diff --git a/examples/security-assessments-guide/README.md b/examples/security-assessments-guide/README.md index efbdc76..beb6460 100644 --- a/examples/security-assessments-guide/README.md +++ b/examples/security-assessments-guide/README.md @@ -1,31 +1,3 @@ -## Readme - -En esta guia se analizaran principalmente tres formas distintas a traves de las cuales podemos realizan un analisis de nuestro proyecto, con el objetivo de evitar posibles vulnerabilidades. Cada una de estas formas sera en un momento distintos de la etapa de desarrollo, con lo cual pretendemos se puedan adoptar segun la estrategia mas conveniente para cada proyecto y equipo. - -Los puntos que se analizaran, seran: - -1. Early stages of Development Workflows - -- Integrar tools existentes con IDEs como VS Code e Intellij -- Git workflow: - - pre-commit/pre-push con Snyk/Trivy - - Linter configurations - - Husky - -2. Continous integration - -- Como realizar los distintos tipos de analisis ya mencionados, en un flujo de CI/CD. -- Stack principal a analizar: Github actions. -- Stack extra: Gitlab CI/CD, AWS Code Pipeline, Jenkins, Bitbucket. -- Analisis de Github Enterprise - Github Security. - -3. Scans - -- Scan de Filesystem (codigo en repositorios) -- Infra as Code -- Kubernetes -- Seguridad en contenedores - # Readme In this guide, we will primarily analyze three different ways through which we can make an analysis of our project with the goal of avoiding potential vulnerabilities. Each of these methods will be applicable at different stages of the development process, allowing them to be adopted based on the most suitable strategy for each project and team. diff --git a/examples/security-assessments-guide/assets/snyk-cicd-check-vulnerabilites.png b/examples/security-assessments-guide/assets/snyk-cicd-check-vulnerabilites.png new file mode 100644 index 0000000..8eb114e Binary files /dev/null and b/examples/security-assessments-guide/assets/snyk-cicd-check-vulnerabilites.png differ 
diff --git a/examples/security-assessments-guide/assets/snyk-cicd-example.png b/examples/security-assessments-guide/assets/snyk-cicd-example.png new file mode 100644 index 0000000..4fae858 Binary files /dev/null and b/examples/security-assessments-guide/assets/snyk-cicd-example.png differ diff --git a/examples/security-assessments-guide/assets/snyk-github.jpeg b/examples/security-assessments-guide/assets/snyk-github.jpeg new file mode 100644 index 0000000..8a3632e Binary files /dev/null and b/examples/security-assessments-guide/assets/snyk-github.jpeg differ diff --git a/examples/security-assessments-guide/continous-integration-workflow/README.md b/examples/security-assessments-guide/continous-integration-workflow/README.md new file mode 100644 index 0000000..01aead4 --- /dev/null +++ b/examples/security-assessments-guide/continous-integration-workflow/README.md 
@@ -0,0 +1,163 @@ +# Continuous Integration Workflow + +## Overview + +This guide aims to provide tools that allow us to detect potential vulnerabilities in our projects within a CI/CD workflow. + +## Table of Contents + +- [Github Actions](#github-actions) + - [Snyk](#snyk) + - [Trivy](#trivy) +- [Gitlab CI/CD](#gitlab-ci/cd) + - [Snyk](#gitlab-snyk) + - [Trivy](#gitlab-trivy) +- [AWS Pipeline](#aws-pipeline) + - [Snyk](#aws-snyk) + - [Trivy](#aws-trivy) + +## Github Actions + +## Snyk + +Snyk offers various actions on Github, which can be directly utilized from the Github Marketplace ([Snyk Github Marketplace](https://github.com/marketplace/actions/snyk)) or by referring to the official Snyk documentation ([Snyk Official Documentation](https://github.com/snyk/actions)). + +### Prerequisites + +To use these actions, the first step is to obtain our `SNYK_TOKEN`. For this purpose, consider the following: + +Every Snyk account has this token. Once you create an account ([Snyk Account Creation](https://app.snyk.io/login?utm_medium=Partner&utm_source=GitHub&utm_term=Actions-Marketplace&utm_content=signup)), you can find it in one of two ways: + +1. In the Snyk UI, go to your Snyk account's settings page ([Snyk Account Settings](https://app.snyk.io/account)) and retrieve the API token, as shown in the following [Revoking and Regenerating Snyk API Tokens](https://support.snyk.io/hc/en-us/articles/360004008278-Revoking-and-regenerating-Snyk-API-tokens). + +2. If you're using the Snyk CLI ([Snyk CLI Documentation](https://docs.snyk.io/snyk-cli/getting-started-with-the-cli)) locally, you can retrieve it by running `snyk config get api`. + +### Examples + +Once we have our SNYK_TOKEN, we can start using the actions. 
Next, we will provide a basic example of one, taking into account an application that uses Node JS: + +```yaml +name: Example workflow using Snyk +on: push +jobs: +security: +runs-on: ubuntu-latest +steps: - uses: actions/checkout@master - name: Run Snyk to check for vulnerabilities +uses: snyk/actions/node@master +env: +SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} +``` + +By integrating this `yml` file to our project, it will cause the following actions to be executed in our project: + +![Snyk CI/CD](examples/security-assessments-guide/assets/snyk-cicd-example.png) +![Snyk CI/CD vulnerabilities](examples/security-assessments-guide/assets/snyk-cicd-check-vulnerabilites.png) + +Note that this example was executed on a React app created with Vite. + +If you want to send data to Snyk, and be alerted when new vulnerabilities are discovered, you can run Snyk monitor like so: + +```yaml +name: Example workflow using Snyk +on: push +jobs: +security: +runs-on: ubuntu-latest +steps: - uses: actions/checkout@master - name: Run Snyk to check for vulnerabilities +uses: snyk/actions/node@master +env: +SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} +with: +command: monitor +``` + +### Example of reporting only on high severity vulnerabilities + +By using the args property of the action you can use all of the options and capabilities of the ([Snyk CLI](https://docs.snyk.io/snyk-cli/cli-reference)). This example shows use of the option --severity-threshold=high. 
+ +```yaml +name: Example workflow using Snyk +on: push +jobs: +security: +runs-on: ubuntu-latest +steps: - uses: actions/checkout@master - name: Run Snyk to check for vulnerabilities +uses: snyk/actions/nodemaster +env: +SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} +with: +args: --severity-threshold=high +``` + +### Use your own development environment + +The Snyk GitHub Actions for each language automatically install all the required development tools for Snyk to determine the correct dependencies and hence vulnerabilities from different language environments. If you have a workflow where you already have the development tools installed, you can instead use the snyk/actions/setup Action to install only Snyk CLI. An example follows: + +```yaml +name: Snyk example +on: push +jobs: +security: +runs-on: ubuntu-latest +steps: - uses: actions/checkout@master - uses: snyk/actions/setup@master - uses: actions/setup-go@v1 +with: +go-version: '1.19' - name: Snyk test +run: snyk test +env: +SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} +``` + +The example here uses actions/setup-go. You must select the right action to install the relevant development requirements for your project. If you are already using the same pipeline to build and test your application, you are likely already installing the relevant development requirements. + +### Continuing on error + +The above examples will fail the workflow when issues are found. If you want to ensure the Action continues, even if Snyk finds vulnerabilities, then ([continue-on-error](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepscontinue-on-error)) can be used. 
+ +```yaml +name: Example workflow using Snyk with continue on error +on: push +jobs: + security: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/node@master + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} +``` + +### GitHub Code Scanning support + +> To use this option for private repos you must have GitHub Advanced Security. +> If you see the error `Advanced Security must be enabled for this repository to use code scanning`, check that GitHub Advanced Security is enabled. For more information, see "Managing security and analysis settings for your repository." + +Snyk GitHub Actions support integration with GitHub Code Scanning to show vulnerability information on the GitHub Security tab. The following applies to Snyk GitHub Actions for Open Source languages and package managers. For information on specific languages, package managers, and processes see the pages listed in ([GitHub Actions for Open Source languages and package managers](https://docs.snyk.io/integrations/ci-cd-integrations/github-actions-integration#github-actions-for-open-source-languages-and-package-managers)) and ([GitHub Actions for Snyk Container and Snyk Infrastructure as Code](https://docs.snyk.io/integrations/ci-cd-integrations/github-actions-integration#github-actions-for-snyk-container-and-snyk-infrastructure-as-code)). + +Using `--sarif-file-output` ([Snyk CLI option](https://docs.snyk.io/snyk-cli/cli-reference)) and the ([GitHub SARIF upload action](https://docs.github.com/en/code-security/secure-coding/uploading-a-sarif-file-to-github)), you can upload Snyk scan results to the GitHub Code Scanning as shown in the example that follows. + +The Snyk Action fails when vulnerabilities are found. This would prevent the SARIF upload action from running. Thus you must use a continue-on-error option as shown in the example that follows. 
+ +```yaml +name: Example workflow using Snyk +on: push +jobs: + security: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@master + - name: Run Snyk to check for vulnerabilities + uses: snyk/actions/nodemaster + continue-on-error: true # To make sure that SARIF upload gets called + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + args: --sarif-file-output=snyk.sarif + - name: Upload result to GitHub Code Scanning + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: snyk.sarif +``` + +![Snyk GitHub Code Scanning](examples/security-assessments-guide/assets/snyk-github.jpeg) diff --git a/examples/security-assessments-guide/early-stages-of-development-workflow/README.md b/examples/security-assessments-guide/early-stages-of-development-workflow/README.md index 2664ad2..236c8ea 100644 --- a/examples/security-assessments-guide/early-stages-of-development-workflow/README.md +++ b/examples/security-assessments-guide/early-stages-of-development-workflow/README.md @@ -67,7 +67,7 @@ Here's how you'll see the results obtained in each scan: ## Git Workflow -En esta seccion se mencionaran herramientas que nos permitiran realizar distintos tipos de scans en nuestro git workflow. De esta forma, todavia estando en early stages de nuestro proceso de desarrollo, podremos detectar vulnerabilidades y corregirlas. +In this section we will mention tools that will allow us to perform different types of scans in our git workflow. This way, even being in early stages of our development process, we will be able to detect vulnerabilities and fix them. ### Pre-commit/Pre-push with Snyk/Trivy
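Review bot: in the `README.md` hunk (`@@ -1,31 +1,3 @@`) the numbered outline of the three sections (Early stages of Development Workflows, Continuous integration, Scans, with their sub-bullets) is removed together with the Spanish paragraph, and only the translated intro paragraph remains; suggest carrying the outline over in English so the top-level README still tells the reader which three sub-guides exist and what each covers. The heading also changes from `## Readme` to `# Readme`; check that this matches the heading level used by the other READMEs in the guide.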
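Review bot: in the new `continous-integration-workflow/README.md`, the step `uses: snyk/actions/nodemaster` (in the `--severity-threshold=high` example and again in the SARIF upload example) is missing the `@` between the action path and the ref, so the step cannot be resolved; it should read `uses: snyk/actions/node@master` as in the other examples. Further points in the same hunk: the Table of Contents lists Gitlab CI/CD and AWS Pipeline entries (`#gitlab-snyk`, `#gitlab-trivy`, `#aws-snyk`, `#aws-trivy`) but the file ends after the GitHub Code Scanning section, so those anchors point nowhere (and `#gitlab-ci/cd` is not how GitHub slugs that heading; it would be `#gitlab-cicd`); either add the sections or drop the entries. The image links `examples/security-assessments-guide/assets/...` are repo-root paths, but this README lives two directories down, so they should be `../assets/...`. `## Snyk` directly under `## Github Actions` should be `### Snyk` to match the nesting shown in the TOC. The first four YAML blocks show `jobs:`, `security:`, `runs-on:` and `steps:` at the same indentation, unlike the later blocks; if the file really reads that way those workflows are not valid Actions YAML. All third-party actions are referenced as `@master` (`actions/checkout@master`, `snyk/actions/node@master`, `snyk/actions/setup@master`), which pulls whatever the branch holds at run time; for a guide about catching vulnerabilities in CI, pin to a release tag or, better, a full commit SHA, and `actions/setup-go@v1` is an old major version. Finally, the directory name `continous-integration-workflow` and the asset `snyk-cicd-check-vulnerabilites.png` are misspelled (`continuous`, `vulnerabilities`); renaming now avoids breaking links once other pages reference them.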
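Review bot: in the `early-stages-of-development-workflow/README.md` hunk (`@@ -67,7 +67,7 @@`), the translated sentence `This way, even being in early stages of our development process, we will be able to detect vulnerabilities and fix them.` reads awkwardly; suggest `This way, even while still in the early stages of our development process, we can detect vulnerabilities and fix them.` Also `git workflow` in the first sentence could be capitalised as `Git workflow` to match the `## Git Workflow` heading just above it.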