diff --git a/.github/workflows/scan-test.yml b/.github/workflows/scan-test.yml
index 7dbeb245..79f0b7ba 100644
--- a/.github/workflows/scan-test.yml
+++ b/.github/workflows/scan-test.yml
@@ -15,85 +15,6 @@ permissions: id-token: write # Required for OIDC jobs: - azure-devops-pipelines: - name: Azure DevOps Pipelines - runs-on: ubuntu-latest - # Run on pull_request for same-repo PRs, pull_request_target for fork PRs - if: | - (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) || - (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository) - steps: - - name: Azure Login (OIDC) - uses: azure/login@v2 - with: - client-id: ${{ secrets.BOOST_SCAN_RUNNER_ADO_CLIENT_ID }} - tenant-id: ${{ secrets.BOOST_SCAN_RUNNER_ADO_TENANT_ID }} - allow-no-subscriptions: true - - name: Get Azure DevOps Token - id: azure-token - run: | - token=$(az account get-access-token \ - --resource 499b84ac-1321-427f-aa17-267ca6975798 \ - --query accessToken -o tsv) - echo "token=$token" >> $GITHUB_OUTPUT - echo "::add-mask::$token" - - name: Checkout scanner registry - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Need full history to detect changes - ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} - - name: Run Tests - uses: boostsecurityio/scan-test-action@b61411c3651a93be06e3f31490ff6a94e901ae00 - with: - provider: azure-devops - provider-config: | - { - "token": "${{ steps.azure-token.outputs.token }}", - "organization": "BoostSecurity", - "project": "cicd-tools", - "pipeline_id": 1 - } - registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}" - base-ref: "${{ github.base_ref }}" - fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image" - bitbucket-action: - name: Bitbucket Pipelines - runs-on: ubuntu-latest - # Run on pull_request for same-repo PRs, pull_request_target for fork PRs - if: | - (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) || - (github.event_name == 'pull_request_target' && 
github.event.pull_request.head.repo.full_name != github.repository) - steps: - - name: Generate Bitbucket OAuth Token - id: bitbucket-token - run: | - response=$(curl -s -X POST \ - "https://bitbucket.org/site/oauth2/access_token" \ - -u "${{ secrets.BOOST_SCAN_RUNNER_BITBUCKET_CLIENT_ID }}:${{ secrets.BOOST_SCAN_RUNNER_BITBUCKET_CLIENT_SECRET }}" \ - -d "grant_type=client_credentials") - - token=$(echo "$response" | jq -r '.access_token') - echo "token=$token" >> $GITHUB_OUTPUT - echo "::add-mask::$token" - - name: Checkout scanner registry - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Need full history to detect changes - ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }} - - name: Run Tests - uses: boostsecurityio/scan-test-action@b61411c3651a93be06e3f31490ff6a94e901ae00 - with: - provider: bitbucket - provider-config: | - { - "token": "${{ steps.bitbucket-token.outputs.token }}", - "workspace": "boostsecurityio", - "repo_slug": "scan-test-runner-bitbucket-pipelines" - } - registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}" - base-ref: "${{ github.base_ref }}" - fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image" - github-action: name: Github Actions runs-on: ubuntu-latest 
@@ -124,34 +45,8 @@ jobs:
 "token": "${{ steps.github-token.outputs.token }}",
 "owner": "boostsecurityio",
 "repo": "scan-test-runner-gitbub-actions",
- "workflow_id": "test-scanner.yml"
- }
- registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}"
- base-ref: "${{ github.base_ref }}"
- fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image"
-
- gitlab-ci:
- name: Gitlab-CI
- runs-on: ubuntu-latest
- # Run on pull_request for same-repo PRs, pull_request_target for fork PRs
- if: |
- (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
- (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
- steps:
- - name: Checkout scanner registry
- uses: actions/checkout@v4
- with:
- fetch-depth: 0 # Need full history to detect changes
- ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || '' }}
- - name: Run Tests
- uses: boostsecurityio/scan-test-action@b61411c3651a93be06e3f31490ff6a94e901ae00
- with:
- provider: gitlab-ci
- provider-config: |
- {
- "trigger_token": "${{ secrets.BOOST_SCAN_RUNNER_GITLAB_TRIGGER_TOKEN }}",
- "api_token": "${{ secrets.BOOST_SCAN_RUNNER_GITLAB_READ_TOKEN }}",
- "project_id": "boostsecurityio/scan-test-runner-gitlab-ci"
+ "workflow_id": "test-scanner.yml",
+ "ref": "BST-17994-fix-main-branch-detection"
 }
 registry-repo: "${{ github.repository_owner }}/${{ github.event.repository.name }}"
 base-ref: "${{ github.base_ref }}"
diff --git a/scanners/boostsecurityio/composition/tests.yaml b/scanners/boostsecurityio/composition/tests.yaml
new file mode 100644
index 00000000..fca4a333
--- /dev/null
+++ b/scanners/boostsecurityio/composition/tests.yaml
@@ -0,0 +1,7 @@
+version: "1.0"
+tests:
+ - name: "hounddog-test-healthcare"
+ type: "source-code"
+ source:
+ url: "https://github.com/hounddogai/hounddog-test-healthcare-app.git"
+ ref: "main"
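Review bot: The added `"ref": "BST-17994-fix-main-branch-detection"` in the github-action provider-config dispatches test-scanner.yml from a ticket branch of the scan-test-runner-gitbub-actions repo, and nothing in the file marks that as temporary, so once the branch is merged and deleted every run of this job will fail to dispatch. If the pin is needed until the fix lands, put `# TODO: drop "ref" once BST-17994 is merged in scan-test-runner-gitbub-actions` above the `provider-config:` key (not inside the block scalar, where it would become part of the JSON), or read the ref from a repository variable so the steady state needs no further edit here. It also means whatever is pushed to that feature branch — which is presumably not protected the way the default branch is — is what executes each time this workflow runs; the default branch or a tag is the safer resting point. With the Azure OIDC login removed in the first hunk, `permissions: id-token: write` may no longer have a consumer; the github-token step is outside this hunk, so confirm whether it still relies on OIDC before dropping it. The github-action job itself starts before this hunk.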
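Review bot: `ref: "main"` on the hounddog-test-healthcare source pins the fixture to a moving branch of a third-party repository, so what this test feeds the scanner can change without any commit here, which makes a failure hard to bisect and lets an upstream change alter the expected scan results. Pin to a tag or, if `source.ref` accepts one, a commit SHA, as `scanners/boostsecurityio/npm-audit/tests.yaml` in this same commit does with `ref: "v3.2.1"` (a SHA is firmer still, since tags can be moved). If tracking `main` is deliberate because the fixture repo is maintained alongside this one, a comment `# intentionally tracks upstream main` above the `ref:` line would record that.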
diff --git a/scanners/boostsecurityio/npm-audit/tests.yaml b/scanners/boostsecurityio/npm-audit/tests.yaml
new file mode 100644
index 00000000..9dfbff04
--- /dev/null
+++ b/scanners/boostsecurityio/npm-audit/tests.yaml
@@ -0,0 +1,7 @@
+version: "1.0"
+tests:
+ - name: "docusaurus"
+ type: "source-code"
+ source:
+ url: "https://github.com/facebook/docusaurus.git"
+ ref: "v3.2.1"