Re-uploaded workflows as part of the repo

theangrytech-git · web-flow · commit 856ee00b6891 · 2025-03-31T18:23:56.000+01:00
diff --git a/msdo-credscan.yml b/msdo-credscan.yml
@@ -0,0 +1,129 @@
+name: msdo-secret-scanning-credscan 
+
+on:
+  workflow_call:
+    secrets:
+      GH_TOKEN:
+        required: false
+  workflow_dispatch:
+
+jobs:
+  secret-scan:
+    name: MSDO Secret Scan
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository manually
+        run: |
+          git clone https://github.com/${{ github.repository }} .
+          git checkout ${{ github.ref_name }}
+
+      - name: Inject .gdnsettings to support secrets detection in Terraform, Bicep, ARM, Python, and YAML
+        run: |
+          mkdir -p .gdn
+          cat <<EOF > .gdn/.gdnsettings
+          {
+            "version": "1.0",
+            "fileFiltering": {
+              "filePathIncludes": [
+                "**/*.tf",
+                "**/*.tfvars",
+                "**/*.bicep",
+                "**/*.json",
+                "**/*template*.json",
+                "**/*.py",
+                "**/*.yml",
+                "**/*.yaml"
+              ],
+              "fileNameExcludes": [],
+              "filePathExcludes": []
+            },
+            "toolConfigurations": {
+              "credscan": {
+                "enabled": true,
+                "parameters": {
+                  "scanUnknownExtensions": true,
+                  "scanAllFiles": true,
+                  "severity": "low"
+                }
+              }
+            },
+            "break": {
+              "policies": [
+                {
+                  "tool": "credscan",
+                  "minimumSeverity": "low"
+                }
+              ]
+            }
+          }
+          EOF
+
+      - name: Set tool to only run secret scan
+        run: echo "TOOLS=credscan" >> $GITHUB_ENV
+
+      - name: Install .NET 6 SDK (for CredScan)
+        run: |
+          wget https://dot.net/v1/dotnet-install.sh -O dotnet-install.sh
+          chmod +x dotnet-install.sh
+          ./dotnet-install.sh --version 6.0.415 --install-dir "$HOME/dotnet"
+
+          echo "DOTNET_ROOT=$HOME/dotnet" >> $GITHUB_ENV
+          echo "$HOME/dotnet" >> $GITHUB_PATH
+
+      - name: Run Microsoft Security DevOps - Secret Scan
+        uses: theangrytech-git/security-devops-action@main
+        id: msdo
+        with:
+          tools: ${{ env.TOOLS }}
+
+      - name: Upload SARIF to GitHub Code Scanning
+        if: github.repository_visibility == 'public'
+        run: |
+          echo "Compressing and uploading SARIF..."
+          sarif_file="${{ steps.msdo.outputs.sarifFile }}"
+          if [ ! -f "$sarif_file" ]; then
+            echo "SARIF file not found at $sarif_file"
+            exit 0
+          fi
+
+          gzip -c "$sarif_file" | base64 -w 0 > msdo.sarif.base64
+          encoded_sarif=$(cat msdo.sarif.base64)
+
+          curl -s -X POST \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            -H "Content-Type: application/json" \
+            https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
+            -d @- <<EOF
+          {
+          "commit_sha": "${{ github.sha }}",
+          "ref": "${{ github.ref }}",
+          "sarif": "$encoded_sarif",
+          "checkout_uri": "https://github.com/${{ github.repository }}",
+          "tool_name": "MSDO-CredScan"
+          }
+          EOF
+
+      # - name: Alert to Microsoft Teams on secret detection
+      #   if: github.repository_visibility == 'public'
+      #   run: |
+      #     echo "Checking for CredScan findings in SARIF..."
+      #     gzip -cd msdo.sarif.base64 | base64 -d > decoded.sarif || true
+      #     findings=$(jq '.runs[].results | length' decoded.sarif 2>/dev/null || echo 0)
+
+      #     if [ "$findings" -gt 0 ]; then
+      #       echo "\uD83D\uDEA8 Secrets detected: $findings"
+      #       curl -H 'Content-Type: application/json' -d '{
+      #         "title": "\u26A0\uFE0F MSDO CredScan Alert",
+      #         "text": "**Secrets detected in '${{ github.repository }}' on branch '${{ github.ref_name }}'**\nTotal findings: '"$findings"'"
+      #       }' ${{ secrets.TEAMS_WEBHOOK_URL }}
+      #     else
+      #       echo "\u2705 No secrets found."
