Merge branch 'master' into AST-124908-FP-Security_groups_not_used-Terraform/aws

Author: cx-artur-ribeiro

.github/workflows/cesar.yaml

@@ -0,0 +1,83 @@
+name: CESARt
+on:
+  pull_request:
+    types: [ labeled ]
+
+env:
+  ENGINE_VERSION: ${{ vars.CES_ENGINE_VERSION }}
+  PLATFORM: "LINUX_X64"
+  ENGINE: "kics"
+  REMOVE_HISTORY: "true"
+
+jobs:
+  build:
+    if: (github.event.label.name == 'cesar' && github.event.pull_request.mergeable == true)
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: refs/pull/${{ github.event.pull_request.number }}/merge
+          path: kics
+
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version-file: kics/go.mod
+          cache-dependency-path: kics/go.sum
+          cache: true
+
+      - name: Build kics Binary
+        env:
+          CGO_ENABLED: 0
+          GOOS: linux
+          GOARCH: amd64
+        run: |
+          cd $GITHUB_WORKSPACE/kics
+          go build -installsuffix cgo -ldflags "-s -w" -a -o ./bin/kics ./cmd/console/main.go
+          chmod +x ./bin/kics
+
+      - name: Create Metadata File
+        run: |
+          COMMIT_TIMESTAMP=$(git -C "$GITHUB_WORKSPACE/kics" log -1 --format=%ct)
+          METADATA_PATH="$GITHUB_WORKSPACE/pr-metadata.json"
+          CURR_TIMESTAMP=$(date +%s)
+          echo '{
+            "seq": "'"${CURR_TIMESTAMP}"'",
+            "tag": "'"${{ github.event.number }}"'",
+            "comment": "'"${{ github.event.pull_request.title }}"'",
+            "commit": "'"${{ github.event.pull_request.head.sha }}"'",
+            "owner": "'"${{ github.actor }}"'",
+            "branch": "'"${{ github.head_ref }}"'",
+            "engine": "'"${ENGINE}"'",
+            "platform": "'"${PLATFORM}"'",
+            "version": "'"${ENGINE_VERSION}"'",
+            "forkSeq": "'"${CURR_TIMESTAMP}"'",
+            "forkBranch": "'"${{ github.base_ref }}"'",
+            "removeHistory" : "'"${REMOVE_HISTORY}"'"
+          }' > "$METADATA_PATH"
+
+      - name: Zip kics Folder
+        run: |
+          cd $GITHUB_WORKSPACE
+          zip -qr kics.zip kics/
+
+      - name: Save kics
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: kics
+          path: ${{ github.workspace }}/kics.zip
+          retention-days: 1
+
+      - name: Pr parameters
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: Metadata
+          path: ${{ github.workspace }}/pr-metadata.json
+          retention-days: 1
+
+  ci-projects:
+    needs: build
+    uses: ./.github/workflows/run-projects.yaml
+    with:
+      machines-count: 10
+    secrets: inherit

.github/workflows/ci-projects.yaml

@@ -0,0 +1,80 @@
+name: CI Projects
+on:
+  pull_request:
+    types: [closed]
+    branches:
+      - master
+
+env:
+  ENGINE_VERSION: ${{ vars.CES_ENGINE_VERSION }}
+  PLATFORM: "LINUX_X64"
+  ENGINE: "kics"
+
+jobs:
+  build:
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event.pull_request.merge_commit_sha }}
+          path: kics
+
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version-file: kics/go.mod
+          cache-dependency-path: kics/go.sum
+          cache: true
+
+      - name: Build kics Binary
+        env:
+          CGO_ENABLED: 0
+          GOOS: linux
+          GOARCH: amd64
+        run: |
+          cd $GITHUB_WORKSPACE/kics
+          go build -installsuffix cgo -ldflags "-s -w" -a -o ./bin/kics ./cmd/console/main.go
+          chmod +x ./bin/kics
+
+      - name: Create Metadata File
+        run: |
+          COMMIT_TIMESTAMP=$(git -C "$GITHUB_WORKSPACE/kics" log -1 --format=%ct)
+          METADATA_PATH="$GITHUB_WORKSPACE/pr-metadata.json"
+          echo '{
+            "seq": "'"${COMMIT_TIMESTAMP}"'",
+            "tag": "'"${{ github.event.number }}"'",
+            "comment": "'"${{ github.event.pull_request.title }}"'",
+            "commit": "'"${{ github.sha }}"'",
+            "owner": "'"${{ github.actor }}"'",
+            "branch": "'"${{ github.base_ref }}"'",
+            "engine": "'"${ENGINE}"'",
+            "platform": "'"${PLATFORM}"'",
+            "version": "'"${ENGINE_VERSION}"'"
+          }' > "$METADATA_PATH"
+
+      - name: Zip kics Folder
+        run: |
+          cd $GITHUB_WORKSPACE
+          zip -qr kics.zip kics/
+
+      - name: Save kics
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: kics
+          path: ${{ github.workspace }}/kics.zip
+          retention-days: 1
+
+      - name: Pr parameters
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: Metadata
+          path: ${{ github.workspace }}/pr-metadata.json
+          retention-days: 1
+
+  ci-projects:
+    needs: build
+    uses: ./.github/workflows/run-projects.yaml
+    with:
+      machines-count: 10
+    secrets: inherit

