From d6ef2e0fdf756be85cf757e1ff53503a10d0135d Mon Sep 17 00:00:00 2001 From: sanchezpaco Date: Mon, 7 Jul 2025 11:26:44 +0200 Subject: [PATCH 1/4] test: enabling secrets detection --- .github/workflows/03-secrets-detection.yml | 26 +++++++++++++++++---- .github/workflows/09-runtime-infra-scan.yml | 2 +- .github/workflows/pipeline-orchestrator.yml | 11 +++++++++ 3 files changed, 33 insertions(+), 6 deletions(-) diff --git a/.github/workflows/03-secrets-detection.yml b/.github/workflows/03-secrets-detection.yml index b5e65fc..e1bdf20 100644 --- a/.github/workflows/03-secrets-detection.yml +++ b/.github/workflows/03-secrets-detection.yml @@ -2,10 +2,12 @@ name: Secrets Detection on: workflow_call: - outputs: - secrets-result: - description: "Secrets scan result" - value: ${{ jobs.secrets-scan.outputs.result }} + +permissions: + contents: read + id-token: write + issues: write + pull-requests: write jobs: secrets-scan: @@ -16,4 +18,18 @@ jobs: id: to_remove run: | echo "Copy here the workflow of the secrets scan tool you want to use. - Inside workshop/secrets_scan/{tool}/workflow.yml" \ No newline at end of file + Inside workshop/secrets_scan/{tool}/workflow.yml" + + - name: Checkout code + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: TruffleHog OSS + id: trufflehog + uses: trufflesecurity/trufflehog@6641d4ba5b684fffe195b9820345de1bf19f3181 # v3.89.2 + with: + path: ./ + base: "${{ github.event.repository.default_branch }}" + head: HEAD + extra_args: --debug --only-verified diff --git a/.github/workflows/09-runtime-infra-scan.yml b/.github/workflows/09-runtime-infra-scan.yml index 7ea76e5..0d3a420 100644 --- a/.github/workflows/09-runtime-infra-scan.yml +++ b/.github/workflows/09-runtime-infra-scan.yml 
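Review bot: The new top-level `permissions` block grants `id-token: write`, `issues: write` and `pull-requests: write`, yet no step added to this workflow requests an OIDC token or writes to issues or pull requests; checkout and TruffleHog need only `contents: read`. Reduce it to `permissions:` followed by `  contents: read` and widen it only alongside the step that actually needs the extra scope. The same over-broad block is repeated in pipeline-orchestrator.yml, both at the top level and again on the `secrets-detection` job, where it additionally must not exceed what the caller already holds. Removing `outputs.secrets-result` also drops the value a caller could read from this reusable workflow; if the orchestrator consumes it, the reference resolves to an empty string instead of failing, which is easy to miss.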
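Review bot: `actions/checkout@v3` is pinned to a mutable tag while the TruffleHog action on the next step is pinned to a full commit SHA with a version comment; pin checkout the same way (`uses: actions/checkout@<commit-sha> # vX.Y.Z`, with the real SHA substituted for the placeholder) so the resolved code is immutable and the two steps follow one convention. `extra_args: --debug` makes every run verbose and debug output can print more of the matched context than the default, so drop it unless it is there deliberately for the workshop. The `base` input is `github.event.repository.default_branch`, which on a push to that branch can coincide with `head: HEAD`; it is worth confirming the action still scans something on that event rather than comparing a commit with itself.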
@@ -28,4 +28,4 @@ jobs: id: to_remove run: | echo "Copy here the workflow of the runtime infrastructure scan tool you want to use. - Inside workshop/runtime_infra_scan/{tool}/workflow.yml" \ No newline at end of file + Inside workshop/runtime_infra_scan/{tool}/workflow.yml" diff --git a/.github/workflows/pipeline-orchestrator.yml b/.github/workflows/pipeline-orchestrator.yml index 33cf0bf..f0411a5 100644 --- a/.github/workflows/pipeline-orchestrator.yml +++ b/.github/workflows/pipeline-orchestrator.yml @@ -7,6 +7,12 @@ on: branches: [main] workflow_dispatch: +permissions: + contents: read + id-token: write + issues: write + pull-requests: write + jobs: pipeline-scan: uses: ./.github/workflows/01-pipeline-scan.yml @@ -18,6 +24,11 @@ jobs: secrets-detection: needs: pipeline-scan uses: ./.github/workflows/03-secrets-detection.yml + permissions: + contents: read + id-token: write + issues: write + pull-requests: write iac-scan: needs: pipeline-scan From 4186fe2abc643fc3a33e0a6eff7748b465bfcfee Mon Sep 17 00:00:00 2001 From: sanchezpaco Date: Mon, 7 Jul 2025 12:00:26 +0200 Subject: [PATCH 2/4] chore: allow pipelines on every push --- .github/workflows/03-secrets-detection.yml | 12 ++++++------ .github/workflows/pipeline-orchestrator.yml | 1 - 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/03-secrets-detection.yml b/.github/workflows/03-secrets-detection.yml index e1bdf20..e584000 100644 --- a/.github/workflows/03-secrets-detection.yml +++ b/.github/workflows/03-secrets-detection.yml 
@@ -27,9 +27,9 @@ jobs: - name: TruffleHog OSS id: trufflehog - uses: trufflesecurity/trufflehog@6641d4ba5b684fffe195b9820345de1bf19f3181 # v3.89.2 - with: - path: ./ - base: "${{ github.event.repository.default_branch }}" - head: HEAD - extra_args: --debug --only-verified + run: | + # Install TruffleHog + curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin + + # Run filesystem scan - will fail if secrets found + trufflehog filesystem . --no-verification --filter-entropy=1.0 --results="verified,unknown,unverified,filtered_unverified" --fail diff --git a/.github/workflows/pipeline-orchestrator.yml b/.github/workflows/pipeline-orchestrator.yml index f0411a5..26d1932 100644 --- a/.github/workflows/pipeline-orchestrator.yml +++ b/.github/workflows/pipeline-orchestrator.yml @@ -2,7 +2,6 @@ name: Pipeline Orchestrator on: push: - branches: [main, develop] pull_request: branches: [main] workflow_dispatch: From f1ccad819de9f7cb6cd9275b3a41f97504340164 Mon Sep 17 00:00:00 2001 From: Paco Sanchez Date: Wed, 16 Jul 2025 17:22:43 +0200 Subject: [PATCH 3/4] feat: creates folder for trufflehog --- .github/workflows/01-pipeline-scan.yml | 25 ++-- .github/workflows/03-secrets-detection.yml | 41 +++---- .github/workflows/pipeline-orchestrator.yml | 1 - .gitignore | 3 + workshop/pipeline_scan/claws/workflow.yml | 115 ++++++++++-------- workshop/secrets_scan/README.md | 6 +- workshop/secrets_scan/trufflehog/workflow.yml | 44 +++++++ 7 files changed, 140 insertions(+), 95 deletions(-) create mode 100644 .gitignore create mode 100644 workshop/secrets_scan/trufflehog/workflow.yml diff --git a/.github/workflows/01-pipeline-scan.yml b/.github/workflows/01-pipeline-scan.yml index 69aaec8..329208b 100644 --- a/.github/workflows/01-pipeline-scan.yml +++ b/.github/workflows/01-pipeline-scan.yml 
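Review bot: This hunk replaces the SHA-pinned TruffleHog action with `curl -sSfL .../trufflehog/main/scripts/install.sh | sh`, which fetches an unpinned installer from the `main` branch and runs whatever binary it resolves at run time, so the scanner's code is no longer reproducible or reviewable from the workflow. Pin the script URL to a commit instead of `main` and pass an explicit release tag to the installer (or keep the SHA-pinned action from the first patch), and verify the downloaded binary's checksum if the installer exposes one. The flags also deserve a second look: `--no-verification` together with `--results="verified,unknown,unverified,filtered_unverified"` and `--filter-entropy=1.0` fails the build on every unverified match, which tends to block on test fixtures and sample keys rather than live credentials. The same install line is repeated in the new workshop/secrets_scan/trufflehog/workflow.yml in the third patch.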
@@ -1,19 +1,24 @@ name: Pipeline Security Scan on: - push: - branches: [main, develop] - pull_request: - branches: [main] workflow_call: + outputs: + scan-result: + description: "Pipeline scan result" + value: ${{ jobs.pipeline-scan.outputs.result }} jobs: - pipeline-scan: - name: Analyze Github Workflows + # 🚧 REPLACE THIS ENTIRE 'jobs:' SECTION WITH WORKSHOP CONTENT! 🚧 + # Copy from: workshop/{scan-type}/workflow.yml + + workshop-placeholder: + name: "🚧 Workshop Exercise Placeholder" runs-on: ubuntu-latest + outputs: + result: ${{ steps.placeholder.outputs.result }} steps: - - name: to_remove - id: to_remove + - name: Placeholder + id: placeholder run: | - echo "Copy here the workflow of the pipeline scan tool you want to use. - Inside workshop/pipeline_scan/{tool}/workflow.yml" + echo "Replace this job with content from workshop folder!" + echo "result=workshop-placeholder" >> $GITHUB_OUTPUT \ No newline at end of file diff --git a/.github/workflows/03-secrets-detection.yml b/.github/workflows/03-secrets-detection.yml index e584000..66e017e 100644 --- a/.github/workflows/03-secrets-detection.yml +++ b/.github/workflows/03-secrets-detection.yml 
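Review bot: The placeholder job exits 0 and emits `result=workshop-placeholder`, so an orchestrator that gates on job success reports green for a scan stage that has not been wired in yet; if the intent is to make a missing exercise visible, end the placeholder step with `exit 1` (or have the caller treat any result other than `success` as a failure). `$GITHUB_OUTPUT` is unquoted in the redirection and the file now ends without a trailing newline; write `echo "result=workshop-placeholder" >> "$GITHUB_OUTPUT"`. The same placeholder block is added to 03-secrets-detection.yml in this patch and to 02-code-analysis.yml, 05-container-scan.yml, 06-iac-scan.yml and 09-runtime-infra-scan.yml in the fourth patch, so the fix applies to each of them.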
@@ -2,34 +2,23 @@ name: Secrets Detection on: workflow_call: - -permissions: - contents: read - id-token: write - issues: write - pull-requests: write + outputs: + secrets-result: + description: "Secrets scan result" + value: ${{ jobs.secrets-scan.outputs.result }} jobs: - secrets-scan: - name: Secrets Detection Scan + # 🚧 REPLACE THIS ENTIRE 'jobs:' SECTION WITH WORKSHOP CONTENT! 🚧 + # Copy from: workshop/{scan-type}/workflow.yml + + workshop-placeholder: + name: "🚧 Workshop Exercise Placeholder" runs-on: ubuntu-latest + outputs: + result: ${{ steps.placeholder.outputs.result }} steps: - - name: to_remove - id: to_remove + - name: Placeholder + id: placeholder run: | - echo "Copy here the workflow of the secrets scan tool you want to use. - Inside workshop/secrets_scan/{tool}/workflow.yml" - - - name: Checkout code - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - - name: TruffleHog OSS - id: trufflehog - run: | - # Install TruffleHog - curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin - - # Run filesystem scan - will fail if secrets found - trufflehog filesystem . --no-verification --filter-entropy=1.0 --results="verified,unknown,unverified,filtered_unverified" --fail + echo "Replace this job with content from workshop folder!" + echo "result=workshop-placeholder" >> $GITHUB_OUTPUT \ No newline at end of file diff --git a/.github/workflows/pipeline-orchestrator.yml b/.github/workflows/pipeline-orchestrator.yml index 26d1932..5ceb402 100644 --- a/.github/workflows/pipeline-orchestrator.yml +++ b/.github/workflows/pipeline-orchestrator.yml @@ -1,7 +1,6 @@ name: Pipeline Orchestrator on: - push: pull_request: branches: [main] workflow_dispatch: diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..649990d --- /dev/null +++ b/.gitignore @@ -0,0 +1,3 @@ +.DS_Store +.vscode +.env 
diff --git a/workshop/pipeline_scan/claws/workflow.yml b/workshop/pipeline_scan/claws/workflow.yml
index 15582f9..c9b1db3 100644
--- a/workshop/pipeline_scan/claws/workflow.yml
+++ b/workshop/pipeline_scan/claws/workflow.yml
@@ -6,72 +6,81 @@ # # TO USE THIS JOB: # 1. Copy this entire job definition into .github/workflows/01-pipeline-scan.yml -# 2. Place it under the "jobs:" section +# 2. Replace the current jobs: definition with this one # 3. Ensure you have a claws-config.yml file in workshop/pipeline_scan/ # 4. The job will automatically scan all workflows in .github/workflows/ # ============================================================================= -pipeline-scan-claws: - name: Analyze Github Workflows - runs-on: ubuntu-latest - steps: - # Set up Ruby environment (required for Claws) - - name: Set Up Ruby - uses: ruby/setup-ruby@d8d83c3960843afb664e821fed6be52f37da5267 # v1.231.0 - with: - ruby-version: "3.3" +jobs: + pipeline-scan: + name: Analyze Github Workflows + runs-on: ubuntu-latest + outputs: + result: ${{ steps.claws.outputs.result }} + steps: + # Set up Ruby environment (required for Claws) + - name: Set Up Ruby + uses: ruby/setup-ruby@d8d83c3960843afb664e821fed6be52f37da5267 # v1.231.0 + with: + ruby-version: "3.3" - # Checkout the repository with full history - - uses: actions/checkout@v4 - with: - fetch-depth: 0 + # Checkout the repository with full history + - uses: actions/checkout@v4 + with: + fetch-depth: 0 - # Copy the Claws configuration file to temporary location - - name: Set Up Claws Config - run: | - cp workshop/pipeline_scan/claws-config.yml /tmp/claws-config.yml + # Copy the Claws configuration file to temporary location + - name: Set Up Claws Config + run: | + cp workshop/pipeline_scan/claws-config.yml /tmp/claws-config.yml - # Install Shellcheck (dependency for Claws) - - name: Set Up Shellcheck - run: | - sudo apt-get update - sudo apt-get install -y shellcheck + # Install Shellcheck (dependency for Claws) + - name: Set Up Shellcheck + run: | + sudo apt-get update + sudo apt-get install -y shellcheck - # Install the Claws security scanner - - name: Set Up Claws - run: | - gem install claws-scan -v 0.7.5 + # Install the Claws security scanner + - 
name: Set Up Claws + run: | + gem install claws-scan -v 0.7.5 - # Run security analysis on all workflow files - - name: Analyze Workflows - run: | - #!/bin/bash + # Run security analysis on all workflow files + - name: Analyze Workflows + id: claws + run: | + #!/bin/bash - echo "🔍 Starting workflow security analysis..." + echo "🔍 Starting workflow security analysis..." - # Find all workflow files in .github/workflows directory - workflow_files=$(find .github/workflows -type f) + # Find all workflow files in .github/workflows directory + workflow_files=$(find .github/workflows -type f) - # Check if any workflow files exist - if [[ -z "$workflow_files" ]]; then - echo "⚠️ No workflow files found in .github/workflows" - echo " Make sure your workflows are in the correct directory" - exit 0 - fi + # Check if any workflow files exist + if [[ -z "$workflow_files" ]]; then + echo "⚠️ No workflow files found in .github/workflows" + echo " Make sure your workflows are in the correct directory" + exit 0 + fi - # Prepare command flags for each workflow file - flags=() - echo "📁 Found workflow files:" + # Prepare command flags for each workflow file + flags=() + echo "📁 Found workflow files:" - while IFS= read -r file; do - echo " - $file" - flags+=("-t" "$file") - done <<< "$workflow_files" + while IFS= read -r file; do + echo " - $file" + flags+=("-t" "$file") + done <<< "$workflow_files" - echo "" - echo "🚀 Running Claws security analysis..." + echo "" + echo "🚀 Running Claws security analysis..." - # Execute the security analysis - analyze -f github -c /tmp/claws-config.yml "${flags[@]}" - - echo "✅ Analysis complete!" + # Execute the security analysis and capture result + if analyze -f github -c /tmp/claws-config.yml "${flags[@]}"; then + echo "result=success" >> $GITHUB_OUTPUT + echo "✅ Analysis complete! No security issues detected" + else + echo "result=failure" >> $GITHUB_OUTPUT + echo "❌ Security issues detected in workflows" + exit 1 + fi 
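Review bot: On the no-workflow-files path the `Analyze Workflows` step runs `exit 0` without writing anything to `$GITHUB_OUTPUT`, so `steps.claws.outputs.result`, which the new job-level `outputs.result` is wired to, comes back empty instead of `success` or `failure`; add `echo "result=success" >> "$GITHUB_OUTPUT"` (or a distinct value such as `skipped`) before that `exit 0`. `actions/checkout@v4` is a mutable tag while `ruby/setup-ruby` on the step above is SHA-pinned with a version comment, so checkout should be pinned the same way. `$GITHUB_OUTPUT` is unquoted in both new redirections. `find .github/workflows -type f` also hands every file in the directory to the scanner, not just YAML; restrict it with `-name` to `*.yml`/`*.yaml` so stray files do not produce confusing parse errors.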
diff --git a/workshop/secrets_scan/README.md b/workshop/secrets_scan/README.md index ce37c97..bb05522 100644 --- a/workshop/secrets_scan/README.md +++ b/workshop/secrets_scan/README.md @@ -33,13 +33,9 @@ There are other types of secrets or sensitive data that may not be covered by th - **AWS Account IDs** - AWS account IDs (or other cloud provider identifiers) can be used to enumerate resources and help attackers to map the attack surface. - There's a lot of discussion about if this should be considered a secret or not. #TODO: Elaborate on this, and find references. -## Tools Used in This Module #TODO: Update this section +## Tools Used in This Module - **TruffleHog** - Git history secrets scanner -- **GitLeaks** - SAST-focused secrets detection -- **detect-secrets** - Yelp's secrets detection library -- **GitHub Secret Scanning** - Built-in GitHub security feature -- **HashiCorp Vault** - Secrets management solution ## Learning Objectives diff --git a/workshop/secrets_scan/trufflehog/workflow.yml b/workshop/secrets_scan/trufflehog/workflow.yml new file mode 100644 index 0000000..4ace849 --- /dev/null +++ b/workshop/secrets_scan/trufflehog/workflow.yml 
@@ -0,0 +1,44 @@ + +# ============================================================================= +# TRUFFLEHOG SECRETS SCAN JOB +# ============================================================================= +# +# TruffleHog is a secrets detection tool for finding credentials in code +# Repository: https://github.com/trufflesecurity/trufflehog +# +# TO USE THIS JOB: +# 1. Copy this entire job definition into .github/workflows/03-secrets-detection.yml +# 2. Replace the current jobs: definition with this one +# 3. The job will automatically scan the entire repository for secrets +# 4. The scan will fail if any secrets are found +# ============================================================================= + +jobs: + secrets-scan: + name: Secrets Detection Scan + runs-on: ubuntu-latest + outputs: + result: ${{ steps.trufflehog.outputs.result }} + steps: + # Checkout the repository with full history + - name: Checkout code + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + # Install and run TruffleHog secrets scanner + - name: TruffleHog OSS + id: trufflehog + run: | + # Install TruffleHog + curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin + + # Run filesystem scan and capture result + if trufflehog filesystem . --no-verification --filter-entropy=1.0 --results="verified,unknown,unverified,filtered_unverified" --fail; then + echo "result=success" >> $GITHUB_OUTPUT + echo "✅ No secrets detected" + else + echo "result=failure" >> $GITHUB_OUTPUT + echo "❌ Secrets detected in repository" + exit 1 + fi \ No newline at end of file From f9195633d078ac2ed2f0b68f550cd6718b45fb3a Mon Sep 17 00:00:00 2001 
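Review bot: The `else` branch of the `TruffleHog OSS` step reports "Secrets detected" for any non-zero exit, including the installer failing or the `trufflehog` binary being absent, so an outage of the install line is indistinguishable from a finding and `result=failure` cannot be trusted to mean secrets were found. Capture the exit status and treat only TruffleHog's findings code (documented as 183 for `--fail`; confirm against the version you pin) as a detection, surfacing any other status as a scanner error. As in the second patch, the installer is fetched from the `main` branch over `curl | sh`; pin both the script URL and the release tag. `actions/checkout@v3` is a mutable tag and `$GITHUB_OUTPUT` is unquoted in both redirections.
```yaml
      - name: TruffleHog OSS
        id: trufflehog
        run: |
          # … unchanged: install …
          status=0
          trufflehog filesystem . --no-verification --filter-entropy=1.0 --results="verified,unknown,unverified,filtered_unverified" --fail || status=$?
          if [ "$status" -eq 0 ]; then
            echo "result=success" >> "$GITHUB_OUTPUT"
            echo "✅ No secrets detected"
          elif [ "$status" -eq 183 ]; then
            echo "result=failure" >> "$GITHUB_OUTPUT"
            echo "❌ Secrets detected in repository"
            exit 1
          else
            echo "result=error" >> "$GITHUB_OUTPUT"
            echo "TruffleHog did not complete (exit $status)"
            exit "$status"
          fi
```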
From: Paco Sanchez Date: Wed, 16 Jul 2025 18:09:41 +0200 Subject: [PATCH 4/4] chore: improves description of placeholder flows --- .github/workflows/02-code-analysis.yml | 17 +++++++++++------ .github/workflows/05-container-scan.yml | 17 +++++++++++------ .github/workflows/06-iac-scan.yml | 17 +++++++++++------ .github/workflows/09-runtime-infra-scan.yml | 17 +++++++++++------ 4 files changed, 44 insertions(+), 24 deletions(-) diff --git a/.github/workflows/02-code-analysis.yml b/.github/workflows/02-code-analysis.yml index fa3070b..fe0719c 100644 --- a/.github/workflows/02-code-analysis.yml +++ b/.github/workflows/02-code-analysis.yml @@ -8,12 +8,17 @@ on: value: ${{ jobs.dependency_check.outputs.result }} jobs: - sca-scan: - name: SCA Scan + # 🚧 REPLACE THIS ENTIRE 'jobs:' SECTION WITH WORKSHOP CONTENT! 🚧 + # Copy from: workshop/{scan-type}/workflow.yml + + workshop-placeholder: + name: "🚧 Workshop Exercise Placeholder" runs-on: ubuntu-latest + outputs: + result: ${{ steps.placeholder.outputs.result }} steps: - - name: to_remove - id: to_remove + - name: Placeholder + id: placeholder run: | - echo "Copy here the workflow of the SCA scan tool you want to use. - Inside workshop/code_scan/{tool}/workflow.yml" + echo "Replace this job with content from workshop folder!" + echo "result=workshop-placeholder" >> $GITHUB_OUTPUT \ No newline at end of file diff --git a/.github/workflows/05-container-scan.yml b/.github/workflows/05-container-scan.yml index 3f5692e..2aa1a10 100644 --- a/.github/workflows/05-container-scan.yml +++ b/.github/workflows/05-container-scan.yml 
@@ -13,12 +13,17 @@ on: value: ${{ jobs.container-scan.outputs.result }} jobs: - container-scan: - name: Container Vulnerability Scan + # 🚧 REPLACE THIS ENTIRE 'jobs:' SECTION WITH WORKSHOP CONTENT! 🚧 + # Copy from: workshop/{scan-type}/workflow.yml + + workshop-placeholder: + name: "🚧 Workshop Exercise Placeholder" runs-on: ubuntu-latest + outputs: + result: ${{ steps.placeholder.outputs.result }} steps: - - name: to_remove - id: to_remove + - name: Placeholder + id: placeholder run: | - echo "Copy here the workflow of the container scan tool you want to use. - Inside workshop/container_scan/{tool}/workflow.yml" \ No newline at end of file + echo "Replace this job with content from workshop folder!" + echo "result=workshop-placeholder" >> $GITHUB_OUTPUT \ No newline at end of file diff --git a/.github/workflows/06-iac-scan.yml b/.github/workflows/06-iac-scan.yml index bd9ec9b..fb8a9da 100644 --- a/.github/workflows/06-iac-scan.yml +++ b/.github/workflows/06-iac-scan.yml @@ -8,12 +8,17 @@ on: value: ${{ jobs.iac-scan.outputs.result }} jobs: - iac-scan: - name: Infrastructure Security Scan + # 🚧 REPLACE THIS ENTIRE 'jobs:' SECTION WITH WORKSHOP CONTENT! 🚧 + # Copy from: workshop/{scan-type}/workflow.yml + + workshop-placeholder: + name: "🚧 Workshop Exercise Placeholder" runs-on: ubuntu-latest + outputs: + result: ${{ steps.placeholder.outputs.result }} steps: - - name: to_remove - id: to_remove + - name: Placeholder + id: placeholder run: | - echo "Copy here the workflow of the IaC scan tool you want to use. - Inside workshop/iac_scan/{tool}/workflow.yml" \ No newline at end of file + echo "Replace this job with content from workshop folder!" + echo "result=workshop-placeholder" >> $GITHUB_OUTPUT \ No newline at end of file diff --git a/.github/workflows/09-runtime-infra-scan.yml b/.github/workflows/09-runtime-infra-scan.yml index 0d3a420..9c9658d 100644 --- a/.github/workflows/09-runtime-infra-scan.yml +++ b/.github/workflows/09-runtime-infra-scan.yml 
@@ -20,12 +20,17 @@ on: value: ${{ jobs.load-test.outputs.result }} jobs: - runtime-infra-scan: - name: Runtime Infrastructure Scan + # 🚧 REPLACE THIS ENTIRE 'jobs:' SECTION WITH WORKSHOP CONTENT! 🚧 + # Copy from: workshop/{scan-type}/workflow.yml + + workshop-placeholder: + name: "🚧 Workshop Exercise Placeholder" runs-on: ubuntu-latest + outputs: + result: ${{ steps.placeholder.outputs.result }} steps: - - name: to_remove - id: to_remove + - name: Placeholder + id: placeholder run: | - echo "Copy here the workflow of the runtime infrastructure scan tool you want to use. - Inside workshop/runtime_infra_scan/{tool}/workflow.yml" + echo "Replace this job with content from workshop folder!" + echo "result=workshop-placeholder" >> $GITHUB_OUTPUT \ No newline at end of file