Get Latest in main to v2m1m0 #771

Merged
merged 10 commits into from
Sep 19, 2023
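--- a/.github/workflows/ash.yml
+++ b/.github/workflows/ash.yml
@@ -0,0 +1,30 @@
+name: ASH
+
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  ash:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: [3.8]
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install
+        run: git clone https://github.com/aws-samples/automated-security-helper.git /tmp/ash
+      - name: ASH
+        run: /tmp/ash/ash --source-dir .
+      - name: Upload Artifact
+        if: always()
+        uses: actions/upload-artifact@v3
+        with:
+          name: ash-report
+          path: aggregated_results.txt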
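Review bot: The Install step `run: git clone https://github.com/aws-samples/automated-security-helper.git /tmp/ash` fetches the tip of a third-party repository's default branch and the next step executes it against the checkout, so whatever that repository ships on the day of the run gets code execution on the runner. Pin it to a reviewed release and check what was fetched, e.g. `git clone --depth 1 --branch <release-tag> https://github.com/aws-samples/automated-security-helper.git /tmp/ash` followed by `git -C /tmp/ash rev-parse HEAD` compared against the expected commit. The job holds only `contents: read` and is `workflow_dispatch`-only, which limits the blast radius to the ephemeral runner and the uploaded report, but this unpinned-tool pattern should not be copied into the push/pull_request workflows. `actions/checkout@v3`, `actions/setup-python@v4` and `actions/upload-artifact@v3` are pinned to mutable major tags; pinning to a commit SHA is the usual hardening step for a security-scanning job.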
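--- a/.github/workflows/bandit.yml
+++ b/.github/workflows/bandit.yml
@@ -0,0 +1,32 @@
+name: Bandit
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  bandit:
+    strategy:
+      matrix:
+        python-version: [3.8]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install
+        run: |
+          python -m pip install --upgrade pip
+          python -m pip install bandit
+      - name: Bandit
+        run: bandit -r -lll -ii .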
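Review bot: `python -m pip install bandit` installs whatever version is current on PyPI at run time, so results can change between runs and a compromised release would execute with the repository checked out; pin it, e.g. `python -m pip install bandit==<version>`, or install from a hash-pinned requirements file. `bandit -r -lll -ii .` reports only high-severity findings with medium-or-higher confidence, so medium- and low-severity findings never fail the job; if that threshold is intentional, add a comment above the step such as `# -lll/-ii: fail only on HIGH severity, MEDIUM+ confidence` so it is not loosened further by accident. The scan also covers the dev-only paths that `.semgrepignore` excludes elsewhere in this PR; a `-x` exclude list would keep the two scanners' scope consistent.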
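--- a/.github/workflows/cdk-nag.yml
+++ b/.github/workflows/cdk-nag.yml
@@ -0,0 +1,48 @@
+name: CDK Nag
+
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - "deploy/**"
+    branches:
+      - main
+  pull_request:
+    paths:
+      - "deploy/**"
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  cdk-nag:
+    strategy:
+      matrix:
+        python-version: [3.8]
+    env:
+      CDK_DEFAULT_REGION: eu-west-1
+      CDK_DEFAULT_ACCOUNT: 111111111111
+      GITHUB_ACTIONS: true
+    runs-on: ubuntu-latest
+    steps:
+      - name: Git clone
+        uses: actions/checkout@v3
+      - name: Set up Node.js
+        uses: actions/setup-node@v3
+      - name: Install CDK
+        run: |
+          npm install -g aws-cdk cdk-nag
+          cdk --version
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Upgrade Pip
+        run: python -m pip install --upgrade pip
+      - name: Install Requirements
+        run: python -m pip install -r deploy/requirements.txt
+      - name: CDK Synth
+        run: |
+          npx cdk synth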
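Review bot: The job runs `python -m pip install -r deploy/requirements.txt` and `npx cdk synth` on `pull_request`, so a PR that edits `deploy/requirements.txt` or the CDK app gets arbitrary code execution on the runner before review; that is tolerable only while the job stays secret-free and read-only as it is here (`permissions: contents: read`, dummy `CDK_DEFAULT_ACCOUNT`), so a comment such as `# Runs PR-controlled code: keep this job free of AWS credentials and write permissions` would stop a later maintainer from adding credentials to it. `npm install -g aws-cdk cdk-nag` is unpinned, so the CDK toolkit drifts between runs; pin it, e.g. `npm install -g aws-cdk@<version>`, and note that for a Python CDK app the Node `cdk-nag` global install is presumably not what the app imports (the Python `cdk-nag` package would come from `deploy/requirements.txt`), so that part of the line may be dead. Whether nag findings fail the job depends on how the app registers the Aspect, which is not visible in this workflow; if it only warns, `cdk synth` exits 0 and the check is informational. `GITHUB_ACTIONS: true` duplicates a variable the runner already sets, and `CDK_DEFAULT_ACCOUNT: 111111111111` should be quoted so YAML does not type the account id as an integer.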
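--- a/.github/workflows/eslint.yml
+++ b/.github/workflows/eslint.yml
@@ -0,0 +1,37 @@
+name: Run eslint
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+      - release/*
+      - main-v2
+
+permissions:
+  contents: read
+
+jobs:
+  es-lint:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [16.x]
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache-dependency-path: |
+            ./frontend/package-lock.json
+            ./frontend/package.json
+      - run: npm install
+        working-directory: frontend
+      - run: npm run lint
+        working-directory: frontend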
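Review bot: `npm install` under `working-directory: frontend` resolves dependencies against `package.json` rather than installing the locked tree, so the lint run can pull newer transitive versions than the lockfile records and may rewrite `package-lock.json` on the runner; use `npm ci` as the sibling npm-audit workflow in this PR does. `cache-dependency-path` on `actions/setup-node@v3` has no effect unless `cache: npm` is also set, so no cache is used here — either add `cache: npm` under `with:` or drop the paths. Installing from a PR-controlled lockfile also runs every dependency's install-time scripts on the runner; `npm ci --ignore-scripts` removes that for a lint job, provided no eslint plugin relies on a postinstall step, which I cannot confirm from here.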
@@ -1,19 +1,20 @@
name: "Minimal Security checks"
name: Run Lint

on:
workflow_dispatch:
pull_request:
branches:
- main
- release/*
- main-v2
- main
- release/*
- main-v2

jobs:
build:
lint:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [ 3.8 ]
python-version: [3.8]

steps:
- uses: actions/checkout@v2
- name: Set up Python ${{ matrix.python-version }}
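Review bot: This workflow still has no `permissions:` block between `on:` and `jobs:`, unlike every other workflow added in this PR, so the job runs with the repository's default `GITHUB_TOKEN` permissions instead of `contents: read`; add `permissions:` / `  contents: read` after the `on:` section. `actions/checkout@v2` is also left on an older major while the new workflows use `actions/checkout@v3`; bringing it in line avoids the deprecated runtime warnings GitHub emits for old action majors. The branch lists appear unchanged by this hunk (the same three entries are printed for both sides), so the rename to `Run Lint` and the job rename to `lint` are the only semantic changes visible here. The file's second hunk, which replaces the `make check-security` step, continues below.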
Expand All @@ -24,5 +25,7 @@ jobs:
- name: Install Requirements
run: |
python -m pip install --upgrade pip
- name: Security check
run: make check-security
python -m pip install isort
python -m pip install flake8
- name: Lint
run: python -m flake8 --exclude cdk.out,blueprints --ignore E402,E501,F841,W503,F405,F403,F401,E712,E203 backend/
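--- a/.github/workflows/npm-audit.yml
+++ b/.github/workflows/npm-audit.yml
@@ -0,0 +1,37 @@
+name: Run npm-audit
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+      - release/*
+      - main-v2
+
+permissions:
+  contents: read
+
+jobs:
+  npm-audit:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        node-version: [16.x]
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache-dependency-path: |
+            ./frontend/package-lock.json
+            ./frontend/package.json
+      - run: npm ci
+        working-directory: frontend
+      - run: npm run audit
+        working-directory: frontend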
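Review bot: The job runs `npm ci` on a PR-controlled `package-lock.json` before auditing, which executes every dependency's install-time scripts on the runner; since `npm audit` only needs the lockfile, `npm ci --ignore-scripts` removes that exposure, provided the `audit` script is a plain `npm audit` (its body lives in `frontend/package.json` and is not visible here). `cache-dependency-path` is set without `cache: npm`, so `actions/setup-node@v3` does not actually cache anything — add `cache: npm` or remove the paths. The job is read-only (`contents: read`) and uses no secrets, which is the right posture for a scanner whose only output is the check result.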
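--- a/.github/workflows/semgrep-schedule.yml
+++ b/.github/workflows/semgrep-schedule.yml
@@ -0,0 +1,35 @@
+name: Run Semgrep-full
+
+on:
+  workflow_dispatch:
+    branches:
+      - main
+  schedule:
+    - cron: '0 1 * * 2'
+
+permissions:
+  contents: read
+
+jobs:
+  semgrep-full:
+    runs-on: ubuntu-latest
+
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: returntocorp/semgrep
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      - uses: actions/checkout@v3
+      - run: semgrep ci --verbose --metrics=off --sarif --output=semgrep.sarif
+        env:
+          # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
+          SEMGREP_RULES: p/default # more at semgrep.dev/explore
+
+      - name: Upload SARIF file for GitHub Advanced Security Dashboard
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: semgrep.sarif
+        if: always()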
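Review bot: The upload step `uses: github/codeql-action/upload-sarif@v2` writes to the code-scanning API and needs `security-events: write`, but the workflow grants only `permissions: contents: read`, so the upload will be rejected and the scheduled findings never reach the dashboard; extend the block to `permissions:` / `  contents: read` / `  security-events: write` (plus `actions: read` if the repository is private). `workflow_dispatch` takes no `branches` filter, so the `branches: - main` placed under it (the original indentation is not recoverable from this rendering) is an unexpected key that GitHub's workflow validation is likely to reject; remove it. `image: returntocorp/semgrep` floats on `latest`, so a scheduled run can pick up an unreviewed image; pin a version tag or digest. The `dependabot[bot]` skip is copied from the PR workflow, but this workflow has no `pull_request` trigger, so the condition is dead and the comment above it misleading.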
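--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -0,0 +1,35 @@
+name: Run Semgrep
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+      - release/*
+      - main-v2
+
+permissions:
+  contents: read
+
+jobs:
+  semgrep:
+    runs-on: ubuntu-latest
+
+    container:
+      # A Docker image with Semgrep installed. Do not change this.
+      image: returntocorp/semgrep
+
+    # Skip any PR created by dependabot to avoid permission issues:
+    if: (github.actor != 'dependabot[bot]')
+
+    steps:
+      # Fetch project source with GitHub Actions Checkout.
+      - uses: actions/checkout@v3
+      # Run the "semgrep ci" command on the command line of the docker image.
+      - run: semgrep scan --error --verbose --metrics=off
+        env:
+          # Add the rules that Semgrep uses by setting the SEMGREP_RULES environment variable.
+          SEMGREP_RULES: p/default # more at semgrep.dev/explore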
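Review bot: The comment `# Run the "semgrep ci" command on the command line of the docker image.` no longer matches the step, which runs `semgrep scan --error --verbose --metrics=off`; change it to `# Run "semgrep scan" with the rules in SEMGREP_RULES; --error makes any finding fail the job.` so a reader does not expect the cloud-connected `semgrep ci` behaviour. `image: returntocorp/semgrep` is unpinned and resolves to `latest` on every push and PR; pin a version tag or digest, and make the `Do not change this.` comment say which version is pinned and why. The `dependabot[bot]` skip cites "permission issues", but this job only reads contents and uses no secrets, so the condition appears to be boilerplate; either state the real reason or drop it so dependency-bump PRs are also scanned.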
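--- a/.semgrepignore
+++ b/.semgrepignore
@@ -0,0 +1,32 @@
+# Items added to this file will be ignored by Semgrep.
+#
+# This file uses .gitignore syntax:
+#
+# To ignore a file anywhere it occurs in your project, enter a
+# glob pattern here. E.g. "*.min.js".
+#
+# To ignore a directory anywhere it occurs in your project, add
+# a trailing slash to the file name. E.g. "dist/".
+#
+# To ignore a file or directory only relative to the project root,
+# include a slash anywhere except the last character. E.g.
+# "/dist/", or "src/generated".
+#
+# Some parts of .gitignore syntax are not supported, and patterns
+# using this syntax will be dropped from the ignore list:
+# - Explicit "include syntax", e.g. "!kept/".
+# - Multi-character expansion syntax, e.g. "*.py[cod]"
+# To include ignore patterns from another file, start a line
+# with ':include', followed by the path of the file. E.g.
+# ":include path/to/other/ignore/file".
+# UPDATE: this will not be be needed in osemgrep which supports
+# all of the .gitignore syntax (!kept/, *.py[cod])
+#
+# To ignore a file with a literal ':' character, escape it with
+# a backslash, e.g. "\:foo".
+
+/backend/local_cdkapi_server.py
+/backend/local_graphql_server.py
+/backend/docker/dev/*
+/frontend/docker/dev/*
+.github/*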
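Review bot: `.github/*` removes the workflow files themselves from every Semgrep run, so none of the CI definitions added in this PR are ever checked by the GitHub Actions rules (expression injection, missing `permissions`, unpinned actions) if those are part of the selected rule set; if the intent was to skip something specific, narrow the pattern to it. The four dev exclusions (`/backend/local_cdkapi_server.py`, `/backend/local_graphql_server.py`, `/backend/docker/dev/*`, `/frontend/docker/dev/*`) hide findings in code that is presumably development-only and never deployed, but that assumption is not recorded anywhere; add a comment line above them such as `# Local development servers and dev container files; not part of any deployed artifact.` so the list does not silently grow into a blanket allowlist.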
8 changes: 6 additions & 2 deletions backend/dataall/base/aws/sts.py
Expand Up @@ -128,7 +128,9 @@ def get_console_access_url(cls, boto3_session, region='eu-west-1', bucket=None):
request_parameters += '&Session=' + urllib.parse.quote_plus(json_string_with_temp_credentials)
request_url = 'https://signin.aws.amazon.com/federation' + request_parameters

r = urllib.request.urlopen(request_url).read()
r = urllib.request.urlopen(request_url).read() # nosemgrep
# The request parameters and url does not include any upstream input from data.all users.
# there is no danger of malicious actors introducing values

signin_token = json.loads(r)
request_parameters = '?Action=login'
Expand Down Expand Up @@ -339,7 +341,9 @@ def generate_console_url(credentials, session_duration=None, region='eu-west-1',
request_parameters += '&Session=' + quote_plus(json_string_with_temp_credentials)
request_url = 'https://signin.aws.amazon.com/federation' + request_parameters

r = urlopen(request_url).read()
r = urlopen(request_url).read() # nosemgrep
# The request parameters and url does not include any upstream input from data.all users.
# there is no danger of malicious actors introducing values

signin_token = json.loads(r)
request_parameters = '?Action=login'
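Review bot: Both suppressions are bare `# nosemgrep`, which silences every rule on that line rather than only the dynamic-URL finding the new comments justify; scope them to the rule that fired, e.g. `r = urlopen(request_url).read()  # nosemgrep: <rule-id>`, so a future rule matching the same line still reports. The justification that the URL carries no user input rests on where `region` (and `bucket` in `get_console_access_url`) come from: the visible signatures default `region='eu-west-1'`, but whether callers pass values derived from GraphQL input is not visible in these hunks, so confirm that and say so in the comment. `urlopen` here also has no `timeout`, so a stalled call to `signin.aws.amazon.com` blocks the request indefinitely; `urlopen(request_url, timeout=...)` is a one-token fix. Minor wording: `The request parameters and url does not include` should read `do not include`. Both enclosing functions start and end outside the hunks.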