191504dae5b037505266ed5dda6c382 # v3
- name: Build with Jekyll
uses: actions/jekyll-build-pages@058068233b22675635bdf8dfa178d6ae77f12694 # v1
uses: actions/jekyll-build-pages@e4ef22193c23ea849fc3fea6dbce69da1ee65b6d # v1
with:
source: ./docs
destination: ./_site
Expand All @@ -48,4 +48,4 @@ jobs:
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@12ab2b16cf43a7a061fe99da74b6f8f11fb77f5b # v2
uses: actions/deploy-pages@9dbe3824824f8a1377b8e298bafde1a50ede43e5 # v2
Loading

0 comments on commit 6e19161

Please sign in to comment.