Description

To make it easier for organisations to use the Action by using a Docker image that contains all the code and dependencies without having to download them. This also ensures that the required version of Python is installed.

Propose Solution

https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action

[optional] Alternative Solutions

None right now

Description

We should have the ability to match a package and version data to trigger an criteria match.

Propose Solution

Currently to my knowledge we don't have this data present in the GraphQL API

Only Ranges and some other metadata is present

• https://docs.github.com/en/graphql/reference/objects#securityvulnerability

[optional] Alternative Solutions

Description

We need some introductional docs on how to setup and use this Action using a GitHub App.

Related:

• #50
  • #51

+cc @4bg0P

Propose Solution

• New Document
• Reasoning for using GitHub App versus a PAT
• Full example workflow
  • Using peter-murray/workflow-application-token-action?

Describe the bug
Code scanning fails for new branch when there's an alert for master branch. The fix for the alert is in the new branch.

To Reproduce
Steps to reproduce the behavior:

1. Hard code a password in master and run the action against it. It will generate a code scanning alert
2. Open a pull request with a fix for the hard coded password
3. Action will fail in the new pull request even if there's a fix for the issue in there

Expected behavior
Action should succeed in the new pull request as there's a fix for the code scanning alert

Screenshots
Error in master:

Just master is an option here:

Action still fails in fix pull request :

Change that fixes the issue:

Description

We should add the ability to cache some content if multiple checks use the same data.

Caching should be optional and enabled by default.

Propose Solution

Easiest way into cache the content in the .compliance folder.

Example:

if getContent('codescanning'):
    alerts = readContent('codescanning')
else:
    alerts = createRequest('codescanning')
    writeContent(alerts, 'codescanning')

[optional] Alternative Solutions

Using a requests module caching works very well.

Describe the bug
We have updated to the v1.6.3.
This newer version gives the following error
"message": "Field 'dependencyGraphManifests' doesn't exist on type 'Repository'"

We used the following command line options to disable licensing ( --disable-dependency-licensing --disable-dependencies) and got the same error.

We grabbed the GraphQL GRAPHQL_DEPENDENCY_INFO from dependency.py and got the same error calling the GraphQL API directly.

We compared the GitHub Cloud API (https://docs.github.com/en/graphql/overview/schema-previews) with the GitHut Enterprise API (https://docs.github.com/en/[email protected]/graphql/overview/schema-previews).

GitHub Cloud API has a section called 'Access to a repositories dependency graph preview'.
GitHub Enterprise API does NOT have this section.

Are we correct in assuming this functionality has not been released for GitHub Enterprise yet?

Is this functionality required for dependabot policy functionality?
If it is, which GitHub Enterprise version will support 'Access to a repositories dependency graph preview'?

To Reproduce
Steps to reproduce the behavior:

1. Run action with dependabot enabled on GitHub Enterprise @3.6.2

Expected behavior
Dependabot policy functionality works as it already does on GitHub Cloud

Description

Currently the policy file validation is done with a number of checks verses using a well structured Python dataclass data models

Propose Solution

Move to using dataclass.

[optional] Alternative Solutions

A clear and concise description of any alternative solutions or features you've considered.

Describe the bug
Licensing: Condition ID check not implemented
When a licensing policy with only condition ids such as:

licensing:
  conditions:
    ids:
      - GPL*

The GraphQL query on line 56 of ghascompliace/octokit/dependabot.py doesn't currently pull the spdxId, the short identifier specified by https://spdx.org/licenses.
The function checkViolationAgainstPolicy in ghascompliance/policy.py processes the results. The spdxId included when running matchContents, resulting in checks passing when they should fail.

To Reproduce
Steps to reproduce the behavior:

1. Add only a condition check on ids to the licenses policy for a known license in the repository.
2. Run a license check.

Expected behavior
License check should fail.

Describe the bug
There is a code scanning severity called note and currently the action doesn't recognize it.

Warning: Unknown Severity used - note

To Reproduce
Steps to reproduce the behavior:

1. Fork this repo
2. Run CodeQL with security-and-quality queries to get note alerts
3. Run GHASC action with severity: notes

Expected behavior
Seems that it should detect the note severity.

Describe the bug
I receive an Unknown Exception within the Dependency Graph section.

