From bbac234cc01a8c6b0d4f86e48649de9d9f04485e Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Wed, 12 Jun 2024 13:34:48 +0000
Subject: [PATCH 01/14] fix: Dockerfile to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-UBUNTU1604-SYSTEMD-1320131
- https://snyk.io/vuln/SNYK-UBUNTU1604-SYSTEMD-1320131
- https://snyk.io/vuln/SNYK-UBUNTU1604-SYSTEMD-1320131
- https://snyk.io/vuln/SNYK-UBUNTU1604-SYSTEMD-1320131
- https://snyk.io/vuln/SNYK-UBUNTU1604-GLIBC-6674193
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index aa79e7f..3ec1e64 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:16.04
+FROM ubuntu:xenial-20210416
 RUN apt-get update && apt-get install -y python python-pip
 RUN pip install flask
 COPY app.py /opt/

From 4600d712d472a0a0d12be35890db1fa154327c85 Mon Sep 17 00:00:00 2001
From: Annatar3 <121303940+Annatar3@users.noreply.github.com>
Date: Thu, 13 Jun 2024 10:48:02 +0400
Subject: [PATCH 02/14] Create snyk-security.yml

---
 .github/workflows/snyk-security.yml | 79 +++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 .github/workflows/snyk-security.yml

diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml
new file mode 100644
index 0000000..1822bfc
--- /dev/null
+++ b/.github/workflows/snyk-security.yml
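Review bot: The new `FROM ubuntu:xenial-20210416` is a date-snapshot pin of a release whose standard support ended in April 2021, so it closes the listed systemd/glibc advisories only as of that snapshot; no later base-image fixes will reach this image and the next scan will reopen the same class of finding. If the app only needs Flask, rebasing on a currently supported Ubuntu LTS or a `python:3-slim` tag and pinning it by digest (`FROM <image>:<tag>@sha256:<digest>`) gives both reproducibility and an ongoing patch stream. The unchanged `apt-get install -y python python-pip` line resolves to Python 2 on xenial, which is itself end-of-life, so the base choice is worth settling before further scanner-driven pins.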
@@ -0,0 +1,79 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code, +# Snyk Container and Snyk Infrastructure as Code) +# The setup installs the Snyk CLI - for more details on the possible commands +# check https://docs.snyk.io/snyk-cli/cli-reference +# The results of Snyk Code are then uploaded to GitHub Security Code Scanning +# +# In order to use the Snyk Action you will need to have a Snyk API token. +# More details in https://github.com/snyk/actions#getting-your-snyk-token +# or you can signup for free at https://snyk.io/login +# +# For more examples, including how to limit scans to only high-severity issues +# and fail PR checks, see https://github.com/snyk/actions/ + +name: Snyk Security + +on: + push: + branches: ["master" ] + pull_request: + branches: ["master"] + +permissions: + contents: read + +jobs: + snyk: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Set up Snyk CLI to check for security issues + # Snyk can be used to break the build when it detects security issues. 
+ # In this case we want to upload the SAST issues to GitHub Code Scanning + uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb + + # For Snyk Open Source you must first set up the development environment for your application's dependencies + # For example for Node + #- uses: actions/setup-node@v3 + # with: + # node-version: 16 + + env: + # This is where you will need to introduce the Snyk API token created with your Snyk account + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Runs Snyk Code (SAST) analysis and uploads result into GitHub. + # Use || true to not fail the pipeline + - name: Snyk Code test + run: snyk code test --sarif > snyk-code.sarif # || true + + # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. + - name: Snyk Open Source monitor + run: snyk monitor --all-projects + + # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk. + # Use || true to not fail the pipeline. + - name: Snyk IaC test and report + run: snyk iac test --report # || true + + # Build the docker image for testing + - name: Build a Docker image + run: docker build -t your/image-to-test . + # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. + - name: Snyk Container monitor + run: snyk container monitor your/image-to-test --file=Dockerfile + + # Push the Snyk Code results into GitHub Code Scanning tab + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk-code.sarif From 7edb88ab405f96fa9fa0e370dce28bfb0f4b882d Mon Sep 17 00:00:00 2001 From: Annatar3 <121303940+Annatar3@users.noreply.github.com> Date: Thu, 13 Jun 2024 10:56:54 +0400 Subject: [PATCH 03/14] Update snyk-security.yml --- .github/workflows/snyk-security.yml | 104 +++++++++------------------- 1 file changed, 32 insertions(+), 72 deletions(-) diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml index 1822bfc..1fdfe73 100644 
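Review bot: `run: snyk code test --sarif > snyk-code.sarif` exits non-zero whenever findings exist, and the `Upload result to GitHub Code Scanning` step has no `if: always()`, so the SARIF is uploaded only for clean scans — the inverse of the intent stated in the comment above it (`# Use || true to not fail the pipeline`, with the `|| true` itself commented out). Add `if: always()` to the upload step (or restore the `|| true`) so findings reach Code Scanning while the job still fails. `docker build -t your/image-to-test .` and the matching `snyk container monitor your/image-to-test --file=Dockerfile` still carry the template's placeholder image name, and `github/codeql-action/upload-sarif@v2` is an older major than the `actions/checkout@v4` next to it. The `pull_request` trigger will run this with an empty `SNYK_TOKEN` for pull requests from forks, since secrets are not exposed to those runs; either gate the Snyk steps on `github.event.pull_request.head.repo.full_name == github.repository` or record in a comment that fork PRs are expected to fail here.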
--- a/.github/workflows/snyk-security.yml
+++ b/.github/workflows/snyk-security.yml
@@ -1,79 +1,39 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# A sample workflow which sets up Snyk to analyze the full Snyk platform (Snyk Open Source, Snyk Code, -# Snyk Container and Snyk Infrastructure as Code) -# The setup installs the Snyk CLI - for more details on the possible commands -# check https://docs.snyk.io/snyk-cli/cli-reference -# The results of Snyk Code are then uploaded to GitHub Security Code Scanning -# -# In order to use the Snyk Action you will need to have a Snyk API token. -# More details in https://github.com/snyk/actions#getting-your-snyk-token -# or you can signup for free at https://snyk.io/login -# -# For more examples, including how to limit scans to only high-severity issues -# and fail PR checks, see https://github.com/snyk/actions/ - -name: Snyk Security - -on: - push: - branches: ["master" ] - pull_request: - branches: ["master"] - -permissions: - contents: read +name: Example workflow for Python using Snyk +on: push jobs: - snyk: - permissions: - contents: read # for actions/checkout to fetch code - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + security: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - name: Set up Snyk CLI to check for security issues - # Snyk can be used to break the build when it detects security issues. 
- # In this case we want to upload the SAST issues to GitHub Code Scanning - uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb - - # For Snyk Open Source you must first set up the development environment for your application's dependencies - # For example for Node - #- uses: actions/setup-node@v3 - # with: - # node-version: 16 - + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/python@master + continue-on-error: true # To make sure that SARIF upload gets called env: - # This is where you will need to introduce the Snyk API token created with your Snyk account SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # Runs Snyk Code (SAST) analysis and uploads result into GitHub. - # Use || true to not fail the pipeline - - name: Snyk Code test - run: snyk code test --sarif > snyk-code.sarif # || true - - # Runs Snyk Open Source (SCA) analysis and uploads result to Snyk. - - name: Snyk Open Source monitor - run: snyk monitor --all-projects - - # Runs Snyk Infrastructure as Code (IaC) analysis and uploads result to Snyk. - # Use || true to not fail the pipeline. - - name: Snyk IaC test and report - run: snyk iac test --report # || true - - # Build the docker image for testing - - name: Build a Docker image - run: docker build -t your/image-to-test . - # Runs Snyk Container (Container and SCA) analysis and uploads result to Snyk. 
- - name: Snyk Container monitor - run: snyk container monitor your/image-to-test --file=Dockerfile - - # Push the Snyk Code results into GitHub Code Scanning tab - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: snyk-code.sarif + command: code test + args: --sarif-file-output=snyk.sarif + - name: Count total number of vulnerabilities + run: | + RESULTS_LENGTH=$(jq '.runs[0].results | length' snyk.sarif) + echo "RESULTS_LENGTH=$RESULTS_LENGTH" >> $GITHUB_ENV + echo $RESULTS_LENGTH + - name: Pass_or_Fail_the_job + run: | + if [ "$RESULTS_LENGTH" != 0 ]; then + echo "Job Failed" + exit 1 + else + echo "Pass" + fi + + - name: Send notification to Microsoft Teams + uses: devpro/teams-webhook-action@v1 + if: always() + with: + webhook_url: ${{ secrets.TEAMS_WEBHOOK_URL }} + message: | + **The Snyk scan result for repo is:** ${{ job.status }} + **Number of vulnerabilities:** ${{ env.RESULTS_LENGTH }} + **Detail:** https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} From e710ad0ccbaca096efec4d2e9b1e6aaa66c6fbb4 Mon Sep 17 00:00:00 2001 From: Annatar3 <121303940+Annatar3@users.noreply.github.com> Date: Thu, 13 Jun 2024 11:01:53 +0400 Subject: [PATCH 04/14] Update snyk-security.yml --- .github/workflows/snyk-security.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml index 1fdfe73..d28246b 100644 --- a/.github/workflows/snyk-security.yml +++ b/.github/workflows/snyk-security.yml 
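Review bot: `uses: actions/checkout@master` and `uses: snyk/actions/python@master` reference mutable branches of third-party actions in a job that receives `SNYK_TOKEN`, replacing the commit-SHA pin the removed version had (`snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb`); any push to those branches runs with the token. Pin both to a full commit SHA with the tag in a trailing comment — patch 09 reintroduces `@master` for the Snyk action as well. The rewrite also drops the top-level `permissions: contents: read` block, so the job now runs with the repository's default `GITHUB_TOKEN` scope; restore it. `RESULTS_LENGTH=$(jq '.runs[0].results | length' snyk.sarif)` fails with a jq error rather than a clear message if the scan step produced no SARIF (for example when the token is absent on a fork run), so guard it with `test -f snyk.sarif || { echo "no SARIF produced"; exit 1; }` first.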
@@ -29,11 +29,10 @@ jobs: fi - name: Send notification to Microsoft Teams - uses: devpro/teams-webhook-action@v1 if: always() - with: - webhook_url: ${{ secrets.TEAMS_WEBHOOK_URL }} - message: | - **The Snyk scan result for repo is:** ${{ job.status }} - **Number of vulnerabilities:** ${{ env.RESULTS_LENGTH }} - **Detail:** https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} + run: | + curl -H 'Content-Type: application/json' -d '{ + "text": "**The Snyk scan result for repo is:** '"${{ job.status }}"'", + "**Number of vulnerabilities:** '"${{ env.RESULTS_LENGTH }}"'", + "**Detail:** https://github.com/'"${{ github.repository }}"'/actions/runs/'"${{ github.run_id }}"'" + }' ${{ secrets.TEAMS_WEBHOOK_URL }}

From e24daa93baa283500596332683e44ac9197bd7e5 Mon Sep 17 00:00:00 2001
From: Annatar3 <121303940+Annatar3@users.noreply.github.com>
Date: Thu, 13 Jun 2024 11:04:30 +0400
Subject: [PATCH 05/14] Update app.py

---
 app.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app.py b/app.py
index 36721a0..ad36c7d 100644
--- a/app.py
+++ b/app.py
@@ -4,6 +4,7 @@
 @app.route("/")
 def main():
+ api_key = "1234"
 return "Welcome!"
 @app.route('/how are you')

From e5db4e345385a4e907191aa89cf59856bdf29e76 Mon Sep 17 00:00:00 2001
From: Annatar3 <121303940+Annatar3@users.noreply.github.com>
Date: Thu, 13 Jun 2024 11:06:17 +0400
Subject: [PATCH 06/14] Update app.py

---
 app.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app.py b/app.py
index ad36c7d..fe8c403 100644
--- a/app.py
+++ b/app.py
@@ -2,6 +2,7 @@ from flask import Flask
 app = Flask(__name__)
+password = "sdasda"
 @app.route("/")
 def main():
 api_key = "1234"

From 01c94ba10c6bd582baa470eb1f77dd06dff4b882 Mon Sep 17 00:00:00 2001
From: Annatar3 <121303940+Annatar3@users.noreply.github.com>
Date: Thu, 13 Jun 2024 11:08:07 +0400
Subject: [PATCH 07/14] Update snyk-security.yml

---
 .github/workflows/snyk-security.yml | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
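Review bot: The payload assembled in the new `run:` block is not valid JSON — after the `"text"` member, `"**Number of vulnerabilities:** …"` and `"**Detail:** …"` are bare strings where the object expects `key: value` pairs, so the webhook will reject the request, and without `--fail` on curl the step still reports success. The block also splices `${{ }}` expressions directly into a shell script; `job.status`, `env.RESULTS_LENGTH`, `github.repository` and `github.run_id` are not user-controlled here, but routing them through `env:` and letting `jq` serialize the message keeps the step safe if a user-controlled context is ever added and fixes the quoting at the same time. `$RESULTS_LENGTH` is already in the environment from the earlier `$GITHUB_ENV` write in this job, so it can be read directly. Suggested rewrite of the step:
```yaml
      - name: Send notification to Microsoft Teams
        if: always()
        env:
          SCAN_STATUS: ${{ job.status }}
          RUN_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
          TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
        run: |
          jq -n --arg status "$SCAN_STATUS" --arg count "$RESULTS_LENGTH" --arg url "$RUN_URL" \
            '{text: ("**The Snyk scan result for repo is:** " + $status + "\n\n**Number of vulnerabilities:** " + $count + "\n\n**Detail:** " + $url)}' \
            | curl --fail -sS -H 'Content-Type: application/json' -d @- "$TEAMS_WEBHOOK_URL"
```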
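Review bot: `api_key = "1234"` commits a credential-shaped literal into `main()`, where it is also unused. Patches 06 and 13 add `password = "sdasda"`, `password = "1231434"` and `api_key = "23131231"` at module level in the same way; patches 12 and 14 delete them again, but every value remains in the repository history. If these are seeded only to exercise the Snyk Code scan, say so in the commit message and keep them in a clearly named test fixture rather than the served app; if any of them is a real credential it needs rotating now, and real values should be read from the environment (`os.environ["API_KEY"]`) or a secret store rather than source.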
diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml index d28246b..fc85428 100644 --- a/.github/workflows/snyk-security.yml +++ b/.github/workflows/snyk-security.yml @@ -15,24 +15,27 @@ jobs: command: code test args: --sarif-file-output=snyk.sarif - name: Count total number of vulnerabilities + id: count_vulns run: | RESULTS_LENGTH=$(jq '.runs[0].results | length' snyk.sarif) echo "RESULTS_LENGTH=$RESULTS_LENGTH" >> $GITHUB_ENV echo $RESULTS_LENGTH - name: Pass_or_Fail_the_job run: | - if [ "$RESULTS_LENGTH" != 0 ]; then - echo "Job Failed" - exit 1 - else - echo "Pass" - fi - + if [ "$RESULTS_LENGTH" != 0 ]; then + echo "Job Failed" + exit 1 + else + echo "Pass" + fi + notify: + runs-on: ubuntu-latest + needs: security + steps: - name: Send notification to Microsoft Teams - if: always() run: | curl -H 'Content-Type: application/json' -d '{ - "text": "**The Snyk scan result for repo is:** '"${{ job.status }}"'", + "text": "**The Snyk scan result for repo is:** '"${{ needs.security.result }}"'", "**Number of vulnerabilities:** '"${{ env.RESULTS_LENGTH }}"'", "**Detail:** https://github.com/'"${{ github.repository }}"'/actions/runs/'"${{ github.run_id }}"'" }' ${{ secrets.TEAMS_WEBHOOK_URL }} From a7c67d8168b49c30dfa5d9a919a5404acd55a9e3 Mon Sep 17 00:00:00 2001 From: Annatar3 <121303940+Annatar3@users.noreply.github.com> Date: Thu, 13 Jun 2024 11:09:31 +0400 Subject: [PATCH 08/14] Update snyk-security.yml --- .github/workflows/snyk-security.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml index fc85428..fc310a5 100644 --- a/.github/workflows/snyk-security.yml +++ b/.github/workflows/snyk-security.yml 
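Review bot: `${{ env.RESULTS_LENGTH }}` is now read from the new `notify` job, but values written to `$GITHUB_ENV` are scoped to the job that wrote them, so the Teams message will always show an empty count. `id: count_vulns` is the right first step, but the step writes nothing to `$GITHUB_OUTPUT` and the `security` job declares no `outputs:` mapping, so there is still no path for the number to cross jobs; patches 08 and 11 change the reference again without adding that mapping. Dropping `if: always()` from the notification also means `notify` is skipped whenever `security` fails, which is exactly the case the message exists for. The `security` job header is above this hunk; the minimal wiring is:
```yaml
  security:
    # … unchanged: runs-on …
    outputs:
      results_length: ${{ steps.count_vulns.outputs.results_length }}
    steps:
      # … unchanged: checkout and Snyk scan steps …
      - name: Count total number of vulnerabilities
        id: count_vulns
        run: |
          RESULTS_LENGTH=$(jq '.runs[0].results | length' snyk.sarif)
          echo "RESULTS_LENGTH=$RESULTS_LENGTH" >> "$GITHUB_ENV"
          echo "results_length=$RESULTS_LENGTH" >> "$GITHUB_OUTPUT"
      # … unchanged: Pass_or_Fail_the_job …
  notify:
    runs-on: ubuntu-latest
    needs: security
    if: always()
    steps:
      - name: Send notification to Microsoft Teams
        # … unchanged: run block, with ${{ env.RESULTS_LENGTH }} replaced by ${{ needs.security.outputs.results_length }} …
```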
@@ -5,10 +5,10 @@ jobs: security: runs-on: ubuntu-latest steps: - - uses: actions/checkout@master + - uses: actions/checkout@v2 - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/python@master - continue-on-error: true # To make sure that SARIF upload gets called + uses: snyk/actions/python@v1 + continue-on-error: true env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: @@ -19,15 +19,16 @@ jobs: run: | RESULTS_LENGTH=$(jq '.runs[0].results | length' snyk.sarif) echo "RESULTS_LENGTH=$RESULTS_LENGTH" >> $GITHUB_ENV - echo $RESULTS_LENGTH + echo "::set-output name=results_length::$RESULTS_LENGTH" - name: Pass_or_Fail_the_job run: | - if [ "$RESULTS_LENGTH" != 0 ]; then + if [ "$RESULTS_LENGTH" -ne 0 ]; then echo "Job Failed" exit 1 else echo "Pass" fi + notify: runs-on: ubuntu-latest needs: security @@ -36,6 +37,6 @@ jobs: run: | curl -H 'Content-Type: application/json' -d '{ "text": "**The Snyk scan result for repo is:** '"${{ needs.security.result }}"'", - "**Number of vulnerabilities:** '"${{ env.RESULTS_LENGTH }}"'", + "**Number of vulnerabilities:** '"${{ needs.security.outputs.results_length }}"'", "**Detail:** https://github.com/'"${{ github.repository }}"'/actions/runs/'"${{ github.run_id }}"'" }' ${{ secrets.TEAMS_WEBHOOK_URL }} From 870130eab0775b9eed5ae535fab6f1de7f6b2f71 Mon Sep 17 00:00:00 2001 From: Annatar3 <121303940+Annatar3@users.noreply.github.com> Date: Thu, 13 Jun 2024 11:10:27 +0400 Subject: [PATCH 09/14] Update snyk-security.yml --- .github/workflows/snyk-security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml index fc310a5..74697bc 100644 --- a/.github/workflows/snyk-security.yml +++ b/.github/workflows/snyk-security.yml 
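Review bot: `uses: actions/checkout@v2` moves the checkout to a major that has been superseded twice (the workflow started with `actions/checkout@v4` in patch 02) and runs on Node 12, which GitHub has deprecated; `actions/checkout@v4`, or better a full commit SHA, is the version to pin. `snyk/actions/python@v1` at least looks like a fixed ref, but I cannot confirm from this page that such a tag exists, and patch 09 reverts it to `@master`, which suggests it did not resolve; a commit SHA avoids both the mutable-branch exposure of the token and the guesswork about tag names. Removing the trailing comment from `continue-on-error: true` loses the only explanation of why the scan step is allowed to fail; keep a short `# keep going so the SARIF is counted and reported` on that line.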
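Review bot: `echo "::set-output name=results_length::$RESULTS_LENGTH"` uses the deprecated `set-output` workflow command, which current runners warn about; write `echo "results_length=$RESULTS_LENGTH" >> "$GITHUB_OUTPUT"` instead. Even with that, the third hunk's `${{ needs.security.outputs.results_length }}` stays empty because the `security` job declares no `outputs:` block mapping `steps.count_vulns.outputs.results_length` — the job header is above the first hunk, so that addition falls outside this patch. The move to `[ "$RESULTS_LENGTH" -ne 0 ]` is fine: an empty or non-numeric value makes the test error out, so the step still fails closed rather than passing silently.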
@@ -7,7 +7,7 @@ jobs: steps: - uses: actions/checkout@v2 - name: Run Snyk to check for vulnerabilities - uses: snyk/actions/python@v1 + uses: snyk/actions/python@master continue-on-error: true env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} From 203f8963a4788a400c7937ade020e9f1b5634f33 Mon Sep 17 00:00:00 2001 From: Annatar3 <121303940+Annatar3@users.noreply.github.com> Date: Thu, 13 Jun 2024 11:16:22 +0400 Subject: [PATCH 10/14] Update snyk-security.yml From d49a26f0c682fd0c7494d5a2d529eec46422464e Mon Sep 17 00:00:00 2001 From: Annatar3 <121303940+Annatar3@users.noreply.github.com> Date: Thu, 13 Jun 2024 11:18:48 +0400 Subject: [PATCH 11/14] Update snyk-security.yml --- .github/workflows/snyk-security.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/snyk-security.yml b/.github/workflows/snyk-security.yml index 74697bc..b586ec7 100644 --- a/.github/workflows/snyk-security.yml +++ b/.github/workflows/snyk-security.yml @@ -31,12 +31,13 @@ jobs: notify: runs-on: ubuntu-latest - needs: security + needs: [security] + if: always() steps: - name: Send notification to Microsoft Teams run: | curl -H 'Content-Type: application/json' -d '{ "text": "**The Snyk scan result for repo is:** '"${{ needs.security.result }}"'", - "**Number of vulnerabilities:** '"${{ needs.security.outputs.results_length }}"'", + "**Number of vulnerabilities:** '"${{ needs.security.outputs.count_vulns.results_length }}"'", "**Detail:** https://github.com/'"${{ github.repository }}"'/actions/runs/'"${{ github.run_id }}"'" }' ${{ secrets.TEAMS_WEBHOOK_URL }} From 24b0a94818b6090b1ebf6f96325bf6f06443432e Mon Sep 17 00:00:00 2001 From: Annatar3 <121303940+Annatar3@users.noreply.github.com> Date: Thu, 13 Jun 2024 11:23:32 +0400 Subject: [PATCH 12/14] Update app.py --- app.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/app.py b/app.py index fe8c403..36721a0 100644 --- a/app.py +++ b/app.py 
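Review bot: `${{ needs.security.outputs.count_vulns.results_length }}` is not a valid outputs path — `needs.<job>.outputs` is the flat map the job declares under `outputs:`, and a step id is never part of it — so the count is still rendered empty in the message. The expression should be `${{ needs.security.outputs.results_length }}` backed by an `outputs:` block on the `security` job (its header is outside this hunk). Adding `if: always()` to `notify` is correct: `continue-on-error` covers only the Snyk step, so the `exit 1` in `Pass_or_Fail_the_job` would otherwise skip the notification on every failed scan.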
@@ -2,10 +2,8 @@ from flask import Flask
 app = Flask(__name__)
-password = "sdasda"
 @app.route("/")
 def main():
- api_key = "1234"
 return "Welcome!"
 @app.route('/how are you')

From 1ba5d42134380e6e2ab60465172b4330b15932fb Mon Sep 17 00:00:00 2001
From: Annatar3 <121303940+Annatar3@users.noreply.github.com>
Date: Thu, 13 Jun 2024 11:26:23 +0400
Subject: [PATCH 13/14] Update app.py

---
 app.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/app.py b/app.py
index 36721a0..6bff9b6 100644
--- a/app.py
+++ b/app.py
@@ -2,6 +2,8 @@ from flask import Flask
 app = Flask(__name__)
+password = "1231434"
+api_key = "23131231"
 @app.route("/")
 def main():
 return "Welcome!"

From 7e28ea0c51f94b7e5a70f9f8212e14f509e99a26 Mon Sep 17 00:00:00 2001
From: Annatar3 <121303940+Annatar3@users.noreply.github.com>
Date: Thu, 13 Jun 2024 12:09:43 +0400
Subject: [PATCH 14/14] Update app.py

---
 app.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/app.py b/app.py
index 6bff9b6..36721a0 100644
--- a/app.py
+++ b/app.py
@@ -2,8 +2,6 @@ from flask import Flask
 app = Flask(__name__)
-password = "1231434"
-api_key = "23131231"
 @app.route("/")
 def main():
 return "Welcome!"