diff --git a/.github/workflows/claws.yml b/.github/workflows/claws.yml
new file mode 100644
index 0000000..68e972c
--- /dev/null
+++ b/.github/workflows/claws.yml
@@ -0,0 +1,106 @@
+name: Workflow Static Analyzer
+
+on:
+ merge_group:
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ changed_workflows:
+ name: Find New/Updated Github Workflows
+ runs-on: ubuntu-latest
+ if: (github.event_name != 'merge_group') && (github.actor != 'dependabot[bot]')
+ permissions:
+ pull-requests: read
+ outputs:
+ files: ${{ steps.get_files.outputs.changed_files }}
+ steps:
+ # We use the API to get changed files instead of using the local
+ # git checkout. In some contexts the git metadata isn't available
+ # so we end up with a checkout of the code that we can scan, but
+ # the missing git metadata means we don't know how to narrow down
+ # what to scan. This is really only a problem for pull requests
+ # that are opened via fork of a private repository. Forks under
+ # the same account, forks of public repositories, and branches on
+ # origin are fine.
+ #
+ # Because the API only lets us see up to 3,000 files, it's
+ # possible we may miss some changed workflows in a large pull
+ # request. However, from my testing, the changes are in alphabetical
+ # order, so they would have to have modified that many files "before"
+ # `.github/workflows/` for us to start missing any.
+ - name: Get Changed Workflows
+ id: get_files
+ run: |
+ gh api \
+ "/repos/$REPOSITORY/pulls/$PR_NUMBER/files" \
+ --paginate \
+ --jq '.[] | select(.status != "removed") | .filename' \
+ >/tmp/files_changed.txt
+
+ FILES=$(
+ grep '^\.github\/workflows\/.*\.ya\?ml' > "$GITHUB_OUTPUT"
+ echo "$FILES" >> "$GITHUB_OUTPUT"
+ echo "EOF" >> "$GITHUB_OUTPUT"
+ env:
+ GH_TOKEN: ${{ github.token }}
+ REPOSITORY: ${{ github.repository }}
+ PR_NUMBER: ${{ github.event.pull_request.number }}
+ build:
+ name: Analyze Github Workflows
+ runs-on: ubuntu-latest
+ if: (github.event_name != 'merge_group') && (github.actor != 'dependabot[bot]') && (needs.changed_workflows.outputs.files != '')
+ needs: [changed_workflows]
+ steps:
+ - name: Set Up Ruby
+ uses: ruby/setup-ruby@d8d83c3960843afb664e821fed6be52f37da5267 # v1.231.0
+ with:
+ ruby-version: '3.0'
+ - name: Get Claws Config
+ uses: actions/checkout@v4
+ with:
+ repository: betterment/security-configs
+ path: security-configs/
+ # We have to do this `mv` ourselves because for some reason, actions/checkout
+ # doesn't support absolute paths OR relative paths that point outside of the
+ # working directory. Absolutely bonkers.
+ - name: Move Claws Config
+ run: |
+ mv security-configs/ /tmp/
+ - name: Set Up Shellcheck
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y shellcheck
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - name: Set Up Claws
+ run: |
+ gem install claws-scan -v 0.7.3
+ - name: Analyze New/Changed Workflows
+ env:
+ CHANGED_FILES: ${{ needs.changed_workflows.outputs.files }}
+ run: |
+ if [[ "$CHANGED_FILES" == "" ]]; then
+ echo "No workflows to diff :)"
+ exit 0
+ fi
+
+ flags=()
+
+ while IFS= read -r file; do
+ echo "Processing $file"
+ flags+=("-t" "$file")
+ done <<< "$CHANGED_FILES"
+
+ # Execute the analyze command safely
+ echo analyze -f github -c /tmp/security-configs/claws/config.yml "${flags[@]}"
+ analyze -f github -c /tmp/security-configs/claws/config.yml "${flags[@]}"
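Review bot: The `build` job declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default scope even though the job only reads the checkout and runs the analyzer; the first job already limits itself to `pull-requests: read`, so `build` should carry `permissions:` / `contents: read` directly under its `runs-on: ubuntu-latest`. The two `actions/checkout@v4` steps reference a mutable tag while `ruby/setup-ruby` is pinned to a commit SHA with a version comment, so pinning both checkouts the same way would make the workflow's own pinning policy consistent. The `grep '^\.github\/workflows\/.*\.ya\?ml'` filter is not end-anchored, so a path such as `.github/workflows/x.yml.bak` would be handed to `analyze`; `'^\.github\/workflows\/.*\.ya\?ml$'` closes that gap. The `Get Changed Workflows` run script looks incomplete in this rendering (`FILES=$(` is never closed, no `changed_files<<EOF` opener precedes the `>> "$GITHUB_OUTPUT"` lines, and the hunk header counts 106 lines while fewer are visible), so that step should be verified against the file itself rather than this view.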
diff --git a/README.md b/README.md
index d48961e..58ea084 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,35 @@
 # security-configs
-configs, but for security
+
+This is the repository where we keep security related configuration files that
+for some reason or other need to be publicly accessible. For example, Github
+Actions will not run on public repositories if stored in a private one. We can
+keep them here.
+
+**Reminder**: This repository is public and any changes you make, and even the
+ones you don't (i.e. a pull request that doesn't get merged) will be visible to
+people outside the company. Pull request descriptions, comments, links, etc are
+all going to be visible to strangers! 🔮
+
+If you're not a Betterment employee... Hi! Check out our
+[responsible disclosure](https://www.betterment.com/legal/security#disclosure)
+page to find out how to report a bug :)
+
+```
+HASHCAT HAS ITS PAWS ON YOUR BUGS
+
+ _
+ \`*-.
+ ) _`-.
+ . : `. .
+ : _ ' \
+ ; *` _. `*-._
+ `-.-' `-.
+ ; ` `.
+ :. . \
+ . \ . : .-' .
+ ' `+.; ; ' :
+ : ' | ; ;-.
+ ; ' : :`-: _.`* ;
+ [bug] .*' / .*' ; .*`- +' `*'
+ `*-* `*-* `*-*'
+```
diff --git a/claws/config.yml b/claws/config.yml
new file mode 100644
index 0000000..2106453
--- /dev/null
+++ b/claws/config.yml
@@ -0,0 +1,17 @@
+Enabled:
+ NoContainers:
+ approved_images: ["ubuntu-latest"]
+ SpecialPermissions:
+ EmptyName:
+ RiskyTriggers:
+ UnapprovedRunners:
+ allowed_runners: ["ubuntu-latest", "macos-12", "macos-15", "macos-latest", "mobile_linux_8_core", "self-hosted"]
+ CommandInjection:
+ AutomaticMerge:
+ UnpinnedAction:
+ trusted_authors: ["Betterment", "actions"]
+ UnsafeCheckout:
+ InheritedSecrets:
+ BulkPermissions:
+ Shellcheck:
+ shellcheck_bin: "/usr/bin/shellcheck"
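Review bot: `allowed_runners` lists `"self-hosted"`, which is the generic label GitHub attaches to every self-hosted runner, so the `UnapprovedRunners` check would accept any self-hosted pool rather than only the ones meant for these workflows; if particular pools are intended, list their labels instead, or record the decision with `# "self-hosted" matches any self-hosted runner; narrow to explicit labels once the approved pools are known` above the line. The bare `SpecialPermissions:`, `EmptyName:`, `RiskyTriggers:`, `CommandInjection:`, `AutomaticMerge:`, `UnsafeCheckout:`, `InheritedSecrets:` and `BulkPermissions:` entries read as `null` under most YAML loaders; if claws enables a check on key presence alone that works, but `{}` states "enabled with no options" explicitly and survives a reformat. `trusted_authors` containing `"actions"` means tag references such as `actions/checkout@v4` satisfy the `UnpinnedAction` check, so a one-line comment beside that list saying whether trusted authors are deliberately exempt from SHA pinning would make the policy legible to the next reader.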