Without a token, I receive this info:

Dependency Graph
  Error: Unknown Exception was hit, please repo this to https://github.com/GeekMasher/advanced-security-Compliance
  Error: Query failed to run by returning code of 502. {
      repository(owner: "recurforever", name: "recur-platform") {
          name
          licenseInfo {
              name
          }
          dependencyGraphManifests {
              totalCount
              edges {
                  node {
                      filename
                      dependencies {
                          edges {
                              node {
                                  packageName
                                  packageManager
                                  requirements
                                  repository {
                                      isArchived
                                      isDisabled
                                      isEmpty
                                      isFork
                                      isSecurityPolicyEnabled
                                      isInOrganization
                                      licenseInfo {
                                          name
                                      }
                                  }
                              }
                          }
                      }
                  }
              }
          }
      }
  }

With my GITHUB_TOKEN:

Dependency Graph
  Error: {
    "data": {
      "repository": {
        "name": "recur-platform",
        "licenseInfo": null,
        "dependencyGraphManifests": {
          "totalCount": 0,
          "edges": []
        }
      }
    },
    "errors": [
      {
        "path": [
          "repository",
          "dependencyGraphManifests"
        ],
        "locations": [
          {
            "line": 7,
            "column": 9
          }
        ],
        "message": "timedout"
      }
    ]
  }
  Error: Unknown Exception was hit, please repo this to https://github.com/GeekMasher/advanced-security-Compliance
  Error: Query failed to run

To Reproduce
Steps to reproduce the behavior:

1. Added this as a step in a github workflow with no other steps:

  compliance:
    runs-on: [ubuntu-20.04]
    steps:
      - name: Check Compliance
        uses: GeekMasher/[email protected]
        with:
          policy-path: ghas_compliance.yml
          argvs: '--disable-dependabot --disable-secret-scanning'
          action: break
          token: ${{ secrets.GITHUB_TOKEN }}

Expected behavior
The dependency graph would successfully complete.

Description

Once the Dependency Review API is present we should pull data from a PR on security and licensing.

Propose Solution

NA

[optional] Alternative Solutions

Currently we pull the GraphQL API for the default branch.

Describe the bug
A clear and concise description of what the bug is.

Transitive dependencies are not being scanned as part of the Dependency Graph.

To Reproduce
Steps to reproduce the behavior:

1. Run the compliance Action
2. Check the Insights verses the full count of in the Action logs

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Add any other context about the problem here.

Describe the bug
I've got a sample license and policy file in a repo (see this current PR), but the action run is saying the repo can not be cloned. I'm trying to test this in a single repo in our org to validate that we can scan for licensing issues in dependencies, assuming I can get this to work in a single repo then I would likely move the policy file to our org's .github repo and reference that policy file in other repos but for now have the policy file in the same repo where the licensing action is running. Problem is I'm not sure if I'm referencing the policy file correctly or not. Also not sure after reading the auth docs if we've got a Personal Access Token set up correctly for the ACCESS_TOKEN in the action. So I'm hoping you can take a look at our PR and failed action run to recommend any changes to the licensing action, the policy file and its location, or our access token set up. Once we get it triaged, I'd be happy to help with a PR here to add to the docs for places where I got tripped up.

To Reproduce
Steps to reproduce the behavior:

1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: [e.g. iOS]
• Browser [e.g. chrome, safari]
• Version [e.g. 22]

Smartphone (please complete the following information):

• Device: [e.g. iPhone6]
• OS: [e.g. iOS8.1]
• Browser [e.g. stock browser, safari]
• Version [e.g. 22]

Additional context
Add any other context about the problem here.

Description

Have the ability to create security based GitHub Issues in a repository.
This will allow users to track security issues / violations across an organisation in GitHub.

By default this should be disabled, only users that have enabled this should trigger Issue creation.

Propose Solution

On the action event at the end of the compliance checks we should have a trigger on this subject.

Action Items

• Create Issues API call
• Configurations
  • Repository (security repo)
  • Title?
  • Body?
  • Assigning?

[optional] Alternative Solutions

A clear and concise description of any alternative solutions or features you've considered.

Description

I am trying to define an allow list of licenses but using * under conditions isn't giving the desired result.

