From 4c2fdec8af517d816ffa1c34f4a614ab5a40d91d Mon Sep 17 00:00:00 2001
From: Alex Nitu
Date: Tue, 16 Apr 2024 17:30:04 +0100
Subject: [PATCH] fix: Circle config update, add prodsec orb scans
---
 .circleci/config.yml | 152 +++++++++++++++-----------
 src/lib/find-files.ts | 1 +
 src/scripts/sync/clone-and-analyze.ts | 1 +
 3 files changed, 93 insertions(+), 61 deletions(-)
diff --git a/.circleci/config.yml b/.circleci/config.yml
index f66e598a..84c58dbc 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,66 +1,96 @@
 version: 2.1
 orbs:
- snyk: snyk/snyk@1.1.2
+ prodsec: snyk/prodsec-orb@1.1
+
+features_only: &features_only
+ filters:
+ branches:
+ ignore: master
+
+main_only: &main_only
+ filters:
+ branches:
+ only: master
+
+defaults: &defaults
+ resource_class: small
+ docker:
+ - image: circleci/node:12
+
 jobs:
- build-test-monitor:
- docker:
- - image: circleci/node:12
- steps:
- - checkout
- - run: npm install
- - run: npm test
- - run: npx semantic-release
- build-test:
- docker:
- - image: circleci/node:12
- steps:
- - checkout
- - run: npm install
- - run: npm test
- - run: npx tsc
- - run: npm run pkg-binaries-linux
- - run: ./snyk-api-import-linux help
- build-test-from-fork:
- docker:
- - image: circleci/node:12
- steps:
- - checkout
- - run: npm install
- - run: npm test
- - run: npx tsc
+ security-scans:
+ <<: *defaults
+ steps:
+ - checkout
+ - run: npm install
+ - prodsec/security_scans:
+ mode: auto
+ release-branch: master # TODO: remove when master branch is renamed
+ iac-scan: disabled
+ open-source-scan: critical # TODO: remove this once Axios vulns are fixed
+
+ build-test-monitor:
+ <<: *defaults
+ steps:
+ - checkout
+ - run: npm install
+ - run: npm test
+ - run: npx semantic-release
+
+ build-test:
+ <<: *defaults
+ steps:
+ - checkout
+ - run: npm install
+ - run: npm test
+ - run: npx tsc
+ - run: npm run pkg-binaries-linux
+ - run: ./snyk-api-import-linux help
+
+ build-test-from-fork:
+ <<: *defaults
+ steps:
+ - checkout
+ - run: npm install
+ - run: npm test
+ - run: npx tsc
+
 workflows:
- version: 2
- nightly:
- triggers:
- - schedule:
- cron: "0 0 * * *"
- filters:
- branches:
- only:
- - master
- jobs:
- - build-test-monitor:
- context: SNYK
+ version: 2
+
+ CICD:
+ jobs:
+ - security-scans:
+ name: Security Scans
+ context: analysis_import
+
+ - prodsec/secrets-scan:
+ name: Scan repository for secrets
+ context: snyk-bot-slack
+ channel: snyk-on-snyk-analysis_import
+
+ nightly:
+ triggers:
+ - schedule:
+ cron: '0 0 * * *'
+ <<: *main_only
+ jobs:
+ - build-test-monitor:
+ context: snyk-api-import
+
+ build-test-monitor:
+ jobs:
+ - build-test-monitor:
+ context: snyk-api-import
+ <<: *main_only
- build-test-monitor:
- jobs:
- - build-test-monitor:
- context: SNYK
- filters:
- branches:
- only:
- - master
- build-test:
- jobs:
- - build-test:
- context: SNYK
- filters:
- branches:
- ignore:
- - master
- - /pull\/[0-9]+/
- - build-test-from-fork:
- filters:
- branches:
- only:
- - /pull\/[0-9]+/
+ build-test:
+ jobs:
+ - build-test:
+ context: snyk-api-import
+ <<: *features_only
+ - build-test-from-fork:
+ filters:
+ branches:
+ only:
+ - /pull\/[0-9]+/
diff --git a/src/lib/find-files.ts b/src/lib/find-files.ts
index 4229ad03..66aef7c7 100644
--- a/src/lib/find-files.ts
+++ b/src/lib/find-files.ts
@@ -114,6 +114,7 @@ function findFile(
 return path;
 }
 } else {
+ // deepcode ignore reDOS: path is supplied by trusted user of API (not externally supplied)
 if (matches(path, ignore)) {
 return null;
 }
diff --git a/src/scripts/sync/clone-and-analyze.ts b/src/scripts/sync/clone-and-analyze.ts
index 264838d3..bb84bef5 100644
--- a/src/scripts/sync/clone-and-analyze.ts
+++ b/src/scripts/sync/clone-and-analyze.ts
@@ -46,6 +46,7 @@ export async function cloneAndAnalyze(
 if (!repoPath) {
 throw new Error('No location returned for clones repo to analyze');
 }
+ // deepcode ignore reDOS: path is supplied by trusted user of API (not externally supplied)
 const { files } = await find(
 repoPath,
 [...defaultExclusionGlobs, ...exclusionGlobs],
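Review bot: `open-source-scan: critical` in the new `security-scans` job lowers the failure threshold for every dependency finding, not only the Axios issues the TODO names, so any high-severity issue introduced while that TODO stays open passes CI without a trace. A narrower exception would keep the default threshold and record the specific Axios issues as ignores with an expiry in the repository's `.snyk` policy file, so the exception lapses on its own and unrelated findings still fail the job. `iac-scan: disabled` carries no reason at all; if the repository simply has no IaC to scan, a comment saying so stops the next reader from re-enabling it blindly, and both TODOs are easier to act on as `# TODO(ISSUE-ID-PLACEHOLDER): …` with a tracking reference. The `CICD` workflow has no branch filter, so `security-scans` with `context: analysis_import` presumably also runs for fork pull requests; whether that context's secrets are exposed to forked builds depends on the project's CircleCI setting for forked PRs, which is worth confirming before merging.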
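Review bot: The justification on the new `deepcode ignore reDOS` line names `path` as the trusted input, but a ReDoS finding on `matches(path, ignore)` presumably concerns the `ignore` patterns, since the pattern side is what drives regex backtracking cost, and the comment says nothing about where `ignore` comes from. Restating it in terms of both inputs makes the suppression auditable, e.g. `// deepcode ignore reDOS: both the path and the ignore globs are supplied by the operator running this tool, not by external input`. The same wording is added in src/scripts/sync/clone-and-analyze.ts above `const { files } = await find(`, where `exclusionGlobs` is the pattern source, so that comment should make the same statement about the globs; as I understand it the ignore applies only to the line directly below it, so if the finding was reported on the argument line of that multi-line call it would not be suppressed there. `findFile` and `cloneAndAnalyze` both start outside their hunks, so the origin of `ignore` and `exclusionGlobs` cannot be confirmed from here.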