Merge branch 'main' into fix_sarif

AikidoSec · Jul 28, 2023 · b522fe5 · b522fe5
2 parents 750e310 + a032ec4
commit b522fe5
Show file tree

Hide file tree

Showing 629 changed files with 23,866 additions and 8,707 deletions.
diff --git a/.github/checkov.yaml b/.github/checkov.yaml
@@ -0,0 +1,24 @@
+enable-secret-scan-all-files: true
+framework:
+- secrets
+quiet: true
+skip-path:
+- docs
+- tests/arm/checks/resource/example_AzureScaleSetPassword/FAILED.json
+- tests/arm/checks/resource/example_AzureScaleSetPassword/UNKNOWN.json
+- tests/arm/checks/resource/example_StorageAccountAzureServicesAccessEnabled/storageAccountAzureServicesAccessEnabled-FAILED2.json
+- tests/arm/checks/resource/example_StorageAccountDefaultNetworkAccessDeny/storageAccountDefaultNetworkAccessDeny-FAILED2.json
+- tests/common/utils/conftest.py
+- tests/common/utils/test_secrets_utils.py
+- tests/sca_image/conftest.py
+- tests/sca_package/conftest.py
+- tests/sca_package_2/conftest.py
+- tests/secrets
+- tests/terraform/checks/provider
+- tests/terraform/parser/resources/plan_tags/tfplan.json
+- tests/terraform/runner/resources/plan/tfplan.json
+- tests/terraform/runner/tf_plan_skip_check_regex/resource/skip_directory/tfplan2.json
+- tests/terraform/runner/tf_plan_skip_check_regex/resource/tfplan1.json
+- tests/terraform/runner/tfplan2.json
+- tests/unit/test_secrets.py
+summary-position: bottom
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -28,11 +28,18 @@ on:
       - '.swm/**'
       - '.pre-commit-config.yaml'
 
+permissions:
+  contents: read
+
 concurrency:
   group: 'build'
   cancel-in-progress: true
 