Propose Solution

if I do the below the ignores are not actually ignoring anything as I am still

licensing:
  # The four main rules types to do everything you need to do for all things
  #  compliance

  # Warnings will always occur if the rule applies and continues executing to
  #  other rules.
  warnings:
    ids:
      - other
      - na

  # Ignores are run next so if an ignored rule is hit that matches the level,
  #  it will be skipped
  ignores:
    ids:
      - apache license 2.0
      - bsd 3-clause "new" or "revised" license
      - mit license

  # Conditions will only trigger and raise an error when an exact match is hit
  conditions:
    # note using 'names' here instead of `ids` has the same result
    ids:
      - "*"

Description

We need a configuration file so that each repository can use the same configuration file for an entire organisation.

Propose Solution

We need a simple yet powerful configuration file.
These settings are replaced by CLI / Actions arguments or replaced entirely.

name: "Standard Configuration"

policy:
  repository: GeekMasher/advanced-security-compliance
  path: example/path/policy.yml
  branch: main

enabled:
  # Default: true
  code-scanning: false
  dependabot: true
  secret-scanning: false

reporting:
  issues:
    # ...

[optional] Alternative Solutions

NA

Description

Create a configuration check to verify that repositories are using an approved Actions workflow.

The following items would have to be done:

• #22
• Workflow detection
  • Actions used (names can be blank or changed)
• Parameters matching
  • Actions with checking

The following would be a nice to have:

• Language Validation?
• Validate SARIF uploading
  • Using: github/codeql-action/upload-sarif?

Propose Solution

# ... policies

workflows:
  codeql:
    required: true
    action: github/codeql-action/init
    using:
      config-file: GeekMasher/security-queries/config/codeql.yml@main
      queries: security-extended

  eslint:
    required: true
    upload: true
    languages: [ javascript ]
    action: github/ossar-action

[optional] Alternative Solutions

A clear and concise description of any alternative solutions or features you've considered.

What do the following messages mean ?

• Code Scanning Results (only CodeQL alerts)
  Warning: Unknown Severity used - note

• Dependabot Results

Error: {"data": {"repository": {"vulnerabilityAlerts": null}}, "errors": [{"type": "FORBIDDEN", "path": ["repository", "vulnerabilityAlerts"], "extensions": {"saml_failure": false}, "locations": [{"line": 3, "column": 9}], "message": "Resource not accessible by integration"}]}
  Error: Unknown Exception was hit, please repo this to https://github.com/GeekMasher/advanced-security-Compliance
  Error: Query failed to run

Source run

Description

As a noob I find confusing the term "conditions" because I don't know if it is a condition to fail or to pass.

Propose Solution

Instead of "ignore" and "conditions", can we find something that clearly states what will happen like allow/disallow or similar?
I understand this will cause a compatibility issue with existing license policies, but you could warn that there will be a breaking change during a time window to allow everyone to change it.

@romanoroth, @Padi-owasp

Describe the bug
The Dependabot scan fails with the default policy. The repository does not have any open dependabot alerts, is that why?

To Reproduce
Steps to reproduce the behavior:

1. Run the default action configuration

jobs:
  compliance:
    name: Compliance
    runs-on: ubuntu-latest
    steps:
    - name: Advanced Security Compliance Action
      uses: GeekMasher/[email protected]

Expected behavior
Dependabot violations should be 0.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
The compliance job is run as a reusable workflow from another repository.

Description

We need the ability to create wildcard support to find conditions that match. to catch more generally rule

Examples

licensing:
  conditions:
    ids:
      - GPL-*

Items

• Wildcards for Rules
  • IDs
  • Names

Describe the bug
The change to support GitHub enterprise missed changing dependabot.py. It is still using direct GitHub cloud reference:
instance = "https://api.github.com/graphql"

To Reproduce
Steps to reproduce the behavior:

1. Code inspection
   dependabot.py
   Line 80 - instance = "https://api.github.com/graphql"

Expected behavior
Dependabot should use the GitHub enterprise URL and not the GitHub Cloud URL

This change was missed with the merge (#31) that added support for GitHub Enterprise.

Description

When using a custom policy located in a private repository with a GitHub App API token, the ghascompliance tool is not able to clone the repository containing the policy.

