Feature/snyk

.github/workflows/ci.yml

@@ -0,0 +1,112 @@
+name: CI Checks
+run-name: Running Terraform Checks by ${{ github.actor }}
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  Initial-Checks:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Getting initiator name
+        run: echo "Workflow initiated by ${{ github.actor }} from branch ${{ github.ref_name }}"
+
+  terraform-checks:
+    runs-on: ubuntu-latest
+    needs: Initial-Checks
+    outputs:
+      status: ${{ job.status }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: check current directory
+        run: ls
+
+      - name: Terraform fmt
+        id: fmt
+        run: terraform fmt -check
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+
+      - uses: terraform-linters/setup-tflint@v3
+        with:
+          tflint_version: latest
+
+      - name: Show version
+        run: tflint --version
+
+      - name: Init TFLint
+        run: tflint --init
+
+      - name: Run TFLint
+        run: tflint -f compact
+
+  snyk-checks:
+    runs-on: ubuntu-latest
+    outputs:
+      status: ${{ steps.set-status.outputs.status }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Set up Node.js (for snyk CLI)
+        uses: actions/setup-node@v3
+        with:
+          node-version: "18"
+
+      - name: Install Snyk CLI
+        run: npm install -g snyk
+
+      - name: Authenticate with Snyk
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        run: snyk auth $SNYK_TOKEN
+
+      - name: Snyk Code Test
+        run: snyk code test || true
+
+      - name: Snyk Open Source Test
+        run: snyk test || true
+
+      - name: Snyk IaC Test
+        run: snyk iac test || true
+
+      - name: Snyk Container Test
+        run: snyk container test snyk-image || true
+
+      - name: Set status output
+        id: set-status
+        run: echo "status=success" >> $GITHUB_OUTPUT
+
+  #################################################
+  # Finally, update summary for snyk-check        #
+  # Update needs statement to include snyk-checks #
+  #################################################
+  summary:
+    needs: [terraform-checks, snyk-checks] # add snyk-checks
+    runs-on: ubuntu-latest
+    steps:
+      - name: Adding markdown
+        run: |
+          TF_STATUS=${{ needs.terraform-checks.outputs.status }}
+          SNYK_STATUS=${{ needs.snyk-checks.outputs.status }}
+
+          echo '## 🚀 Preparing Build Summary 🚀' >> $GITHUB_STEP_SUMMARY
+          echo '' >> $GITHUB_STEP_SUMMARY
+
+          echo "| Job Name        | Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|-----------------|--------|" >> $GITHUB_STEP_SUMMARY
+          echo "| tf-check       | $TF_STATUS |" >> $GITHUB_STEP_SUMMARY
+          # echo " snyk-check     | $SNYK_STATUS |" >> $GITHUB_STEP_SUMMARY
+          echo '' >> $GITHUB_STEP_SUMMARY
+
+          echo '## Job ran by: ${{ github.actor }}' >> $GITHUB_STEP_SUMMARY

.github/workflows/package-scan.yml

@@ -2,8 +2,7 @@ name: Package Scan With Serverless Lambda
 run-name: ${{ github.actor }} is performing package vulnerability scans for serverless application
 
 on:
-  push:
-  workflow_dispatch:
+  workflow_dispatch: # Allows manual triggering
 
 jobs:
   pre-deploy:
@@ -39,7 +38,7 @@ jobs:
   # Ensure that you have registered for a Snyk account
   # Grab the API key from your username > API Key
   # Insert the API key in Github Actions Secret called "SNYK_TOKEN"
-  
+
   package-osc-scan-snyk-scan:
     runs-on: ubuntu-latest
     needs: install-dependencies
@@ -55,7 +54,7 @@ jobs:
         with:
           args: --severity-threshold=high
 
-  # We will also use Snyk to perform application code scanning 
+  # We will also use Snyk to perform application code scanning
 
   package-app-scan-snyk-scan:
     runs-on: ubuntu-latest
@@ -88,12 +87,18 @@ jobs:
           args: "--report --severity-threshold=high --scan=resource-changes"
 
   terraform-create:
-    needs: [package-scan-npm-audit, package-osc-scan-snyk-scan, package-app-scan-snyk-scan, package-iac-scan-snyk-scan]
+    needs:
+      [
+        package-scan-npm-audit,
+        package-osc-scan-snyk-scan,
+        package-app-scan-snyk-scan,
+        package-iac-scan-snyk-scan,
+      ]
     runs-on: ubuntu-latest
 
     steps:
       - uses: actions/checkout@v2
-      
+
       - name: Set up Terraform
         uses: hashicorp/setup-terraform@v1
 
@@ -111,7 +116,7 @@ jobs:
         run: terraform fmt
 
       - name: Terraform plan
-        run: terraform plan 
+        run: terraform plan
 
       - name: Terraform apply
         run: terraform apply -auto-approve
@@ -130,7 +135,7 @@ jobs:
 
     steps:
       - uses: actions/checkout@v2
-      
+
       - name: Set up Terraform
         uses: hashicorp/setup-terraform@v1
 
@@ -140,7 +145,7 @@ jobs:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
-      
+
       - name: Terraform init
         run: terraform init
 

Dockerfile

@@ -1,7 +1,7 @@
 FROM node:20-alpine
 WORKDIR /my-app 
 COPY package*.json ./
-RUN npm install
+RUN npm install -g npm@11.3.0
 COPY . .
 EXPOSE 3000
 CMD ["node", "index.js"]

README.md

@@ -2,18 +2,18 @@
 
 ## What is package vulnerability scan?
 
-Package vulnerability scanning refers to the process of analyzing software packages, dependencies, libraries, or modules to identify security vulnerabilities within them. 
+Package vulnerability scanning refers to the process of analyzing software packages, dependencies, libraries, or modules to identify security vulnerabilities within them.
 
