diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..cf9f091
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,58 @@
+name: devsecops-pipeline
+
+on:
+ pull_request:
+ push:
+ branches: ["main"]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ security-events: write
+ packages: write # ΓΊtil si luego publicas en GHCR
+
+concurrency:
+ group: devsecops-${{ github.ref }}
+ cancel-in-progress: true
+
+env:
+ # πŸ” Cambia esto para probar cada escenario (apps/10-secrets-leak, 20-sast-bugs, etc.)
+ APP_DIR: apps/10-secrets-leak
+ # ParΓ‘metros de despliegue local
+ IMAGE_NAME: demo-app
+ IMAGE_TAG: local
+ KIND_CLUSTER: kind-devsecops
+ SERVICE_RELEASE_NAME: demo
+
+jobs:
+ # ──────────────────────────────────────────────────────────────────────────────
+ # Secrets + SAST
+ # ──────────────────────────────────────────────────────────────────────────────
+ secrets:
+ name: Secrets scanning (Gitleaks)
+ runs-on: self-hosted
+ steps:
+ - uses: actions/checkout@v4
+ with: { fetch-depth: 0 } # para anΓ‘lisis que miran historial
+ - name: Gitleaks
+ uses: gitleaks/gitleaks-action@v2
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # Si usas un gitleaks.toml propio, aΓ±ade inputs/vars segΓΊn la acciΓ³n
+
+ sast:
+ name: SAST (Semgrep)
+ runs-on: self-hosted
+ needs: [secrets]
+ steps:
+ - uses: actions/checkout@v4
+ - name: Semgrep (bloqueante)
+ run: |
+ docker run --rm -v "$PWD:/src" returntocorp/semgrep:latest \
+ semgrep scan --config p/ci --config .semgrep
+ - name: Export SARIF (para pestaΓ±a Security)
+ run: |
+ docker run --rm -v "$PWD:/src" returntocorp/semgrep:latest \
+ semgrep scan --config p/ci --config .semgrep --sarif -o semgrep.sarif || true
+ - uses: github/codeql-action/upload-sarif@v3
+ with: { sarif_file: semgrep.sarif }
diff --git a/.github/workflows/test-self-hosted-runner.yml b/.github/workflows/test-self-hosted-runner.yml
deleted file mode 100644
index 6fa4b79..0000000
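Review bot: Both jobs use `runs-on: self-hosted` while the workflow is also triggered on `pull_request`, so if this repository accepts pull requests from forks, the checkout and the Semgrep `docker run` steps execute the PR's content on your own runner; unless fork workflows are gated by the repository's approval setting, run the `pull_request` path on a GitHub-hosted runner (`runs-on: ubuntu-latest`) and reserve `self-hosted` for `push`/`workflow_dispatch`. `packages: write` is granted at workflow level but no job in this file publishes anything (the comment itself says it is for later), so remove it and grant it on the publishing job when one exists. `returntocorp/semgrep:latest` is the image that decides whether the gate blocks, yet it floats; pin a release tag or digest (`returntocorp/semgrep:<pinned-version>`, placeholder) so the engine and rule behaviour are reproducible. The step labelled "bloqueante" relies on `semgrep scan` exiting non-zero on findings, which depends on the version's default for the `--error` flag — passing `--error` explicitly makes the gate unambiguous, and a single run with `--error --sarif -o semgrep.sarif` could replace the two scans. `APP_DIR` and the other `env` values are never referenced by either job, so the scenario selection described in the comment has no effect on what is scanned.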
--- a/.github/workflows/test-self-hosted-runner.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-name: Test Self-Hosted Runner
-
-on:
- workflow_dispatch:
-
-jobs:
- test-runner:
- runs-on: self-hosted
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
-
- - name: Print runner info
- run: |
- echo "Runner OS: ${{ runner.os }}"
- echo "Runner name: ${{ runner.name }}"
- echo "Runner temp directory: ${{ runner.temp }}"
-
- - name: List files
- run: ls -la
-
- - name: Test Python (optional)
- run: python3 --version
-
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a5cff4f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+actions-runner/
\ No newline at end of file
diff --git a/.semgrep b/.semgrep
new file mode 100644
index 0000000..9ce0555
--- /dev/null
+++ b/.semgrep
@@ -0,0 +1,10 @@
+# .semgrep
+rules:
+ - id: hardcoded-password
+ pattern: password = "$PASS"
+ message: "Hardcoded password detected. Use environment variables or a secrets manager instead."
+ languages: [python]
+ severity: ERROR
+ metadata:
+ cwe: "CWE-798: Use of Hard-coded Credentials"
+ owasp: "A2: Broken Authentication"
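Review bot: `pattern: password = "$PASS"` in the new `.semgrep` rule matches only a target named exactly `password` assigned a string literal, so spellings such as `PASSWORD = "..."`, `db_pass = "..."` or `secret = "..."` pass the gate, and keyword-argument forms like `connect(password="...")` are not covered at all. Widening the target with a `metavariable-regex` keeps this a single rule while catching the common names, and a `pattern-not` for the empty string avoids flagging placeholders; whether attribute targets (`self.password = "..."`) are matched by `$VAR` should be confirmed with a test case. Keyword-argument forms would need a second alternative under `pattern-either`. Keep `severity: ERROR`, since the workflow's first Semgrep step is the one intended to block.
```yaml
  - id: hardcoded-password
    patterns:
      - pattern: $VAR = "$PASS"
      - metavariable-regex:
          metavariable: $VAR
          regex: (?i)(password|passwd|pwd|secret|token|api_?key)
      - pattern-not: $VAR = ""
    # … unchanged: message, languages, severity, metadata …
```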