This is due to loadFromRepo function which is directly using the API token with https:// scheme, to retrieve the content of the repository containing the custom policy.

def loadFromRepo(self):
        instance = urlparse(self.instance).netloc
        if self.token:
            repo = "https://" + self.token + "@" + instance + "/" + self.repository
        else:
            repo = "https://" + instance + "/" + self.repository

However, GitHub App API token needs to set x-access-token as username when using https:// scheme to clone a repository (see https://docs.github.com/en/developers/apps/building-github-apps/authenticating-with-github-apps#http-based-git-access-by-an-installation). Thus the clone is failing, when the custom policy is placed in a private repository (when using GitHub App generated API token)

Propose Solution

Add a command line parameter to indicate that a GitHub App token is used, so that the x-access-tokenusername is added in the clone HTTPS URL. Here is a quick example of a code that could do so:

        def loadFromRepo(self):
        instance = urlparse(self.instance).netloc
        if self.token:
            if not self.isGitHubAppToken:
                repo = "https://" + self.token + "@" + instance + "/" + self.repository
            else:
                repo = "https://" + "x-access-token:" + self.token + "@" + instance + "/" + self.repository
        else:
            repo = "https://" + instance + "/" + self.repository

Description

Limitation identified using Code Scanning and Secret Scanning checks, they are only supported on the default branch. We had hoped these checks could be performed on branch pushes and PRs to catch alerts before they are propagated to the default branch but that functionality does not seem to be supported.

Propose Solution

Working with this action we like what we see. We are very interested in this concept and the ability to push security checks farther left in the development process. Proposed solution is to modify this action to work on any branch, not just the default branch, so checks catch alerts on branch pushes and PRs before they are propagated to the default branch.

Description

We need documentation describing the requirements and limitations of the current solution.

References:

• #42

Propose Solution

Documentation for the topic on https://geekmasher.github.io/advanced-security-compliance/

Description

We should have the ability to set this up at an organisation level.
When we trigger a workflow we should go through every repository in the org (allow / disallow lists?) and run the standard workflow on each of those repositories.

Propose Solution

For this to work, we need to know all the repos that we want to review and perform the compliance check against.

Action Items:

• Get all repository names
• #20
• allow / disallow lists?
  • Importable from file?

[optional] Alternative Solutions

A clear and concise description of any alternative solutions or features you've considered.

Description

PURL is the standard when it comes to dependency formats. This should be supported versus the custom GHASC format.

Propose Solution

Implement the spec standard.

https://github.com/package-url/purl-spec

Describe the bug
Running this action on our workflow we get an error we can't understand.

To Reproduce
Steps to reproduce the behavior:

1. Add action "build-and-test.yaml" to workflow
2. With the following code:
   "
   advancesecurityComplience:
   runs-on: ubuntu-latest
   name: Advanced Security Complience
   steps:
   • name: Advance Security Compliance Action
     uses: GeekMasher/[email protected]
     "
3. See error

Dependabot Results
Error: {"data": {"repository": {"vulnerabilityAlerts": null}}, "errors": [{"type": "FORBIDDEN", "path": ["repository", "vulnerabilityAlerts"], "extensions": {"saml_failure": false}, "locations": [{"line": 3, "column": 9}], "message": "Resource not accessible by integration"}]}
Error: Unknown Exception was hit, please repo this to https://github.com/GeekMasher/advanced-security-Compliance
Error: Query failed to run

Expected behavior
Dependabot to block the PR if finds a critical or high risk vulnerability.

Describe the bug

When a block like Secret Scanning is not present and no check will be performed, the engine shouldn't request those endpoints and perform the tests in the first place. This should act the same as disabling a check using the CLI

To Reproduce
Steps to reproduce the behavior:

1. Create a policy without secretscanning block
2. See that the API and block is still ran

Expected behavior

This block shouldn't be checked

Describe the bug
Action parameter policy-branch is not working as intended. No matter what value is set, it seems to be always using the default branch.

To Reproduce
Setup action with the following params:

security-compliance:
    runs-on: ubuntu-latest
    needs:
      - codeql
    steps:
      - name: Advance Security Compliance Action
        uses: GeekMasher/[email protected]
        with:
          token: ${{ secrets.GITHUB_PERSONAL_TOKEN }}
          policy: myTestRepo/github-actions
          policy-path: security/policies/default.yml
          policy-branch: security

Expected behavior
Action should checkout the branch defined policy-branch

Screenshots

Desktop (please complete the following information):
N/A

Smartphone (please complete the following information):
N/A

Additional context
none

Description

We should build a simple list of dependencies that have known typosquatting and add them to the default list.