+      #     fi
diff --git a/msdo-dynamic-scanning.yml b/msdo-dynamic-scanning.yml
@@ -0,0 +1,134 @@
+name: msdo-dynamic-scanning
+
+on:
+  workflow_dispatch:
+  workflow_call:
+    inputs:
+      branch:
+        required: false
+        type: string
+        default: 'main'
+    secrets:
+      GH_TOKEN:
+        required: false
+
+jobs:
+  msdo:
+    name: Microsoft Security DevOps
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
+      security-events: write
+
+    steps:
+      - name: Manually checkout repository (internal-safe)
+        run: |
+          git clone https://github.com/${{ github.repository }} .
+          git checkout ${{ inputs.branch }}
+
+      - name: Set environment variables for tools
+        shell: pwsh
+        run: |
+          $TOOLS = ""
+
+          if ((Get-ChildItem -Recurse -Include *.js, *.jsx, *.ts, *.tsx  | Measure-Object).Count -gt 0) {
+            $TOOLS += "eslint,"
+            echo "ESLint enabled - JS/JSX/TS/TSX files detected."
+          } else {
+            echo "ESLint skipped - No JS/JSX/TS/TSX files found."
+          }
+
+          if ((Get-ChildItem -Recurse -Include *.exe, *.dll | Measure-Object).Count -gt 0) {
+            $TOOLS += "binskim,"
+            echo "BinSkim enabled - EXE/DLL files detected."
+          } else {
+            echo "BinSkim skipped - No EXE/DLL files found."
+          }
+
+          if ((Get-ChildItem -Recurse -Include *.py | Measure-Object).Count -gt 0) {
+            $TOOLS += "bandit,"
+            echo "Bandit enabled - Python files detected."
+          } else {
+            echo "Bandit skipped - No Python files found."
+          }
+
+          if ((Get-ChildItem -Recurse -Include *.tf, *.json, *.yml, *.yaml, *.dockerfile, *.template, *.bicep | Measure-Object).Count -gt 0) {
+            $TOOLS += "checkov,"
+            echo "Checkov enabled - Terraform/JSON/YML/YAML/Dockerfiles/Templates/Bicep files detected."
+          } else {
+            echo "Checkov skipped - No Terraform/JSON/YML/YAML/Dockerfiles/Templates/Bicep files found."
+          }
+
+          if ((Get-ChildItem -Recurse -Include *.json | Select-String 'resources' | Measure-Object).Count -gt 0) {
+            $TOOLS += "templateanalyzer,"
+            echo "Template Analyzer enabled - ARM templates detected."
+          }
+
+          if ((Get-ChildItem -Recurse -Include *.bicep | Measure-Object).Count -gt 0) {
+            $TOOLS += "templateanalyzer,"
+            echo "Template Analyzer enabled - Bicep files detected."
+          }
+
+          if ((Get-ChildItem -Recurse -Include *.tf, *.json, *.yml, *.yaml | Measure-Object).Count -gt 0) {
+            $TOOLS += "terrascan,"
+            echo "Terrascan enabled - Terraform/JSON/YML/YAML files detected."
+          }
+
+          if ((Get-ChildItem -Recurse -Include Dockerfile | Measure-Object).Count -gt 0) {
+            $TOOLS += "trivy,"
+            echo "Trivy enabled - Dockerfiles detected."
+          }
+
+          $TOOLS = $TOOLS.TrimEnd(',')
+
+          if ($TOOLS -eq "") {
+            echo "No applicable tools found. The MSDO scan will be skipped."
+            exit 0
+          }
+
+          echo "TOOLS=$TOOLS" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8
+
+      - name: Run Microsoft Security DevOps
+        uses: theangrytech-git/security-devops-action@main
+        id: msdo
+        with:
+          tools: ${{ env.TOOLS }}
+
+      - name: Check Repository Visibility
+        shell: bash
+        run: |
+          if [ "${{ github.repository_visibility }}" == "private" ]; then
+            echo "This is a private repository. Code Scanning is not available unless GitHub Advanced Security (GHAS) is enabled."
+            exit 0
+          fi
+
+      - name: Upload SARIF to GitHub Code Scanning
+        if: github.repository_visibility == 'public'
+        run: |
+          echo "Compressing and uploading SARIF..."
