devsecblueprint
diff --git a/‎.github/.DS_Store‎
6 KB b/‎.github/.DS_Store‎
6 KB
diff --git a/‎.github/dependabot.yml‎
Lines changed: 9 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.github/workflows/build-image.yml‎
Lines changed: 19 additions & 0 deletions b/‎.github/workflows/build-image.yml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.github/workflows/lint-format.yml‎
Lines changed: 51 additions & 0 deletions b/‎.github/workflows/lint-format.yml‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎.github/workflows/main.yml‎
Lines changed: 29 additions & 0 deletions b/‎.github/workflows/main.yml‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎.github/workflows/pr.yml‎
Lines changed: 25 additions & 0 deletions b/‎.github/workflows/pr.yml‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎.github/workflows/push-docker-image.yml‎
Lines changed: 58 additions & 0 deletions b/‎.github/workflows/push-docker-image.yml‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎.github/workflows/push-image.yml‎
Lines changed: 29 additions & 0 deletions b/‎.github/workflows/push-image.yml‎
Lines changed: 29 additions & 0 deletions
diff --git a/‎.github/workflows/unit-sec-test.yml‎
Lines changed: 78 additions & 0 deletions b/‎.github/workflows/unit-sec-test.yml‎
Lines changed: 78 additions & 0 deletions
@@ -0,0 +1,9 @@
+# Set update schedule for GitHub Actions
+version: 2
+updates:
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "daily"
@@ -0,0 +1,19 @@
+name: Build Docker Image
+on:
+  workflow_call:
+
+
+jobs: 
+     # Build Docker Image  
+  build:
+    name: Build Docker Image
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Build Docker Image
+      run: |
+        docker build -t python-fastapi:${{ github.sha }} . 
+        
@@ -0,0 +1,51 @@
+name: Linting and Formatting Checks
+on:
+  workflow_call:
+
+jobs:
+  # Run Pylint
+  pylint:
+    name: Run pylint checks
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.12.6"]
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: "Setup Python ${{ matrix.python-version}}"
+        uses: actions/setup-python@v5
+        with:
+          python-version: "${{ matrix.python-version}}"
+
+      - name: Install dependencies
+        run: |
+          pip install -r requirements.txt
+          python -m pip install --upgrade pip
+
+      - name: Run pylint
+        run: pylint .
+
+    # Run Black
+  black:
+    name: Run black formatting checks
+    runs-on: ubuntu-latest
+    needs: pylint
+    strategy:
+      matrix:
+        python-version: ["3.12.6"]
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: "Setup Python ${{ matrix.python-version}}"
+        uses: actions/setup-python@v5
+        with:
+          python-version: "${{ matrix.python-version}}"
+
+      - name: Install dependencies
+        run: |
+          pip install -r requirements.txt
+          python -m pip install --upgrade pip
+
+      - name: Run black
+        run: black --check .
@@ -0,0 +1,29 @@
+name: Main Workflow
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+  id-token: write
+  packages: write
+
+jobs:
+  build-image:
+    uses: ./.github/workflows/build-image.yml
+
+  lint-format:
+    uses: ./.github/workflows/lint-format.yml
+    needs: build-image
+
+  unit-sec-scan:
+    uses: ./.github/workflows/unit-sec-test.yml
+    needs: lint-format
+
+  push-docker-image:
+    uses: ./.github/workflows/push-docker-image.yml
+    needs: unit-sec-scan
@@ -0,0 +1,25 @@
+name: PR Workflow
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs: 
+    build-image:
+        uses: ./.github/workflows/build-image.yml
+
+    lint-format:
+        uses: ./.github/workflows/lint-format.yml
+        needs: build-image
+    
+    unit-sec-scan:
+        uses: ./.github/workflows/unit-sec-test.yml
+        needs: lint-format
@@ -0,0 +1,58 @@
+name: Push Docker Image
+
+
+on:
+    workflow_call:
+
+env:
+  # Use docker.io for Docker Hub if empty
+  REGISTRY: ghcr.io
+  IMAGE_NAME: 'python-fastapi'
+
+
+jobs:
+  Push_Image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Set up Docker Buildx
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 
+
+       # Extract metadata (tags, labels) for Docker
+      - name: Extract metadata for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+         images: ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}
+
+      # Login against a Docker registry 
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+
+      # Build and tag Docker Image    
+      - name: Build Docker Image
+        run: |
+         docker build -t ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ github.sha }} .
+        
+      - name: Tag Docker Image
+        run: |
+          docker tag ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:latest
+          docker tag ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ github.sha }} ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:testing
+
+
+      # Push the Docker image to the registry
+      - name: Push Docker Image to GHCR
+        run: |
+          docker push ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ github.sha }}
+          docker push ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:latest
+          docker push ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:testing
@@ -0,0 +1,29 @@
+name: Push Contianer to Docker Hub
+on: 
+    workflow_call:
+
+
+jobs:
+
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+     -
+      name: login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}      
+     -  
+      name: Set up QEMU
+      uses: docker/setup-buildx-action@v3
+     -
+      name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+     -   
+      name: Build and Push
+      uses: docker/build-push-action@v6
+      with:
+        push: true
+        tags: user/app:latest
+
@@ -0,0 +1,78 @@
+name: Unit and Security Scanning
+on:
+  workflow_call:
+
+jobs: 
+    # Run unit test cases for the Docker image
+  unit_test:
+    name: Run unit test
+    runs-on: ubuntu-latest
+    needs: ['trivy_scans', 'owasp_zap_scan']  # Ensure this job runs after the security scans
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    
+    - name: Install dependencies
+      run: |
+        pip install -r requirements.txt
+    
+    - name: Run tests
+      run: pytest tests/
+  
+  # Scan the contianer and lists all security vulnerabilities
+  trivy_scans:
+    name: Run Trivy security scanner against the image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Build Docker Image
+        run: |
+          docker build -t python-fastapi:${{ github.sha }} .   ###- This section needed to be added becasue the image was not persisting between jobs--##
+
+      - name: Run Trivy Vulnerability Scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: 'python-fastapi:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  owasp_zap_scan:
+        runs-on: ubuntu-latest
+        name: app scan
+        steps:
+          - name: Checkout
+            uses: actions/checkout@v4
+          
+          # Build and Tag Image
+          # Run Docker Image in detached mode
+          - name: Build Docker Image
+            run: |
+              docker build -t python-fastapi:${{ github.sha }} .
+              docker run -d -p 8080:8080 python-fastapi:${{ github.sha }}
+              
+          - name: Wait for Docker container to be ready
+            run: sleep 30
+
+          - name: Confirm Docker container is running
+            run: docker ps
+
+          # Run OWASP ZAP scan
+          - name: zap scan
+            uses: zaproxy/[email protected]
+            with:
+             token: ${{ secrets.GITHUB_TOKEN }}
+             docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+             format: openapi
+             target: 'http://0.0.0.0:8080'
+             rules_file_name: '.zap/rules.tsv'
+             cmd_options: '-a'
+             allow_issue_writing: false