 jobs:
+  security:
+    uses: ./.github/workflows/security-shared.yml
+    secrets: inherit
+
   integration-tests:
     strategy:
       fail-fast: true
@@ -41,11 +48,11 @@ jobs:
         os: [ubuntu-latest, macos-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3
-      - uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b  # v4
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3
+      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1  # v4
         with:
           python-version: ${{ matrix.python }}
-      - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c  # v3
+      - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8  # v3
       - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -58,6 +65,8 @@ jobs:
           python -m pip install --no-cache-dir --upgrade pipenv
       - name: Build & install checkov package
         run: |
+          # remove venv, if exists
+          pipenv --rm || true
           pipenv --python ${{ matrix.python }}
           pipenv run pip install pytest pytest-xdist
           pipenv run python setup.py sdist bdist_wheel
@@ -85,8 +94,8 @@ jobs:
   prisma-tests:
     runs-on: [ self-hosted, public, linux, x64 ]
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3
-      - uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b  # v4
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3
+      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1  # v4
         with:
           python-version: 3.7
       - name: Install pipenv
@@ -96,6 +105,8 @@ jobs:
         run: git clone https://github.com/bridgecrewio/terragoat
       - name: Build & install checkov package
         run: |
+          # remove venv, if exists
+          pipenv --rm || true
           pipenv --python 3.7
           pipenv run pip install pytest pytest-xdist
           pipenv run python setup.py sdist bdist_wheel
@@ -110,14 +121,14 @@ jobs:
           exit $?
   unit-tests:
     timeout-minutes: 30
-    runs-on: [self-hosted, public, linux, x64]
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3
       - name: Set up Python 3.7
-        uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b  # v4
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1  # v4
         with:
           python-version: 3.7
-      - uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82  # v3
+      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
@@ -128,6 +139,8 @@ jobs:
           python -m pip install --no-cache-dir --upgrade pipenv
       - name: Install dependencies
         run: |
+          # remove venv, if exists
+          pipenv --rm || true
           pipenv --python 3.7
           pipenv install --dev
       - name: Test with pytest
@@ -145,24 +158,26 @@ jobs:
       id-token: write
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3
         with:
           token: ${{ secrets.GH_PAT_SECRET }}
       - name: Import GPG key
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549  # v5
+        uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41  # v5
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
       - name: Set up Python 3.7
-        uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b  # v4
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1  # v4
         with:
           python-version: 3.7
       - name: Install pipenv
         run: |
           python -m pip install --no-cache-dir --upgrade pipenv
       - name: Install dependencies
         run: |
+          # remove venv, if exists
+          pipenv --rm || true
           pipenv --python 3.7
           pipenv install
       - name: Calculate version
@@ -243,130 +258,54 @@ jobs:
         run: |
           pipenv run python setup.py sdist bdist_wheel
       - name: Publish a Python distribution to PyPI
-        uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d  # v1
+        uses: pypa/gh-action-pypi-publish@f8c70e705ffc13c3b4d1221169b84f12a75d6ca8  # v1
       - name: sleep and wait for package to refresh
         run: |
           sleep 2m
     outputs:
       version: ${{ steps.calculateVersion.outputs.version }}
       major_version: ${{ steps.calculateVersion.outputs.major_version }}
   publish-checkov-dockerhub:
-    runs-on: [self-hosted, public, linux, x64]
     needs: bump-version
-    environment: release
+    uses: bridgecrewio/gha-reusable-workflows/.github/workflows/publish-image.yaml@main
     permissions:
-      packages: write
+      contents: read
       id-token: write  # Enable OIDC
-    env:
-      DH_IMAGE_NAME: bridgecrew/checkov
-      GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }}
-      FULL_IMAGE_TAG: ${{ needs.bump-version.outputs.version }}
-      SHORT_IMAGE_TAG: ${{ needs.bump-version.outputs.major_version }}
-    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3
-      - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b  # v2
-      - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18  # v2
-        with:
-          platforms: 'arm64,arm'
-      - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c  # v2
-      - name: Login to Docker Hub
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a  # v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a  # v2
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Docker meta
-        id: docker_meta
-        uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e  # v4
-        with:
-          images: ${{ env.DH_IMAGE_NAME }}
-          labels: |
-            org.opencontainers.image.authors=Bridgecrew
-            org.opencontainers.image.version=${{ needs.bump-version.outputs.version }}
-      - name: Build and export image to Docker
-        # buildx changes the driver to 'docker-container' which doesn't expose the image to the host,
-        # so it is built and loaded to Docker and in the next step pushed to the registry
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671  # v4
-        with:
-          context: .
-          no-cache: true
-          load: true
-          labels: ${{ steps.docker_meta.outputs.labels }}
-          tags: ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
-      - name: Push Docker image
-        id: docker_push
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671  # v4
-        with:
-          context: .
-          platforms: 'linux/amd64,linux/arm64'
-          push: true
-          labels: ${{ steps.docker_meta.outputs.labels }}
-          tags: |
-            ${{ env.DH_IMAGE_NAME }}:latest
-            ${{ env.DH_IMAGE_NAME }}:${{ env.SHORT_IMAGE_TAG }}
-            ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
-            ${{ env.GHCR_IMAGE_NAME }}:latest
-            ${{ env.GHCR_IMAGE_NAME }}:${{ env.SHORT_IMAGE_TAG }}
-            ${{ env.GHCR_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
-      - name: Generate SBOM
-        continue-on-error: true
-        uses: bridgecrewio/checkov-action@master  # use latest and greatest
-        with:
-          api-key: ${{ secrets.BC_API_KEY }}
-          docker_image: ${{ env.DH_IMAGE_NAME }}:${{ env.FULL_IMAGE_TAG }}
-          dockerfile_path: Dockerfile
-          output_format: cyclonedx_json
-          output_file_path: cyclonedx.json,
-      - name: Sign and attest image
-        run: |
-          # sign image
-          cosign sign ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
-          cosign sign -f ${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
-          
-          # attest SBOM
-          cosign attest \
-            --type cyclonedx \
-            --predicate cyclonedx.json \
-            ${{ env.DH_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
-          cosign attest -f \
-            --type cyclonedx \
-            --predicate cyclonedx.json \
-            ${{ env.GHCR_IMAGE_NAME }}@${{ steps.docker_push.outputs.digest }}
-        env:
-          COSIGN_EXPERIMENTAL: 1  # needed for keyless signing
+      packages: write
+    with:
+      image_name_dockerhub: bridgecrew/checkov
+      image_name_ghcr: ghcr.io/${{ github.repository }}
+      image_tag_full: ${{ needs.bump-version.outputs.version }}
+      image_tag_short: ${{ needs.bump-version.outputs.major_version }}
+      runner: "['self-hosted', 'public', 'linux', 'x64']"
+    secrets:
+      BC_API_KEY: ${{ secrets.BC_API_KEY }}
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
   publish-checkov-k8s-dockerhub:
-    runs-on: [self-hosted, public, linux, x64]
     needs: bump-version
-    environment: release
-    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3
-      - name: update checkov-k8s version
-        run: |
-          checkov_version=${{ needs.bump-version.outputs.version }}
-          checkov_major_version=$(echo "${checkov_version}" | head -c1)
-          echo "version=$checkov_version" >> "$GITHUB_OUTPUT"
-          echo "major_version=$checkov_major_version" >> "$GITHUB_OUTPUT"
-        id: versions
-      - name: Publish to Registry
-        uses: elgohr/Publish-Docker-Github-Action@43dc228e327224b2eda11c8883232afd5b34943b  # v5
-        with:
-          name: bridgecrew/checkov-k8s
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
-          tags: "latest,${{ steps.versions.outputs.version }},${{ steps.versions.outputs.major_version }}"
-          dockerfile: kubernetes/Dockerfile
-          buildoptions: "--no-cache"
+    uses: bridgecrewio/gha-reusable-workflows/.github/workflows/publish-image.yaml@main
+    permissions:
+      contents: read
+      id-token: write  # Enable OIDC
+      packages: write
+    with:
+      image_name_dockerhub: bridgecrew/checkov-k8s
+      image_name_ghcr: ghcr.io/${{ github.repository }}-k8s
+      image_tag_full: ${{ needs.bump-version.outputs.version }}
+      image_tag_short: ${{ needs.bump-version.outputs.major_version }}
+      dockerfile_path: kubernetes/Dockerfile
+      runner: "['self-hosted', 'public', 'linux', 'x64']"
+    secrets:
+      BC_API_KEY: ${{ secrets.BC_API_KEY }}
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }}
   publish-checkov-pyston-dockerhub:
     runs-on: [self-hosted, public, linux, x64]
     needs: bump-version
     environment: release
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3
       - name: Get release version
         id: versions
         run: |
@@ -388,7 +327,7 @@ jobs:
     runs-on: [self-hosted, public, linux, x64]
     environment: release
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3
       - name: update checkov release
         run: |
           curl -X POST "https://jenkins-webhook.bridgecrew.cloud/buildByToken/build?job=Open-Source/upgrade-checkov&token=${{ secrets.BC_JENKINS_TOKEN }}"

