From cd91063c39782d2eab78313e5e8c0b655ce28e8a Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Tue, 21 Jan 2025 16:34:41 +0000
Subject: [PATCH 1/3] chore: added sarif attestor to sast step
Signed-off-by: chaosinthecrd
---
 .github/workflows/pipeline.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index e523934..3bcd857 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -66,7 +66,7 @@ jobs:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: sast
 pre-command-attestations: "git github environment"
- attestations: "git github environment"
+ attestations: "git github environment sarif"
 archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
 pre-command: python3 -m pip install semgrep==1.45.0
 command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
From 5348010d78ffdc52b7376108024269d5efa65fa7 Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Tue, 21 Jan 2025 16:50:51 +0000
Subject: [PATCH 2/3] making some changes
Signed-off-by: chaosinthecrd
---
 .github/workflows/pipeline.yml | 53 +++++++++++++++++-----------------
 1 file changed, 27 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
index 3bcd857..be6f218 100644
--- a/.github/workflows/pipeline.yml
+++ b/.github/workflows/pipeline.yml
@@ -19,7 +19,7 @@ jobs:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: fmt
 attestations: "git github environment"
- archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+ archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
 command: go fmt ./...
 
 vet:
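Review bot: The new `sarif` attestor records whatever `semgrep scan --config auto` emits, and `--config auto` resolves its rule set over the network at run time, so two runs of this step can attest different findings for the same commit. Pinning the rules (a semgrep config committed to the repository and passed via `--config`, alongside the already pinned `semgrep==1.45.0`) makes the attested SARIF reproducible and comparable across runs. If the attestor discovers `semgrep.sarif` through another attestor's product list, that dependency deserves a comment on the `attestations:` line, e.g. `# sarif attestor reads the semgrep.sarif written by command`.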
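Review bot: The `archivista-server` URL is spelled out literally in every job's `with:` block, so this host change has to be repeated across nine hunks (this one and the hunks at -28, -39, -54, -67, -121, -134, -148 and -165) and the next change will likely miss one. A single repository variable, `archivista-server: ${{ vars.ARCHIVISTA_SERVER }}`, keeps the attestation sink defined in one place; the `vars` context is usable in reusable-workflow inputs. Because this host is where every attestation is uploaded, a single definition also lets a change of sink be reviewed on its own rather than buried in a multi-hunk rename.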
@@ -28,7 +28,7 @@ jobs:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: vet
 attestations: "git github environment"
- archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+ archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
 command: go vet ./...
 
 # --ignore DL3002
@@ -39,7 +39,7 @@ jobs:
 step: lint
 pre-command-attestations: "git github environment"
 attestations: "git github environment"
- archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+ archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
 pre-command: |
 curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
 chmod +x /usr/local/bin/hadolint
@@ -54,7 +54,7 @@ jobs:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: unit-test
 attestations: "git github environment"
- archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+ archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
 command: go test ./... -coverprofile cover.out
 artifact-upload-name: cover.out
 artifact-upload-path: cover.out
@@ -67,7 +67,7 @@ jobs:
 step: sast
 pre-command-attestations: "git github environment"
 attestations: "git github environment sarif"
- archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+ archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
 pre-command: python3 -m pip install semgrep==1.45.0
 command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
 artifact-upload-name: semgrep.sarif
@@ -121,7 +121,7 @@ jobs:
 version: 0.6.0
 step: build-image
 attestations: "git github environment slsa"
- archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+ archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
 command: |
 /bin/sh -c "docker buildx build --platform linux/amd64,linux/arm64 -t ${{ steps.meta.outputs.tags }} --push ."
 outputs:
@@ -134,7 +134,7 @@ jobs:
 pull_request: ${{ github.event_name == 'pull_request' }}
 step: save-image
 attestations: "git github environment slsa oci"
- archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+ archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
 command: |
 docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
 artifact-upload-name: image.tar
@@ -148,7 +148,7 @@ jobs:
 step: generate-sbom
 pre-command-attestations: "git github environment"
 attestations: "git github environment sbom"
- archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+ archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
 artifact-download: image.tar
 pre-command: |
 curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
@@ -165,7 +165,7 @@ jobs:
 step: secret-scan
 pre-command-attestations: "git github environment"
 attestations: "git github environment"
- archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+ archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
 artifact-download: image.tar
 pre-command: |
 curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
@@ -174,20 +174,21 @@ jobs:
 artifact-upload-name: trufflehog.json
 artifact-upload-path: trufflehog.json
 
- verify:
- needs: [ generate-sbom, secret-scan]
-
- if: ${{ github.event_name == 'push' }}
- uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
- with:
- pull_request: ${{ github.event_name == 'pull_request' }}
- step: verify
- pre-command-attestations: "git github environment"
- attestations: "git github environment"
- archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
- artifact-download: image.tar
- pre-command: |
- curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
- tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
- command: |
- witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge-api.aws-sandbox-staging.testifysec.dev -l debug
+ # NOTE: We can't verify from judge anymore as the route is restricted
+ # verify:
+ # needs: [ generate-sbom, secret-scan]
+ #
+ # if: ${{ github.event_name == 'push' }}
+ # uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
+ # with:
+ # pull_request: ${{ github.event_name == 'pull_request' }}
+ # step: verify
+ # pre-command-attestations: "git github environment"
+ # attestations: "git github environment"
+ # archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
+ # artifact-download: image.tar
+ # pre-command: |
+ # curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
+ # tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
+ # command: |
+ # witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge.aws-sandbox-staging.testifysec.dev -l debug
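Review bot: Commenting out the `verify` job removes the only step that checks the built image against `policy-signed.json` with `swfpublic.pem`, so pushes now produce an image whose attestations are collected but never verified, and the `# NOTE` line records that the route is restricted but not what replaces the gate or when it comes back. Keeping seventeen commented lines that will drift from the live jobs above (their URL was already rewritten in this same commit) is worse than deleting the block and recording the decision with a tracking reference, e.g. `# NOTE: verify disabled — the judge verification route is restricted; re-enable per <TRACKING-ISSUE placeholder>`. If verification can run anywhere else, a non-blocking `witness verify` against a reachable Archivista instance would keep evidence that the policy still matches the pipeline until the gate is restored.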
From e0aadf9876e64db1a2750f2197255ed5df3b0575 Mon Sep 17 00:00:00 2001
From: chaosinthecrd
Date: Tue, 21 Jan 2025 17:01:25 +0000
Subject: [PATCH 3/3] chore: adding some bad code that triggers semgrep
Signed-off-by: chaosinthecrd
---
 main.go | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/main.go b/main.go
index c01c1e0..e765326 100644
--- a/main.go
+++ b/main.go
@@ -2,6 +2,8 @@ package main
 
 import (
 "github.com/common-nighthawk/go-figure"
+ "os"
+ "syscall"
 )
 
 func Hello() string {
@@ -11,4 +13,16 @@ func Hello() string {
 func main() {
 myFigure := figure.NewFigure(Hello(), "usaflag", true)
 myFigure.Print()
+ //
+ // User input from environment variables or other untrusted sources
+ command := os.Getenv("USER_COMMAND") // Example of untrusted user input
+ if command == "" {
+ command = "/bin/bash" // Default fallback
+ }
+
+ // Potentially dangerous syscall.Exec with non-static input
+ err := syscall.Exec(command, []string{command, "-c", "ls -la"}, os.Environ())
+ if err != nil {
+ panic(err)
+ }
 }
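Review bot: The block added to `main` executes an environment-controlled path: `syscall.Exec(command, ...)` runs whatever `USER_COMMAND` names, falling back to `/bin/bash`, and the commit message says the code exists only to make semgrep fire. Because the same workflow builds and pushes the container image from this tree (`docker buildx build ... --push` in the build-image job), this fixture ends up in the shipped binary; keep it out of `main`, for example in a file under a `testdata/` directory (ignored by `go build`, still scanned by `semgrep scan ./`) or behind a `//go:build ignore` constraint, so the attestor is exercised without changing what the image does. Note also that `syscall.Exec` replaces the process on success, so nothing placed after it in `main` would run, and the `-c "ls -la"` arguments only make sense when the target is a shell. In the import hunk above, `"os"` and `"syscall"` are appended after the third-party import; goimports would place the standard library in its own group first.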