.github/workflows/kics-gh-action.yaml

@@ -11,7 +11,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run KICS Scan
-        uses: checkmarx/kics-github-action@e01759d524f8abd5bd650d3d5bd4b96d46ebbc1d # v2.1.17
+        uses: checkmarx/kics-github-action@63fca4ca72e56edbb5a599ee756e6af1fdb1e785 # v2.1.18
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           path: "./Dockerfile"

.github/workflows/run-projects.yaml

@@ -0,0 +1,123 @@
+name: Run CI Projects
+
+on:
+  workflow_call:
+    inputs:
+      machines-count:
+        description: 'Total number of machines'
+        required: true
+        type: number
+
+env:
+  ENGINE: "kics"
+  CES_ENVIRONMENT: "prod"
+
+jobs:
+  setup:
+    runs-on: ubuntu-latest
+    outputs:
+      machines: ${{ steps.set-machines.outputs.machines }}
+    steps:
+      - name: Generate Machine Matrix
+        id: set-machines
+        run: |
+          machines=$(seq -s, 0 $((${{ inputs.machines-count }} - 1)))
+          echo "machines=[$machines]" >> "$GITHUB_OUTPUT"
+
+  run-projects:
+    needs: setup
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.CES_BUCKET_AWS_ACCESS_KEY }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.CES_BUCKET_AWS_SECRET_ACCESS_KEY }}
+      AWS_REGION: ${{ secrets.CES_BUCKET_AWS_REGION }}
+
+    strategy:
+      fail-fast: false
+      max-parallel: 10
+      matrix:
+        machine: ${{ fromJSON(needs.setup.outputs.machines) }}
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          repository: ${{ secrets.CES_EXECUTOR_REPO }}
+          token: ${{ secrets.CX_CEBOT_GITHUB_TOKEN_CHECKMARX }}
+          path: cli
+          ref: master
+
+      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        with:
+          go-version-file: cli/go.mod
+          cache: false
+
+      - name: Download kics
+        uses: actions/[email protected]
+        with:
+          name: kics
+          path: .
+
+      - name: Unzip kics
+        run: |
+          unzip -q kics.zip
+
+      - name: Download Json
+        uses: actions/[email protected]
+        with:
+          name: Metadata
+          path: .
+
+      - name: Build Engines Executor
+        run: |
+          cd cli
+          go build -o executor
+
+      - name: Set log file
+        run: |
+          LOG_FILE="$GITHUB_WORKSPACE/log_${{ matrix.machine }}.log"
+          echo "LOG_FILE=$LOG_FILE" >> $GITHUB_ENV
+
+      - name: Select Projects
+        run: |
+          mkdir -p "$GITHUB_WORKSPACE/zips/"
+          cd cli
+          ./executor sources \
+          -s $GITHUB_WORKSPACE/zips/ \
+          -e $ENGINE \
+          --chunk ${{ matrix.machine }} \
+          --machines ${{ inputs.machines-count }} \
+          >> "$LOG_FILE" 2>&1
+
+      - name: Prepare Projects
+        run: |
+          cd "$GITHUB_WORKSPACE/zips/"
+          for zip in *.zip; do
+            [ -e "$zip" ] || continue
+            zip_name=$(basename "$zip" .zip)
+            echo "::add-mask::$zip_name"
+            unzip -qqo "$zip" -d "./$zip_name" >> "$LOG_FILE" 2>&1
+          done
+
+      - name: Run Engines Executor
+        run: |
+          mkdir -p $GITHUB_WORKSPACE/results
+          ./cli/executor run kics \
+          -b $GITHUB_WORKSPACE/kics/bin/kics \
+          -s $GITHUB_WORKSPACE/zips/ \
+          -r $GITHUB_WORKSPACE/results \
+          -j $GITHUB_WORKSPACE/pr-metadata.json \
+          -q $GITHUB_WORKSPACE/kics/assets/queries/ \
+          --libraries $GITHUB_WORKSPACE/kics/assets/libraries/ \
+          --assets $GITHUB_WORKSPACE/kics/assets/similarityID_transition/ \
+          --env $CES_ENVIRONMENT \
+          >> $LOG_FILE 2>&1
+
+      - name: Upload log
+        if: failure()
+        run: |
+          ./cli/executor save-log \
+          -e $ENGINE \
+          -j $GITHUB_WORKSPACE/pr-metadata.json \
+          -l $LOG_FILE \
+          --env $CES_ENVIRONMENT \
+          > /dev/null 2>&1

.github/workflows/sec-checks.yaml

@@ -87,7 +87,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Run Grype vulnerability scanner in repo mode
         id: grype-fs-scan
-        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+        uses: anchore/scan-action@3c9a191a0fbab285ca6b8530b5de5a642cba332f # 7.2.2
         with:
           path: "."
           only-fixed: true
@@ -125,7 +125,7 @@ jobs:
           cache-to: type=local,dest=/tmp/.buildx-cache
       - name: Scan image
         id: grype-image-scan
-        uses: anchore/scan-action@16910ac423301c6d30554b83a7f71ac6ff4a51f3 # v6.4.0
+        uses: anchore/scan-action@3c9a191a0fbab285ca6b8530b5de5a642cba332f # 7.2.2
         with:
           image: kics:sec-tests-${{ github.sha }}
           only-fixed: true
@@ -192,4 +192,4 @@ jobs:
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: binary-dependencies
-          path: ./binary_dependencies.txt
+          path: ./binary_dependencies.txt