Skip to content

Commit

Permalink
Add Security Scanners
Browse files Browse the repository at this point in the history
Fix semgrep warnings
  • Loading branch information
milkrage committed Jun 26, 2024
1 parent 089f1b2 commit 78f2f16
Show file tree
Hide file tree
Showing 8 changed files with 88 additions and 20 deletions.
64 changes: 64 additions & 0 deletions .github/workflows/secure.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
name: Secure

on: push

jobs:
# Sample GitHub Actions:
# https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
#
# CLI Reference:
# https://semgrep.dev/docs/cli-reference
semgrep:
runs-on: ubuntu-24.04
container:
image: semgrep/semgrep
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- run: semgrep scan --sarif --output=semgrep.sarif --error --severity=WARNING
env:
SEMGREP_RULES: >-
p/bandit
p/command-injection
p/comment
p/cwe-top-25
p/default
p/gitlab
p/gitlab-bandit
p/gitleaks
p/insecure-transport
p/owasp-top-ten
p/python
p/r2c-best-practices
p/r2c-bug-scan
p/r2c-security-audit
p/secrets
p/security-audit
p/xss
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep.sarif
if: always()

# Samples GitHub Actions:
# https://github.com/aquasecurity/trivy-action
trivy:
runs-on: ubuntu-24.04
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'sarif'
output: 'trivy.sarif'
exit-code: '1'
severity: 'MEDIUM,CRITICAL,HIGH'
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy.sarif
if: always()
17 changes: 10 additions & 7 deletions .github/workflows/checks.yml → .github/workflows/verify.yml
Original file line number Diff line number Diff line change
@@ -1,20 +1,23 @@
name: Checks
name: Verify

on: push

jobs:
flake8:
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.8'
- run: pip install -r requirements.txt -r test-requirements.txt
- run: flake8 .

pytest:
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.8'
- run: pip install -r requirements.txt -r test-requirements.txt
Expand Down
2 changes: 2 additions & 0 deletions .semgrepignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
env.example.bat
env.example.sh
6 changes: 0 additions & 6 deletions selvpcclient/resources/tokens.py
Original file line number Diff line number Diff line change
@@ -1,10 +1,6 @@
import logging

from selvpcclient import base
from selvpcclient.exceptions.base import ClientException

log = logging.getLogger(__name__)


class Token(base.Resource):
"""Represents a token."""
Expand Down Expand Up @@ -46,8 +42,6 @@ def delete_many(self, token_ids, raise_if_not_found=True):
for token_id in token_ids:
try:
self.delete(token_id)
log.info("Token %s has been deleted", token_id)
except ClientException as err:
if raise_if_not_found:
raise err
log.error("%s %s", err, token_id)
10 changes: 6 additions & 4 deletions selvpcclient/util.py
Original file line number Diff line number Diff line change
Expand Up @@ -211,7 +211,7 @@ def make_curl(url, method, data):
v = str()
if value:
v = value.encode('utf-8')
h = hashlib.sha1(v)
h = hashlib.sha256(v)
d = h.hexdigest()
value = "{SHA1}%s" % d
header = ' -H "%s: %s"' % (key, value)
Expand All @@ -225,15 +225,17 @@ def make_curl(url, method, data):
def is_url(data):
"""Checks if getting value is valid url and path exists."""
try:
r = requests.head(data)
except Exception:
r = requests.head(data, timeout=15)
r.raise_for_status()
except requests.RequestException:
return False
return r.status_code == requests.codes.ok


def process_logo_by_url(url):
"""Download and encode image by url."""
res = requests.get(url)
res = requests.get(url, timeout=15)
res.raise_for_status()
encoded_logo = base64.b64encode(res.content)
return encoded_logo

Expand Down
4 changes: 3 additions & 1 deletion tests/cli/__init__.py
Original file line number Diff line number Diff line change
@@ -1,10 +1,12 @@
import json

import mock
from unittest import mock

from selvpcclient.client import Client
from selvpcclient.shell import CLI


# nosemgrep: python.lang.best-practice.pass-body.pass-body-fn
def prepare_to_run_command(cmd):
pass

Expand Down
3 changes: 1 addition & 2 deletions tests/rest/__init__.py
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
import mock

from datetime import datetime, timedelta
from unittest import mock

from selvpcclient.httpclient import HTTPClient, RegionalHTTPClient

Expand Down
2 changes: 2 additions & 0 deletions tests/test_util.py
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ def function_that_takes_theme_params(logo=None, color=""):


def test_process_theme_params_invalid_logo():
# nosemgrep: python.lang.best-practice.pass-body.pass-body-fn
@process_theme_params
def function_that_takes_theme_params(logo=None, color=''):
pass
Expand All @@ -105,6 +106,7 @@ def function_that_takes_theme_params(logo=None, color=''):


def test_process_theme_params_wrong_path():
# nosemgrep: python.lang.best-practice.pass-body.pass-body-fn
@process_theme_params
def function_that_takes_theme_params(logo=None, color=''):
pass
Expand Down

0 comments on commit 78f2f16

Please sign in to comment.