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -21,7 +21,8 @@ on:
     - cron: '17 4 * * 2'
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   analyze:
@@ -33,9 +34,9 @@ jobs:
       security-events: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3
       - name: Set up Python
-        uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b  # v4
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1  # v4
         with:
           python-version: '3.10'
       - name: Setup python for CodeQL
@@ -53,12 +54,12 @@ jobs:
           pipenv lock -r > requirements.txt
           pip install -r requirements.txt
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@f3feb00acb00f31a6f60280e6ace9ca31d91c76a  # v2
+        uses: github/codeql-action/init@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8  # v2
         with:
           languages: python
           setup-python-dependencies: false
           config-file: ./.github/codeql-config.yml
       - name: Autobuild
-        uses: github/codeql-action/autobuild@f3feb00acb00f31a6f60280e6ace9ca31d91c76a  # v2
+        uses: github/codeql-action/autobuild@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8  # v2
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@f3feb00acb00f31a6f60280e6ace9ca31d91c76a  # v2
+        uses: github/codeql-action/analyze@1813ca74c3faaa3a2da2070b9b8a0b3e7373a0d8  # v2
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
@@ -5,7 +5,8 @@ on:
     - cron: '0 0 * * 0'
   workflow_dispatch:
 
-permissions: read-all
+permissions:
+  contents: read
 
 jobs:
   update-coverage:
@@ -14,20 +15,20 @@ jobs:
       contents: write
     environment: release
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab  # v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3
         with:
           token: ${{ secrets.GH_PAT_SECRET }}
       - name: Import GPG key
         id: import_gpg
-        uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549  # v5
+        uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41  # v5
         with:
           gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.PASSPHRASE }}
       - name: Set up Python 3.7
-        uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b  # v4
+        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1  # v4
         with:
           python-version: 3.7
-      - uses: azure/setup-helm@f382f75448129b3be48f8121b9857be18d815a82  # v3
+      - uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78  # v3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - uses: imranismail/setup-kustomize@a76db1c6419124d51470b1e388c4b29476f495f1  # v2
@@ -38,6 +39,8 @@ jobs:
           python -m pip install --no-cache-dir --upgrade pipenv
       - name: Install dependencies
         run: |
+          # remove venv, if exists
+          pipenv --rm || true
           pipenv --python 3.7
           pipenv install --dev
           pipenv run pip install pytest