enh: add CICD

.github/python-ci.yml → .github/workflows/python-ci.yml

@@ -2,13 +2,24 @@ name: Connector CI
 on:
   pull_request:
 
+concurrency:
+  group: ghas-security-scan-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
+  infra-scan:
+    permissions:
+      contents: read
+      pull-requests: write
+      security-events: write
+    uses: notdodo/github-actions/.github/workflows/infra-security-scan.yml@infra-scan-v0
+
   python-ci-pulumi:
     permissions:
       contents: read
     uses: notdodo/github-actions/.github/workflows/python-ci.yml@python-ci-v0
     with:
-      working-directory: "."
+      working-directory: '.'
 
   build-docker-image:
     permissions:
@@ -21,4 +32,9 @@ jobs:
     with:
       image: digintlab/opencti-connector
       platforms: linux/amd64, linux/amd64
+      egress-policy-allowlist: >
+        deb.debian.org:443
+        deb.debian.org:80
+        files.pythonhosted.org:443
+        pypi.org:443
       push: false

Dockerfile

@@ -26,6 +26,7 @@ HEALTHCHECK NONE
 
 ENV PATH="/app/.venv/bin:${PATH}"
 
+# kics-scan ignore-line
 RUN apt update && apt install -y libmagic-dev
 
 RUN adduser --system --no-create-home app

config.yml.sample

@@ -1,14 +1,14 @@
 opencti:
-  url: http://opencti:8080
-  token: "CHANGE_ME"
+  url: 'http://opencti:8080'
+  token: "ChangeMe"
 
 connector:
   id: ChangeMe
   type: EXTERNAL_IMPORT
   name: DEP Connector
   scope: incident,identity,indicator
   log_level: info
-  interval: 3600
+  interval: 3600 # In seconds
 
 # Connector specific configuration
 # All values can also be provided with environment variables prefixed with
@@ -28,4 +28,4 @@ dep:
   extended_results: true
   enable_site_indicator: true
   enable_hash_indicator: true
-  skip_empty_victim: true
+  skip_empty_victim: true

docker-compose.yml

@@ -1,3 +1,4 @@
+# kics-scan ignore
 services:
   rsa-key-generator:
     image: alpine/openssl:3.5.2