Merge branch 'main' into henrykie/scoutsuite

aws-games · Jul 12, 2024 · 7c97c9c · 7c97c9c
2 parents d495c79 + 5c8b983
commit 7c97c9c
Show file tree

Hide file tree

Showing 19 changed files with 469 additions and 356 deletions.
diff --git a/.github/workflows/checkov.yml b/.github/workflows/checkov.yml
@@ -0,0 +1,27 @@
+name: Checkov
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  scan:
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Checkov GitHub Action
+        uses: bridgecrewio/checkov-action@v12
+        with:
+          output_format: sarif
+          output_file_path: results.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        if: success() || failure()
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -1,5 +1,6 @@
 name: "CodeQL"
 on:
+  workflow_call:
   push:
     branches: main
   pull_request:

diff --git a/.github/workflows/ossf_scorecard.yml b/.github/workflows/ossf_scorecard.yml
@@ -29,7 +29,7 @@ jobs:
           publish_results: true # Publish results to OpenSSF REST API for easy access by consumers
           repo_token: ${{ secrets.SCORECARD_TOKEN }}  # read-only fine-grained token to read branch protection settings
       - name: "Upload artifact"
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
         with:
           name: SARIF file
           path: results.sarif

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,21 @@
+# This workflow can be used as needed and is triggered manually to consolidate the security scans.
+
+name: Security
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  actions: read
+  security-events: write
+
+jobs:
+  trivy-scan:
+    uses: ./.github/workflows/trivy.yml
+    secrets: inherit
+  codeql-analysis:
+    uses: ./.github/workflows/codeql-analysis.yml
+    secrets: inherit
+  checkov:
+    uses: ./.github/workflows/checkov.yml
+    secrets: inherit
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -4,6 +4,7 @@ on:
     branches:
       - main
   pull_request:
+  workflow_call:
 jobs:
   trivy_scan:
     name: Trivy Scan
@@ -13,13 +14,13 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.23.0
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: 'repo'
           ignore-unfixed: true
           format: 'sarif'
           output: 'trivy-results.sarif'
-          severity: 'CRITICAL'
+          severity: 'CRITICAL,HIGH'
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3

diff --git a/assets/packer/build-agents/linux/amazon-linux-2023-arm64.pkr.hcl b/assets/packer/build-agents/linux/amazon-linux-2023-arm64.pkr.hcl
@@ -24,6 +24,16 @@ variable "subnet_id" {
   type = string
 }
 
+variable "associate_public_ip_address" {
+  type = bool
+  default = true
+}
+
+variable "ssh_interface" {
+  type = string
+  default = "public_ip"
+}
+
 variable "ami_prefix" {
   type    = string
   default = "jenkins-builder-amazon-linux-2023-arm64"
@@ -41,7 +51,6 @@ source "amazon-ebs" "al2023" {
   ami_name      = "${var.ami_prefix}-${local.timestamp}"
   instance_type = "t4g.small"
   region        = var.region
-  profile       = var.profile
   source_ami_filter {
     filters = {
       name                = "al2023-ami-2023.*-arm64"
@@ -63,7 +72,8 @@ source "amazon-ebs" "al2023" {
   # network specific details
   vpc_id = var.vpc_id
   subnet_id = var.subnet_id
-  associate_public_ip_address = true
+  associate_public_ip_address = var.associate_public_ip_address
+  ssh_interface = var.ssh_interface
 }
 
 build {
@@ -77,21 +87,23 @@ build {
     destination = "/tmp/install_common.al2023.sh"
   }
   provisioner "shell" {
-    inline = [ <<-EOF
-cloud-init status --wait
-sudo chmod 755 /tmp/install_common.al2023.sh
-/tmp/install_common.al2023.sh
-EOF
+    inline = [
+      <<-EOF
+      cloud-init status --wait
+      sudo chmod 755 /tmp/install_common.al2023.sh
+      /tmp/install_common.al2023.sh
+      EOF
     ]
   }
 
   # add the public key
   provisioner "shell" {
-    inline = [ <<-EOF
-echo "${var.public_key}" >> ~/.ssh/authorized_keys
-chmod 700 ~/.ssh
-chmod 600 ~/.ssh/authorized_keys
-EOF
+    inline = [
+      <<-EOF
+      echo "${var.public_key}" >> ~/.ssh/authorized_keys
+      chmod 700 ~/.ssh
+      chmod 600 ~/.ssh/authorized_keys
+      EOF
     ]
   }
 
@@ -100,10 +112,11 @@ EOF
     destination = "/tmp/install_mold.sh"
   }
   provisioner "shell" {
-    inline = [ <<-EOF
-sudo chmod 755 /tmp/install_mold.sh
-/tmp/install_mold.sh
-EOF
+    inline = [
+      <<-EOF
+      sudo chmod 755 /tmp/install_mold.sh
+      /tmp/install_mold.sh
+      EOF
     ]
   }
 
