From 3b82e6eeaf81f22fca8f5eb932d4f2fd0e6257da Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 14 Aug 2024 16:01:37 +0300 Subject: [PATCH 001/114] trigger pipe --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d060729..74a0c31 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@
- Table of Contents + Table of Contents:
  1. About The Project From dd628d7badefb96521285efb7e449033d3410f8b Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 14 Aug 2024 17:16:33 +0300 Subject: [PATCH 002/114] fix iac --- .github/workflows/checkmarx-one-scan.yml | 2 +- .github/workflows/dependabot-auto-merge.yml | 2 +- .github/workflows/release-drafter.yml | 2 +- .github/workflows/release.yml | 6 +++--- README.md | 2 +- sample-yml/checkmarx-ast-scan-pull-request.yml | 2 +- sample-yml/checkmarx-ast-scan-push.yml | 2 +- sample-yml/checkmarx-ast-scan-sarif.yml | 2 +- 8 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml index 0924fb3..47d0300 100644 --- a/.github/workflows/checkmarx-one-scan.yml +++ b/.github/workflows/checkmarx-one-scan.yml @@ -9,7 +9,7 @@ jobs: - name: Checkout uses: actions/checkout@v4.1.0 - name: Checkmarx One CLI Action - uses: checkmarx/ast-github-action@main + uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd #main with: base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }} cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }} diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index 28eaab5..ff3f557 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -11,7 +11,7 @@ jobs: steps: - name: Dependabot metadata id: metadata - uses: dependabot/fetch-metadata@v1.6.0 + uses: dependabot/fetch-metadata@c9c4182bf1b97f5224aee3906fd373f6b61b4526 #v1.6.0 with: github-token: "${{ secrets.PERSONAL_ACCESS_TOKEN }}" - name: Enable auto-merge for Dependabot PRs diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 27bd55e..3f986d4 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml 
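Review bot: The pinned `uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd #main` line labels the commit with a branch name, not a release, so the comment says nothing about which version of the action is pinned and is stale as soon as main advances; label it with the tag the commit belongs to, `uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd # <release-tag>`. The same pin is copied into the three user-facing samples in this commit (`sample-yml/checkmarx-ast-scan-pull-request.yml`, `checkmarx-ast-scan-push.yml`, `checkmarx-ast-scan-sarif.yml`), where anyone copying the sample inherits a frozen, unlabelled commit with no upgrade signal; samples should reference a tagged release. Whether each SHA in this commit corresponds to the tag written beside it cannot be checked from the diff, so confirm every pin against the upstream repository's tags before merging.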
@@ -11,6 +11,6 @@ jobs: steps: - name: Create Release id: draf_release - uses: release-drafter/release-drafter@v5 + uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 #v5 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9341876..92ced8b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,7 +12,7 @@ jobs: steps: - uses: actions/checkout@v4.1.0 - name: Create Release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 #v1 with: tag_name: ${{ github.ref_name }} generate_release_notes: true @@ -31,7 +31,7 @@ jobs: echo "::set-output name=body_release::$body_release" - name: Converts Markdown to HTML id: convert - uses: lifepal/markdown-to-html@v1.2 + uses: lifepal/markdown-to-html@253bbd85fbdeafe2d1f18c1b9289be24e5cf8f8f #v1.2 with: text: "${{ steps.release.outputs.body_release }}" @@ -43,7 +43,7 @@ jobs: echo "::set-output name=clean::$clean" - name: Send a Notification id: notify - uses: thechetantalwar/teams-notify@v2 + uses: thechetantalwar/teams-notify@8a78811f5e8f58cdd204efebd79158006428c46b #v2 with: teams_webhook_url: ${{ secrets.TEAMS_WEBHOOK_URI }} message: "
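Review bot: The comments added after the SHAs in this hunk and in the two release.yml hunks that follow (`#v5`, `#v1`, `#v1.2`) are floating major tags, so they do not record which exact release the pin was taken from and give a reader no way to judge when it is stale; record the exact tag, with a space after the hash, e.g. `uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.<minor>.<patch>` (exact tag to be filled in from the upstream repository). The same applies to `#v2` on `github/codeql-action/upload-sarif` and `#v3` on `hmarr/auto-approve-action` in later patches of this series. As far as I recall, Dependabot keeps SHA-pinned actions current and rewrites the version comment when it names an exact tag, so this also keeps the repository's dependabot workflow useful for these pins.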

    Checkmarx One Github Action ${{ github.ref_name }}

    ${{ steps.clean.outputs.clean }}" diff --git a/README.md b/README.md index 74a0c31..d060729 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@
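Review bot: The step feeding this notification still publishes its value with `echo "::set-output name=clean::$clean"` (the context line at the top of the hunk; the preceding hunk does the same for `body_release`), and the `set-output` workflow command has been deprecated since 2022 and is slated to be disabled, at which point `${{ steps.clean.outputs.clean }}` arrives empty and the Teams message loses its body. Since this commit is already hardening the file, replace it in the shell step above (outside this hunk) with `echo "clean=$clean" >> "$GITHUB_OUTPUT"`, which leaves the `steps.clean.outputs.clean` reference unchanged. The multi-line `message:` is a double-quoted scalar spanning four lines, which is legal but fragile; a `message: |-` block scalar would make the intended line breaks explicit.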
    - Table of Contents: + Table of Contents
    1. About The Project diff --git a/sample-yml/checkmarx-ast-scan-pull-request.yml b/sample-yml/checkmarx-ast-scan-pull-request.yml index 8fc0339..97fb28b 100644 --- a/sample-yml/checkmarx-ast-scan-pull-request.yml +++ b/sample-yml/checkmarx-ast-scan-pull-request.yml @@ -13,7 +13,7 @@ jobs: - name: Checkout uses: actions/checkout@v2 - name: Checkmarx AST CLI Action - uses: checkmarx/ast-github-action@main #Github Action version + uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd #main with: base_uri: https://ast.checkmarx.net/ cx_tenant: your_tenant diff --git a/sample-yml/checkmarx-ast-scan-push.yml b/sample-yml/checkmarx-ast-scan-push.yml index 0518667..e107c18 100644 --- a/sample-yml/checkmarx-ast-scan-push.yml +++ b/sample-yml/checkmarx-ast-scan-push.yml @@ -12,7 +12,7 @@ jobs: - name: Checkout uses: actions/checkout@v2 - name: Checkmarx AST CLI Action - uses: checkmarx/ast-github-action@main #Github Action version + uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd #main with: base_uri: https://ast.checkmarx.net/ cx_tenant: your_tenant diff --git a/sample-yml/checkmarx-ast-scan-sarif.yml b/sample-yml/checkmarx-ast-scan-sarif.yml index a28bc0d..3558fb0 100644 --- a/sample-yml/checkmarx-ast-scan-sarif.yml +++ b/sample-yml/checkmarx-ast-scan-sarif.yml @@ -23,7 +23,7 @@ jobs: - name: Checkout repository uses: actions/checkout@v2 - name: Checkmarx scan - uses: checkmarx/ast-github-action@main + uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd #main with: base_uri: https://ast.checkmarx.net cx_client_id: ${{ secrets.CX_CLIENT_ID }} From 679945d32e29753adb5564e949e454115dda66b5 Mon Sep 17 00:00:00 2001 
From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 14 Aug 2024 19:12:24 +0300 Subject: [PATCH 003/114] add threshold --- .github/workflows/checkmarx-one-scan.yml | 2 +- .github/workflows/dependabot-auto-merge.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml index 47d0300..8896a33 100644 --- a/.github/workflows/checkmarx-one-scan.yml +++ b/.github/workflows/checkmarx-one-scan.yml @@ -15,4 +15,4 @@ jobs: cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }} cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }} cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }} - additional_params: --tags phoenix --threshold "sast-high=1;sca-high=1;sca-medium=3;sca-low=1" --debug + additional_params: --tags phoenix --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;" --debug diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml index ff3f557..ae1f94e 100644 --- a/.github/workflows/dependabot-auto-merge.yml +++ b/.github/workflows/dependabot-auto-merge.yml @@ -20,6 +20,6 @@ jobs: GITHUB_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN}} run: gh pr merge --auto --merge "$PR_URL" - name: Auto approve dependabot PRs - uses: hmarr/auto-approve-action@v3 + uses: hmarr/auto-approve-action@a2e6f2a0ccf5c63ef8754de360464edbf47e66ee #v3 with: github-token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} From af5785398ffa9fde387ee95e2098b333f76ae3a6 Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 14 Aug 2024 19:25:49 +0300 Subject: [PATCH 004/114] rm threshold --- .github/workflows/checkmarx-one-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
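Review bot: The new `--threshold` value ends with a dangling `;` after `iac-security-low=1`, which leaves an empty trailing entry in the list; unless the CLI is known to ignore empty entries, remove the final semicolon so the value ends in `iac-security-low=1"`. Setting every severity, including low, to a limit of 1 means a single finding fails the job; if that is intended for this repository's own scan, a comment above the line such as `# Fail the job on any finding of any severity` saves the next reader from guessing.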
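Review bot: The pinned `hmarr/auto-approve-action` step, together with the `gh pr merge --auto --merge "$PR_URL"` step visible in the context lines above it, approves and merges every Dependabot PR with `PERSONAL_ACCESS_TOKEN`, so a major-version bump of any action lands without a person looking at it; whether the job carries an `if:` on the `metadata` step's outputs cannot be seen here because the job header is outside the hunk. If it does not, gate the step on the update type, e.g. `if: steps.metadata.outputs.update-type != 'version-update:semver-major'`. The PAT used for both steps should be a fine-grained token limited to this repository with pull-request write permission, which is worth stating in a comment beside `github-token:`.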
diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml index 8896a33..b953840 100644 --- a/.github/workflows/checkmarx-one-scan.yml +++ b/.github/workflows/checkmarx-one-scan.yml @@ -15,4 +15,4 @@ jobs: cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }} cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }} cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }} - additional_params: --tags phoenix --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;" --debug + additional_params: --tags phoenix --threshold "sast-high=1;sca-high=1;sca-medium=3;sca-low=1" --debug \ No newline at end of file From 7b2ee250b616629cb2966ed11f813522ce73bd4f Mon Sep 17 00:00:00 2001 From: elchananarb Date: Thu, 15 Aug 2024 11:17:02 +0300 Subject: [PATCH 005/114] add sha --- sample-yml/checkmarx-ast-scan-sarif.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sample-yml/checkmarx-ast-scan-sarif.yml b/sample-yml/checkmarx-ast-scan-sarif.yml index 3558fb0..aaf6ab3 100644 --- a/sample-yml/checkmarx-ast-scan-sarif.yml +++ b/sample-yml/checkmarx-ast-scan-sarif.yml @@ -31,7 +31,7 @@ jobs: cx_tenant: ${{ secrets.CX_TENANT }} # This should be replaced by users' tenant name additional_params: --report-format sarif --output-path . - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@404b712ccd1b4eeea961470c9187609bd64e5db4 #v2 with: # Path to SARIF file relative to the root of the repository sarif_file: cx_result.sarif From 850a023b9a15458b575486b3a5767a32a6ee268f Mon Sep 17 00:00:00 2001 From: elchananarb Date: Thu, 15 Aug 2024 13:57:34 +0300 Subject: [PATCH 006/114] change to nonroot in docker file --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 762804d..34951ff 100644 
--- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ #Use AST Base image FROM checkmarx/ast-cli:2.2.3 -USER root +USER nonroot #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh From 695d7178b4a01d1e7682400977aba210f7bb9574 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Thu, 15 Aug 2024 14:06:59 +0300 Subject: [PATCH 007/114] revert to root --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 34951ff..762804d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ #Use AST Base image FROM checkmarx/ast-cli:2.2.3 -USER nonroot +USER root #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh From 52c800cfc688cb2fa0025ff77a2b09a9f4bcd221 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Thu, 22 Aug 2024 11:29:04 +0300 Subject: [PATCH 008/114] rm user root --- Dockerfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 762804d..a7e00fd 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,6 @@ #Use AST Base image FROM checkmarx/ast-cli:2.2.3 -USER root - #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh From 6c55e672818be847c10fba4052b6e19bf673c2c2 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Thu, 22 Aug 2024 11:31:37 +0300 Subject: [PATCH 009/114] Update Dockerfile Switch to nonroot user --- Dockerfile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Dockerfile b/Dockerfile index a7e00fd..77e64a2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,13 @@ #Use AST Base image FROM checkmarx/ast-cli:2.2.3 +USER root + #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh + +USER nonroot From 214fc9b482e5120efe19fee1c84c11eeec59f432 Mon Sep 17 00:00:00 2001 
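Review bot: `USER nonroot` at the end of the patch 009 hunk (and the same line patch 006 introduces earlier on this page) switches to an account the Dockerfile never creates, so the build only succeeds if `checkmarx/ast-cli:2.2.3` already defines `nonroot`, which nothing on the page confirms; if it does not, add an explicit `addgroup`/`adduser` before the switch. Separately, as I recall GitHub's Dockerfile-support notes for container actions, the runner expects the image's default user to be root and a `USER` instruction can leave the action unable to write `GITHUB_WORKSPACE`, which would explain the repeated root/non-root churn in this file; that constraint deserves a comment at the `USER` line before the non-root approach is pursued further. The scripts also write `./output.log` and `./cx_result.md` relative to the working directory (see the `cleanup.sh`/`entrypoint.sh` hunks later in this series), which a non-root user may not be able to create.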
From: elchananarb Date: Mon, 26 Aug 2024 11:20:35 +0300 Subject: [PATCH 010/114] Update Dockerfile --- Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 77e64a2..e9bf81b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,4 +10,3 @@ COPY cleanup.sh /app/cleanup.sh RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh -USER nonroot From ae0a33e76f5efaf0f19fd7c1f1bcac125210f66a Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 08:32:37 +0300 Subject: [PATCH 011/114] Update Dockerfile --- Dockerfile | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index e9bf81b..b6b231a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,29 @@ -#Use AST Base image +# Use AST Base image FROM checkmarx/ast-cli:2.2.3 +# Switch to root to make changes USER root -#Copy the entrypoint script and properties used for the action +# Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh -RUN chmod +x /app/entrypoint.sh \ - && chmod +x /app/cleanup.sh +# Make scripts executable +RUN chmod +x /app/entrypoint.sh && \ + chmod +x /app/cleanup.sh +# Create a non-root user +RUN useradd -m myuser + +# Create necessary directories and set permissions +RUN mkdir -p /github /github/workspace /github/home /github/file_commands && \ + chown -R myuser:myuser /app /github + +# Switch to the non-root user +USER myuser + +# Set the working directory +WORKDIR /github/workspace + +# Set the entrypoint +ENTRYPOINT ["/app/entrypoint.sh"] \ No newline at end of file From fe135e89ff7fb430b5ebcb646a32588d7d387d68 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 08:39:52 +0300 Subject: [PATCH 012/114] Update Dockerfile --- Dockerfile | 27 ++++----------------------- 1 file changed, 4 insertions(+), 23 deletions(-) diff --git a/Dockerfile b/Dockerfile index b6b231a..9a01288 100644 --- a/Dockerfile 
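Review bot: `RUN mkdir -p /github /github/workspace /github/home /github/file_commands && chown -R myuser:myuser /app /github` sets ownership at build time on directories the Actions runner bind-mounts over at run time, so the ownership the container actually sees for `/github/*` comes from the host, not from this layer; drop the `/github` part and chown only `/app`. `useradd -m myuser` also assumes shadow-utils; the later `apk` attempt and the busybox-style `adduser -S` that eventually lands suggest the base image is Alpine, where `useradd` is not available by default (to be confirmed against the base image). The new `ENTRYPOINT ["/app/entrypoint.sh"]` duplicates whatever `runs.entrypoint` in action.yml specifies, which is not visible here; keep a single source of truth and say which one it is in a comment.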
+++ b/Dockerfile @@ -1,29 +1,10 @@ -# Use AST Base image FROM checkmarx/ast-cli:2.2.3 -# Switch to root to make changes -USER root +# Use a non-root user +RUN adduser --disabled-password --gecos '' cxuser +USER cxuser -# Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh -# Make scripts executable -RUN chmod +x /app/entrypoint.sh && \ - chmod +x /app/cleanup.sh - -# Create a non-root user -RUN useradd -m myuser - -# Create necessary directories and set permissions -RUN mkdir -p /github /github/workspace /github/home /github/file_commands && \ - chown -R myuser:myuser /app /github - -# Switch to the non-root user -USER myuser - -# Set the working directory -WORKDIR /github/workspace - -# Set the entrypoint -ENTRYPOINT ["/app/entrypoint.sh"] \ No newline at end of file +RUN chmod +x /app/entrypoint.sh && chmod +x /app/cleanup.sh From d064365d200528a509e6c3faf9aee09a84b4d06f Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 08:42:17 +0300 Subject: [PATCH 013/114] Update Dockerfile --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index 9a01288..8a3e33b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,7 @@ FROM checkmarx/ast-cli:2.2.3 +USER root + # Use a non-root user RUN adduser --disabled-password --gecos '' cxuser USER cxuser From 6256be1e248f9a74630a5dff2cccff92dbb90fa9 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 08:50:37 +0300 Subject: [PATCH 014/114] Update Dockerfile --- Dockerfile | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8a3e33b..966ea08 100644 --- a/Dockerfile +++ b/Dockerfile 
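Review bot: `USER cxuser` now precedes the two `COPY` lines and the `RUN chmod +x ...`, but `COPY` without `--chown` writes the files as root regardless of `USER`, so the `chmod` runs as cxuser on root-owned files and fails with an operation-not-permitted error. Either move `USER cxuser` below the `RUN chmod` line or copy with ownership: `COPY --chown=cxuser:cxuser entrypoint.sh /app/entrypoint.sh` and `COPY --chown=cxuser:cxuser cleanup.sh /app/cleanup.sh`. The same ordering recurs in patches 013, 014, 021 and 026 of this series, and `adduser --disabled-password --gecos ''` is the Debian form, which is rejected if the base image is Alpine (patch 030 later switches to the busybox `-S` form).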
@@ -1,12 +1,19 @@ +# Use the base image FROM checkmarx/ast-cli:2.2.3 -USER root +# Create a new user +RUN adduser --disabled-password --gecos '' cxuser \ + && usermod -aG sudo cxuser \ + && echo 'cxuser ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers -# Use a non-root user -RUN adduser --disabled-password --gecos '' cxuser +# Switch to the new user USER cxuser +# Copy scripts to the /app directory COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh -RUN chmod +x /app/entrypoint.sh && chmod +x /app/cleanup.sh +# Grant execution permissions to the scripts +RUN chmod +x /app/entrypoint.sh \ + && chmod +x /app/cleanup.sh + From 860726e9afd92c26426ef97be0de0fb7b5d91e3e Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 08:52:25 +0300 Subject: [PATCH 015/114] Update Dockerfile --- Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/Dockerfile b/Dockerfile index 966ea08..58512ea 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,9 @@ # Use the base image FROM checkmarx/ast-cli:2.2.3 +# Ensure the following commands run as root +USER root + # Create a new user RUN adduser --disabled-password --gecos '' cxuser \ && usermod -aG sudo cxuser \ From 7363c268fd32414ca62917c2f97554acaa76e644 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 08:54:20 +0300 Subject: [PATCH 016/114] Update Dockerfile --- Dockerfile | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/Dockerfile b/Dockerfile index 58512ea..71d5315 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,13 @@ FROM checkmarx/ast-cli:2.2.3 # Ensure the following commands run as root USER root +# Install required packages +RUN apt-get update && apt-get install -y \ + sudo \ + passwd \ + --no-install-recommends \ + && rm -rf /var/lib/apt/lists/* + # Create a new user RUN adduser --disabled-password --gecos '' cxuser \ && usermod -aG sudo cxuser \ @@ -20,3 +27,4 @@ COPY cleanup.sh /app/cleanup.sh RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh + 
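Review bot: `usermod -aG sudo cxuser` plus `echo 'cxuser ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers` gives the new user unrestricted passwordless root, so the non-root switch no longer reduces privilege at all: anything running as cxuser is one `sudo` away from root. Drop both lines (and the `sudo`/`passwd` installs patch 016 adds for them) and instead give cxuser ownership of the specific paths it must write, e.g. `RUN chown -R cxuser:cxuser /app`. If a sudoers change were ever genuinely needed it belongs in a `/etc/sudoers.d/` file validated with `visudo -cf`, not appended unchecked to the main file.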
From b5dace1a2dc99ffd1bf79bfca690c457bef27112 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 09:53:39 +0300 Subject: [PATCH 017/114] add app-get.. --- Dockerfile | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/Dockerfile b/Dockerfile index 71d5315..5889b37 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,30 +1,18 @@ -# Use the base image +#Use AST Base image FROM checkmarx/ast-cli:2.2.3 -# Ensure the following commands run as root USER root -# Install required packages -RUN apt-get update && apt-get install -y \ - sudo \ - passwd \ - --no-install-recommends \ - && rm -rf /var/lib/apt/lists/* +RUN apt-get update && \ + apt-get upgrade -y && \ + apt-get install curl -y && \ + apt-get clean -# Create a new user -RUN adduser --disabled-password --gecos '' cxuser \ - && usermod -aG sudo cxuser \ - && echo 'cxuser ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers - -# Switch to the new user -USER cxuser - -# Copy scripts to the /app directory +#Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh -# Grant execution permissions to the scripts RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh - + From fe4613a938efcff65f96d5f9b2832ac48cbbb31e Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 10:03:15 +0300 Subject: [PATCH 018/114] try use apk --- Dockerfile | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5889b37..5d03a85 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,11 +3,9 @@ FROM checkmarx/ast-cli:2.2.3 USER root -RUN apt-get update && \ - apt-get upgrade -y && \ - apt-get install curl -y && \ - apt-get clean - +RUN apk update && \ + apk add --no-cache curl sudo passwd + #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh 
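Review bot: `apt-get upgrade -y` inside the image build makes the result depend on the package mirror at build time, so two builds of the same commit can ship different binaries and the pinned `checkmarx/ast-cli:2.2.3` base no longer identifies what is in the image; limit the `RUN` to installing `curl` and add `rm -rf /var/lib/apt/lists/*` after `apt-get clean` so the package index does not stay in the layer. The hunk also removes `USER cxuser` without adding another `USER`, so the image runs as root again, which the commit message does not mention; if that is deliberate, a comment such as `# Image intentionally runs as root: <reason>` would stop the next reader from reinstating the user switch blindly.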
@@ -15,4 +13,6 @@ COPY cleanup.sh /app/cleanup.sh RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh - +user + + From 9205004784fbcc2fef8f0916e4c0da4761ebebbc Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 10:08:43 +0300 Subject: [PATCH 019/114] Update Dockerfile --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 5d03a85..29df637 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ USER root RUN apk update && \ apk add --no-cache curl sudo passwd - + #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh @@ -13,6 +13,6 @@ COPY cleanup.sh /app/cleanup.sh RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh -user + From 47ce0ec9176ee3cf2d2b2f0118781420f7ce1864 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 10:14:29 +0300 Subject: [PATCH 020/114] revert --- Dockerfile | 6 ------ 1 file changed, 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 29df637..e9bf81b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,9 +3,6 @@ FROM checkmarx/ast-cli:2.2.3 USER root -RUN apk update && \ - apk add --no-cache curl sudo passwd - #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh @@ -13,6 +10,3 @@ COPY cleanup.sh /app/cleanup.sh RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh - - - From 23e261f7b03dcfaebfcd8833856b199dba832213 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 10:28:41 +0300 Subject: [PATCH 021/114] add user nonroot before chmode --- Dockerfile | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Dockerfile b/Dockerfile index e9bf81b..0333083 100644 --- a/Dockerfile +++ b/Dockerfile 
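Review bot: The hunk adds a bare `user` line after the `RUN chmod` block, which is not a valid Dockerfile instruction (`USER` requires an argument, and a bare word is rejected by the builder), so this commit does not build as is; delete the line or complete it as `USER <name>` once an account has been created in the image. The first hunk of this patch also runs `apk update` before `apk add --no-cache`, which is redundant because `--no-cache` fetches a fresh index itself, and it installs `sudo` and `passwd` that nothing in the file uses.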
@@ -7,6 +7,11 @@ USER root COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh +USER nonroot + RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh + + + From 084db3f2b187a0aba194122487a8b58f02eb0a46 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 10:31:49 +0300 Subject: [PATCH 022/114] add USER nonroot in end --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 0333083..40b1138 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,11 +7,11 @@ USER root COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh -USER nonroot RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh +USER nonroot From 88003067e35839a1005fdbee0ee6b62dad61d7c0 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 10:39:00 +0300 Subject: [PATCH 023/114] add permissions for nonroot --- Dockerfile | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 40b1138..deb5bbc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,17 +1,16 @@ -#Use AST Base image +# Use AST Base image FROM checkmarx/ast-cli:2.2.3 USER root -#Copy the entrypoint script and properties used for the action +# Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh - +# Ensure the non-root user has the necessary permissions RUN chmod +x /app/entrypoint.sh \ - && chmod +x /app/cleanup.sh + && chmod +x /app/cleanup.sh \ + && chown -R nonroot /app /github +# Change user to non-root after setting up permissions USER nonroot - - - From c4977ca0c76c35d365c74fe64868afd5900696a5 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 10:44:10 +0300 Subject: [PATCH 024/114] permissions for all directories --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index deb5bbc..9b91892 100644 --- a/Dockerfile +++ b/Dockerfile 
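Review bot: `chown -R nonroot /app /github` names `/github`, which does not exist at image-build time (the runner bind-mounts it when the container starts), so `chown` exits non-zero on that path and the whole `RUN` fails; restrict it to `/app`: `&& chown -R nonroot /app`. Ownership of the mounted `/github/*` tree is decided by the host, so chowning it in a layer would not take effect even if the path existed. The `nonroot` account is still not created anywhere in this Dockerfile, which deserves a comment at `USER nonroot` stating that it is expected from the base image, if that is the case.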
@@ -7,10 +7,10 @@ USER root COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh -# Ensure the non-root user has the necessary permissions +# Ensure the non-root user has the necessary permissions for all directories RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh \ - && chown -R nonroot /app /github + && chmod -R 777 /app /github /workspace /home/runner # Change user to non-root after setting up permissions USER nonroot From 3cfc9edba5ce18417044cb39c969f2f5d6f10eea Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 10:50:40 +0300 Subject: [PATCH 025/114] rm github /workspace /home/runner --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9b91892..e88e47b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ COPY cleanup.sh /app/cleanup.sh # Ensure the non-root user has the necessary permissions for all directories RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh \ - && chmod -R 777 /app /github /workspace /home/runner + && chmod -R 777 /app # Change user to non-root after setting up permissions USER nonroot From afe9f033efdf2a82ea90353be0c4e7b658c4b3e8 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 11:07:31 +0300 Subject: [PATCH 026/114] Update Dockerfile --- Dockerfile | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index e88e47b..16fc900 100644 --- a/Dockerfile +++ b/Dockerfile 
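Review bot: `chmod -R 777 /app /github /workspace /home/runner` makes the entrypoint and cleanup scripts world-writable, so any process running in the container can rewrite the script the action executes; that is a larger exposure than the root user the change is trying to avoid. Give ownership to the runtime user and keep the scripts non-writable by others, e.g. `chown -R nonroot /app && chmod 755 /app/entrypoint.sh /app/cleanup.sh`. Patch 025 on this same line narrows the paths to `/app` but keeps `777`, so it needs the same change; `/github`, `/workspace` and `/home/runner` also do not exist at build time, which is presumably why they were removed.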
@@ -1,16 +1,17 @@ -# Use AST Base image +#Use AST Base image FROM checkmarx/ast-cli:2.2.3 -USER root +# Create a non-root user and group +RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser -# Copy the entrypoint script and properties used for the action + +# Switch to the non-root user +USER appuser + +#Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh -# Ensure the non-root user has the necessary permissions for all directories RUN chmod +x /app/entrypoint.sh \ - && chmod +x /app/cleanup.sh \ - && chmod -R 777 /app + && chmod +x /app/cleanup.sh -# Change user to non-root after setting up permissions -USER nonroot From a6fc3d4b8a42db68f206d001cefe6b5f04bdfced Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 11:14:00 +0300 Subject: [PATCH 027/114] add root before --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 16fc900..6cf5fb9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,7 @@ #Use AST Base image FROM checkmarx/ast-cli:2.2.3 +USER root # Create a non-root user and group RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser From 0d0b8da3ca76eb514534ef5bc52e6136b8c356a4 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 11:15:58 +0300 Subject: [PATCH 028/114] Update Dockerfile --- Dockerfile | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6cf5fb9..8111fec 100644 --- a/Dockerfile +++ b/Dockerfile 
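Review bot: `addgroup --system appgroup && adduser --system --ingroup appgroup appuser` uses the Debian `adduser` long options; if `checkmarx/ast-cli:2.2.3` is Alpine-based, as the busybox-style `addgroup -S appgroup && adduser -S appuser -G appgroup` that patch 030 switches to suggests, these options are rejected and the build fails. The hunk also deletes `USER root` above the `RUN addgroup`, so account creation runs as whatever user the base image last set, which is unknown from here and which patch 027 immediately puts back. `USER appuser` is again placed before the `COPY`/`RUN chmod` pair, so the `chmod` runs as appuser on files `COPY` wrote as root and fails; move the `USER` line below the `chmod` or use `COPY --chown=appuser:appgroup`.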
@@ -1,18 +1,18 @@ -#Use AST Base image +# Use AST Base image FROM checkmarx/ast-cli:2.2.3 -USER root # Create a non-root user and group RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser - -# Switch to the non-root user -USER appuser - -#Copy the entrypoint script and properties used for the action +# Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh -RUN chmod +x /app/entrypoint.sh \ - && chmod +x /app/cleanup.sh +# Set appropriate permissions and make scripts executable +RUN chmod 755 /app/entrypoint.sh /app/cleanup.sh + +# Switch to the non-root user +USER appuser +# Set the entrypoint +ENTRYPOINT ["/app/entrypoint.sh"] \ No newline at end of file From dc60e4297598d4bac71514102ab3ec540fcbbd2c Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 27 Aug 2024 11:18:23 +0300 Subject: [PATCH 029/114] add root --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 8111fec..e390a27 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,7 @@ # Use AST Base image FROM checkmarx/ast-cli:2.2.3 +USER root # Create a non-root user and group RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser From adb80b75cb208af44f79e9d8f82eee7859f5f301 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Sun, 8 Sep 2024 09:43:02 +0300 Subject: [PATCH 030/114] up entrypoint.sh & cleanup.sh --- Dockerfile | 22 ++++++++++++++-------- cleanup.sh | 25 ++++++++++++++----------- entrypoint.sh | 9 ++++----- 3 files changed, 32 insertions(+), 24 deletions(-) diff --git a/Dockerfile b/Dockerfile index e390a27..a373808 100644 --- a/Dockerfile +++ b/Dockerfile 
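Review bot: The hunk removes `USER root` while keeping the `RUN addgroup ... && adduser ...` that needs root, so whether the build succeeds now depends on the base image's default user, which is not visible here; keep the explicit `USER root` above the `RUN` (patch 029 restores it). `chmod 755 /app/entrypoint.sh /app/cleanup.sh` leaves the files root-owned, which is fine for execution by appuser only as long as the scripts do not write next to themselves; the later `output_file=/app/output.log` change in this series shows that they do, so a `chown -R appuser:appgroup /app` is needed here too. The added `ENTRYPOINT ["/app/entrypoint.sh"]` may duplicate or conflict with `runs.entrypoint` in `action.yml`, which the series does not touch; a comment should say which of the two is authoritative.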
@@ -1,19 +1,25 @@ # Use AST Base image FROM checkmarx/ast-cli:2.2.3 -USER root # Create a non-root user and group -RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser +RUN addgroup -S appgroup && adduser -S appuser -G appgroup -# Copy the entrypoint script and properties used for the action +# Set the working directory to /app +WORKDIR /app + +# Copy the entrypoint and cleanup scripts COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh -# Set appropriate permissions and make scripts executable -RUN chmod 755 /app/entrypoint.sh /app/cleanup.sh +# Set the ownership of the /app directory to the non-root user +RUN chown -R appuser:appgroup /app + +# Ensure scripts are executable +RUN chmod +x /app/entrypoint.sh \ + && chmod +x /app/cleanup.sh -# Switch to the non-root user +# Switch to non-root user USER appuser -# Set the entrypoint -ENTRYPOINT ["/app/entrypoint.sh"] \ No newline at end of file +# Set entrypoint +ENTRYPOINT ["/app/entrypoint.sh"] diff --git a/cleanup.sh b/cleanup.sh index a1e12a6..a3e79af 100644 --- a/cleanup.sh +++ b/cleanup.sh 
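Review bot: `WORKDIR /app` is, as far as I recall GitHub's Dockerfile-support notes for container actions, overridden by the runner, which starts the container in `GITHUB_WORKSPACE` (`/github/workspace`), so relative paths in the scripts still resolve there rather than in `/app` and the instruction only documents intent; a comment to that effect, or dropping the line, avoids a false sense of safety. The hunk also drops `USER root` above `RUN addgroup -S appgroup && adduser -S appuser -G appgroup`, so account creation runs as the base image's default user; patch 031 on this page re-adds it, which confirms it was needed. The order `COPY` → `chown -R appuser:appgroup /app` → `chmod +x` → `USER appuser` is the right shape; `COPY --chown=appuser:appgroup` would fold the separate `chown` layer away.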
@@ -1,25 +1,28 @@ #!/bin/bash -cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) +# Define the output file location where the non-root user has write access +output_file=/app/output.log -if [ -z "$cancelId" ] -then +# Extract the scan ID from the output log +cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' $output_file | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) + +# Check if the scan ID exists +if [ -z "$cancelId" ]; then echo "Scan not created. Terminating job." - else - echo "Canceling scan with ID:" $cancelId + echo "Canceling scan with ID: $cancelId" + # Cancel the scan using the cx CLI /app/bin/cx scan cancel --scan-id "${cancelId}" fi - +# Capture the exit code from the cancellation command exitCode=$? -echo "Program exits with code: " $exitCode +echo "Program exits with code: $exitCode" -if [ $exitCode -eq 0 ] -then +# Check if the cancellation was successful +if [ $exitCode -eq 0 ]; then echo "Job terminated successfully" - else echo "Job Failed" exit $exitCode -fi \ No newline at end of file +fi diff --git a/entrypoint.sh b/entrypoint.sh index b91b39f..5eaacb7 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,7 @@ #!/bin/bash -output_file=./output.log +# Define output file path inside /app, which is writable by non-root user +output_file=/app/output.log eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file @@ -17,11 +18,10 @@ else echo "PR decoration not created." fi - if [ -n "$scanId" ]; then /app/bin/cx results show --scan-id "${scanId}" --report-format markdown - cat ./cx_result.md >$GITHUB_STEP_SUMMARY - rm ./cx_result.md + cat /app/cx_result.md >$GITHUB_STEP_SUMMARY + rm /app/cx_result.md echo "cxScanID=$scanId" >> $GITHUB_OUTPUT fi @@ -32,4 +32,3 @@ else echo "Scan failed" exit $exitCode fi - 
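Review bot: `exitCode=$?` after the `fi` records the status of the last command of whichever branch ran, so when no scan ID is found it reflects the `echo` and the script reports "Job terminated successfully" with exit 0. If that is the intended best-effort outcome, record it with `# nothing to cancel: exiting 0 on purpose`; otherwise capture the status inside the else branch directly after `cx scan cancel`. `$output_file` in the grep is unquoted; `"$output_file"` keeps the command intact if the path ever contains spaces.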
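Review bot: `eval "arr=(${ADDITIONAL_PARAMS})"`, kept as a context line in the entrypoint hunk, hands an action input to the shell for evaluation: whatever a workflow puts in `additional_params` is executed inside this container, presumably with the action's Checkmarx credentials in its environment, so a workflow that builds that input from pull-request-controlled data (title, branch name, body) would be running that data as shell code. The script carries no comment stating this contract; add `# ADDITIONAL_PARAMS is shell-evaluated (quoting is honoured); it must come from trusted workflow configuration only` and mirror it in the input's description. Replacing `eval` with `read -ra arr <<< "$ADDITIONAL_PARAMS"` would end the evaluation but also the quoting support the workflow on this page relies on (`--threshold "..."`), so that is a design decision rather than a drop-in change. `tee -i $output_file` and `> $GITHUB_STEP_SUMMARY` are also unquoted; `"$output_file"` and `"$GITHUB_STEP_SUMMARY"` are the safe spellings.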
From 087f8e00b3960b5e361250486d2af3555a62f683 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Sun, 8 Sep 2024 09:45:55 +0300 Subject: [PATCH 031/114] add root also before --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index a373808..dc6f046 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,7 @@ # Use AST Base image FROM checkmarx/ast-cli:2.2.3 +USER root # Create a non-root user and group RUN addgroup -S appgroup && adduser -S appuser -G appgroup From 343e620173f88c62da51c6372459965aeac8de54 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Sun, 8 Sep 2024 09:54:41 +0300 Subject: [PATCH 032/114] up the open cx_result.json path --- Dockerfile | 4 ++++ entrypoint.sh | 5 ++--- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index dc6f046..ab4433b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,6 +2,7 @@ FROM checkmarx/ast-cli:2.2.3 USER root + # Create a non-root user and group RUN addgroup -S appgroup && adduser -S appuser -G appgroup @@ -15,6 +16,9 @@ COPY cleanup.sh /app/cleanup.sh # Set the ownership of the /app directory to the non-root user RUN chown -R appuser:appgroup /app +# Give write permissions to GitHub Actions file command directories +RUN chmod -R o+w /github/file_commands + # Ensure scripts are executable RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh diff --git a/entrypoint.sh b/entrypoint.sh index 5eaacb7..463426a 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -19,14 +19,13 @@ else fi if [ -n "$scanId" ]; then - /app/bin/cx results show --scan-id "${scanId}" --report-format markdown + /app/bin/cx results show --scan-id "${scanId}" --report-format markdown --output /app/cx_result.md cat /app/cx_result.md >$GITHUB_STEP_SUMMARY rm /app/cx_result.md echo "cxScanID=$scanId" >> $GITHUB_OUTPUT fi -if [ $exitCode -eq 0 ] -then +if [ $exitCode -eq 0 ]; then echo "Scan completed" else echo "Scan failed" 
From 9ee7b3df58629641e89567fb43ddf6bbad4d73ab Mon Sep 17 00:00:00 2001 From: elchananarb Date: Sun, 8 Sep 2024 10:07:46 +0300 Subject: [PATCH 033/114] rm github/file_commands from docker file --- Dockerfile | 3 --- 1 file changed, 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index ab4433b..b68780e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,9 +16,6 @@ COPY cleanup.sh /app/cleanup.sh # Set the ownership of the /app directory to the non-root user RUN chown -R appuser:appgroup /app -# Give write permissions to GitHub Actions file command directories -RUN chmod -R o+w /github/file_commands - # Ensure scripts are executable RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh From b818f15d6990b6bdc8885bd6842486966718fcc7 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Sun, 8 Sep 2024 10:31:17 +0300 Subject: [PATCH 034/114] Adjust permissions for GitHub file commands at runtime --- entrypoint.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 463426a..48b493d 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,5 +1,10 @@ #!/bin/bash +# Adjust permissions for GitHub file commands at runtime +if [ -d "/github/file_commands" ]; then + sudo chmod -R u+w /github/file_commands +fi + # Define output file path inside /app, which is writable by non-root user output_file=/app/output.log @@ -20,7 +25,7 @@ fi if [ -n "$scanId" ]; then /app/bin/cx results show --scan-id "${scanId}" --report-format markdown --output /app/cx_result.md - cat /app/cx_result.md >$GITHUB_STEP_SUMMARY + cat /app/cx_result.md > $GITHUB_STEP_SUMMARY rm /app/cx_result.md echo "cxScanID=$scanId" >> $GITHUB_OUTPUT fi @@ -28,6 +33,6 @@ fi if [ $exitCode -eq 0 ]; then echo "Scan completed" else - echo "Scan failed" + echo "Scan failed" exit $exitCode fi From 0f871b4ed3c58679921e0da54939616192acdc17 Mon Sep 17 00:00:00 2001 
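Review bot: `sudo chmod -R u+w /github/file_commands` cannot achieve what the comment says: `u+w` only changes the owner's write bit, which a non-owner may not change and an owner normally already has, and the very next commit's removal of `sudo` suggests it is not installed; because the script does not use `set -e`, the failure is printed and execution simply continues. The directory is mounted by the runner at run time, so its permissions cannot be fixed from inside this image at all; drop the block and fail early with a clear message instead, `[ -w "$GITHUB_OUTPUT" ] || { echo "GITHUB_OUTPUT is not writable"; exit 1; }`. The same block survives, minus `sudo`, in patches 035 and 038.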
From: elchananarb Date: Sun, 8 Sep 2024 10:38:37 +0300 Subject: [PATCH 035/114] rm sudo --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 48b493d..0bd56cf 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -2,7 +2,7 @@ # Adjust permissions for GitHub file commands at runtime if [ -d "/github/file_commands" ]; then - sudo chmod -R u+w /github/file_commands + chmod -R u+w /github/file_commands fi # Define output file path inside /app, which is writable by non-root user From efaf220de19f2030f47de7dcbd5096f58068bde9 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Sun, 8 Sep 2024 10:39:52 +0300 Subject: [PATCH 036/114] Update Dockerfile --- Dockerfile | 20 +++++--------------- 1 file changed, 5 insertions(+), 15 deletions(-) diff --git a/Dockerfile b/Dockerfile index b68780e..a9bce89 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,27 +1,17 @@ -# Use AST Base image FROM checkmarx/ast-cli:2.2.3 -USER root - -# Create a non-root user and group +# Set up application user RUN addgroup -S appgroup && adduser -S appuser -G appgroup -# Set the working directory to /app +# Set working directory and copy scripts WORKDIR /app - -# Copy the entrypoint and cleanup scripts COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh -# Set the ownership of the /app directory to the non-root user -RUN chown -R appuser:appgroup /app - -# Ensure scripts are executable -RUN chmod +x /app/entrypoint.sh \ - && chmod +x /app/cleanup.sh +# Adjust permissions for app directory +RUN chown -R appuser:appgroup /app && chmod +x /app/entrypoint.sh && chmod +x /app/cleanup.sh -# Switch to non-root user USER appuser -# Set entrypoint +# Entrypoint ENTRYPOINT ["/app/entrypoint.sh"] From f45da4f2d43b0438a0551c8be07fc53a634a80b7 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Sun, 8 Sep 2024 10:42:16 +0300 Subject: [PATCH 037/114] Update Dockerfile --- Dockerfile | 1 + 1 file changed, 1 insertion(+) 
diff --git a/Dockerfile b/Dockerfile index a9bce89..71c3197 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,6 @@ FROM checkmarx/ast-cli:2.2.3 +USER root # Set up application user RUN addgroup -S appgroup && adduser -S appuser -G appgroup From 783136ceb4b0fce1b8b8d9fe8d1e512dd565b707 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Sun, 8 Sep 2024 10:51:05 +0300 Subject: [PATCH 038/114] change to nonroot --- Dockerfile | 17 +++++++++-------- entrypoint.sh | 2 +- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 71c3197..ad4f464 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,18 +1,19 @@ FROM checkmarx/ast-cli:2.2.3 +# Adjust permissions for any directories or files before switching to nonroot USER root -# Set up application user -RUN addgroup -S appgroup && adduser -S appuser -G appgroup +RUN chmod -R u+w /app && \ + chmod -R o+w /github/file_commands || true # Conditional to avoid errors if the directory doesn't exist -# Set working directory and copy scripts +# Switch back to the nonroot user provided by the base image +USER nonroot + +# Define working directory and copy necessary scripts WORKDIR /app COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh -# Adjust permissions for app directory -RUN chown -R appuser:appgroup /app && chmod +x /app/entrypoint.sh && chmod +x /app/cleanup.sh - -USER appuser +# Ensure scripts have execute permissions +RUN chmod +x /app/entrypoint.sh /app/cleanup.sh -# Entrypoint ENTRYPOINT ["/app/entrypoint.sh"] diff --git a/entrypoint.sh b/entrypoint.sh index 0bd56cf..68961d5 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Adjust permissions for GitHub file commands at runtime +# No need for sudo, as permission should have been handled during the Docker build if [ -d "/github/file_commands" ]; then chmod -R u+w /github/file_commands fi From 4a723fd17257bbbaa4b135e3b9a2c57d0abf53b7 Mon Sep 17 00:00:00 2001 
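Review bot: `RUN chmod -R u+w /app && chmod -R o+w /github/file_commands || true` hides failures of both commands, because `|| true` applies to the whole `&&` list and not only to the second chmod as the trailing comment suggests; `/github/file_commands` is a run-time mount that does not exist while the image is built, and `o+w` would make it world-writable if it did. Below, `COPY` after `USER nonroot` still produces root-owned files (COPY ignores USER unless `--chown` is given), so `RUN chmod +x /app/entrypoint.sh /app/cleanup.sh` runs as nonroot against files it does not own and fails with EPERM. Drop the first RUN and set the mode at copy time, `COPY --chmod=555 entrypoint.sh /app/entrypoint.sh`, keeping `USER nonroot` as the last instruction. The same USER-before-chmod ordering problem recurs in patches 040 and 059.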
From: elchananarb Date: Sun, 8 Sep 2024 11:03:26 +0300 Subject: [PATCH 039/114] Update Dockerfile --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index ad4f464..a56c1a9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,6 @@ RUN chmod -R u+w /app && \ chmod -R o+w /github/file_commands || true # Conditional to avoid errors if the directory doesn't exist # Switch back to the nonroot user provided by the base image -USER nonroot # Define working directory and copy necessary scripts WORKDIR /app @@ -17,3 +16,5 @@ COPY cleanup.sh /app/cleanup.sh RUN chmod +x /app/entrypoint.sh /app/cleanup.sh ENTRYPOINT ["/app/entrypoint.sh"] +USER nonroot + From ea909f1ca3d519fc043b7674a72cc9ad7fe3efad Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 10 Sep 2024 12:50:50 +0300 Subject: [PATCH 040/114] Update Dockerfile --- Dockerfile | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) diff --git a/Dockerfile b/Dockerfile index a56c1a9..8a57614 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,20 +1,11 @@ +#Use AST Base image FROM checkmarx/ast-cli:2.2.3 -# Adjust permissions for any directories or files before switching to nonroot -USER root -RUN chmod -R u+w /app && \ - chmod -R o+w /github/file_commands || true # Conditional to avoid errors if the directory doesn't exist - -# Switch back to the nonroot user provided by the base image +USER nonroot -# Define working directory and copy necessary scripts -WORKDIR /app +#Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh -# Ensure scripts have execute permissions -RUN chmod +x /app/entrypoint.sh /app/cleanup.sh - -ENTRYPOINT ["/app/entrypoint.sh"] -USER nonroot - +RUN chmod +x /app/entrypoint.sh \ + && chmod +x /app/cleanup.sh \ No newline at end of file From 31d9f332d6c227b69b999c65604fd26ced4495de Mon Sep 17 00:00:00 2001 
From: elchananarb Date: Tue, 10 Sep 2024 12:53:27 +0300 Subject: [PATCH 041/114] change 2.2.5 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 8a57614..200fac9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ #Use AST Base image -FROM checkmarx/ast-cli:2.2.3 +FROM checkmarx/ast-cli:2.2.5 USER nonroot From 44b4e071a66e99df1933c74652f10f27a663de9a Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 10 Sep 2024 13:05:37 +0300 Subject: [PATCH 042/114] change to 555 --- Dockerfile | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 200fac9..e323bba 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,8 +4,5 @@ FROM checkmarx/ast-cli:2.2.5 USER nonroot #Copy the entrypoint script and properties used for the action -COPY entrypoint.sh /app/entrypoint.sh -COPY cleanup.sh /app/cleanup.sh - -RUN chmod +x /app/entrypoint.sh \ - && chmod +x /app/cleanup.sh \ No newline at end of file +COPY --chmod=555 entrypoint.sh /app/entrypoint.sh +COPY --chmod=555 cleanup.sh /app/cleanup.sh From 75b44247a5a9d045c8f58151896016d90cd888e1 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 10 Sep 2024 13:11:17 +0300 Subject: [PATCH 043/114] Update Dockerfile --- Dockerfile | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index e323bba..d3d7cdb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,9 @@ #Use AST Base image -FROM checkmarx/ast-cli:2.2.5 +FROM checkmarx/ast-cli:2.2.3 USER nonroot #Copy the entrypoint script and properties used for the action -COPY --chmod=555 entrypoint.sh /app/entrypoint.sh -COPY --chmod=555 cleanup.sh /app/cleanup.sh +COPY --chmod=111 entrypoint.sh /app/entrypoint.sh +COPY --chmod=111 cleanup.sh /app/cleanup.sh + From e05c1f231096263f2270dd35b6a30f5530a0b5a3 Mon Sep 17 00:00:00 2001 
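Review bot: `COPY --chmod=555` requires the BuildKit Dockerfile frontend; the legacy builder rejects the flag, and nothing in the file states that requirement. Add `# syntax=docker/dockerfile:1` as the first line so a build without BuildKit fails with a clear message rather than depending on the builder's defaults. Mode 555 is the right choice here, since the runtime user has no reason to write the scripts it executes.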
From: elchananarb Date: Tue, 10 Sep 2024 13:12:30 +0300 Subject: [PATCH 044/114] Update Dockerfile --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index d3d7cdb..f770956 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,6 +4,6 @@ FROM checkmarx/ast-cli:2.2.3 USER nonroot #Copy the entrypoint script and properties used for the action -COPY --chmod=111 entrypoint.sh /app/entrypoint.sh -COPY --chmod=111 cleanup.sh /app/cleanup.sh +COPY --chmod=555 entrypoint.sh /app/entrypoint.sh +COPY --chmod=555 cleanup.sh /app/cleanup.sh From 75e6eb7f0267b37a90a7c2255c8e5f0754332416 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 10 Sep 2024 13:16:18 +0300 Subject: [PATCH 045/114] fix --- cleanup.sh | 27 ++++++++++++--------------- entrypoint.sh | 20 ++++++++------------ 2 files changed, 20 insertions(+), 27 deletions(-) diff --git a/cleanup.sh b/cleanup.sh index a3e79af..05d9dec 100644 --- a/cleanup.sh +++ b/cleanup.sh 
@@ -1,28 +1,25 @@ #!/bin/bash -# Define the output file location where the non-root user has write access -output_file=/app/output.log +cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) -# Extract the scan ID from the output log -cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' $output_file | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) - -# Check if the scan ID exists -if [ -z "$cancelId" ]; then +if [ -z "$cancelId" ] +then echo "Scan not created. Terminating job." -else - echo "Canceling scan with ID: $cancelId" - # Cancel the scan using the cx CLI + +else + echo "Canceling scan with ID:" $cancelId /app/bin/cx scan cancel --scan-id "${cancelId}" fi -# Capture the exit code from the cancellation command + exitCode=$? -echo "Program exits with code: $exitCode" +echo "Program exits with code: " $exitCode -# Check if the cancellation was successful -if [ $exitCode -eq 0 ]; then +if [ $exitCode -eq 0 ] +then echo "Job terminated successfully" + else echo "Job Failed" exit $exitCode -fi +fi \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index 68961d5..dc7f9f9 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,12 +1,6 @@ #!/bin/bash -# No need for sudo, as permission should have been handled during the Docker build -if [ -d "/github/file_commands" ]; then - chmod -R u+w /github/file_commands -fi - -# Define output file path inside /app, which is writable by non-root user -output_file=/app/output.log +output_file=./output.log eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file 
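Review bot: `output_file=./output.log` here and `./output.log` in the cleanup.sh hunk above make both scripts depend on the working directory the runner starts the container in, and on both being started from the same one; the scan output is also dropped into the directory that `-s "."` hands to `cx scan create`, so depending on when the CLI packages the source it may be uploaded along with it. One absolute path in a writable location outside the workspace, for example `output_file="${RUNNER_TEMP:-/tmp}/output.log"`, shared by both scripts removes both problems. The entrypoint's second hunk below has the same dependency through `./cx_result.md`.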
@@ -23,16 +17,18 @@ else echo "PR decoration not created." fi + if [ -n "$scanId" ]; then - /app/bin/cx results show --scan-id "${scanId}" --report-format markdown --output /app/cx_result.md - cat /app/cx_result.md > $GITHUB_STEP_SUMMARY - rm /app/cx_result.md + /app/bin/cx results show --scan-id "${scanId}" --report-format markdown + cat ./cx_result.md >$GITHUB_STEP_SUMMARY + rm ./cx_result.md echo "cxScanID=$scanId" >> $GITHUB_OUTPUT fi -if [ $exitCode -eq 0 ]; then +if [ $exitCode -eq 0 ] +then echo "Scan completed" else echo "Scan failed" exit $exitCode -fi +fi \ No newline at end of file From 9f841010f1b70e1b7b1084433fd5e26cdb1f203b Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:49:28 +0100 Subject: [PATCH 046/114] fix attempt to permission denied for output.log --- entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index dc7f9f9..10e8082 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -2,6 +2,8 @@ output_file=./output.log +chown nonroot:nonroot /output.log + eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file exitCode=${PIPESTATUS[0]} From 819d6a23237f35ffd4459a9d3f8dddbc67cf2b6e Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Mon, 16 Sep 2024 22:58:25 +0100 Subject: [PATCH 047/114] fix attempt 2 --- entrypoint.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 10e8082..6738f91 100644 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -2,7 +2,8 @@ output_file=./output.log -chown nonroot:nonroot /output.log +# Create file and add permissions +touch $output_file && chown nonroot:nonroot $output_file eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file From ec5566b5e6981f30c6358149a3c4fa58946fe940 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Mon, 16 Sep 2024 23:00:15 +0100 Subject: [PATCH 048/114] fix attempt 3 --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 6738f91..0dab109 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash -output_file=./output.log +output_file=./app/output.log # Create file and add permissions touch $output_file && chown nonroot:nonroot $output_file From e5598805e91c8047dc3ac3240575912352e0ffce Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Mon, 16 Sep 2024 23:03:35 +0100 Subject: [PATCH 049/114] fix attempt 3 --- Dockerfile | 6 ++++-- entrypoint.sh | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index f770956..b88139a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,11 @@ #Use AST Base image FROM checkmarx/ast-cli:2.2.3 +WORKDIR /app + USER nonroot #Copy the entrypoint script and properties used for the action -COPY --chmod=555 entrypoint.sh /app/entrypoint.sh -COPY --chmod=555 cleanup.sh /app/cleanup.sh +COPY --chown=nonroot:nonroot --chmod=555 entrypoint.sh /app/entrypoint.sh +COPY --chown=nonroot:nonroot --chmod=555 cleanup.sh /app/cleanup.sh diff --git a/entrypoint.sh b/entrypoint.sh index 0dab109..3a48421 100644 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -1,6 +1,6 @@ #!/bin/bash -output_file=./app/output.log +output_file=/app/output.log # Create file and add permissions touch $output_file && chown nonroot:nonroot $output_file From fc80075afd090c02e8397f6c37664c16e0bab7c9 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Mon, 16 Sep 2024 23:05:13 +0100 Subject: [PATCH 050/114] fix 4 --- Dockerfile | 2 ++ entrypoint.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index b88139a..c100ea5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,6 +5,8 @@ WORKDIR /app USER nonroot +RUN chmod -R nonroot:nonroot /app + #Copy the entrypoint script and properties used for the action COPY --chown=nonroot:nonroot --chmod=555 entrypoint.sh /app/entrypoint.sh COPY --chown=nonroot:nonroot --chmod=555 cleanup.sh /app/cleanup.sh diff --git a/entrypoint.sh b/entrypoint.sh index 3a48421..f530c87 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -3,7 +3,7 @@ output_file=/app/output.log # Create file and add permissions -touch $output_file && chown nonroot:nonroot $output_file +touch $output_file eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file From 77b5ca36f34f3c420977825c77f0ad170444c764 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Mon, 16 Sep 2024 23:06:28 +0100 Subject: [PATCH 051/114] my fault --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index c100ea5..cd9c894 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ WORKDIR /app USER nonroot -RUN chmod -R nonroot:nonroot /app +RUN chown -R nonroot:nonroot /app #Copy the entrypoint script and properties used for the action COPY --chown=nonroot:nonroot --chmod=555 entrypoint.sh /app/entrypoint.sh 
From 3cc24f1372ee55549275622b8d52df8764ab8628 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Mon, 16 Sep 2024 23:07:42 +0100 Subject: [PATCH 052/114] fix attempt 5 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index cd9c894..6d19bb6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,9 +3,9 @@ FROM checkmarx/ast-cli:2.2.3 WORKDIR /app -USER nonroot - +USER root RUN chown -R nonroot:nonroot /app +USER nonroot #Copy the entrypoint script and properties used for the action COPY --chown=nonroot:nonroot --chmod=555 entrypoint.sh /app/entrypoint.sh From bd10c29a41da17517136b0a2042aa16702f12214 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Mon, 16 Sep 2024 23:12:42 +0100 Subject: [PATCH 053/114] update cleanup.sh --- cleanup.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/cleanup.sh b/cleanup.sh index 05d9dec..3df3305 100644 --- a/cleanup.sh +++ b/cleanup.sh @@ -1,6 +1,8 @@ #!/bin/bash -cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) +output_file=/app/output.log + +cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' $output_file | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) if [ -z "$cancelId" ] then From 6ba81c6f3c9c5df9adc248ff6dc7bbd2aa03128c Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Mon, 16 Sep 2024 23:12:58 +0100 Subject: [PATCH 054/114] user needs to write the results --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6d19bb6..52cb830 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -8,6 +8,6 @@ RUN chown -R nonroot:nonroot /app USER nonroot #Copy the entrypoint script and properties used for the action -COPY --chown=nonroot:nonroot --chmod=555 entrypoint.sh /app/entrypoint.sh -COPY --chown=nonroot:nonroot --chmod=555 cleanup.sh /app/cleanup.sh +COPY --chown=nonroot:nonroot --chmod=755 entrypoint.sh /app/entrypoint.sh +COPY --chown=nonroot:nonroot --chmod=755 cleanup.sh /app/cleanup.sh From 715af5f41997927a574ed7f6602e42e9cda784f4 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Mon, 16 Sep 2024 23:22:16 +0100 Subject: [PATCH 055/114] fix attempt n+1 --- entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index f530c87..f7187d9 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -5,6 +5,8 @@ output_file=/app/output.log # Create file and add permissions touch $output_file +cd /app + eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file exitCode=${PIPESTATUS[0]} From 6c4be33965474176c03adbeb95c8aa2395811a25 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Mon, 16 Sep 2024 23:27:16 +0100 Subject: [PATCH 056/114] fix --- entrypoint.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index f7187d9..66f9974 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -2,7 +2,7 @@ output_file=/app/output.log -# Create file and add permissions +# Create file touch $output_file cd /app 
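Review bot: `cd /app` runs before `/app/bin/cx scan create ... -s "."`, so the source that gets scanned is now the action image's /app directory rather than the checked-out repository, and the later `cat ./cx_result.md` resolves under /app as well. If the intent is only to make `output.log` land somewhere writable, `output_file` is already absolute and the `cd` is unnecessary; otherwise pass the workspace explicitly, `-s "$GITHUB_WORKSPACE"`. Either way the line deserves a comment, since it silently changes what is scanned.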
@@ -11,6 +11,8 @@ eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file exitCode=${PIPESTATUS[0]} +chown nonroot:nonroot $output_file + scanId=(`grep -E '"(ID)":"((\\"|[^"])*)"' $output_file | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) echo "cxcli=$(cat $output_file | tr -d '\r\n')" >> $GITHUB_OUTPUT @@ -25,6 +27,9 @@ fi if [ -n "$scanId" ]; then /app/bin/cx results show --scan-id "${scanId}" --report-format markdown + + chown nonroot:nonroot cx_result.md + cat ./cx_result.md >$GITHUB_STEP_SUMMARY rm ./cx_result.md echo "cxScanID=$scanId" >> $GITHUB_OUTPUT From 62871185155f84b33a23da27adb9060fe916b13f Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 24 Sep 2024 16:25:38 +0300 Subject: [PATCH 057/114] revert change --- Dockerfile | 10 ++++------ entrypoint.sh | 15 +++------------ 2 files changed, 7 insertions(+), 18 deletions(-) diff --git a/Dockerfile b/Dockerfile index 42e26b2..a59aaa9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,13 +1,11 @@ #Use AST Base image FROM checkmarx/ast-cli:2.2.5 -WORKDIR /app - USER root -RUN chown -R nonroot:nonroot /app -USER nonroot #Copy the entrypoint script and properties used for the action -COPY --chown=nonroot:nonroot --chmod=755 entrypoint.sh /app/entrypoint.sh -COPY --chown=nonroot:nonroot --chmod=755 cleanup.sh /app/cleanup.sh +COPY entrypoint.sh /app/entrypoint.sh +COPY cleanup.sh /app/cleanup.sh +RUN chmod +x /app/entrypoint.sh \ + && chmod +x /app/cleanup.sh diff --git a/entrypoint.sh b/entrypoint.sh index 66f9974..6a79c66 100644 --- a/entrypoint.sh +++ b/entrypoint.sh 
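Review bot: the new side of this Dockerfile hunk ends with `USER root` and never switches back, so the action container runs as root on the runner, which most of the earlier commits in this series were trying to avoid. If running as root is the accepted workaround for the workspace and `GITHUB_OUTPUT` permission problems, record it above the instruction, `# runs as root: the runner-mounted workspace and file_commands must stay writable`; otherwise add a final `USER` after the `RUN chmod`, as patch 064 later does.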
@@ -1,18 +1,11 @@ #!/bin/bash -output_file=/app/output.log - -# Create file -touch $output_file - -cd /app +output_file=./output.log eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file exitCode=${PIPESTATUS[0]} -chown nonroot:nonroot $output_file - scanId=(`grep -E '"(ID)":"((\\"|[^"])*)"' $output_file | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) echo "cxcli=$(cat $output_file | tr -d '\r\n')" >> $GITHUB_OUTPUT @@ -27,9 +20,6 @@ fi if [ -n "$scanId" ]; then /app/bin/cx results show --scan-id "${scanId}" --report-format markdown - - chown nonroot:nonroot cx_result.md - cat ./cx_result.md >$GITHUB_STEP_SUMMARY rm ./cx_result.md echo "cxScanID=$scanId" >> $GITHUB_OUTPUT @@ -41,4 +31,5 @@ then else echo "Scan failed" exit $exitCode -fi \ No newline at end of file +fi + From c76f359037190e07e065ded1289004299dcb5853 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Tue, 24 Sep 2024 16:38:24 +0300 Subject: [PATCH 058/114] revert 2 --- cleanup.sh | 4 +--- entrypoint.sh | 3 +-- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/cleanup.sh b/cleanup.sh index 3df3305..05d9dec 100644 --- a/cleanup.sh +++ b/cleanup.sh @@ -1,8 +1,6 @@ #!/bin/bash -output_file=/app/output.log - -cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' $output_file | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) +cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) if [ -z "$cancelId" ] then diff --git a/entrypoint.sh b/entrypoint.sh index 6a79c66..dc7f9f9 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -31,5 +31,4 @@ then else echo "Scan failed" exit $exitCode -fi - +fi \ No newline at end of file From 095ae5bb6d4767690ae0492c0f09866c1e23e6d2 Mon Sep 17 00:00:00 2001 
From: elchananarb Date: Tue, 24 Sep 2024 18:14:07 +0300 Subject: [PATCH 059/114] After fips change in cli --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index a59aaa9..200fac9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,11 +1,11 @@ #Use AST Base image FROM checkmarx/ast-cli:2.2.5 -USER root +USER nonroot #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh RUN chmod +x /app/entrypoint.sh \ - && chmod +x /app/cleanup.sh + && chmod +x /app/cleanup.sh \ No newline at end of file From b26a0d6f74c44435905769ca7eb5c349ba2e13a2 Mon Sep 17 00:00:00 2001 From: elchananarb Date: Wed, 25 Sep 2024 09:45:37 +0300 Subject: [PATCH 060/114] up threshold and change user to 65532 --- .github/workflows/checkmarx-one-scan.yml | 2 +- Dockerfile | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml index b953840..0e3b3e6 100644 --- a/.github/workflows/checkmarx-one-scan.yml +++ b/.github/workflows/checkmarx-one-scan.yml @@ -15,4 +15,4 @@ jobs: cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }} cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }} cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }} - additional_params: --tags phoenix --threshold "sast-high=1;sca-high=1;sca-medium=3;sca-low=1" --debug \ No newline at end of file + additional_params: --tags phoenix --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;" --debug \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 200fac9..0045aa8 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,7 +1,7 @@ #Use AST Base image FROM checkmarx/ast-cli:2.2.5 -USER nonroot +USER 65532 #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh From 2a3bfd0ad9364c2f885b7edb356d5ae2d08e5eee Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 12:33:32 +0300 Subject: [PATCH 061/114] Update CLI to 2.2.7 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 0045aa8..59e3d6f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ #Use AST Base image -FROM checkmarx/ast-cli:2.2.5 +FROM checkmarx/ast-cli:2.2.7 USER 65532 From 55d8b9ad1441d7b1b5dbc9e917cc24d6aae10454 Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 12:41:03 +0300 Subject: [PATCH 062/114] check root --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 59e3d6f..cbea91b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ #Use AST Base image FROM checkmarx/ast-cli:2.2.7 -USER 65532 +USER root #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh From 5fd19eed11fb06bfe99d0ae9540db98b5761aa84 Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:09:00 +0300 Subject: [PATCH 063/114] to 65532 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index cbea91b..59e3d6f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,7 @@ #Use AST Base image FROM checkmarx/ast-cli:2.2.7 -USER root +USER 65532 #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh From 5702b57e11937596e40a08f3b8e90ff2ecc046db Mon Sep 17 00:00:00 2001 
From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:12:21 +0300 Subject: [PATCH 064/114] USE 65532 AFTER --- Dockerfile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 59e3d6f..00a9db9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,11 +1,13 @@ #Use AST Base image FROM checkmarx/ast-cli:2.2.7 -USER 65532 +USER root #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh RUN chmod +x /app/entrypoint.sh \ - && chmod +x /app/cleanup.sh \ No newline at end of file + && chmod +x /app/cleanup.sh \ + +USER 65532 \ No newline at end of file From 21e9a07d3cd18df8585ec998ded272dfb1538005 Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:13:45 +0300 Subject: [PATCH 065/114] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 00a9db9..4b8e913 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,6 +8,6 @@ COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh RUN chmod +x /app/entrypoint.sh \ - && chmod +x /app/cleanup.sh \ + && chmod +x /app/cleanup.sh USER 65532 \ No newline at end of file From 8bb86342b1b95e1b9943fed67b63f27542fc3117 Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:17:20 +0300 Subject: [PATCH 066/114] add /app --- Dockerfile | 2 +- cleanup.sh | 2 +- entrypoint.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4b8e913..99e6e1d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,6 +8,6 @@ COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh RUN chmod +x /app/entrypoint.sh \ - && chmod +x /app/cleanup.sh + && chmod +x /app/cleanup.sh USER 65532 \ No newline at end of file 
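Review bot: The new `&& chmod +x /app/cleanup.sh \` ends in a line continuation that is followed by a blank line and then `USER 65532`, leaving the `RUN` instruction open; Docker warns about empty continuation lines and, as far as I know, continues the instruction onto the next non-blank line, so `USER 65532` is likely appended to the chmod argument list instead of switching the user. Drop the trailing backslash: `&& chmod +x /app/cleanup.sh`. Patch 065 in this series makes exactly that correction.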
diff --git a/cleanup.sh b/cleanup.sh index 05d9dec..f10e62a 100644 --- a/cleanup.sh +++ b/cleanup.sh @@ -1,6 +1,6 @@ #!/bin/bash -cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) +cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./app/output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) if [ -z "$cancelId" ] then diff --git a/entrypoint.sh b/entrypoint.sh index dc7f9f9..53e7dfd 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash -output_file=./output.log +output_file=./app/output.log eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file From f2f567fa9520af3c753cfd7fef8d379a862ca540 Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:20:09 +0300 Subject: [PATCH 067/114] add touch /app/output.log --- entrypoint.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/entrypoint.sh b/entrypoint.sh index 53e7dfd..180d6ff 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,5 +1,6 @@ #!/bin/bash +touch /app/output.log output_file=./app/output.log eval "arr=(${ADDITIONAL_PARAMS})" From 199ce0980e022af999d46d168d1dfbeb690599dd Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:26:06 +0300 Subject: [PATCH 068/114] v3 --- Dockerfile | 2 ++ entrypoint.sh | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 99e6e1d..44944c1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,6 +3,7 @@ FROM checkmarx/ast-cli:2.2.7 USER root +RUN touch /app/output.log && chmod 555 /app/output.log #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh 
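Review bot: `output_file=./app/output.log` is a relative path, so it resolves to `/app/output.log` only when the script is started from `/`; from any other working directory it points at `<cwd>/app/output.log`, whose parent directory will usually not exist and `tee` will fail to create the file. The same relative form is introduced in cleanup.sh in this patch (`./app/output.log`) and again in patch 073. Use the absolute path `output_file=/app/output.log`, and the same literal in cleanup.sh, if /app is the intended location.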
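Review bot: `RUN touch /app/output.log && chmod 555 /app/output.log` creates the log with no write bit for any class (r-xr-xr-x), so once the image switches to `USER 65532` the `tee` in entrypoint.sh cannot write to it; only root bypasses mode bits. If the file has to be pre-created, hand it to the runtime uid instead: `RUN touch /app/output.log && chown 65532:65532 /app/output.log && chmod 640 /app/output.log` (patch 073 later does the chown part). The same 555 reappears in patches 069, 080, 082 and 084; in 080 and 082 `chmod=555 output.log` is additionally not a chmod call at all but a variable assignment prefixing a command named `output.log`, which fails with command not found.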
@@ -10,4 +11,5 @@ COPY cleanup.sh /app/cleanup.sh RUN chmod +x /app/entrypoint.sh \ && chmod +x /app/cleanup.sh + USER 65532 \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index 180d6ff..53e7dfd 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,5 @@ #!/bin/bash -touch /app/output.log output_file=./app/output.log eval "arr=(${ADDITIONAL_PARAMS})" From ad6a757d2a32ef52ff535a09266e412cf8f5da8a Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:28:28 +0300 Subject: [PATCH 069/114] v4 --- Dockerfile | 2 +- cleanup.sh | 2 +- entrypoint.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 44944c1..4a6b400 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ FROM checkmarx/ast-cli:2.2.7 USER root -RUN touch /app/output.log && chmod 555 /app/output.log +RUN touch /output.log && chmod 555 /output.log #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh diff --git a/cleanup.sh b/cleanup.sh index f10e62a..05d9dec 100644 --- a/cleanup.sh +++ b/cleanup.sh @@ -1,6 +1,6 @@ #!/bin/bash -cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./app/output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) +cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) if [ -z "$cancelId" ] then diff --git a/entrypoint.sh b/entrypoint.sh index 53e7dfd..dc7f9f9 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash -output_file=./app/output.log +output_file=./output.log eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file From 54d6fec2dd89ebeb62a3574f4a1b1cd2ad6ca000 Mon Sep 17 00:00:00 2001 
From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:31:34 +0300 Subject: [PATCH 070/114] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 4a6b400..4ec4380 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ FROM checkmarx/ast-cli:2.2.7 USER root -RUN touch /output.log && chmod 555 /output.log +RUN touch /output.log && chown 65532:65532 /output.log /output.log #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh From 0f2a3ea7c6ce39e3094e94fec87ab5c96ad0e123 Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:33:52 +0300 Subject: [PATCH 071/114] add ls -la --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index dc7f9f9..17e80b8 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,7 +1,7 @@ #!/bin/bash output_file=./output.log - +ls -la eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file exitCode=${PIPESTATUS[0]} From 6fe308adf070cd1f7b4db11f28b88d02b582ee61 Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:36:46 +0300 Subject: [PATCH 072/114] Update entrypoint.sh --- entrypoint.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 17e80b8..d3c50a5 100644 --- a/entrypoint.sh +++ b/entrypoint.sh 
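Review bot: `ls -la` is a debugging aid left in the shipped entrypoint, printing a directory listing into every consumer's job log on each run. Later patches in this series add `pwd`, `ls -la /`, `ls -la /app`, `ls -la /github/`, `id` and `cat /etc/passwd` (072, 075, 087, 095, 096, 099, 101, 102, 106); the last two dump the container's identity and account list into the log of every repository that uses the action, which is noise at best and exposes image internals to anyone with log access. Remove them before release, or gate them behind an explicit opt-in such as `[ "${CX_DEBUG:-}" = "true" ] && ls -la`, where `CX_DEBUG` is a placeholder for whatever debug input the action already exposes.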
@@ -1,7 +1,8 @@ #!/bin/bash output_file=./output.log -ls -la +pwd +ls -la / eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file exitCode=${PIPESTATUS[0]} From 67021f3c3e131cbb0010721ef08f5a03e03c9d0d Mon Sep 17 00:00:00 2001 From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 15:10:24 +0300 Subject: [PATCH 073/114] tag 2.2.7-snapshot-v3 --- Dockerfile | 4 ++-- cleanup.sh | 2 +- entrypoint.sh | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4ec4380..d829ee5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,9 @@ #Use AST Base image -FROM checkmarx/ast-cli:2.2.7 +FROM checkmarx/ast-cli:2.2.7-snapshot-v3 USER root -RUN touch /output.log && chown 65532:65532 /output.log /output.log +RUN touch /app/output.log && chown 65532:65532 /app/output.log #Copy the entrypoint script and properties used for the action COPY entrypoint.sh /app/entrypoint.sh COPY cleanup.sh /app/cleanup.sh diff --git a/cleanup.sh b/cleanup.sh index 05d9dec..f10e62a 100644 --- a/cleanup.sh +++ b/cleanup.sh @@ -1,6 +1,6 @@ #!/bin/bash -cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) +cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./app/output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) if [ -z "$cancelId" ] then diff --git a/entrypoint.sh b/entrypoint.sh index d3c50a5..299d2f5 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,6 +1,6 @@ #!/bin/bash -output_file=./output.log +output_file=./app/output.log pwd ls -la / eval "arr=(${ADDITIONAL_PARAMS})" From 6f1b1c9f995317a5679df69d509bc4c62d4770db Mon Sep 17 00:00:00 2001 
From: elchnanarbiv <45004411+elchnanarbiv@users.noreply.github.com> Date: Wed, 25 Sep 2024 16:05:20 +0300 Subject: [PATCH 074/114] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index d829ee5..bf2da28 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ #Use AST Base image -FROM checkmarx/ast-cli:2.2.7-snapshot-v3 +FROM checkmarx/ast-cli:2.2.7-snapshot-v2 USER root From 4d2d60c0ac1dc2a3978033ad1ddf94bc7f496a01 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 16:50:54 +0100 Subject: [PATCH 075/114] Fix permissions --- Dockerfile | 11 ++++------- entrypoint.sh | 4 ++-- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index bf2da28..efe982d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,15 +1,12 @@ #Use AST Base image -FROM checkmarx/ast-cli:2.2.7-snapshot-v2 +FROM checkmarx/dev-tests:latest USER root RUN touch /app/output.log && chown 65532:65532 /app/output.log -#Copy the entrypoint script and properties used for the action -COPY entrypoint.sh /app/entrypoint.sh -COPY cleanup.sh /app/cleanup.sh - -RUN chmod +x /app/entrypoint.sh \ - && chmod +x /app/cleanup.sh +# Copy the entrypoint script and properties used for the action +COPY --chmod=555 entrypoint.sh /app/entrypoint.sh +COPY --chmod=555 cleanup.sh /app/cleanup.sh USER 65532 \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index 299d2f5..32045c3 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,8 +1,8 @@ #!/bin/bash output_file=./app/output.log -pwd -ls -la / + +ls -la /app eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file exitCode=${PIPESTATUS[0]} From f7938f0ddf399f83e8ef76846f8aa7168e8de5ea Mon Sep 17 00:00:00 2001 
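Review bot: `FROM checkmarx/dev-tests:latest` replaces a versioned base with a mutable tag, so every build of the action can pull a different image and no two runs are reproducible; for a scanner that publishes results it also becomes impossible to say which CLI a given scan used. The snapshot tags in patches 073 and 074 (`2.2.7-snapshot-v3`, `-v2`) have the same property. Pin a release tag and its digest, e.g. `FROM checkmarx/ast-cli:2.2.7@sha256:<DIGEST_PLACEHOLDER>`, and let the dependency bot bump it. The `COPY --chmod=555` lines in this hunk are the right direction and make a separate `RUN chmod +x` unnecessary.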
From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 16:52:27 +0100 Subject: [PATCH 076/114] Update dockerfile --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index efe982d..f852062 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,7 +6,7 @@ USER root RUN touch /app/output.log && chown 65532:65532 /app/output.log # Copy the entrypoint script and properties used for the action -COPY --chmod=555 entrypoint.sh /app/entrypoint.sh -COPY --chmod=555 cleanup.sh /app/cleanup.sh +COPY --chown=65532:65532 entrypoint.sh /app/entrypoint.sh +COPY --chown=65532:65532 cleanup.sh /app/cleanup.sh USER 65532 \ No newline at end of file From c3bc063d8a4997bbd0dd920106a467b99758f00f Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 16:56:24 +0100 Subject: [PATCH 077/114] Update dockerfile --- Dockerfile | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index f852062..b774b32 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,12 +1,8 @@ #Use AST Base image FROM checkmarx/dev-tests:latest -USER root - -RUN touch /app/output.log && chown 65532:65532 /app/output.log - # Copy the entrypoint script and properties used for the action -COPY --chown=65532:65532 entrypoint.sh /app/entrypoint.sh -COPY --chown=65532:65532 cleanup.sh /app/cleanup.sh +COPY --chown=555 entrypoint.sh /app/entrypoint.sh +COPY --chown=555 cleanup.sh /app/cleanup.sh USER 65532 \ No newline at end of file From 84cd7849f11241cf30c95371bc6106dd63e16430 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 17:06:40 +0100 Subject: [PATCH 078/114] My bad --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b774b32..0b9d6e3 100644 --- a/Dockerfile +++ b/Dockerfile 
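Review bot: `COPY --chown=555 entrypoint.sh /app/entrypoint.sh` sets the file owner to uid 555, not the mode; the scripts keep their checkout permissions and are now owned by an account that presumably does not exist in the image. What the hunk is after is `COPY --chmod=555 entrypoint.sh /app/entrypoint.sh` (and the same for cleanup.sh), as the previous revision had. Dropping the `RUN touch ... chown` line is only safe if nothing at run time still writes `/app/output.log`, which entrypoint.sh at this point does via `tee` as uid 65532.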
@@ -2,7 +2,7 @@ FROM checkmarx/dev-tests:latest # Copy the entrypoint script and properties used for the action -COPY --chown=555 entrypoint.sh /app/entrypoint.sh -COPY --chown=555 cleanup.sh /app/cleanup.sh +COPY --chmod=555 entrypoint.sh /app/entrypoint.sh +COPY --chmod=555 cleanup.sh /app/cleanup.sh USER 65532 \ No newline at end of file From a7300feab463dced5b4f568762c272a181ab093d Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 17:08:34 +0100 Subject: [PATCH 079/114] Add output.log --- Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Dockerfile b/Dockerfile index 0b9d6e3..a498b05 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,8 @@ #Use AST Base image FROM checkmarx/dev-tests:latest +RUN touch /app/output.log + # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh COPY --chmod=555 cleanup.sh /app/cleanup.sh From eccac99f525cb513cf53995d2ad5f720925b8c4c Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 17:10:20 +0100 Subject: [PATCH 080/114] Update Dockerfile --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index a498b05..cae2722 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,7 +1,9 @@ #Use AST Base image FROM checkmarx/dev-tests:latest -RUN touch /app/output.log +WORKDIR /app + +RUN touch output.log && chmod=555 output.log # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh From 9203f95a5d9ef286a0120d7659dc5daaa4d7116e Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 17:11:43 +0100 Subject: [PATCH 081/114] Add user root --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index cae2722..d74de78 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -3,6 +3,7 @@ FROM checkmarx/dev-tests:latest WORKDIR /app +USER root RUN touch output.log && chmod=555 output.log # Copy the entrypoint script and properties used for the action From d865f33d30ccba9178e3a4fcdb1929cdabb02bcd Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 17:13:50 +0100 Subject: [PATCH 082/114] Fix --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index d74de78..a0f8f1e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM checkmarx/dev-tests:latest WORKDIR /app USER root -RUN touch output.log && chmod=555 output.log +RUN touch /app/output.log && chmod=555 output.log # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh From 0419eb6c053a4cce5f77fcbd2d77489b5c79c6bd Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 17:23:31 +0100 Subject: [PATCH 083/114] Fix --- Dockerfile | 3 --- entrypoint.sh | 5 +++++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index a0f8f1e..5125495 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,9 +3,6 @@ FROM checkmarx/dev-tests:latest WORKDIR /app -USER root -RUN touch /app/output.log && chmod=555 output.log - # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh COPY --chmod=555 cleanup.sh /app/cleanup.sh diff --git a/entrypoint.sh b/entrypoint.sh index 32045c3..b773e5f 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -2,7 +2,12 @@ output_file=./app/output.log +cd /app + +touch output.log + ls -la /app + eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file exitCode=${PIPESTATUS[0]} 
From 0bdf8f443897dffb7b73e03496ff138c2507470e Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 17:25:05 +0100 Subject: [PATCH 084/114] Fix entrypoint --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index b773e5f..7daae1c 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -4,7 +4,7 @@ output_file=./app/output.log cd /app -touch output.log +touch output.log && chmod 555 output.log ls -la /app From 9472c99e9a986eda49e1ce5489ccdc0e213fae71 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 17:26:32 +0100 Subject: [PATCH 085/114] fix permissions --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 7daae1c..7462e3a 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -4,7 +4,7 @@ output_file=./app/output.log cd /app -touch output.log && chmod 555 output.log +touch output.log && chmod 666 output.log ls -la /app From 00d7527f2b0eb1df4090c7f12d01b0fd0a4c0de7 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 17:28:04 +0100 Subject: [PATCH 086/114] fix file name --- entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index 7462e3a..80d9806 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,10 +1,10 @@ #!/bin/bash -output_file=./app/output.log +output_file=output.log cd /app -touch output.log && chmod 666 output.log +touch output.log && chmod 660 output.log ls -la /app From 655b90c210d266a92a13ae9751c01127d2d33f90 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 17:28:57 +0100 Subject: [PATCH 087/114] fix --- entrypoint.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 80d9806..ebb23ec 100644 
--- a/entrypoint.sh +++ b/entrypoint.sh @@ -2,7 +2,11 @@ output_file=output.log +pwd +ls -la + cd /app +ls -la touch output.log && chmod 660 output.log From 9a7df754907bd02977b7b303427143205605b135 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 18:07:45 +0100 Subject: [PATCH 088/114] try again with the right binary arch --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index ebb23ec..9960e62 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,7 +1,7 @@ #!/bin/bash output_file=output.log - + pwd ls -la From b07103d7bddf6649eb939db14bdfd25f7e1b73c8 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 18:08:19 +0100 Subject: [PATCH 089/114] try again --- entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 9960e62..d22740f 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,7 +1,7 @@ #!/bin/bash output_file=output.log - + pwd ls -la From e3561cde4deb04b61dfc7d47f760b2a789195355 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 18:16:35 +0100 Subject: [PATCH 090/114] add right permissions to file_commands --- entrypoint.sh | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/entrypoint.sh b/entrypoint.sh index d22740f..359107e 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -2,15 +2,7 @@ output_file=output.log -pwd -ls -la - -cd /app -ls -la - -touch output.log && chmod 660 output.log - -ls -la /app +chmod 660 -R /github/file_commands eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file From b6f0e0a88a8f2861aca56bc6690e890eccf01c76 Mon Sep 17 00:00:00 2001 
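Review bot: `chmod 660 -R /github/file_commands` strips the execute (search) bit from the directory itself, so after it runs no process, this script included, can open the `$GITHUB_OUTPUT` and `$GITHUB_STEP_SUMMARY` files inside it, which are exactly the files the script appends to later. Under a Docker action `/github/file_commands` is a bind mount the runner provides at run time (inferred from the variable names; not visible here), so the build-time `mkdir`/`chmod` attempts on it in patches 091–093, 097 and 099–102 operate on a throw-away directory that the mount then hides, and `mkdir -p -m 660` or `-m 666` on a directory has the same missing-search-bit problem. If the mount is not writable for uid 65532, that is decided by the runner's ownership of the mount, and no mode change inside the image can alter it.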
From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 18:18:16 +0100 Subject: [PATCH 091/114] fix --- Dockerfile | 2 ++ entrypoint.sh | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 5125495..f2b84f5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,6 +3,8 @@ FROM checkmarx/dev-tests:latest WORKDIR /app +RUN chmod -R 660 /github/file_commands + # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh COPY --chmod=555 cleanup.sh /app/cleanup.sh diff --git a/entrypoint.sh b/entrypoint.sh index 359107e..8f90115 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -2,7 +2,7 @@ output_file=output.log -chmod 660 -R /github/file_commands +touch output.log && chmod 660 output.log eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file From 45cbef2ceb297aea5a7a2c0dc6dfff3a3e6e5df0 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 18:22:47 +0100 Subject: [PATCH 092/114] try to fix --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index f2b84f5..71a26a1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,8 @@ FROM checkmarx/dev-tests:latest WORKDIR /app -RUN chmod -R 660 /github/file_commands +USER root +RUN mkdir /github/file_commands && chmod -R 660 /github/file_commands # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh From dc4564c6af153e9ee89ce166eba580bc42d3fb2b Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 18:24:41 +0100 Subject: [PATCH 093/114] fix --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/Dockerfile b/Dockerfile index 71a26a1..b4891b8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM checkmarx/dev-tests:latest WORKDIR /app USER root -RUN mkdir /github/file_commands && chmod -R 660 /github/file_commands +RUN mkdir -p -m 660 /github/file_commands # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh From 563367e0732c6e2baaf73db335c977bce6117ace Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 18:25:56 +0100 Subject: [PATCH 094/114] my bad --- entrypoint.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 8f90115..31c005b 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,7 +1,9 @@ #!/bin/bash output_file=output.log - + +cd /app + touch output.log && chmod 660 output.log eval "arr=(${ADDITIONAL_PARAMS})" From 68479daf21956569664c06bbc1f08f1e5af79e41 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 21:03:56 +0100 Subject: [PATCH 095/114] debug --- entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 31c005b..7d214ae 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -14,6 +14,8 @@ scanId=(`grep -E '"(ID)":"((\\"|[^"])*)"' $output_file | cut -d',' -f1 | cut -d' echo "cxcli=$(cat $output_file | tr -d '\r\n')" >> $GITHUB_OUTPUT +ls -la /github/ + if [ -n "$scanId" ] && [ -n "${PR_NUMBER}" ]; then echo "Creating PR decoration for scan ID:" $scanId /app/bin/cx utils pr github --scan-id "${scanId}" --namespace "${NAMESPACE}" --repo-name "${REPO_NAME}" --pr-number "${PR_NUMBER}" --token "${GITHUB_TOKEN}" From 77bc78edf60e23081e393358beb26451744bc9d7 Mon Sep 17 00:00:00 2001 
From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 21:07:23 +0100 Subject: [PATCH 096/114] debug --- entrypoint.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 7d214ae..6fb52e4 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -6,6 +6,10 @@ cd /app touch output.log && chmod 660 output.log +chmod +w -R /github/ +ls -la /github/ + + eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file exitCode=${PIPESTATUS[0]} @@ -14,7 +18,7 @@ scanId=(`grep -E '"(ID)":"((\\"|[^"])*)"' $output_file | cut -d',' -f1 | cut -d' echo "cxcli=$(cat $output_file | tr -d '\r\n')" >> $GITHUB_OUTPUT -ls -la /github/ + if [ -n "$scanId" ] && [ -n "${PR_NUMBER}" ]; then echo "Creating PR decoration for scan ID:" $scanId From 8fc32ac03eaa79cff6fa6e8cc52e52c5d095b5fc Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 21:12:17 +0100 Subject: [PATCH 097/114] debug --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index b4891b8..9718f06 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM checkmarx/dev-tests:latest WORKDIR /app USER root -RUN mkdir -p -m 660 /github/file_commands +RUN mkdir -p -m 660 /github/ # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh From 2593056e5f62ed50a27b94e1a9ed73faad87bf44 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 21:13:40 +0100 Subject: [PATCH 098/114] fix entrypoint --- entrypoint.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 6fb52e4..f89c12f 100644 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -6,7 +6,6 @@ cd /app touch output.log && chmod 660 output.log -chmod +w -R /github/ ls -la /github/ From 9fcfd40344d0d338f208f45a55d7ece706bbb51c Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 21:15:56 +0100 Subject: [PATCH 099/114] test --- Dockerfile | 2 +- entrypoint.sh | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9718f06..6e4e030 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM checkmarx/dev-tests:latest WORKDIR /app USER root -RUN mkdir -p -m 660 /github/ +RUN mkdir -p -m 666 /github/ # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh diff --git a/entrypoint.sh b/entrypoint.sh index f89c12f..43da5c7 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -6,6 +6,7 @@ cd /app touch output.log && chmod 660 output.log +id ls -la /github/ From b6cd417d46811de6bff715ff7df520a1315f55a8 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 21:18:17 +0100 Subject: [PATCH 100/114] test 2 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 6e4e030..328f412 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM checkmarx/dev-tests:latest WORKDIR /app USER root -RUN mkdir -p -m 666 /github/ +RUN mkdir -p /github/ && chmod -R 666 /github/ # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh From 770cbd212b30b63608ec7955026c7fa89a056564 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 21:24:12 +0100 Subject: [PATCH 101/114] test n-1 --- Dockerfile | 2 +- entrypoint.sh | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 328f412..a6c5c89 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -4,7 +4,7 @@ FROM checkmarx/dev-tests:latest WORKDIR /app USER root -RUN mkdir -p /github/ && chmod -R 666 /github/ +RUN mkdir -p /github/ && chown -R 65532:65532 /github/ && chmod -R 666 /github/ # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh diff --git a/entrypoint.sh b/entrypoint.sh index 43da5c7..69e995c 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -7,6 +7,7 @@ cd /app touch output.log && chmod 660 output.log id +ls -la / ls -la /github/ From 2536ab71bab47e183ffa1700288e7b0e734590bc Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 21:45:58 +0100 Subject: [PATCH 102/114] debug --- Dockerfile | 2 +- entrypoint.sh | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index a6c5c89..fd83426 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,7 +4,7 @@ FROM checkmarx/dev-tests:latest WORKDIR /app USER root -RUN mkdir -p /github/ && chown -R 65532:65532 /github/ && chmod -R 666 /github/ +RUN mkdir -p /github/file_commands && chown -R 65532:65532 /github/ && chmod -R 666 /github/ # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh diff --git a/entrypoint.sh b/entrypoint.sh index 69e995c..7ce473e 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -7,6 +7,7 @@ cd /app touch output.log && chmod 660 output.log id +cat /etc/passwd ls -la / ls -la /github/ From 367d179993b187891e7087079752b0d2c3b32977 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 21:48:45 +0100 Subject: [PATCH 103/114] 777 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index fd83426..10180b4 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -4,7 +4,7 @@ FROM checkmarx/dev-tests:latest WORKDIR /app USER root -RUN mkdir -p /github/file_commands && chown -R 65532:65532 /github/ && chmod -R 666 /github/ +RUN mkdir -p /github/file_commands && chown -R 65532:65532 /github/ && chmod -R 777 /github/ # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh From ed8381f22d21585b381750e22de4cd00cc649456 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 21:58:39 +0100 Subject: [PATCH 104/114] debug --- Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 10180b4..e5b3e2e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,8 @@ #Use AST Base image FROM checkmarx/dev-tests:latest -WORKDIR /app - USER root -RUN mkdir -p /github/file_commands && chown -R 65532:65532 /github/ && chmod -R 777 /github/ +RUN mkdir -p /github/file_commands && chmod -R 777 /github/ # Copy the entrypoint script and properties used for the action COPY --chmod=555 entrypoint.sh /app/entrypoint.sh From b0b40cae4c5e8b844d92b5d055efb9d36d5f4ac7 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 21:59:55 +0100 Subject: [PATCH 105/114] 777 x2 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index e5b3e2e..f5e98c5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -5,7 +5,7 @@ USER root RUN mkdir -p /github/file_commands && chmod -R 777 /github/ # Copy the entrypoint script and properties used for the action -COPY --chmod=555 entrypoint.sh /app/entrypoint.sh -COPY --chmod=555 cleanup.sh /app/cleanup.sh +COPY --chmod=777 entrypoint.sh /app/entrypoint.sh +COPY --chmod=777 cleanup.sh /app/cleanup.sh USER 65532 \ No newline at end of file From c2c30cacf4aa12ab448e97149c165285c532a0a4 Mon Sep 17 00:00:00 2001 
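Review bot: `COPY --chmod=777 entrypoint.sh` and `COPY --chmod=777 cleanup.sh` in the PATCH 105 hunk make the action's two scripts writable by every user in the container, so any process running there could rewrite the code that executes as the entrypoint; scripts need only read and execute for their runner, which the `--chmod=555` being replaced already provided, and the image still ends with `USER 65532`, so the extra bits buy nothing. `chmod -R 777 /github/` in the PATCH 103 and 104 hunks on this line has the same world-writable problem. PATCHes 108 and 109 later restore 555 and then 500, so the 777 state should not survive a squash.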
From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 22:01:26 +0100 Subject: [PATCH 106/114] debug --- entrypoint.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/entrypoint.sh b/entrypoint.sh index 7ce473e..2392d56 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -8,7 +8,7 @@ touch output.log && chmod 660 output.log id cat /etc/passwd -ls -la / + ls -la /github/ @@ -18,6 +18,8 @@ exitCode=${PIPESTATUS[0]} scanId=(`grep -E '"(ID)":"((\\"|[^"])*)"' $output_file | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) +ls -la /app + echo "cxcli=$(cat $output_file | tr -d '\r\n')" >> $GITHUB_OUTPUT From d6bdd7cf78065b1deff9824a9314f6eb37b6234a Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 22:14:45 +0100 Subject: [PATCH 107/114] final commit --- Dockerfile | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index f5e98c5..0dc4264 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,11 +1,8 @@ #Use AST Base image FROM checkmarx/dev-tests:latest -USER root -RUN mkdir -p /github/file_commands && chmod -R 777 /github/ - # Copy the entrypoint script and properties used for the action -COPY --chmod=777 entrypoint.sh /app/entrypoint.sh -COPY --chmod=777 cleanup.sh /app/cleanup.sh +COPY entrypoint.sh /app/entrypoint.sh +COPY cleanup.sh /app/cleanup.sh -USER 65532 \ No newline at end of file +USER root \ No newline at end of file From eddfb00bb0b19493eaaef1abb673de21d8ffacf2 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 22:15:46 +0100 Subject: [PATCH 108/114] add execute permissions --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0dc4264..9e69c5f 100644 --- a/Dockerfile +++ b/Dockerfile 
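Review bot: `USER root` replacing `USER 65532` in the PATCH 107 Dockerfile hunk raises the privilege of the whole scan container without a comment stating why it is required; GitHub's Docker-action contract (the workspace is mounted for the default root user) is presumably the reason, and PATCH 110 later adds `# Docker actions must be run by the default Docker user (root).`, so the two commits should be squashed so the rationale travels with the change. The same hunk also drops `--chmod=555` from both `COPY` lines, which leaves the scripts' execute bit dependent on the mode git stored for them; PATCH 108 restores the flag, which again argues for squashing.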
@@ -2,7 +2,7 @@ FROM checkmarx/dev-tests:latest # Copy the entrypoint script and properties used for the action -COPY entrypoint.sh /app/entrypoint.sh -COPY cleanup.sh /app/cleanup.sh +COPY --chmod=555 entrypoint.sh /app/entrypoint.sh +COPY --chmod=555 cleanup.sh /app/cleanup.sh USER root \ No newline at end of file From 8213ba6a1844277ff7280e517ae1ef4bd3d36bca Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 22:16:19 +0100 Subject: [PATCH 109/114] add exec perm --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9e69c5f..9057545 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ FROM checkmarx/dev-tests:latest # Copy the entrypoint script and properties used for the action -COPY --chmod=555 entrypoint.sh /app/entrypoint.sh -COPY --chmod=555 cleanup.sh /app/cleanup.sh +COPY --chmod=500 entrypoint.sh /app/entrypoint.sh +COPY --chmod=500 cleanup.sh /app/cleanup.sh USER root \ No newline at end of file From 6f8133cc965b4cfc0c755e586d095b8649e5eef7 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 22:39:24 +0100 Subject: [PATCH 110/114] restore everthing --- Dockerfile | 5 +++-- entrypoint.sh | 16 +--------------- 2 files changed, 4 insertions(+), 17 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9057545..94111ed 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,9 @@ -#Use AST Base image -FROM checkmarx/dev-tests:latest +# Use AST Base image +FROM checkmarx/ast-cli:2.2.7 # Copy the entrypoint script and properties used for the action COPY --chmod=500 entrypoint.sh /app/entrypoint.sh COPY --chmod=500 cleanup.sh /app/cleanup.sh +# Docker actions must be run by the default Docker user (root). USER root \ No newline at end of file diff --git a/entrypoint.sh b/entrypoint.sh index 2392d56..53e7dfd 100644 --- a/entrypoint.sh +++ b/entrypoint.sh 
@@ -1,16 +1,6 @@ #!/bin/bash -output_file=output.log - -cd /app - -touch output.log && chmod 660 output.log - -id -cat /etc/passwd - -ls -la /github/ - +output_file=./app/output.log eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file @@ -18,12 +8,8 @@ exitCode=${PIPESTATUS[0]} scanId=(`grep -E '"(ID)":"((\\"|[^"])*)"' $output_file | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) -ls -la /app - echo "cxcli=$(cat $output_file | tr -d '\r\n')" >> $GITHUB_OUTPUT - - if [ -n "$scanId" ] && [ -n "${PR_NUMBER}" ]; then echo "Creating PR decoration for scan ID:" $scanId /app/bin/cx utils pr github --scan-id "${scanId}" --namespace "${NAMESPACE}" --repo-name "${REPO_NAME}" --pr-number "${PR_NUMBER}" --token "${GITHUB_TOKEN}" From c01aac762b8e512780fcbcd6c22d8026f4660858 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 22:43:53 +0100 Subject: [PATCH 111/114] add sha --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 94111ed..5a63405 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,5 @@ # Use AST Base image -FROM checkmarx/ast-cli:2.2.7 +FROM checkmarx/ast-cli:2.2.8@sha256:6bdb2d0b18246ca1a269de2860938313ea14ca2d6e443c953c84fbac9ee5df85 # Copy the entrypoint script and properties used for the action COPY --chmod=500 entrypoint.sh /app/entrypoint.sh From abf24879f192c3c6e6dc6b6a839ce57ef5f8543b Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 22:44:02 +0100 Subject: [PATCH 112/114] create output file --- entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/entrypoint.sh b/entrypoint.sh index 53e7dfd..ec47aef 100644 --- a/entrypoint.sh +++ b/entrypoint.sh 
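Review bot: `output_file=./app/output.log` in the PATCH 110 entrypoint.sh hunk is relative to the container's working directory, which for a Docker action is presumably the mounted workspace rather than `/app`, so unless the checked-out repository happens to contain an `app/` directory `tee -i` cannot create the file and the later `grep ... $output_file` yields an empty `scanId`, silently skipping PR decoration; the removed `cd /app` plus `output.log` did not have that dependency. PATCH 112 adds `touch $output_file`, which fails the same way, and PATCH 113 changes the path to `./output.log`; whichever location is kept, an absolute path (or one built from `${GITHUB_WORKSPACE}`) would make the assumption explicit. The `eval "arr=(${ADDITIONAL_PARAMS})"` context line predates this change, but it means the action input is executed as shell, so it has to be treated as trusted configuration rather than data. The script continues outside this hunk.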
@@ -2,6 +2,8 @@ output_file=./app/output.log +touch $output_file + eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file exitCode=${PIPESTATUS[0]} From 3937734e2c33f090b4861cba75649efaed898203 Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 22:46:28 +0100 Subject: [PATCH 113/114] fix --- cleanup.sh | 2 +- entrypoint.sh | 4 +--- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/cleanup.sh b/cleanup.sh index f10e62a..05d9dec 100644 --- a/cleanup.sh +++ b/cleanup.sh @@ -1,6 +1,6 @@ #!/bin/bash -cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./app/output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) +cancelId=(`grep -E '"(ID)":"((\\"|[^"])*)"' ./output.log | cut -d',' -f1 | cut -d':' -f2 | tr -d '"'`) if [ -z "$cancelId" ] then diff --git a/entrypoint.sh b/entrypoint.sh index ec47aef..dc7f9f9 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,8 +1,6 @@ #!/bin/bash -output_file=./app/output.log - -touch $output_file +output_file=./output.log eval "arr=(${ADDITIONAL_PARAMS})" /app/bin/cx scan create --project-name "${PROJECT_NAME}" -s "." --branch "${BRANCH#refs/heads/}" --scan-info-format json --agent "Github Action" "${arr[@]}" | tee -i $output_file From 576c98f279e7e155ba5324020a3ce6874ff69c2a Mon Sep 17 00:00:00 2001 From: Andre Macedo <149069722+amacedoo@users.noreply.github.com> Date: Thu, 26 Sep 2024 22:54:34 +0100 Subject: [PATCH 114/114] update cxone scan --- .github/workflows/checkmarx-one-scan.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/checkmarx-one-scan.yml b/.github/workflows/checkmarx-one-scan.yml index 0e3b3e6..adda840 100644 --- a/.github/workflows/checkmarx-one-scan.yml +++ b/.github/workflows/checkmarx-one-scan.yml 
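Review bot: `output_file=./output.log` in the PATCH 113 entrypoint.sh hunk, matched by `./output.log` in cleanup.sh, writes the CLI log into the checked-out workspace — presumably because that is the only directory shared between the main and post-step containers — which likely places it inside the tree passed to `-s "."` and, with the container running as root since PATCH 107, leaves it behind root-owned for later steps in the same job. If that trade-off is intentional, record it, e.g. `# kept in the workspace so cleanup.sh (post step) can read it`, and consider a less generic name such as `./cx-scan-output.log` so a repository file of the same name is not clobbered. Both scripts continue outside these hunks.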
@@ -1,18 +1,25 @@ name: Checkmarx One Scan -on: [ pull_request, workflow_dispatch ] +on: + workflow_dispatch: + pull_request: + push: + branches: + - main + schedule: + - cron: '00 7 * * *' # Every day at 07:00 jobs: cx-scan: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4.1.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Checkmarx One CLI Action - uses: checkmarx/ast-github-action@1fe318de2993222574e6249750ba9000a4e2a6cd #main + uses: checkmarx/ast-github-action@9fda5a4a2c297608117a5a56af424502a9192e57 # v.2.0.34 with: base_uri: ${{ secrets.AST_RND_SCANS_BASE_URI }} cx_tenant: ${{ secrets.AST_RND_SCANS_TENANT }} cx_client_id: ${{ secrets.AST_RND_SCANS_CLIENT_ID }} cx_client_secret: ${{ secrets.AST_RND_SCANS_CLIENT_SECRET }} - additional_params: --tags phoenix --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;" --debug \ No newline at end of file + additional_params: --tags phoenix --threshold "sast-critical=1;sast-high=1;sast-medium=1;sast-low=1;sca-critical=1;sca-high=1;sca-medium=1;sca-low=1;iac-security-critical=1;iac-security-high=1;iac-security-medium=1;iac-security-low=1;" \ No newline at end of file
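Review bot: The workflow still declares no `permissions:` block, so with the new `push` and `schedule` triggers the job runs on trusted refs with the repository's default GITHUB_TOKEN scope; add a top-level `permissions:` with `contents: read`, adding `pull-requests: write` only if the action's PR decoration is confirmed to need it. The move to SHA-pinned `uses:` with a version comment is the right pattern, but `# v.2.0.34` has a stray dot and should read `# v2.0.34`, and neither comment-to-SHA mapping can be verified from the diff, so both should be checked against the upstream tags. `pull_request` runs triggered from forks receive no repository secrets, so the `cx_client_secret`-based scan will fail on fork PRs; if that is expected, a comment or an `if:` guard on the job would document it.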