diff --git a/.github/workflows/Setup.yaml b/.github/workflows/Setup.yaml
new file mode 100644
index 00000000..c95e4798
--- /dev/null
+++ b/.github/workflows/Setup.yaml
@@ -0,0 +1,30 @@
+ - name: Setup Node.js environment
+ uses: actions/setup-node@v6.0.0
+ with:
+ # Set always-auth in npmrc.
+ always-auth: # optional, default is false
+ # Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0.
+ node-version: # optional
+ # File containing the version Spec of the version to use. Examples: package.json, .nvmrc, .node-version, .tool-versions.
+ node-version-file: # optional
+ # Target architecture for Node to use. Examples: x86, x64. Will use system architecture by default.
+ architecture: # optional
+ # Set this option if you want the action to check for the latest available version that satisfies the version spec.
+ check-latest: # optional
+ # Optional registry to set up for auth. Will set the registry in a project level .npmrc and .yarnrc file, and set up auth to read in from env.NODE_AUTH_TOKEN.
+ registry-url: # optional
+ # Optional scope for authenticating against scoped registries. Will fall back to the repository owner when using the GitHub Packages registry (https://npm.pkg.github.com/).
+ scope: # optional
+ # Used to pull node distributions from node-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting.
+ token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }}
+ # Used to specify a package manager for caching in the default directory. Supported values: npm, yarn, pnpm.
+ cache: # optional
+ # Set to false to disable automatic caching. By default, caching is enabled when either devEngines.packageManager or the top-level packageManager field in package.json specifies npm as the package manager.
+ package-manager-cache: # optional, default is true
+ # Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. Supports wildcards or a list of file names for caching multiple dependencies.
+ cache-dependency-path: # optional
+ # Used to specify an alternative mirror to downlooad Node.js binaries from
+ mirror: # optional
+ # The token used as Authorization header when fetching from the mirror
+ mirror-token: # optional
+
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7f769ca1..a349f6c9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,44 +1,12 @@
-name: CI
-
-on:
- - push
- - pull_request
+name: Test site for publicly known js vulnerabilities
+on: push
 
 jobs:
- build:
- name: Ruby ${{ matrix.version }}
+ security:
 runs-on: ubuntu-latest
- strategy:
- matrix:
- version:
- - 3.0
- - 3.1
- - 3.2
- - 3.3
 steps:
- - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- - name: Set up Ruby ${{ matrix.version }}
- uses: ruby/setup-ruby@829114fc20da43a41d27359103ec7a63020954d4 # v1.255.0
+ - name: Test for public javascript library vulnerabilities
+ uses: lirantal/is-website-vulnerable@main
 with:
- ruby-version: ${{ matrix.version }}
- - name: Install OpenSSL
- run: |
- sudo apt-get update
- sudo apt-get install -y libssl-dev
- - name: Run Bundle Commands
- run: |
- bundle config set --with docs
- bundle config set ignore_messages true
- bundle
- - name: Run RuboCop
- run: |
- bundle exec rubocop
- - name: Run Typecheck
- run: |
- bundle exec srb tc
- - name: Run tests
- run: |
- bundle exec rake test:library
- - name: Run REST wrapper tests
- run: |
- bundle exec rake test:rest_wrappers
+ scan-url: "https://*.*.com"
+
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 00000000..d179055f
--- /dev/null
+++ b/.github/workflows/codeql.yml
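Review bot: Setup.yaml is the action's generated usage snippet rather than a runnable workflow: the hunk begins at a step item (`- name: Setup Node.js environment`) with no `name`, `on` or `jobs` keys, so GitHub will not load the file, and every `with:` input is left as a bare key (`always-auth:`, `node-version:`, `token:` …) that YAML reads as null, which may well suppress the documented defaults instead of falling back to them. The same shape problem applies to main.yml later in this diff. If a Node step is actually wanted, wrap it in a job and keep only the inputs you set, e.g. `node-version-file: .nvmrc`; otherwise drop the file. `uses: actions/setup-node@v6.0.0` is also a mutable tag, whereas the build.yml lines removed in this same diff pinned actions to full commit SHAs with a version comment.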
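Review bot: `scan-url: "https://*.*.com"` is a wildcard, not a URL, so the new job has nothing to load and cannot produce a meaningful result; set the real site address, `scan-url: "https://<SITE_HOSTNAME>"`, or read it from a repository variable. The step also moves from the removed SHA-pinned style (`actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0`) to `lirantal/is-website-vulnerable@main`, a mutable branch ref on a third-party action that can change between runs; pin it to a commit SHA with a `# vX.Y.Z` comment to match the rest of the repository. Rewriting build.yml also removes the RuboCop, typecheck and test jobs; if that is intended the file and job names should say so, otherwise this scan belongs in its own workflow file next to the existing CI.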
@@ -0,0 +1,99 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '33 7 * * 3'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: ruby
+ build-mode: none
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Add any setup steps before running the `github/codeql-action/init` action.
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
+ # or others). This is typically only required for manual builds.
+ # - name: Setup runtime (example)
+ # uses: actions/setup-example@v1
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ # If the analyze step fails for one of the languages you are analyzing with
+ # "We were unable to automatically build your code", modify the matrix above
+ # to set the build mode to "manual" for that language. Then modify this step
+ # to build your code.
+ # ℹ️ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+ - name: Run manual build steps
+ if: matrix.build-mode == 'manual'
+ shell: bash
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \
+ 'languages you are analyzing, replace this with the commands to build' \
+ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/ethicalcheck.yml b/.github/workflows/ethicalcheck.yml
new file mode 100644
index 00000000..6774a197
--- /dev/null
+++ b/.github/workflows/ethicalcheck.yml
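Review bot: `actions/checkout@v4`, `github/codeql-action/init@v4` and `github/codeql-action/analyze@v4` are mutable version tags, while the CI this diff removes from build.yml pinned every action to a full commit SHA with a `# vX.Y.Z` comment; pin these the same way so the scanning toolchain cannot change underneath the repository, and note that `@v4` is an older checkout line than the removed `# v5.0.0` pin. The matrix lists only `ruby`; if the repository itself holds JavaScript, add a `- language: javascript-typescript` entry with `build-mode: none` (the supported values are in the comment above the matrix). `queries:` is left commented out, so only the default suite runs; `queries: security-extended` is worth enabling once the baseline is clean.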
@@ -0,0 +1,69 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# EthicalCheck addresses the critical need to continuously security test APIs in development and in production.
+
+# EthicalCheck provides the industry’s only free & automated API security testing service that uncovers security vulnerabilities using OWASP API list.
+# Developers relies on EthicalCheck to evaluate every update and release, ensuring that no APIs go to production with exploitable vulnerabilities.
+
+# You develop the application and API, we bring complete and continuous security testing to you, accelerating development.
+
+# Know your API and Applications are secure with EthicalCheck – our free & automated API security testing service.
+
+# How EthicalCheck works?
+# EthicalCheck functions in the following simple steps.
+# 1. Security Testing.
+# Provide your OpenAPI specification or start with a public Postman collection URL.
+# EthicalCheck instantly instrospects your API and creates a map of API endpoints for security testing.
+# It then automatically creates hundreds of security tests that are non-intrusive to comprehensively and completely test for authentication, authorizations, and OWASP bugs your API. The tests addresses the OWASP API Security categories including OAuth 2.0, JWT, Rate Limit etc.
+
+# 2. Reporting.
+# EthicalCheck generates security test report that includes all the tested endpoints, coverage graph, exceptions, and vulnerabilities.
+# Vulnerabilities are fully triaged, it contains CVSS score, severity, endpoint information, and OWASP tagging.
+
+
+# This is a starter workflow to help you get started with EthicalCheck Actions
+
+name: EthicalCheck-Workflow
+
+# Controls when the workflow will run
+on:
+ # Triggers the workflow on push or pull request events but only for the "main" branch
+ # Customize trigger events based on your DevSecOps processes.
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '42 12 * * 1'
+
+ # Allows you to run this workflow manually from the Actions tab
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ Trigger_EthicalCheck:
+ permissions:
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: EthicalCheck Free & Automated API Security Testing Service
+ uses: apisec-inc/ethicalcheck-action@005fac321dd843682b1af6b72f30caaf9952c641
+ with:
+ # The OpenAPI Specification URL or Swagger Path or Public Postman collection URL.
+ oas-url: "http://127.0.0.1:8080"
+ # The email address to which the penetration test report will be sent.
+ email: "framton6996@wearehackerone.com"
+ sarif-result-file: "ethicalcheck-results.sarif"
+
+ - name: Upload sarif file to repository
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ./ethicalcheck-results.sarif
+
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 00000000..147d2242
--- /dev/null
+++ b/.github/workflows/main.yml
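Review bot: `oas-url: "http://127.0.0.1:8080"` points at the runner's own loopback address and nothing in this job starts a service there, so the scan has no API to inspect and the SARIF upload step either never runs or uploads an empty result. Give it a reachable OpenAPI or Postman collection URL, ideally from a repository variable such as `oas-url: ${{ vars.<OAS_URL_VARIABLE> }}`, or hold the workflow until one exists. `email: "framton6996@wearehackerone.com"` hard-codes a personal address into a committed workflow that sends the report to a third-party service; move it to a secret or variable. The upload step uses `github/codeql-action/upload-sarif@v3` while codeql.yml in this same diff uses the `@v4` line of the same action; settle on one version and pin it to a commit SHA, as the `apisec-inc/ethicalcheck-action` step already is, adding the `# vX.Y.Z` comment so the pin can be audited.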
@@ -0,0 +1,28 @@
+name: Sauce Security Action
+ # You may pin to the exact commit or the version.
+ # uses: saucelabs/sauce-security-action@5008ddffb96db501fc71486cad3950304a73a2d5
+ uses: saucelabs/sauce-security-action@v0.3.0
+ with:
+ # Sauce Labs user name.
+ username:
+ # Sauce Labs API Key.
+ accessKey:
+ # Url to the application under test.
+ target:
+ # An url to an OpenAPI specification to help scan the full API.
+ openapi: # optional
+ # An url to a graphql schema to help scan the full API.
+ graphql: # optional
+ # Amount of severe vulnerabilities that are allowed to be discovered - if set to `-1` these will be ignored. (Default: 0)
+ allowedSevereVulnerabilties: # optional, default is 0
+ # Amount of medium vulnerabilities that are allowed to be discovered - if set to `-1` these will be ignored. (Default: 0)
+ allowedMediumVulnerabilties: # optional, default is 0
+ # Amount of low vulnerabilities that are allowed to be discovered - if set to `-1` these will be ignored. (Default: 0)
+ allowedLowVulnerabilties: # optional, default is 0
+ # Amount of informational vulnerabilities that are allowed to be discovered - if set to `-1` these will be ignored. (Default: 0)
+ allowedInformationalVulnerabilties: # optional, default is -1
+ # If set to true, this action will download Zap reports for you to attach to the job via actions/upload-artifact
+ downloadReports: # optional
+ # If set to true, this action will download all Sauce Labs job assets for you to attach to the job via actions/upload-artifact
+ downloadJobAssets: # optional
+
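Review bot: `username:`, `accessKey:` and `target:` are the only inputs not marked `# optional`, and all three are left empty; the API key in particular must never be typed into the file, so feed them from repository secrets and variables: `username: ${{ secrets.<SAUCE_USERNAME_SECRET> }}`, `accessKey: ${{ secrets.<SAUCE_ACCESS_KEY_SECRET> }}`, `target: ${{ vars.<TARGET_URL_VARIABLE> }}`. The file has the same shape problem as Setup.yaml earlier in this diff (a `uses:` block directly under `name:` with no `on:` or `jobs:`), so it cannot be loaded as a workflow as written. The generated comment above `allowedInformationalVulnerabilties` says `(Default: 0)` while the input line says `default is -1`; one of them is wrong, and since that threshold decides whether the job fails it is worth confirming against the action before relying on it.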