From 6d3f7a5e8b0c5e49afb92edd26cb5bd70563e698 Mon Sep 17 00:00:00 2001 From: Lukej-git Date: Thu, 17 Apr 2025 10:44:41 +0800 Subject: [PATCH 1/3] Edited files and CI --- .github/workflows/ci.yaml | 97 ++++++++++++++++++++++++++++----------- Dockerfile | 2 +- backend.tf | 2 +- provider.tf | 4 +- variable.tf | 6 +-- 5 files changed, 77 insertions(+), 34 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 75c08b3..7be2969 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -2,17 +2,17 @@ name: CI Checks run-name: Running Terraform Checks by ${{ github.actor }} on: - pull_request: - branches: - - main + pull_request: + branches: + - main jobs: Initial-Checks: runs-on: ubuntu-latest steps: - - name: Getting initiator name - run: echo "Workflow initiated by ${{ github.actor }} from branch ${{ github.ref_name }}" + - name: Getting initiator name + run: echo "Workflow initiated by ${{ github.actor }} from branch ${{ github.ref_name }}" terraform-checks: runs-on: ubuntu-latest 
@@ -20,32 +20,35 @@ jobs: outputs: status: ${{ job.status }} steps: - - name: Checkout - uses: actions/checkout@v3 + - name: Checkout + uses: actions/checkout@v3 - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 - - name: Terraform fmt - id: fmt - run: terraform fmt -check + - name: check current directory + run: ls - - name: Terraform Validate - id: validate - run: terraform validate -no-color + - name: Terraform fmt + id: fmt + run: terraform fmt -check - - uses: terraform-linters/setup-tflint@v3 - with: - tflint_version: latest - - - name: Show version - run: tflint --version + - name: Terraform Validate + id: validate + run: terraform validate -no-color - - name: Init TFLint - run: tflint --init + - uses: terraform-linters/setup-tflint@v3 + with: + tflint_version: latest - - name: Run TFLint - run: tflint -f compact + - name: Show version + run: tflint --version + + - name: Init TFLint + run: tflint --init + + - name: Run TFLint + run: tflint -f compact ######################################## # Add a job for snyk scan of your code # 
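Review bot: The new `check current directory` step (`run: ls`) in terraform-checks reads as a leftover debugging step; it dumps the checkout listing into the log on every run and nothing later consumes it. Either drop it or make its purpose explicit in the name, e.g. `- name: List checked-out files (debug)`, so a future reader does not wonder whether a step depends on it. The remaining changes in this hunk are re-indentation of existing steps.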
@@ -60,22 +63,60 @@ jobs: # - snyk container test # Also, enable: # outputs: - # status: ${{ job.status }} + # status: # for use in the summary ######################################## + snyk-checks: + runs-on: ubuntu-latest + outputs: + status: ${{ steps.set-status.outputs.status }} + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Set up Node.js (for snyk CLI) + uses: actions/setup-node@v3 + with: + node-version: "18" + + - name: Install Snyk CLI + run: npm install -g snyk + + - name: Authenticate with Snyk + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + run: snyk auth $SNYK_TOKEN + + - name: Snyk Code Test + run: snyk code test || true + + - name: Snyk Open Source Test + run: snyk test || true + + - name: Snyk IaC Test + run: snyk iac test || true + + - name: Snyk Container Test + # Replace with the actual image name you want to scan + run: snyk container test snyk-image || true + + - name: Set status output + id: set-status + run: echo "status=success" >> $GITHUB_OUTPUT + ################################################# # Finally, update summary for snyk-check # # Update needs statement to include snyk-checks # ################################################# summary: - needs: [terraform-checks] # add snyk-checks + needs: [terraform-checks, snyk-checks] # add snyk-checks runs-on: ubuntu-latest steps: - name: Adding markdown run: | TF_STATUS=${{ needs.terraform-checks.outputs.status }} - # SNYK_STATUS=${{ needs.snyk-checks.outputs.status }} + SNYK_STATUS=${{ needs.snyk-checks.outputs.status }} echo '## 🚀 Preparing Build Summary 🚀' >> $GITHUB_STEP_SUMMARY echo '' >> $GITHUB_STEP_SUMMARY diff --git a/Dockerfile b/Dockerfile index b73cce4..345858b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ FROM node:20-alpine WORKDIR /my-app COPY package*.json ./ -RUN npm install +RUN npm install -g npm@11.3.0 COPY . . EXPOSE 3000 CMD ["node", "index.js"] \ No newline at end of file 
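Review bot: Every scan step in the new snyk-checks job ends in `|| true` and the final step writes `status=success` unconditionally, so the `outputs.status` the summary job now reads (`SNYK_STATUS=${{ needs.snyk-checks.outputs.status }}`) can never reflect a finding and none of the four scans gates anything. If soft-fail is intended, record the real result instead, e.g. `run: snyk test; echo "status=$?" >> $GITHUB_OUTPUT` in each step and derive the job output from those, or drop `|| true` and let the job fail. Separately, `run: snyk auth $SNYK_TOKEN` passes the secret as a command-line argument where it is visible in process listings; the Snyk CLI reads `SNYK_TOKEN` from the environment, so moving `env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}` to the job level and removing the auth step keeps it out of argv. `snyk container test snyk-image` also scans an image name the workflow never builds or pulls, and `npm install -g snyk` is unpinned, so pinning (`npm install -g snyk@<pinned-version>`, placeholder) keeps the scanner itself reproducible.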
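Review bot: Replacing `RUN npm install` with `RUN npm install -g npm@11.3.0` removes the only step that installs the application's dependencies from the copied `package*.json`, so `CMD ["node", "index.js"]` will fail at container start because index.js (see the index.js hunk in this series) requires `express`. Keep both operations and prefer the lockfile-driven install for the app, e.g. `RUN npm install -g npm@11.3.0 && npm ci --omit=dev`; `npm ci` needs a package-lock.json in the context, and if the repo has none `npm install` remains the fallback.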
diff --git a/backend.tf b/backend.tf index fc474ab..11e2a0e 100644 --- a/backend.tf +++ b/backend.tf @@ -3,7 +3,7 @@ terraform { backend "s3" { bucket = "sctp-ce9-tfstate" - key = "package-vul-scan-luqman.tfstate" #Change the value of this to .tfstate for example + key = "package-vul-scan-luke.tfstate" #Change the value of this to .tfstate for example region = "us-east-1" } } \ No newline at end of file diff --git a/provider.tf b/provider.tf index 932fc88..c38103a 100644 --- a/provider.tf +++ b/provider.tf @@ -8,4 +8,6 @@ terraform { } # Configure the AWS Provider -provider "aws" {} \ No newline at end of file +provider "aws" { + region="us-east-1" + } \ No newline at end of file diff --git a/variable.tf b/variable.tf index 7ca9c38..65c6cd3 100644 --- a/variable.tf +++ b/variable.tf @@ -1,7 +1,7 @@ variable lambda_function_name { description = "Name of lambda function" type = string - default = "luqman-package-scan-lambda-fn" + default = "luke-package-scan-lambda-fn" } variable lambda_file_name { @@ -19,11 +19,11 @@ variable "iam_name" { variable "vpc_name" { description = "The ID of the VPC" type = string - default = "luqman-vpc-tf-module" + default = "luke-vpc-tf-module" } variable "created_by" { description = "The name of vpc creator" type = string - default = "luqman" + default = "luke" } From 2d31ba4872cadc8255f61df0364800733f6d31a8 Mon Sep 17 00:00:00 2001 From: Lukej-git Date: Thu, 17 Apr 2025 10:46:01 +0800 Subject: [PATCH 2/3] Edited files and CI --- .github/workflows/package-scan.yml | 20 +++++++++++------- README.md | 33 ++++++++++++++++++++---------- index.js | 8 ++++---- 3 files changed, 39 insertions(+), 22 deletions(-) diff --git a/.github/workflows/package-scan.yml b/.github/workflows/package-scan.yml index 7ead14f..3e0faab 100644 --- a/.github/workflows/package-scan.yml +++ b/.github/workflows/package-scan.yml 
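Review bot: The new provider block in provider.tf is not `terraform fmt` clean — `region="us-east-1"` has no spaces around `=` and the closing brace is indented — so the `terraform fmt -check` step this same series adds to ci.yaml will fail on it; the missing trailing newline may be flagged as well. Write it as `region = "us-east-1"` with the brace at column 0. The region is now also hard-coded in package-scan.yml's `aws-region: us-east-1`, so sourcing it from one place (a variable, or the provider's `AWS_REGION` environment lookup) would avoid the two drifting apart.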
@@ -39,7 +39,7 @@ jobs: # Ensure that you have registered for a Snyk account # Grab the API key from your username > API Key # Insert the API key in Github Actions Secret called "SNYK_TOKEN" - + package-osc-scan-snyk-scan: runs-on: ubuntu-latest needs: install-dependencies @@ -55,7 +55,7 @@ jobs: with: args: --severity-threshold=high - # We will also use Snyk to perform application code scanning + # We will also use Snyk to perform application code scanning package-app-scan-snyk-scan: runs-on: ubuntu-latest @@ -88,12 +88,18 @@ jobs: args: "--report --severity-threshold=high --scan=resource-changes" terraform-create: - needs: [package-scan-npm-audit, package-osc-scan-snyk-scan, package-app-scan-snyk-scan, package-iac-scan-snyk-scan] + needs: + [ + package-scan-npm-audit, + package-osc-scan-snyk-scan, + package-app-scan-snyk-scan, + package-iac-scan-snyk-scan, + ] runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - + - name: Set up Terraform uses: hashicorp/setup-terraform@v1 @@ -111,7 +117,7 @@ jobs: run: terraform fmt - name: Terraform plan - run: terraform plan + run: terraform plan - name: Terraform apply run: terraform apply -auto-approve @@ -130,7 +136,7 @@ jobs: steps: - uses: actions/checkout@v2 - + - name: Set up Terraform uses: hashicorp/setup-terraform@v1 @@ -140,7 +146,7 @@ jobs: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} aws-region: us-east-1 - + - name: Terraform init run: terraform init diff --git a/README.md b/README.md index 80ee68c..dd62981 100644 --- a/README.md +++ b/README.md 
@@ -2,18 +2,18 @@ ## What is package vulnerability scan? -Package vulnerability scanning refers to the process of analyzing software packages, dependencies, libraries, or modules to identify security vulnerabilities within them. +Package vulnerability scanning refers to the process of analyzing software packages, dependencies, libraries, or modules to identify security vulnerabilities within them. Software often relies on various third-party packages or libraries to provide functionality, and vulnerabilities within these dependencies can pose significant security risks to the overall application. ### Process -Package Vulnerability Scanning Process: +Package Vulnerability Scanning Process: -- Identification: Tools or services scan through the dependencies used in a project, checking against databases of known vulnerabilities. -- Analysis: The scanning process assesses the versions of these dependencies against a database of known vulnerabilities, determining if any matches are found. -- Report Generation: The scanning tools generate reports highlighting identified vulnerabilities, their severity levels, and recommended actions to mitigate the risks. -- Mitigation: Once vulnerabilities are identified, developers can take action to address these issues. Solutions might include updating to patched versions, finding alternative packages, implementing workarounds, or applying security patches. +- Identification: Tools or services scan through the dependencies used in a project, checking against databases of known vulnerabilities. +- Analysis: The scanning process assesses the versions of these dependencies against a database of known vulnerabilities, determining if any matches are found. +- Report Generation: The scanning tools generate reports highlighting identified vulnerabilities, their severity levels, and recommended actions to mitigate the risks. +- Mitigation: Once vulnerabilities are identified, developers can take action to address these issues. 
Solutions might include updating to patched versions, finding alternative packages, implementing workarounds, or applying security patches. ### Popular solutions @@ -24,25 +24,30 @@ Software often relies on various third-party packages or libraries to provide fu GitHub Dependabot: Built-in tool in GitHub that automatically checks for and creates pull requests to update dependencies. ## What is Snyk? + ![image](https://github.com/luqmannnn/serverless-package-scan/assets/9068525/f2c190b9-a470-4f85-bd13-2157b8a452a1) Snyk is a platform that allows you to scan, prioritize, and fix security vulnerabilities in your code, open-source dependencies, container images, and infrastructure as code configurations. ## Popular Snyk Commands + ### Scanning IAC (e.g. Terraform) -```snyk iac test``` + +`snyk iac test` ### Scanning Code (e.g. JavaScript, Python) -```snyk code test``` + +`snyk code test` ### Scanning Open Source Packages -```snyk test``` + +`snyk test` More detailed information can be found here: https://docs.snyk.io/integrate-with-snyk/snyk-ci-cd-integrations/github-actions-integration ## What does NPM Audit do? -The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities. +The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities. If any vulnerabilities are found, then the impact and appropriate remediation will be calculated. If the fix argument is provided, then remediations will be applied to the package tree. 
@@ -53,22 +58,28 @@ The command will exit with a 0 exit code if no vulnerabilities were found. Also note that since npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer will also apply to npm install -- so things like npm audit fix --package-lock-only will work as expected. # Getting Started + ## Register for Snyk account + 1. Sign up for a Snyk account - https://snyk.io/ 2. Once logged in, you can see an overview of linked projects e.g. Github repositories that you import in the Dashboard. -Screenshot 2023-11-25 at 12 19 45 AM + Screenshot 2023-11-25 at 12 19 45 AM 3. Get your AP token by going to the bottom left (your name) > account settings > click to show key under Auth Token > copy token > create a Github Actions Secret in your Github repository called "SNYK_TOKEN" ## Write your lambda function + 1. Refer to files/index.js for sample lambda code to be deployed. 2. There is also a files/lambda_function.py for a python version that can be deployed. Changes will need to be made in variable.tf ## Write your terraform code + 1. Create all the necessary code to build your infrastructure e.g. Lambda, IAM, VPC, Subnets etc. 2. Include your AWS SECRET KEY and AWS ACCESS KEY in Github Actions Secret. ## Write your Github Actions Workflow file + 1. Take a look at the sample .github/workflows/package-scan.yml file on a simple workflow to test IAC, Code and Open Source plugins + npm audit. ## BIG SUCCESS :D + Screenshot 2023-11-25 at 12 24 34 AM diff --git a/index.js b/index.js index 890ecd8..6c13c7d 100644 --- a/index.js +++ b/index.js @@ -1,11 +1,11 @@ -const express = require('express'); +const express = require("express"); const app = express(); const PORT = 3000; // Define a route handler for the root path -app.get('/', (req, res) => { - res.send('Hello, world!'); +app.get("/", (req, res) => { + res.send("Hello, world!"); }); // Start the server 
@@ -13,4 +13,4 @@ const server = app.listen(PORT, () => { console.log(`Server is running on http://localhost:${PORT}`); }); -module.exports = server; // Export the server instance \ No newline at end of file +module.exports = server; // Export the server instance From a970fe181aca1ccd7518b8a526b15f1bd9ae59bd Mon Sep 17 00:00:00 2001 From: Lukej-git Date: Thu, 17 Apr 2025 10:59:57 +0800 Subject: [PATCH 3/3] snyk test1 --- .github/workflows/{ci.yaml => ci.yml} | 18 ------------------ .github/workflows/package-scan.yml | 3 +-- 2 files changed, 1 insertion(+), 20 deletions(-) rename .github/workflows/{ci.yaml => ci.yml} (85%) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yml similarity index 85% rename from .github/workflows/ci.yaml rename to .github/workflows/ci.yml index 7be2969..690a578 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yml @@ -50,23 +50,6 @@ jobs: - name: Run TFLint run: tflint -f compact - ######################################## - # Add a job for snyk scan of your code # - ######################################## - - ######################################## - # job name: snyk-checks - # Enable: - # - snyk code test - # - snyk test - # - snyk iac test - # - snyk container test - # Also, enable: - # outputs: - # status: - # for use in the summary - ######################################## - snyk-checks: runs-on: ubuntu-latest outputs: @@ -98,7 +81,6 @@ jobs: run: snyk iac test || true - name: Snyk Container Test - # Replace with the actual image name you want to scan run: snyk container test snyk-image || true - name: Set status output diff --git a/.github/workflows/package-scan.yml b/.github/workflows/package-scan.yml index 3e0faab..f23e617 100644 --- a/.github/workflows/package-scan.yml +++ b/.github/workflows/package-scan.yml 
@@ -2,8 +2,7 @@ name: Package Scan With Serverless Lambda run-name: ${{ github.actor }} is performing package vulnerability scans for serverless application on: - push: - workflow_dispatch: + workflow_dispatch: # Allows manual triggering jobs: pre-deploy:
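Review bot: Dropping the `push:` trigger means the npm audit and Snyk scan jobs in this workflow (package-scan-npm-audit, package-osc-scan-snyk-scan, package-app-scan-snyk-scan, package-iac-scan-snyk-scan) now run only on a manual dispatch, so a dependency change merged to the branch is no longer scanned automatically. If the intent is to stop `terraform apply` from running on every push, keep an automatic trigger for the scans and gate only the deploy jobs, e.g. `if: github.event_name == 'workflow_dispatch'` on terraform-create. The job definitions this affects are outside the hunk.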