@@ -135,15 +148,16 @@ EOF
     destination = "/tmp/fsx_automounter.service"
   }
   provisioner "shell" {
-    inline = [ <<-EOF
-sudo cp /tmp/fsx_automounter.py /opt/fsx_automounter.py
-sudo dos2unix /opt/fsx_automounter.py
-sudo chmod 755 /opt/fsx_automounter.py
-sudo mkdir -p /etc/systemd/system/
-sudo cp /tmp/fsx_automounter.service /etc/systemd/system/fsx_automounter.service
-sudo chmod 755 /etc/systemd/system/fsx_automounter.service
-sudo systemctl enable fsx_automounter.service
-EOF
+    inline = [
+      <<-EOF
+      sudo cp /tmp/fsx_automounter.py /opt/fsx_automounter.py
+      sudo dos2unix /opt/fsx_automounter.py
+      sudo chmod 755 /opt/fsx_automounter.py
+      sudo mkdir -p /etc/systemd/system/
+      sudo cp /tmp/fsx_automounter.service /etc/systemd/system/fsx_automounter.service
+      sudo chmod 755 /etc/systemd/system/fsx_automounter.service
+      sudo systemctl enable fsx_automounter.service
+      EOF
     ]
   }
 
@@ -157,15 +171,16 @@ EOF
     destination = "/tmp/mount_ephemeral.service"
   }
   provisioner "shell" {
-    inline = [ <<-EOF
-sudo cp /tmp/mount_ephemeral.sh /opt/mount_ephemeral.sh
-sudo dos2unix /opt/mount_ephemeral.sh
-sudo chmod 755 /opt/mount_ephemeral.sh
-sudo mkdir -p /etc/systemd/system/
-sudo cp /tmp/mount_ephemeral.service /etc/systemd/system/mount_ephemeral.service
-sudo chmod 755 /etc/systemd/system/mount_ephemeral.service
-sudo systemctl enable mount_ephemeral.service
-EOF
+    inline = [
+      <<-EOF
+      sudo cp /tmp/mount_ephemeral.sh /opt/mount_ephemeral.sh
+      sudo dos2unix /opt/mount_ephemeral.sh
+      sudo chmod 755 /opt/mount_ephemeral.sh
+      sudo mkdir -p /etc/systemd/system/
+      sudo cp /tmp/mount_ephemeral.service /etc/systemd/system/mount_ephemeral.service
+      sudo chmod 755 /etc/systemd/system/mount_ephemeral.service
+      sudo systemctl enable mount_ephemeral.service
+      EOF
     ]
   }
 
@@ -178,15 +193,16 @@ EOF
     destination = "/tmp/create_swap.service"
   }
   provisioner "shell" {
-    inline = [ <<-EOF
-sudo cp /tmp/create_swap.sh /opt/create_swap.sh
-sudo dos2unix /opt/create_swap.sh
-sudo chmod 755 /opt/create_swap.sh
-sudo mkdir -p /etc/systemd/system/
-sudo cp /tmp/create_swap.service /etc/systemd/system/create_swap.service
-sudo chmod 755 /etc/systemd/system/create_swap.service
-sudo systemctl enable create_swap.service
-EOF
+    inline = [
+      <<-EOF
+      sudo cp /tmp/create_swap.sh /opt/create_swap.sh
+      sudo dos2unix /opt/create_swap.sh
+      sudo chmod 755 /opt/create_swap.sh
+      sudo mkdir -p /etc/systemd/system/
+      sudo cp /tmp/create_swap.service /etc/systemd/system/create_swap.service
+      sudo chmod 755 /etc/systemd/system/create_swap.service
+      sudo systemctl enable create_swap.service
+      EOF
     ]
   }
 
@@ -199,14 +215,15 @@ EOF
     destination = "/tmp/install_sccache.sh"
   }
   provisioner "shell" {
-    inline = [ <<-EOF
-sudo chmod 755 /tmp/install_sccache.sh
-/tmp/install_sccache.sh
-sudo mkdir -p /etc/systemd/system/
-sudo cp /tmp/sccache.service /etc/systemd/system/sccache.service
-sudo chmod 755 /etc/systemd/system/sccache.service
-sudo systemctl enable sccache.service
-EOF
+    inline = [
+      <<-EOF
+      sudo chmod 755 /tmp/install_sccache.sh
+      /tmp/install_sccache.sh
+      sudo mkdir -p /etc/systemd/system/
+      sudo cp /tmp/sccache.service /etc/systemd/system/sccache.service
+      sudo chmod 755 /etc/systemd/system/sccache.service
+      sudo systemctl enable sccache.service
+      EOF
     ]
   }
 }