Propose Solution

Create a typosquatting.txt file to use to import to the default under names.

Examples:

# https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/
pip/jeilyfish
pip/python3-dateutil

This requires the work done for #12.

[optional] Alternative Solutions

NA

As per the issue title.

The examples in the documentation are as follows:

# Compliance
- name: Advance Security Compliance Action
  uses: GeekMasher/[email protected]

Should be:

# Compliance
- name: Advance Security Compliance Action
  uses: GeekMasher/[email protected]

Its a tiny bit confusing.

Description

It would be awesome to define a "time to remediate" or SLA (service-level agreement) policy that only brings up an alert if certain criteria is meet. By default, this mode should not be present and can be enabled by the policy.

Example Scenario

• Dependabot opens a High security issue
• I define that High Security issues have to be fixed within 1 day
• Before then, the Action can be run and does not break the workflow
• After 1 day, the Action with start breaking the workflow

Propose Solution

A clear and concise description of what you want to happen.

# Applies everywhere
general:
  remediate:
    errors: 7
    warnings: 30
    all: 90

codescanning:
  # Applies only to codescanning
  remediate:
    # Break when detected when set to `0`
    errors: 0
  # ...
  conditions:
    ids:
      - */sql-injection

[optional] Alternative Solutions

A clear and concise description of any alternative solutions or features you've considered.

Other suggestions are welcome.

Description

Create a number of common examples and use cases for using this Action.

• #46

Propose Solution

• https://github.com/GeekMasher/advanced-security-compliance/tree/main/examples/policies
• https://github.com/GeekMasher/advanced-security-compliance/tree/main/examples/workflows
• https://github.com/GeekMasher/advanced-security-compliance/tree/main/examples/scripts

Dependabot sometimes fails to get the license information as it is not well documented in a repository for example:

• https://github.com/pugjs/pug
• https://github.com/jrburke/amdefine

The idea would be to:

• each time we do a test and the licence is unknown:
  • log an issue/contribution in the source repository to allow Dependabot to recognize the license
  • add an entry in a this Action project that will be the list of project/url without license
  • use the information in the policy management with clear information about the fact that it is coming from local scann

Describe the bug

The API endpoint that is formed at https://github.com/GeekMasher/advanced-security-compliance/blob/main/ghascompliance/octokit/octokit.py#L41 is hardcoded for GitHub.com. However, GitHub Enterprise Server (GHES) and GitHub AE (GHAE) use the /api/graphql endpoint route for the GraphQL API.

To Reproduce

Steps to reproduce the behavior:

1. Set the --github-instance flag to either a GHES or GHAE instance
2. Run the action

Expected behavior

Action works as advertised.

Screenshots

Desktop (please complete the following information):

N/A

Smartphone (please complete the following information):

N/A

Additional context

N/A

Description

We need to match CWE IDs from Code Scanning and Dependabot (not OWASP data).

Propose Solution

Code Scanning:

This data isn't in the API, we will need to pull the SARIF file and match results between the two sources.

Dependabot:

This data is present for CWE but just need the match and check in place.

[optional] Alternative Solutions

NA

Description

We need documentation on how to use Actions reusable workflows.

Cross reference from #21

Propose Solution

• Documentation

[optional] Alternative Solutions

A clear and concise description of any alternative solutions or features you've considered.

This repository has been moved to a new policy-as-code repository.

Please migrate all workflows to using the new repository as this repository is no longer receiving updates.

Describe the bug
If a secret exists in one branch of the repository, the advanced compliance action will alert on that secret on every other branch in that repository. This can inhibit the ability to merge pull requests on branches where the secret does not exist.

To Reproduce
Steps to reproduce the behavior:

1. Set up the advanced-security-compliance action setup to detect secrets.
2. Create a branch and introduce a secret (ex. String API_TOKEN = "AIzaSyAQfxPJiounkhOjODEO5ZieffeBv6yft2Q";)
3. Create a pull request against main. This pull request will fail security compliance.
4. Create another branch off main that does not have the secret.
5. Create a pull request against main. This pull request will also fail, even though the secret doesn't exist in this branch/PR.

Expected behavior
Only the branch where the secret exists should be prohibited from merging into main.