 Software often relies on various third-party packages or libraries to provide functionality, and vulnerabilities within these dependencies can pose significant security risks to the overall application.
 
 ### Process
 
-<b>Package Vulnerability Scanning Process:</b> 
+<b>Package Vulnerability Scanning Process:</b>
 
-- <b>Identification:</b>  Tools or services scan through the dependencies used in a project, checking against databases of known vulnerabilities.
-- <b>Analysis:</b>  The scanning process assesses the versions of these dependencies against a database of known vulnerabilities, determining if any matches are found.
-- <b>Report Generation:</b>  The scanning tools generate reports highlighting identified vulnerabilities, their severity levels, and recommended actions to mitigate the risks.
-- <b>Mitigation:</b>  Once vulnerabilities are identified, developers can take action to address these issues. Solutions might include updating to patched versions, finding alternative packages, implementing workarounds, or applying security patches.
+- <b>Identification:</b> Tools or services scan through the dependencies used in a project, checking against databases of known vulnerabilities.
+- <b>Analysis:</b> The scanning process assesses the versions of these dependencies against a database of known vulnerabilities, determining if any matches are found.
+- <b>Report Generation:</b> The scanning tools generate reports highlighting identified vulnerabilities, their severity levels, and recommended actions to mitigate the risks.
+- <b>Mitigation:</b> Once vulnerabilities are identified, developers can take action to address these issues. Solutions might include updating to patched versions, finding alternative packages, implementing workarounds, or applying security patches.
 
 ### Popular solutions
 
@@ -24,25 +24,30 @@ Software often relies on various third-party packages or libraries to provide fu
 <b>GitHub Dependabot:</b> Built-in tool in GitHub that automatically checks for and creates pull requests to update dependencies.
 
 ## What is Snyk?
+
 ![image](https://github.com/luqmannnn/serverless-package-scan/assets/9068525/f2c190b9-a470-4f85-bd13-2157b8a452a1)
 
 Snyk is a platform that allows you to scan, prioritize, and fix security vulnerabilities in your code, open-source dependencies, container images, and infrastructure as code configurations.
 
 ## Popular Snyk Commands
+
 ### Scanning IAC (e.g. Terraform)
-```snyk iac test```
+
+`snyk iac test`
 
 ### Scanning Code (e.g. JavaScript, Python)
-```snyk code test```
+
+`snyk code test`
 
 ### Scanning Open Source Packages
-```snyk test```
+
+`snyk test`
 
 More detailed information can be found here: https://docs.snyk.io/integrate-with-snyk/snyk-ci-cd-integrations/github-actions-integration
 
 ## What does NPM Audit do?
 
-The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities. 
+The audit command submits a description of the dependencies configured in your project to your default registry and asks for a report of known vulnerabilities.
 
 If any vulnerabilities are found, then the impact and appropriate remediation will be calculated. If the fix argument is provided, then remediations will be applied to the package tree.
 
@@ -53,22 +58,28 @@ The command will exit with a 0 exit code if no vulnerabilities were found.
 Also note that since npm audit fix runs a full-fledged npm install under the hood, all configs that apply to the installer will also apply to npm install -- so things like npm audit fix --package-lock-only will work as expected.
 
 # Getting Started
+
 ## Register for Snyk account
+
 1. Sign up for a Snyk account - https://snyk.io/
 2. Once logged in, you can see an overview of linked projects e.g. Github repositories that you import in the Dashboard.
-<img width="1440" alt="Screenshot 2023-11-25 at 12 19 45 AM" src="https://github.com/luqmannnn/serverless-package-scan/assets/9068525/7f1a9968-f8d6-44bc-adfa-0c82cf1600b2">
+   <img width="1440" alt="Screenshot 2023-11-25 at 12 19 45 AM" src="https://github.com/luqmannnn/serverless-package-scan/assets/9068525/7f1a9968-f8d6-44bc-adfa-0c82cf1600b2">
 3. Get your AP token by going to the bottom left (your name) > account settings > click to show key under Auth Token > copy token > create a Github Actions Secret in your Github repository called "SNYK_TOKEN"
 
 ## Write your lambda function
+
 1. Refer to files/index.js for sample lambda code to be deployed.
 2. There is also a files/lambda_function.py for a python version that can be deployed. Changes will need to be made in variable.tf
 
 ## Write your terraform code
+
 1. Create all the necessary code to build your infrastructure e.g. Lambda, IAM, VPC, Subnets etc.
 2. Include your AWS SECRET KEY and AWS ACCESS KEY in Github Actions Secret.
 
 ## Write your Github Actions Workflow file
+
 1. Take a look at the sample .github/workflows/package-scan.yml file on a simple workflow to test IAC, Code and Open Source plugins + npm audit.
 
 ## BIG SUCCESS :D
+
 <img width="1440" alt="Screenshot 2023-11-25 at 12 24 34 AM" src="https://github.com/luqmannnn/serverless-package-scan/assets/9068525/fc3b8321-d1ab-4b5f-8378-d26c87d27c5c">

backend.tf

@@ -3,7 +3,7 @@
 terraform {
   backend "s3" {
     bucket = "sctp-ce9-tfstate"
-    key    = "package-vul-scan-luqman.tfstate" #Change the value of this to <your suggested name>.tfstate for  example
+    key    = "package-vul-scan-luke.tfstate" #Change the value of this to <your suggested name>.tfstate for  example
     region = "us-east-1"
   }
 }