ShiftLeftSecurity · e6-qwiet · Dec 6, 2024 · Dec 13, 2024 · Dec 13, 2024 · Dec 13, 2024
diff --git a/.github/workflows/qwiet-prezero-workflow.yml b/.github/workflows/qwiet-prezero-workflow.yml
@@ -0,0 +1,40 @@
+# This workflow integrates Qwiet preZero with GitHub
+# .... 
+# Visit https://docs.shiftleft.io for help
+name: Qwiet
+
+on:
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    # * is a special character in YAML so you have to quote this string
+    - cron: '0 11 * * 6'
+jobs:
+  NextGen-Static-Analysis:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Setup Java JDK v8
+      uses: actions/setup-java@v3
+      with:
+        distribution: zulu
+        java-version: 8
+
+    - name: Download Qwiet CLI
+      run: |
+        curl https://cdn.shiftleft.io/download/sl > ${GITHUB_WORKSPACE}/sl && chmod a+rx ${GITHUB_WORKSPACE}/sl
+
+    - name: Extract branch name
+      shell: bash
+      run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+      id: extract_branch
+
+    - name: preZero NextGen Static Analysis
+      run: ${GITHUB_WORKSPACE}/sl analyze --strict --wait --verbose --tag branch=${{ github.head_ref || steps.extract_branch.outputs.branch }}
+
+      env:
+        SHIFTLEFT_ACCESS_TOKEN: ${{ secrets.SHIFTLEFT_ACCESS_TOKEN }}
+        SHIFTLEFT_API_HOST: www.shiftleft.io
+        SHIFTLEFT_GRPC_TELEMETRY_HOST: telemetry.shiftleft.io:443
+        SHIFTLEFT_GRPC_API_HOST: api.shiftleft.io:443
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,139 @@
+*.DS_STORE
+.idea/
+.gitleaks_bin/
+repos/
+.vscode/
+.idea/
+.tox/
+.tool-versions
+venv/
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+.coverage
+reports/
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+    "shiftleft-core.slHomePath": "/Users/rootman/.shiftleft"
+}
diff --git a/shiftleft-python-demo.iml b/shiftleft-python-demo.iml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="WEB_MODULE" version="4">
+  <component name="NewModuleRootManager" inherit-compiler-output="true">
+    <exclude-output />
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+</module>
diff --git a/shiftleft.yml b/shiftleft.yml
@@ -0,0 +1,110 @@
+build_rules:
+  - id: "No critical or high SAST findings"
+    finding_types:
+      - vuln
+    cvss_31_severity_ratings:
+      - critical
+      - high
+    threshold: 0
+  - id: "Allow 0 secrets"
+    finding_types:
+      - secret
+    threshold: 0  
+    options:
+      num_findings: 10 # Return 10 sast findings
+  - id: "No reachable SCA findings"
+    finding_types:
+      - oss_vuln
+    cvss_31_severity_ratings:
+      - critical
+      - high
+    threshold: 0
+    options:
+      reachable: true
+      num_findings: 10 # Return 10 reachable sca findings
+  - id: "No critical or high container findings"
+    finding_types:
+      - container
+    cvss_31_severity_ratings:
+      - critical
+      - high
+    threshold: 0
+    options:
+      num_findings: 10 # Return 10 container findings
+# The above rule is perhaps the most common in that it
+# is designed to be used with Pull Request and to block
+# new vulns from being introduced that aren't already on
+# the 'main' branch
+#
+# Below is enchalada with all the options shown
+#
+# ID is the name that will be reflected in the PR comments
+#  - id: build-rule-enchalada
+#      - vuln
+#.     - oss_vuln
+#      - secret
+#      - insight
+#      - container
+# Do you want to block ALL types by severity?
+#    cvss_31_severity_ratings:
+#      - critical
+#      - high
+#      - medium
+#.     - low
+# Do you want to focus on just one or more types?
+#    type:
+#      - Weak Random
+#      - Sensitive Data Leak
+#      - Deserialization
+#      - Directory Traversal
+#      - Sensitive Data Exposure
+#      - Remote Code Execution
+#      - Command Injection
+#      - Security Best Practices
+#      - Unsafe Reflection
+#      - Regex Injection
+#      - SQL Injection
+#      - XML External Entities
+#      - Template Injection
+#      - Cross-Site Scripting
+#      - JSON Injection
+#      - Potential SQL Injection
+#      - Potential Regex Injection
+#      - Header Injection
+#      - Security Misconfiguration
+#      - Deprecated Function Use
+#      - Mail Injection
+#      - Race Condition
+#      - Sensitive Data Usage
+#      - Open Redirect
+#      - Error Handling
+#      - HTTP to Database
+#      - HTTP to Model
+#      - LDAP Injection
+#      - Denial of Service
+#      - CRLF Injection
+#      - NoSQL Injection
+#      - Weak Hash
+#      - Session Injection
+#      - Server-Side Request Forgery
+#      - Prototype Pollution
+#      - Log Forging
+#      - XPath Injection
+#      - Insecure Authentication
+#      - Intent Redirection
+#      - Authentication Bypass
+#      - Weak Cipher
+#      - Crypto
+# Focus by OWASP Category?
+#    owasp_category:
+#      - a01-2021-broken-access-control
+#      - a02-2021-cryptographic-failures
+#      - a03-2021-injection
+#      - a04-2021-insecure-design
+#      - a05-2021-security-misconfiguration
+#      - a06-2021-vulnerable-and-outdated-components
+#      - a07-2021-identification-and-authentication-failures
+#      - a08-2021-software-and-data-integrity-failures
+#      - a09-2021-security-logging-and-monitoring-failures
+#      - a10-2021-server-side-request-forgery-(ssrf)
+