Update dependencies, add lint and unit-tests
ayala-orca committed Nov 26, 2024
1 parent e4a09da commit de35058
Showing 15 changed files with 8,131 additions and 254 deletions.
8 changes: 4 additions & 4 deletions .github/workflows/test-secrets-action-sarif.yaml
@@ -1,14 +1,14 @@
name: Test Orca Secrets action - Sarif

on: [push, pull_request]
on: [pull_request, workflow_dispatch]

jobs:
secrets_scan_job:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/checkout@v4
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
with:
fetch-depth: 0
- name: Scan Secrets
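Review bot: the job declares `security-events: write` but not `contents: read`, and once a `permissions:` block is present every unlisted scope is `none`; add `contents: read` here as unit-tests.yml in this same commit does, so the checkout step does not depend on the repository's default token settings. Dropping `push` from `on:` also means commits pushed directly to a branch are no longer scanned by this workflow, only pull requests and manual runs; that is reasonable for a test workflow, but the commit message says nothing about it, and the README's Checks section still describes push-event scanning. Pinning actions/checkout to the full commit SHA with the `# ratchet:` comment is the right way to do it.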
@@ -21,7 +21,7 @@ jobs:
output: "results/"
console_output: "table"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # ratchet:github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # ratchet:github/codeql-action/upload-sarif@v3.27.5
if: ${{ always() && steps.orcasecurity_secrets_scan.outputs.exit_code != 1 }}
with:
sarif_file: results/secrets.sarif
sarif_file: results/secrets.sarif
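Review bot: `always()` in the `if:` also evaluates true when the run is cancelled, so the upload step still tries to read `results/secrets.sarif` on a cancelled job; `!cancelled() && steps.orcasecurity_secrets_scan.outputs.exit_code != 1` expresses the intent (upload whether or not the scan found something, but not after a cancel). The comparison itself is fine: step outputs are strings and the expression engine coerces the literal `1` for `!=`. Pinning upload-sarif to the v3.27.5 commit matches the checkout pin above.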
6 changes: 3 additions & 3 deletions .github/workflows/test-secrets-action.yaml
@@ -1,13 +1,13 @@
name: Test Orca Secrets action

on: [push, pull_request, workflow_dispatch]
on: [pull_request, workflow_dispatch]

jobs:
secrets_scan_job:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # ratchet:actions/checkout@v4
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4.2.2
with:
fetch-depth: 0

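Review bot: this job has no `permissions:` block, so it runs with whatever default token scope the repository grants; add `permissions: contents: read` as unit-tests.yml does in this commit, since the scan only needs to read the checkout. Also, with `pull_request` as the trigger, `secrets.ORCA_SECURITY_API_TOKEN` (used further down in this file) is not available to runs triggered by pull requests from forks, so external PRs will fail at the scan step; either document that or gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository` so it runs only for same-repository PRs.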
@@ -17,4 +17,4 @@ jobs:
with:
api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
project_key: "default"
console_output: "table"
console_output: "table"
23 changes: 23 additions & 0 deletions .github/workflows/unit-tests.yml
@@ -0,0 +1,23 @@
name: Unit Tests
on:
pull_request:
branches: [master]
workflow_dispatch:

permissions:
contents: read

jobs:
unit-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/[email protected]

- name: Install dependencies
run: npm install

- name: Run lint
run: npm run lint

- name: Run tests
run: npm test
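Review bot: `npm install` may rewrite package-lock.json and resolve newer versions than the lockfile records; for CI use `npm ci`, which installs exactly the locked tree and fails if package.json and the lockfile disagree, so lint and test results are reproducible and a drifted or tampered dependency is caught rather than silently pulled in (this assumes package-lock.json is committed, which the 8,131-line addition count in this commit suggests). Consider `npm ci --ignore-scripts` as well, since a lint/test job has no reason to run dependency lifecycle scripts. The job also uses whatever Node version the runner image ships; add an `actions/setup-node` step with a pinned `node-version`, SHA-pinned like the checkout step, so results do not change when ubuntu-latest is updated. Finally, triggering only on `pull_request` to master means master itself is never tested after a merge; `push: branches: [master]` closes that gap.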
4 changes: 3 additions & 1 deletion .gitignore
@@ -1,3 +1,5 @@
# IDE
.idea
node_modules
node_modules

dist/
61 changes: 27 additions & 34 deletions README.md
@@ -5,25 +5,23 @@ for [Orca Shift Left Security](https://orca.security/solutions/shift-left-securi

#### More info can be found in the official Orca Shift Left Security<a href="https://docs.orcasecurity.io/v1/docs/shift-left-security"> documentation</a>



### Table of Contents
- [Table of Contents](#table-of-contents)
- [Usage](#usage)
- [Workflow](#workflow)
- [Inputs](#inputs)
- [Checks](#checks)
- [Annotations](#annotations)
- [Scan Summary](#scan-summary)
- [Upload SARIF report](#upload-sarif-report)

- [Usage](#usage)
- [Workflow](#workflow)
- [Inputs](#inputs)
- [Checks](#checks)
- [Annotations](#annotations)
- [Scan Summary](#scan-summary)
- [Upload SARIF report](#upload-sarif-report)

## Usage

### Workflow

```yaml
name: Sample Orca Secrets Scan Workflow
name:
Sample Orca Secrets Scan Workflow
# Trigger the workflow on push and pull requests
on: [push, pull_request]
jobs:
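Review bot: `name:` is split over two lines here (`name:` on one line, `Sample Orca Secrets Scan Workflow` on the next) while the SARIF example later in this same file collapses exactly that form back into `api_token: ${{ ... }}` one-liners; it is valid YAML but looks like a formatter glitch, so keep `name: Sample Orca Secrets Scan Workflow` on one line. Removing the self-referencing "Table of Contents" entry from the TOC is fine.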
Expand All @@ -37,7 +35,7 @@ jobs:
- name: Checkout Repository
uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-depth: 0

- name: Run Orca Secrets Scan
uses: orcasecurity/shiftleft-secrets-action@v1
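Review bot: the sample still references `actions/checkout@v4` by floating tag, while the repository's own workflows in this commit pin the same action to a full commit SHA with a `# ratchet:` comment; a README for a secrets scanner should show the SHA-pinned form, or at least say that tags can move, since that is precisely the supply-chain exposure a user of this action is trying to reduce. The indentation fix to `fetch-depth: 0` is correct.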
@@ -46,16 +44,13 @@ jobs:
project_key: ${{ env.PROJECT_KEY }}
```
> [!NOTE]
> Utilizing **fetch-depth=0** is essential for a valid git history scan.
### Inputs
| Variable | Example Value &nbsp; | Description &nbsp; | Type | Required | Default |
|-----------------------------|----------------------|-----------------------------------------------------------------------------------|---------|----------|-------------|
| --------------------------- | -------------------- | --------------------------------------------------------------------------------- | ------- | -------- | ----------- |
| api_token | | Orca API Token used for Authentication | String | Yes | N/A |
| project_key | my-project-key | Project Key name | String | Yes | N/A |
| path | sub-dir | Path to scan | String | No | . |
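Review bot: the Example Value cell for `api_token` is empty; showing `${{ secrets.ORCA_SECURITY_API_TOKEN }}` there, as the workflow examples in this file do, makes the point that the token must come from a repository secret and never be written into the workflow file. The separator-row change is cosmetic.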
@@ -71,38 +66,42 @@ jobs:
| exceptions_filepath | n/a | exceptions YAML filepath. (File should be mounted) | String | No | false |
| num_cpu | 10 | Number of logical CPUs to be used for secret scanning (default 10) | Integer | No | 10 |
| show_failed_issues_only | n/a | show only failed issues | Boolean | No | false |
| from-commit | n/a | the commit to search *from* | String | No | N/A |
| to-commit | n/a | the commit to search *to* | String | No | N/A |
| from-commit | n/a | the commit to search _from_ | String | No | N/A |
| to-commit | n/a | the commit to search _to_ | String | No | N/A |
| disable-git-scan | true | flag that indicates that the CLI will not scan git history for secrets | Boolean | No | false |
| ignore-git-history-baseline | true | forces a full history scan | Boolean | No | false |
| debug | true | Debug mode | Boolean | No | false |
| log_path | results/ | The directory path to specify where the logs should be written to on debug mode. | String | No | working dir |
| disable-active-verification | true | Disable active verification of secrets | Boolean | No | false |
## Checks
Upon adding the action, two new checks will become visible on pull requests:
![](/assets/checks_preview.png)
* For the push event, the scanning process will target and analyze only the most recent push.
* Conversely, for the pull_request event, the scanning will encompass every commit that forms part of the pull request, diligently searching for any potential secrets.
- For the push event, the scanning process will target and analyze only the most recent push.
- Conversely, for the pull_request event, the scanning will encompass every commit that forms part of the pull request, diligently searching for any potential secrets.
## Annotations
After scanning, the action will add the results as annotations in a pull request:
![](/assets/secret_annotation_preview.png)
> **NOTE:** Annotations can be disabled by setting the "show_annotation" input to "false"
> **NOTE:** Annotations can be disabled by setting the "show_annotation" input to "false"
## Scan Summary
Every action will provide a clear scan summary output, and by clicking the 'View in code' link, you will be directed to the precise location of the secret.
![](/assets/secrets_summary_preview.png)
## Upload SARIF report
If you have [GitHub code scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning) available you can use Orca Shift Left Security as a scanning tool
> **NOTE:** Code scanning is available for all public repositories. Code scanning is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.
> **NOTE:** Code scanning is available for all public repositories. Code scanning is also available in private repositories owned by organizations that use GitHub Enterprise Cloud and have a license for GitHub Advanced Security.
Configuration:
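Review bot: the table lists `from-commit`, `to-commit`, `disable-git-scan` and `ignore-git-history-baseline` with hyphens, but action.yaml in this same commit declares `disable_git_scan` and `ignore_git_history_baseline`, and entrypoint.sh reads `INPUT_FROM_COMMIT`, `INPUT_TO_COMMIT`, `INPUT_DISABLE_GIT_SCAN` and `INPUT_IGNORE_GIT_HISTORY_BASELINE`; a user who copies the hyphenated names gets an "unexpected input" warning and the option is silently ignored, so rename those four rows to the underscore form. The new `max_secret` input added to action.yaml has no row here, and `exceptions_filepath` shows a default of `false` for a String input where N/A is meant.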
@@ -124,14 +123,10 @@ jobs:
id: orcasecurity_secrets_scan
uses: orcasecurity/shiftleft-secrets-action@v1
with:
api_token:
${{ secrets.ORCA_SECURITY_API_TOKEN }}
project_key:
"default"
format:
"sarif"
output:
"results/"
api_token: ${{ secrets.ORCA_SECURITY_API_TOKEN }}
project_key: "default"
format: "sarif"
output: "results/"
console_output: "table"
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
@@ -143,7 +138,5 @@ jobs:
The results list can be found on the security tab of your GitHub project and should look like the following image
![](/assets/code_scanning_list.png)
An entry should describe the error and in which line it occurred
An entry should describe the error and in which line it occurred
![](/assets/code_scanning_entry.png)
4 changes: 4 additions & 0 deletions action.yaml
@@ -31,6 +31,9 @@ inputs:
description: "Suppress error reporting to the monitoring platform"
required: false
default: "false"
max_secret:
description: "Maximum secrets that can be found, when reaching this number secret scan will stop"
required: false
num_cpu:
description: "Number of logical CPUs to be used for secret scanning (default 10)"
required: false
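Review bot: `max_secret` states neither a type nor a default, and entrypoint.sh passes the value straight through to `--max-secret`; say in the description that it is a positive integer and reword it to something like "Maximum number of secrets to report; the scan stops once this many are found". The README inputs table, which this commit touches, also needs a row for it.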
@@ -41,6 +44,7 @@ inputs:
disable_git_scan:
description: "Disable Git scan"
required: false
default: "false"
ignore_git_history_baseline:
description: "Run full history scan"
required: false
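Review bot: a default of "false" for `disable_git_scan` is consistent with entrypoint.sh now appending `--disable-git-scan` only when the value is exactly "true". `ignore_git_history_baseline` gets the same `= "true"` treatment in entrypoint.sh, so it should carry the same `default: "false"`; its block is cut off in this view, so confirm it has one.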
29 changes: 11 additions & 18 deletions entrypoint.sh
@@ -34,18 +34,9 @@ function set_global_flags() {
if [ "${INPUT_CONFIG}" ]; then
GLOBAL_FLAGS+=(--config "${INPUT_CONFIG}")
fi
if [ "${INPUT_BASELINE_CONTEXT_KEY}" ]; then
GLOBAL_FLAGS+=(--baseline-context-key "${INPUT_BASELINE_CONTEXT_KEY}")
fi
if [ "${INPUT_DISABLE_BASELINE}" == "true" ]; then
GLOBAL_FLAGS+=(--disable-baseline)
fi
if [ "${INPUT_DISABLE_ERR_REPORT}" == "true" ]; then
GLOBAL_FLAGS+=(--disable-err-report)
fi
if [ "${INPUT_SYNC_BASELINE}" ]; then
GLOBAL_FLAGS+=(--sync-baseline "${INPUT_SYNC_BASELINE}")
fi
if [ "${INPUT_DEBUG}" == "true" ]; then
GLOBAL_FLAGS+=(--debug)
fi
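Review bot: removing `--baseline-context-key`, `--disable-baseline` and `--sync-baseline` from GLOBAL_FLAGS while action.yaml loses nothing in this commit (4 additions, 0 deletions) means that, if `baseline_context_key`, `disable_baseline` or `sync_baseline` are still declared as inputs there, they are now accepted and silently ignored; remove or deprecate them in action.yaml and the README as well, and say why in the commit message, which currently mentions only dependencies, lint and tests. Style: this function tests booleans with `==` while set_secrets_scan_flags below uses `=`; pick one (`=` is the POSIX form).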
@@ -92,6 +83,9 @@ function set_secrets_scan_flags() {
if [ "${INPUT_EXCEPTIONS_FILEPATH}" ]; then
SCAN_FLAGS+=(--exceptions-filepath "${INPUT_EXCEPTIONS_FILEPATH}")
fi
if [ "${INPUT_TIMEOUT}" ]; then
SCAN_FLAGS+=(--timeout "${INPUT_TIMEOUT}")
fi
if [ "${INPUT_SHOW_FAILED_ISSUES_ONLY}" = "true" ]; then
SCAN_FLAGS+=(--show-failed-issues-only)
fi
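Review bot: `INPUT_TIMEOUT` is only ever set if action.yaml declares a `timeout` input, and the action.yaml part of this diff adds only `max_secret`; confirm `timeout` is declared (and add it to the README table, which has no row for it), otherwise this branch is dead code. The value goes to `--timeout` unvalidated, which is acceptable if the CLI rejects bad input itself, but a non-numeric value will then surface as a CLI error rather than a clear message from the action.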
@@ -108,21 +102,20 @@ function set_secrets_scan_flags() {
SCAN_FLAGS+=(--console-output="${CONSOLE_OUTPUT_FOR_JSON}")
fi
if [ "${INPUT_FROM_COMMIT}" ]; then
SCAN_FLAGS+=(--from-commit="${INPUT_FROM_COMMIT}")
SCAN_FLAGS+=(--from-commit "${INPUT_FROM_COMMIT}")
fi
if [ "${INPUT_TO_COMMIT}" ]; then
SCAN_FLAGS+=(--to-commit="${INPUT_TO_COMMIT}")
SCAN_FLAGS+=(--to-commit "${INPUT_TO_COMMIT}")
fi
if [ "${INPUT_IGNORE_GIT_HISTORY_BASELINE}" ]; then
SCAN_FLAGS+=(--ignore-git-history-baseline="${INPUT_IGNORE_GIT_HISTORY_BASELINE}")
if [ "${INPUT_IGNORE_GIT_HISTORY_BASELINE}" = "true" ]; then
SCAN_FLAGS+=(--ignore-git-history-baseline)
fi
if [ "${INPUT_DISABLE_GIT_SCAN}" ]; then
SCAN_FLAGS+=(--disable-git-scan="${INPUT_DISABLE_GIT_SCAN}")
if [ "${INPUT_DISABLE_GIT_SCAN}" = "true" ]; then
SCAN_FLAGS+=(--disable-git-scan)
fi
if [ "${MAX_SECRETS}" ]; then
SCAN_FLAGS+=(--max-secret="${MAX_SECRETS}")
if [ "${INPUT_MAX_SECRET}" ]; then
SCAN_FLAGS+=(--max-secret "${INPUT_MAX_SECRET}")
fi
SCAN_FLAGS+=(--debug)
}

function set_env_vars() {
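Review bot: `SCAN_FLAGS+=(--debug)` near the end of the function appends the flag unconditionally, bypassing the `INPUT_DEBUG == "true"` gate in set_global_flags; the hunk counts (21 lines before, 20 after) indicate this is the line being removed, which is the right call, but it changes what the scan logs and should be mentioned in the commit message. Renaming `MAX_SECRETS` to `INPUT_MAX_SECRET` fixes a variable that the action inputs never populated, so `--max-secret` works for the first time; that too belongs in the message. Switching the booleans to "append the bare flag only when the input is exactly "true"" is cleaner than `--flag="${INPUT}"`, with one behavioural change to note: values such as `True` or `TRUE`, which the old form forwarded to the CLI, are now treated as false.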
50 changes: 50 additions & 0 deletions eslint.config.js
@@ -0,0 +1,50 @@
const js = require("@eslint/js");

module.exports = [
{
// Global ignores
ignores: ["dist/**"],
},
{
// Base configuration
files: ["**/*.{js}"],
settings: {
"import/resolver": {
typescript: {},
},
},
rules: {
...js.configs.recommended.rules,

// Spacing and formatting rules
"space-before-blocks": "error",
"keyword-spacing": "error",
"no-trailing-spaces": "error",
curly: "error",
quotes: ["error", "single"],
"object-curly-spacing": ["error", "always"],
"no-multi-spaces": "error",
"semi-spacing": "error",

// Code style rules
"prefer-const": ["error", { destructuring: "all" }],
"max-classes-per-file": ["error", 10],
"max-len": ["error", 200],

// Import rules
"import/no-unresolved": [
"error",
{ commonjs: true, caseSensitive: true },
],
"import/extensions": ["error", "ignorePackages", { js: "never" }],
},
},
{
// Test files override
files: ["**/test/**"],
rules: {
"import/no-unresolved": "off",
"import/extensions": "off",
},
},
];
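Review bot: `files: ["**/*.{js}"]` matches no JavaScript file: a brace group is only expanded when it contains a comma or a range, so `{js}` is taken literally and the whole rule set applies to nothing, which lets `npm run lint` in unit-tests.yml pass vacuously; use `**/*.js` or `**/*.{js,cjs,mjs}`. The config also uses `import/no-unresolved`, `import/extensions` and an `import/resolver` setting without registering eslint-plugin-import under `plugins:`; flat config does not load plugins by name, so once the glob is fixed ESLint will fail with "could not find plugin import". Either add `plugins: { import: require("eslint-plugin-import") }` or drop the import rules, and the `typescript` resolver is out of place for a CommonJS JavaScript action. Lastly, this file is written with double quotes while enforcing `quotes: ["error", "single"]`, so it will fail its own lint unless excluded or rewritten.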