[CICD Coverage #1] Create specific CICD parsing#42
ChouraquiBen wants to merge 12 commits into main from
Force-pushed 077d971 to 3847b7c.
| run: go mod vendor | ||
| - name: Build datadog-iac-scanner | ||
| run: | | ||
| CGO_ENABLED=1 |
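Review bot: `CGO_ENABLED=1` is the first line of the `run: |` block; if it sits on its own line instead of prefixing the build command on the same line or being exported, it only sets a shell variable that the following line does not inherit, so either put it on the same line as the build command or move it to the step's `env:`. The step also still runs `go mod vendor` immediately before the cgo build, while the comment on the cache step says vendoring does not support the cgo dependencies; if the build does not use `-mod=vendor`, drop that step so a vendoring failure cannot mask an unrelated build problem.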
Tree-sitter uses C packages, thus the need for CGO to be enabled.
| cicdOnRegex = regexp.MustCompile(`\s*on:\s*`) | ||
| cicdJobsRegex = regexp.MustCompile(`\s*jobs:\s*`) | ||
| cicdStepsRegex = regexp.MustCompile(`\s*steps:\s*`) | ||
| dependabotVersionRegex = regexp.MustCompile(`\s*version:\s*`) |
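Review bot: all four detection regexes are unanchored, so `\s*on:\s*` also matches keys such as `version:`, `description:` or `action:` anywhere in a file, and `\s*version:\s*` matches `go-version:` or `node-version:`, which appear in most ordinary workflows, so the dependabot check will fire on files that are not dependabot configs; the leading `\s*` does nothing without an anchor. Since these are top-level keys in both file types, anchor them to the start of a line, e.g. `(?m)^on:\s*`, `(?m)^jobs:\s*` and `(?m)^version:\s*`, and consider requiring `updates:` alongside `version:` before classifying a file as dependabot.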
Check dependabot config files' usual patterns to be able to notice one.
| switch returnType { | ||
| case "cdkTf": | ||
| return terraform | ||
| case dependabot: |
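Review bot: the switch mixes a string literal (`"cdkTf"`) with an identifier (`dependabot`) for the same kind of value; use named constants for both so a typo in a literal fails at compile time instead of silently falling through. The decision that dependabot config files are reported under the cicd platform, explained in the PR comment, should also be written as a comment on the `case dependabot:` branch, since that is where the next reader will look for it.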
Return dependabot config files as part of the cicd platform. This is a choice made not to confuse customers, as dependabot can be considered a part of cicd although it is not a GitHub Action.
| ${{ runner.OS }}- | ||
| - name: Get Modules | ||
| run: | | ||
| go mod vendor |
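Review bot: the visible cache key `${{ runner.OS }}-` carries no content hash; if it is the primary `key` rather than a `restore-keys` prefix, append `${{ hashFiles('**/go.sum') }}` so the cache is invalidated when dependencies change. If the `Get Modules` step (`go mod vendor`) is being dropped because vendoring does not cover the cgo dependencies, make sure the cache `path` is switched to the module cache rather than a `vendor/` directory that will no longer exist.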
mod vendor does not support CGO dependencies
| @@ -0,0 +1,328 @@ | |||
| /* | |||
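Review bot: the header block comment of this new 328-line file should state which GitHub Actions expression forms the parser accepts (`${{ }}` with contexts, functions and operators) and which it does not, and what it returns on malformed input; the later commit "refactor: better error handling for expression parser" suggests errors are returned rather than panicking, and the header should say so explicitly so callers know a parse failure is recoverable and does not abort the scan.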
This parser aims to parse expressions specific to GitHub Actions.
| } | ||
|
|
||
| // ParsedCommand represents a parsed shell command | ||
| type ParsedCommand struct { |
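Review bot: the doc comment on `ParsedCommand` says what it represents but not how a command the shell parser could not fully parse is represented; add a field (or document the zero-value convention) for partial or failed parses so that rules can tell "no finding" apart from "could not analyse this run block". For a scanner a silent parse failure is a missed check, so this distinction should be visible in the structure.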
Create all the structures related to gh-actions and shell parsing
| documents = convertKeysToString(documents) | ||
|
|
||
| // Enhance documents with parsed run blocks | ||
| p.enhanceWithParsedRuns(ctx, documents) |
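Review bot: `p.enhanceWithParsedRuns(ctx, documents)` is called with no return value checked, so a failure while parsing a `run:` block cannot reach the caller; either return an error (or a count of skipped blocks) and log it through `ctx`, or document on the function that it never fails and degrades per document. Since `documents` was just reassigned from `convertKeysToString`, also document that the enhance step mutates the slice elements in place.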
Add shell parsing
| p.enhanceWithParsedRuns(ctx, documents) | ||
|
|
||
| // Enhance documents with parsed expressions | ||
| p.enhanceWithParsedExpressions(ctx, documents) |
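Review bot: the expression pass runs after the run-block pass over the same `documents`; because `run:` scripts commonly embed `${{ }}` expressions, make sure the expression parser is also applied to the text inside each run block (or that the run parser records the expression spans it saw), otherwise rules that need to relate an expression to the shell command it is interpolated into will lack one side of that information. As with the previous call, any return value is ignored; the two calls should handle errors the same way.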
Add gh action expression parsing
Force-pushed dc90c53 to 2d72075.
Force-pushed 2d72075 to faa31e1.
Force-pushed 8edfdd2 to 8fe4424.
Force-pushed 890bb12 to a3f73bb.
refactor: better error handling for expression parser
Force-pushed a3f73bb to 9f2e68a.
Motivation
There are only a few rules to scan GitHub Actions, which are not enough to cover the flaws hackers may use to attack a codebase. This series of PRs aims to extend the CICD scan coverage.
This first PR changes the Go code to add the required features for the rules to be added:
To do so, other changes had to be performed:
Not supported
Author Checklist
QA Instruction
Blast Radius
iac-scanning - CICD findings
Additional Notes
I submit this contribution under the Apache-2.0 license.