+          sarif_file="${{ steps.msdo.outputs.sarifFile }}"
+          if [ ! -f "$sarif_file" ]; then
+            echo "SARIF file not found at $sarif_file"
+            exit 0
+          fi
+
+          gzip -c "$sarif_file" | base64 -w 0 > msdo.sarif.base64
+          encoded_sarif=$(cat msdo.sarif.base64)
+
+          curl -s -X POST \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            -H "Content-Type: application/json" \
+            https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
+            -d @- <<EOF
+            {
+          "commit_sha": "${{ github.sha }}",
+          "ref": "${{ github.ref }}",
+          "sarif": "$encoded_sarif",
+          "checkout_uri": "https://github.com/${{ github.repository }}",
+          "tool_name": "MSDO"
+          }
+          EOF
diff --git a/msdo-gitleaks.yml b/msdo-gitleaks.yml
@@ -0,0 +1,78 @@
+name: msdo-secret-scanning-gitleaks
+
+on:
+  workflow_call:
+    inputs:
+      branch:
+        required: false
+        type: string
+        default: 'main'
+    secrets:
+      GH_TOKEN:
+        required: false
+
+jobs:
+  gitleaks-scan:
+    name: Gitleaks Secret Scan
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository manually
+        run: |
+          git clone https://github.com/${{ github.repository }} .
+          git checkout ${{ github.ref_name }}
+
+      - name: Fetch Gitleaks config from MSDO
+      #This section will need to be edited to match wherever the repo will be copied to
+        run: |
+          echo "Fetching .gitleaks.toml from MSDO repo..."
+          curl -sSL https://raw.githubusercontent.com/theangrytech-git/MSDO/main/gitleaks.toml -o .gitleaks.toml
+
+      - name: Run Gitleaks
+        run: |
+          echo "Downloading Gitleaks..."
+          curl -sSL https://github.com/gitleaks/gitleaks/releases/download/v8.18.2/gitleaks_8.18.2_linux_x64.tar.gz -o gitleaks.tar.gz
+          tar -xzf gitleaks.tar.gz gitleaks
+          chmod +x gitleaks
+          ./gitleaks version
+
+          echo " Running Gitleaks scan..."
+          ./gitleaks detect \
+          --source=. \
+          --config=.gitleaks.toml \
+          --report-format sarif \
+          --report-path=gitleaks.sarif \
+          --exit-code 0
+
+      - name: Upload SARIF to GitHub Code Scanning
+        if: github.repository_visibility == 'public'
+        run: |
+          echo "Compressing and uploading SARIF..."
+          if [ ! -f "gitleaks.sarif" ]; then
+            echo "SARIF file not found"
+            exit 0
+          fi
+
+          gzip -c gitleaks.sarif | base64 -w 0 > gitleaks.sarif.base64
+          encoded_sarif=$(cat gitleaks.sarif.base64)
+
+          curl -s -X POST \
+            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
+            -H "Accept: application/vnd.github+json" \
+            -H "Content-Type: application/json" \
+            https://api.github.com/repos/${{ github.repository }}/code-scanning/sarifs \
+            -d @- <<EOF
+          {
+            "commit_sha": "${{ github.sha }}",
+            "ref": "${{ github.ref }}",
+            "sarif": "$encoded_sarif",
+            "checkout_uri": "https://github.com/${{ github.repository }}",
+            "tool_name": "Gitleaks"
+          }
+          EOF
diff --git a/msdo-main-pipeline.yml b/msdo-main-pipeline.yml
@@ -0,0 +1,46 @@
+name: msdo-main-pipeline
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+jobs:
+  msdo-dynamic-scanning:
+    uses: ./.github/workflows/msdo-dynamic-scanning.yml
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
+      security-events: write
+    with:
+      branch: main
+    secrets:
+      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  secret-scan-credscan:
+    uses: ./.github/workflows/msdo-credscan.yml
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
+      security-events: write
+    needs: msdo-dynamic-scanning
+
+  secret-scan-trufflehog:
+    uses: ./.github/workflows/msdo-trufflehog.yml
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
+      security-events: write
+    needs: secret-scan-credscan
+
+  secret-scan-gitleaks:
+    uses: ./.github/workflows/msdo-gitleaks.yml
+    permissions:
+      contents: read
+      id-token: write
+      actions: read
+      security-events: write
+    needs: secret-scan-trufflehog
diff --git a/msdo-trufflehog.yml b/msdo-trufflehog.yml
