GitHub Advance Security Compliance Action

Overview

advanced-security-compliance

This Action lets you configure a risk threshold for the security issues reported by GitHub Code Scanning, Secret Scanning and Dependabot Security.

Setup

Action

Here is how you can quickly set up advanced-security-compliance.

# Compliance
- name: Advance Security Compliance Action
  uses: GeekMasher/[email protected]

Action Examples

CLI

The CLI tool uses pipenv to manage its dependencies inside a pip virtual environment, so that its dependency versions do not clash with those installed on the system.

# Install dependencies and virtual environment
pipenv install
# [option] Install system wide
pipenv install --system

Once installed, you can just call the module using the following command(s):

# Using pipenv script
pipenv run main --help
# ... or
pipenv run python -m ghascompliance

CLI Examples

Policy as Code / PaC

Here is an example of a simple, organization-wide setup using Policy as Code:

# Compliance
- name: Advance Security Compliance Action
  uses: GeekMasher/[email protected]
  with:
    # The owner/repo of the repository where the policy is stored
    policy: GeekMasher/security-queries
    # The path to the policy file, either local (within the workspace) or in that repository
    policy-path: policies/default.yml
    # The branch of the policy repository you want to target
    policy-branch: main

PaC Configuration file

The Policy as Code configuration file is simple yet powerful: it lets you define four types of rule for each technology you want to check.

# This is the technology you want to write a rule for
licensing:
  # The four main rule types cover everything you need for compliance checks

  # Warnings will always occur if the rule applies and continues executing to 
  #  other rules.
  warnings:
    ids:
      - Other
      - NA
  # Ignores are run next so if an ignored rule is hit that matches the level, 
  #  it will be skipped
  ignores:
    ids:
      - MIT License
  # Conditions will only trigger and raise an error when an exact match is hit
  conditions:
    ids:
      - GPL-2.0
    names:
      - tunnel-agent

  # The simplest and ultimate rule which checks the severity of the alert and
  #  reports an issue if the level matches or higher (see PaC Levels for more info)
  level: error

PaC Levels

Severities are ordered as in the list below; in addition, all and none are accepted and mean what they say. When you select a level, for example error, every higher severity (critical and high in this example) is included as well.

- critical
- high
- error
- medium
- moderate
- low
- warning
- notes

PaC Rule Blocks

For each rule you can use either or both of the two matching criteria: ids and names.

You can also use imports to side-load data from other files and supplement the data already in the rule block.

codescanning:
  conditions:
    # When the `id` of the technology/tool alert matches any one of the IDs in
    #  the list specified, the rule is triggered and the alert is reported.
    ids:
      # In this example, the CodeQL rule ID below will always be reported if
      #  present, even if the severity is low or even note.
      - js/sql-injection

      # Side note: check what each tool considers an id versus a name. For
      #  example `licensing` treats the license name itself as the id and the
      #  name of the package/library as the "name".

    # `names` allows you to specify the names of alerts or packages.
    names:
      - "Missing rate limiting"

    # `imports` allows you to supplement your existing data with a list
    #  read from a file on the system.
    imports:
      ids: "path/to/ids/supplement/file.txt"
      names: "path/to/names/supplement/file.txt"

Wildcards

Both matching criteria accept wildcards, so one pattern can cover many alerts. Matching uses the fnmatch module, which implements Unix shell-style wildcards; * matches any run of characters.

codescanning:
  conditions:
    ids:
      - '*/sql-injection'
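The interplay of the four rule types, the level threshold and fnmatch wildcards, as an added Python model that is not the ghascompliance project's own code. The policy shape follows the YAML above; the documented order (warnings, then ignores, then conditions, then level) is assumed to be the tool's actual precedence.

```python
from fnmatch import fnmatch

# Severity order from the "PaC Levels" section, highest first.
LEVELS = ["critical", "high", "error", "medium", "moderate", "low", "warning", "notes"]


def severities_for(level):
    """Severities covered by a `level:` setting.

    `all` covers everything, `none` covers nothing, and a named level covers
    itself plus every higher level (e.g. `error` -> critical, high, error).
    """
    if level == "all":
        return set(LEVELS)
    if level == "none":
        return set()
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level}")
    return set(LEVELS[: LEVELS.index(level) + 1])


def _matches(criteria, alert):
    """True if the alert's id or name matches any pattern of a rule block.

    Patterns are Unix shell-style wildcards (fnmatch), so '*/sql-injection'
    covers js/sql-injection, py/sql-injection and so on.
    """
    if not criteria:
        return False
    ids = criteria.get("ids") or []
    names = criteria.get("names") or []
    return any(fnmatch(alert["id"], p) for p in ids) or any(
        fnmatch(alert["name"], p) for p in names
    )


def evaluate(block, alert):
    """Apply one technology block to one alert.

    Returns (status, warned): a warning match is recorded but evaluation
    continues (assumed: it never changes the outcome); an ignore match skips
    the alert; a condition match is a violation whatever the severity;
    otherwise the `level` threshold decides.
    """
    warned = _matches(block.get("warnings"), alert)
    if _matches(block.get("ignores"), alert):
        return "ignored", warned
    if _matches(block.get("conditions"), alert):
        return "violation", warned
    if alert["severity"] in severities_for(block.get("level", "none")):
        return "violation", warned
    return "pass", warned


# Constructed policy block mirroring the codescanning examples above.
CODESCANNING = {
    "warnings": {"ids": ["js/*log-injection"]},
    "ignores": {"names": ["Missing rate limiting"]},
    "conditions": {"ids": ["*/sql-injection"]},
    "level": "error",
}
```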

Time to Remediate

This feature lets you define how long a security alert/vulnerability of a given severity may stay open before it triggers a violation in the Action.

By default, if this section is not defined anywhere in the policy, no time-based checks are done, so existing policy files behave exactly as before.

general:
  # All other blocks inherit this remediate section unless they define
  #  their own.
  remediate:
    # Only alerts of severity `error` and above get 7 days to remediate under
    #  this policy. Before that deadline nothing happens; once the remediation
    #  time frame has passed, the alert is raised as a violation.
    error: 7

codescanning:
  # the `codescanning` block will inherit the `general` block
  # ...

dependabot:
  remediate:
    # high and critical security issues
    high: 7
    # moderate security issues
    moderate: 30
    # all other security issues
    all: 90

secretscanning:
  remediate:
    # All secrets by default are set to 'critical' severity so only `critical` 
    #  or `all` will work
    critical: 7

Time to Remediate Examples
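The remediate inheritance and severity matching just described, as an added Python model rather than the project's own code. The policy dict mirrors the YAML above; it is assumed that an alert becomes a violation once it has been open for more days than its window, and that the most specific matching key wins when several apply.

```python
from datetime import datetime

# Severity order from the "PaC Levels" section, highest first.
LEVELS = ["critical", "high", "error", "medium", "moderate", "low", "warning", "notes"]

# Constructed policy mirroring the YAML above.
POLICY = {
    "general": {"remediate": {"error": 7}},
    "codescanning": {},  # no remediate section: inherits general
    "dependabot": {"remediate": {"high": 7, "moderate": 30, "all": 90}},
    "secretscanning": {"remediate": {"critical": 7}},
}


def _covers(key, severity):
    """A remediate key applies to its own severity and every higher one."""
    return key == "all" or severity in LEVELS[: LEVELS.index(key) + 1]


def remediation_days(policy, technology, severity):
    """Days the policy gives an alert of this severity, or None for no check.

    A block without its own `remediate` section inherits `general.remediate`.
    When several keys cover the severity (for dependabot, `high`, `moderate`
    and `all` all cover `critical`) the most specific one wins, which is how
    the README example arrives at 7 / 30 / 90 days.
    """
    block = policy.get(technology) or {}
    remediate = block.get("remediate") or (policy.get("general") or {}).get("remediate")
    if not remediate:
        return None
    matching = [k for k in remediate if _covers(k, severity)]
    if not matching:
        return None
    # Lower index in LEVELS = higher severity = more specific; `all` ranks last.
    best = min(matching, key=lambda k: len(LEVELS) if k == "all" else LEVELS.index(k))
    return remediate[best]


def is_overdue(policy, technology, severity, opened_at, now):
    """True once an alert has been open longer than its remediation window.

    `opened_at` and `now` are ISO 8601 timestamps such as the GitHub API returns.
    """
    days = remediation_days(policy, technology, severity)
    if days is None:
        return False
    elapsed = datetime.fromisoformat(now) - datetime.fromisoformat(opened_at)
    return elapsed.days > days
```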

Data Importing

Some things to consider when using imports:

  • Imports append to existing lists; they do not replace a previously generated list.
  • Imports are relative to:
    • Working Directory
    • GitHub Action / CLI directory
    • Cloned Repository Directory
  • Imports are only allowed from a small set of predefined paths, to prevent arbitrary files on the system from being loaded (i.e. path traversal).
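An added illustration, not the project's code, of the confinement the last bullet describes: import paths are resolved only under the allowed base directories and anything that resolves outside them is refused, while imported entries are appended to the existing list. The one-entry-per-line file format, the `apply_imports` helper and the temporary workspace are assumptions.

```python
import tempfile
from pathlib import Path


def resolve_import(relative, bases):
    """Resolve an `imports:` path under one of the allowed base directories.

    Absolute paths are refused, and a relative path that resolves outside
    every base (for example one containing `..`) is refused too, which is
    what stops an import from reading arbitrary files on the runner.
    """
    if Path(relative).is_absolute():
        raise PermissionError(f"absolute import path not allowed: {relative}")
    for base in bases:
        base = Path(base).resolve()
        candidate = (base / relative).resolve()
        try:
            candidate.relative_to(base)  # ValueError when outside the base
        except ValueError:
            continue
        if candidate.is_file():
            return candidate
    raise FileNotFoundError(f"no allowed base contains: {relative}")


def load_list(path):
    """One id or name per line; blank lines and `#` comments are skipped."""
    lines = Path(path).read_text(encoding="utf-8").splitlines()
    return [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]


def apply_imports(rule, bases):
    """Append imported `ids`/`names` to the lists already in the rule block."""
    imports = rule.get("imports") or {}
    for key in ("ids", "names"):
        if key in imports:
            rule[key] = list(rule.get(key) or []) + load_list(resolve_import(imports[key], bases))
    return rule


def demo():
    """Constructed workspace: a valid supplement file and an escaping path."""
    with tempfile.TemporaryDirectory() as workdir:
        supplement = Path(workdir) / "policies" / "ids.txt"
        supplement.parent.mkdir()
        supplement.write_text("# extra CodeQL ids\njs/xss\njs/path-injection\n")
        rule = {"ids": ["js/sql-injection"], "imports": {"ids": "policies/ids.txt"}}
        merged = apply_imports(rule, [workdir])["ids"]
        try:
            resolve_import("../outside/ids.txt", [workdir])
            rejected = False
        except FileNotFoundError:
            rejected = True
        return merged, rejected
```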

Licensing Notice

MIT License

Copyright (c) 2021 Mathew Payne

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

Comments
  • allow list

    Description

    I am trying to define an allow list of licenses but using * under conditions isn't giving the desired result.

    Propose Solution

    if I do the below the ignores are not actually ignoring anything as I am still

    licensing:
      # The four main rules types to do everything you need to do for all things
      #  compliance
    
      # Warnings will always occur if the rule applies and continues executing to
      #  other rules.
      warnings:
        ids:
          - other
          - na
    
      # Ignores are run next so if an ignored rule is hit that matches the level,
      #  it will be skipped
      ignores:
        ids:
          - apache license 2.0
          - bsd 3-clause "new" or "revised" license
          - mit license
    
      # Conditions will only trigger and raise an error when an exact match is hit
      conditions:
        # note using 'names' here instead of `ids` has the same result
        ids:
          - "*"
    
    enhancement 
    opened by lsmith77 4
  • Unknown Exception was hit, Error: Query failed to run

    Describe the bug

    Running this action on our workflow we get an error we can't understand.

    To Reproduce

    Steps to reproduce the behavior:

    1. Add action "build-and-test.yaml" to workflow
    2. With the following code: " advancesecurityComplience: runs-on: ubuntu-latest name: Advanced Security Complience steps:
    3. See error

    Dependabot Results Error: {"data": {"repository": {"vulnerabilityAlerts": null}}, "errors": [{"type": "FORBIDDEN", "path": ["repository", "vulnerabilityAlerts"], "extensions": {"saml_failure": false}, "locations": [{"line": 3, "column": 9}], "message": "Resource not accessible by integration"}]} Error: Unknown Exception was hit, please repo this to https://github.com/GeekMasher/advanced-security-Compliance Error: Query failed to run

    Expected behavior

    Dependabot to block the PR if it finds a critical or high risk vulnerability.

    bug 
    opened by hmarnd 4
  • Add GitHub App API token authentication to clone custom policy inside a private repository

    As stated in issue #50, the custom policy clone using GitHub App API token is not possible as the x-access-token username needs to be set in the https clone link.

    I've added an optional argument --is-github-app-token to specify if the authentication token is a GitHub App API token, and set the x-access-token username needed to clone the policy.

    I've also added the branch argument to the Policy() call, as it was actually never used.

    opened by 4bg0P 4
  • Dependabot scan fails with the default policy

    Describe the bug

    The Dependabot scan fails with the default policy. The repository does not have any open dependabot alerts, is that why?

    To Reproduce

    Steps to reproduce the behavior:

    1. Run the default action configuration
    jobs:
      compliance:
        name: Compliance
        runs-on: ubuntu-latest
        steps:
        - name: Advanced Security Compliance Action
          uses: GeekMasher/[email protected]
    

    Expected behavior

    Dependabot violations should be 0.

    Screenshots

    If applicable, add screenshots to help explain your problem.

    Additional context

    The compliance job is run as a reusable workflow from another repository.

    opened by leostolyarov 4
  • `policy-branch` argument does not work as expected

    Describe the bug

    Action parameter policy-branch is not working as intended. No matter what value is set, it seems to be always using the default branch.

    To Reproduce

    Setup action with the following params:

    security-compliance:
        runs-on: ubuntu-latest
        needs:
          - codeql
        steps:
          - name: Advance Security Compliance Action
            uses: GeekMasher/[email protected]
            with:
              token: ${{ secrets.GITHUB_PERSONAL_TOKEN }}
              policy: myTestRepo/github-actions
              policy-path: security/policies/default.yml
              policy-branch: security
    

    Expected behavior

    Action should checkout the branch defined in policy-branch

    Screenshots

    Desktop (please complete the following information): N/A

    Smartphone (please complete the following information): N/A

    Additional context none

    opened by jlouros 4
  • GHAS Compliance Action Default Branch Limitation

    Description

    Limitation identified using Code Scanning and Secret Scanning checks: they are only supported on the default branch. We had hoped these checks could be performed on branch pushes and PRs to catch alerts before they are propagated to the default branch, but that functionality does not seem to be supported.

    Propose Solution

    Working with this action we like what we see. We are very interested in this concept and the ability to push security checks farther left in the development process. Proposed solution is to modify this action to work on any branch, not just the default branch, so checks catch alerts on branch pushes and PRs before they are propagated to the default branch.

    enhancement 
    opened by HaleenUptain 3
  • GitHub Enterprise seems to not support ...

    Describe the bug

    We have updated to the v1.6.3.
    This newer version gives the following error "message": "Field 'dependencyGraphManifests' doesn't exist on type 'Repository'"

    We used the following command line options to disable licensing ( --disable-dependency-licensing --disable-dependencies) and got the same error.

    We grabbed the GraphQL GRAPHQL_DEPENDENCY_INFO from dependency.py and got the same error calling the GraphQL API directly.

    We compared the GitHub Cloud API (https://docs.github.com/en/graphql/overview/schema-previews) with the GitHub Enterprise API (https://docs.github.com/en/[email protected]/graphql/overview/schema-previews).

    GitHub Cloud API has a section called 'Access to a repositories dependency graph preview'. GitHub Enterprise API does NOT have this section.

    Are we correct in assuming this functionality has not been released for GitHub Enterprise yet?

    Is this functionality required for dependabot policy functionality? If it is, which GitHub Enterprise version will support 'Access to a repositories dependency graph preview'?

    To Reproduce

    Steps to reproduce the behavior:

    1. Run action with dependabot enabled on GitHub Enterprise @3.6.2

    Expected behavior

    Dependabot policy functionality works as it already does on GitHub Cloud

    bug 
    opened by midwestKC-coder 3
  • Documentation - Using GitHub App with Action

    Description

    We need some introductory docs on how to set up and use this Action using a GitHub App.

    Related:

    • #50
    • #51

    +cc @4bg0P

    Propose Solution

    documentation 
    opened by GeekMasher 3
  • License Scanning and Policy : manage unknown license with local file

    Dependabot sometimes fails to get the license information as it is not well documented in a repository for example:

    • https://github.com/pugjs/pug
    • https://github.com/jrburke/amdefine

    The idea would be to:

    • each time we do a test and the licence is unknown:
      • log an issue/contribution in the source repository to allow Dependabot to recognize the license
      • add an entry in this Action project that will be the list of project/url without license
      • use the information in the policy management with clear information about the fact that it is coming from local scan
    enhancement 
    opened by tgrall 3
  • Change "conditions" for a more meaningful name

    Description

    As a noob I find confusing the term "conditions" because I don't know if it is a condition to fail or to pass.

    Propose Solution

    Instead of "ignore" and "conditions", can we find something that clearly states what will happen like allow/disallow or similar? I understand this will cause a compatibility issue with existing license policies, but you could warn that there will be a breaking change during a time window to allow everyone to change it.

    @romanoroth, @Padi-owasp

    enhancement 
    opened by jmservera 2
  • Dependabot not supporting GitHub Enterprise

    Describe the bug

    The change to support GitHub enterprise missed changing dependabot.py. It is still using direct GitHub cloud reference: instance = "https://api.github.com/graphql"

    To Reproduce

    Steps to reproduce the behavior:

    1. Code inspection dependabot.py Line 80 - instance = "https://api.github.com/graphql"

    Expected behavior

    Dependabot should use the GitHub enterprise URL and not the GitHub Cloud URL

    This change was missed with the merge (https://github.com/GeekMasher/advanced-security-compliance/pull/31) that added support for GitHub Enterprise.

    bug 
    opened by midwestKC-coder 2
  • Deprecation Notice

    This repository has been moved to a new policy-as-code repository.

    Please migrate all workflows to using the new repository as this repository is no longer receiving updates.

    opened by GeekMasher 0

Releases (v1.7.0)
Owner
Mathew Payne
Security guy with developer tendencies