From cc490bf549d9142cb3a6007f78864dab3bf8c788 Mon Sep 17 00:00:00 2001
From: "Tobias.Mikula"
Date: Thu, 27 Nov 2025 11:39:17 +0100
Subject: [PATCH 1/8] Test of AquaSec API
---
 .github/workflows/trivy_repository_scan.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/trivy_repository_scan.yml b/.github/workflows/trivy_repository_scan.yml
index dfe3a26..a030b1b 100644
--- a/.github/workflows/trivy_repository_scan.yml
+++ b/.github/workflows/trivy_repository_scan.yml
@@ -30,7 +30,11 @@ jobs:
 trivy fs . \
 --format sarif \
 --scanners vuln,secret,misconfig,license \
+ --sast \
 --output trivy_repository_report.sarif
+ env:
+ AQUA_KEY: ${{ secrets.AQUA_KEY }}
+ AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
 - name: Upload SARIF to GitHub Security Hub
 uses: github/codeql-action/upload-sarif@v4
From 345b1afcb18962a4d409e17d3c69be70a61f9267 Mon Sep 17 00:00:00 2001
From: "Tobias.Mikula"
Date: Thu, 27 Nov 2025 14:45:40 +0100
Subject: [PATCH 2/8] Test of AquaSec API
---
 .github/workflows/aquasec_repository_scan.yml | 79 ++++++++++
 .github/workflows/trivy_repository_scan.yml | 147 ------------------
 2 files changed, 79 insertions(+), 147 deletions(-)
 create mode 100644 .github/workflows/aquasec_repository_scan.yml
 delete mode 100644 .github/workflows/trivy_repository_scan.yml
diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml
new file mode 100644
index 0000000..078a94f
--- /dev/null
+++ b/.github/workflows/aquasec_repository_scan.yml
@@ -0,0 +1,79 @@
+name: AquaSec Full Repository Scan
+
+on:
+ workflow_dispatch:
+ pull_request:
+ types: [ opened, synchronize ]
+
+permissions:
+ contents: read
+ issues: write
+ pull-requests: write
+ security-events: write
+
+jobs:
+ aquasec:
+ name: AquaSec Full Repository Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v5
+ with:
+ persist-credentials: false
+ fetch-depth: 0
+
+ - name: Retrieve AquaSec Scan Results
+ env:
+ AQUA_KEY: ${{ secrets.AQUA_KEY }}
+ AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
+ run: |
+ echo "=== Authenticating with AquaSec ==="
+
+ TIMESTAMP=$(date +%s)
+ AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens"
+ METHOD="POST"
+ POST_BODY='{"validity":240,"allowed_endpoints":["GET"]}'
+ STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}"
+ SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g')
+
+ AUTH_RESPONSE=$(curl -s -X POST "$AUTH_ENDPOINT" \
+ -H "Content-Type: application/json" \
+ -H "X-API-Key: $AQUA_KEY" \
+ -H "X-Timestamp: $TIMESTAMP" \
+ -H "X-Signature: $SIGNATURE" \
+ -d "$POST_BODY")
+
+ RESPONSE_STATUS=$(echo AUTH_RESPONSE | jq -r '.status')
+
+ if [ $RESPONSE_STATUS -eq 200 ]; then
+ echo "Login successful."
+ BEARER_TOKEN=$(echo $AUTH_RESPONSE | jq -r '.data')
+ else
+ echo "Login failed. 
Status: $AUTH_RESPONSE"
+ exit 1
+ fi
+
+ echo "=== Getting Repository ID from GitHub ==="
+
+ REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id')
+
+ if [ -z "$REPO_ID" ] || [ "$REPO_ID" == "null" ]; then
+ echo "Failed to get repository ID from GitHub"
+ exit 1
+ fi
+
+ echo "=== Receiving AquaSec Scan Results ==="
+
+ SCAN_RESULTS_ENDPOINT="https://eu-central-1.edge.cloud.aquasec.com/codesec/api/v1/scans/results"
+ SCAN_RESULTS=$(curl -s -X GET \
+ "$SCAN_RESULTS_ENDPOINT?repositoryIds=$REPO_ID" \
+ -H "Authorization: Bearer $BEARER_TOKEN" \
+ -H "Accept: application/json")
+
+ if [ -z "$SCAN_RESULTS" ]; then
+ echo "Failed to retrieve scan results"
+ exit 1
+ fi
+
+ echo "=== Scan Results ==="
+ echo "$SCAN_RESULTS" | jq '.'
diff --git a/.github/workflows/trivy_repository_scan.yml b/.github/workflows/trivy_repository_scan.yml
deleted file mode 100644
index a030b1b..0000000
--- a/.github/workflows/trivy_repository_scan.yml
+++ /dev/null
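Review bot: The `permissions` block grants `issues: write`, `pull-requests: write` and `security-events: write`, but no step in the job writes to issues, pull requests or the security tab — the only output is `echo "$SCAN_RESULTS" | jq '.'` into the job log — so the job token should be scoped to `contents: read` alone until a step that needs more is added. The repository id is fetched with an unauthenticated `curl` to api.github.com, which is rate-limited and returns no `id` for a private repository; the runner already has the value, so `REPO_ID="${{ github.repository_id }}"` (preferably passed through `env:` rather than interpolated into `run:`) removes that call entirely. `curl -s` without a failure option returns the server's error body on a 4xx/5xx, so the `[ -z "$SCAN_RESULTS" ]` guard never fires on an HTTP failure and the job prints the error JSON as if it were results; `curl -sS --fail-with-body` (or an explicit status-code check) on both API calls fixes this. The full scan findings are also written to a log visible to everyone who can read the repository's Actions output; an artifact or SARIF upload would keep them scoped to those who need them.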
@@ -1,147 +0,0 @@ -name: Trivy Full Repository Scan - -on: - workflow_dispatch: - pull_request: - types: [ opened, synchronize ] - -permissions: - contents: read - issues: write - pull-requests: write - security-events: write - -jobs: - trivy: - name: Trivy Full Repository Scan - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v5 - with: - persist-credentials: false - fetch-depth: 0 - - - name: Setup Trivy - uses: aquasecurity/setup-trivy@v0.2.4 - - - name: Run Trivy filesystem scan - run: | - trivy fs . \ - --format sarif \ - --scanners vuln,secret,misconfig,license \ - --sast \ - --output trivy_repository_report.sarif - env: - AQUA_KEY: ${{ secrets.AQUA_KEY }} - AQUA_SECRET: ${{ secrets.AQUA_SECRET }} - - - name: Upload SARIF to GitHub Security Hub - uses: github/codeql-action/upload-sarif@v4 - with: - sarif_file: trivy_repository_report.sarif - - - name: Create scan summary table - id: scan_summary_table - run: | - python <<'PY' - import os - import json - import sys - from collections import defaultdict, Counter - - SARIF_PATH = "trivy_repository_report.sarif" - SEVERITIES = ["CRITICAL", "HIGH", "MEDIUM", "LOW"] - CATEGORIES = ["vulnerability", "secret", "misconfiguration", "license"] - - try: - # Parse results from SARIF - with open(SARIF_PATH, "r", encoding="utf-8") as f: - sarif = json.load(f) - - # Validate SARIF structure - if "runs" not in sarif or not sarif["runs"]: - raise ValueError("SARIF file contains no runs") - - run = sarif["runs"][0] - if "tool" not in run or "driver" not in run["tool"]: - raise ValueError("SARIF structure missing expected tool/driver keys") - - rules = run["tool"]["driver"].get("rules", []) - results = run.get("results", []) - category_severity_counts = defaultdict(Counter) - - except (IOError, json.JSONDecodeError, KeyError, ValueError) as e: - print(f"Error processing SARIF file: {e}", file=sys.stderr) - sys.exit(1) - - # Count results by category and severity - for result in results: - 
try: - rule_idx = result.get("ruleIndex") - if rule_idx is None or rule_idx >= len(rules): - continue - rule = rules[rule_idx] - tags = rule.get("properties", {}).get("tags", []) - # Find category and severity - category = next((c for c in CATEGORIES if c in tags), None) - severity = next((s for s in SEVERITIES if s in tags), None) - if category and severity: - category_severity_counts[category][severity] += 1 - except (KeyError, IndexError, TypeError) as e: - print(f"Warning: Error processing result: {e}", file=sys.stderr) - continue - - # Build Markdown summary table - headers = ["TRIVY"] + SEVERITIES + ["TOTAL"] - summary_table = "| " + " | ".join(headers) + " |\n" - summary_table += "|---|---|---|---|---|---|\n" - - # Rows with counts for each category - total_severity = Counter() - total_all = 0 - for category in CATEGORIES: - row = [category] - category_total = 0 - for severity in SEVERITIES: - count = category_severity_counts[category][severity] - row.append(str(count)) - total_severity[severity] += count - category_total += count - row.append(f"**{category_total}**") - total_all += category_total - summary_table += "| " + " | ".join(row) + " |\n" - - total_row = ["**➡️ Total**"] + [f"**{total_severity[sev]}**" for sev in SEVERITIES] + [f"**{total_all}**"] - summary_table += "| " + " | ".join(total_row) + " |" - - # Set summary table output - try: - if "GITHUB_OUTPUT" in os.environ: - with open(os.environ["GITHUB_OUTPUT"], "a", encoding="utf-8") as f: - f.write("table< Date: Thu, 27 Nov 2025 14:57:43 +0100 Subject: [PATCH 3/8] Test of AquaSec API --- .github/workflows/aquasec_repository_scan.yml | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml index 078a94f..41783ad 100644 --- a/.github/workflows/aquasec_repository_scan.yml +++ b/.github/workflows/aquasec_repository_scan.yml 
@@ -28,7 +28,7 @@ jobs:
 AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
 run: |
 echo "=== Authenticating with AquaSec ==="
-
+
 TIMESTAMP=$(date +%s)
 AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens"
 METHOD="POST"
@@ -42,22 +42,23 @@ jobs:
 -H "X-Timestamp: $TIMESTAMP" \
 -H "X-Signature: $SIGNATURE" \
 -d "$POST_BODY")
-
- RESPONSE_STATUS=$(echo AUTH_RESPONSE | jq -r '.status')
- if [ $RESPONSE_STATUS -eq 200 ]; then
- echo "Login successful."
- BEARER_TOKEN=$(echo $AUTH_RESPONSE | jq -r '.data')
+ RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status')
+
+ if [ "$RESPONSE_STATUS" = "200" ]; then
+ echo "Login successful."
+ BEARER_TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data')
+ echo "::add-mask::$BEARER_TOKEN"
 else
- echo "Login failed. Status: $AUTH_RESPONSE"
- exit 1
+ echo "Login failed"
+ exit 1
 fi
 echo "=== Getting Repository ID from GitHub ==="
 REPO_ID=$(curl -s "https://api.github.com/repos/${{ github.repository }}" | jq -r '.id')
- if [ -z "$REPO_ID" ] || [ "$REPO_ID" == "null" ]; then
+ if [ -z "$REPO_ID" ] || [ "$REPO_ID" = "null" ]; then
 echo "Failed to get repository ID from GitHub"
 exit 1
 fi
@@ -76,4 +77,4 @@ jobs:
 fi
 echo "=== Scan Results ==="
- echo "$SCAN_RESULTS" | jq '.'
+ echo "$SCAN_RESULTS" | jq '.'
\ No newline at end of file
From 66f5c8959d611a5e083cbf7a47cea82ddbd6d27d Mon Sep 17 00:00:00 2001
From: "Tobias.Mikula"
Date: Thu, 27 Nov 2025 15:01:55 +0100
Subject: [PATCH 4/8] AquaSec workflow fix
---
 .github/workflows/aquasec_repository_scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml
index 41783ad..d213ac3 100644
--- a/.github/workflows/aquasec_repository_scan.yml
+++ b/.github/workflows/aquasec_repository_scan.yml
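Review bot: After the `= "200"` check passes, `BEARER_TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data')` is never validated: if `.data` is absent or the token sits elsewhere in the response, `jq -r` yields the literal `null`, `::add-mask::null` then masks the word "null" in every later log line, and the results request goes out with `Authorization: Bearer null`. Add `if [ -z "$BEARER_TOKEN" ] || [ "$BEARER_TOKEN" = "null" ]; then echo "Login succeeded but no token in response"; exit 1; fi` before the mask line, mirroring the `REPO_ID` check further down. Dropping the response body from the failure message is the right call, but `echo "Login failed (status: $RESPONSE_STATUS)"` keeps a diagnostic without echoing anything sensitive. The third hunk also strips the file's trailing newline (`\ No newline at end of file`), which looks accidental. The `run: |` step this hunk edits begins before the hunk.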
@@ -30,7 +30,7 @@ jobs:
 echo "=== Authenticating with AquaSec ==="
 TIMESTAMP=$(date +%s)
- AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens"
+ AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/"
 METHOD="POST"
 POST_BODY='{"validity":240,"allowed_endpoints":["GET"]}'
 STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}"
From 77f0e240b2ff7b5835957d4ce9be2ffcfcb65a07 Mon Sep 17 00:00:00 2001
From: "Tobias.Mikula"
Date: Thu, 27 Nov 2025 15:15:52 +0100
Subject: [PATCH 5/8] AquaSec workflow fix
---
 .github/workflows/aquasec_repository_scan.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml
index d213ac3..4494099 100644
--- a/.github/workflows/aquasec_repository_scan.yml
+++ b/.github/workflows/aquasec_repository_scan.yml
@@ -29,14 +29,14 @@ jobs:
 run: |
 echo "=== Authenticating with AquaSec ==="
- TIMESTAMP=$(date +%s)
+ TIMESTAMP=$(date -u +%s)
 AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/"
 METHOD="POST"
- POST_BODY='{"validity":240,"allowed_endpoints":["GET"]}'
+ POST_BODY='{"validity":240,"allowed_endpoints":["GET","POST"]}'
 STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}"
 SIGNATURE=$(echo -n "$STRING_TO_SIGN" | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex | sed 's/.*= //g')
- AUTH_RESPONSE=$(curl -s -X POST "$AUTH_ENDPOINT" \
+ AUTH_RESPONSE=$(curl -s -X "$METHOD" "$AUTH_ENDPOINT" \
 -H "Content-Type: application/json" \
 -H "X-API-Key: $AQUA_KEY" \
 -H "X-Timestamp: $TIMESTAMP" \
From 2713be6af852c44273f4a21f5cbcee2b2baa162c Mon Sep 17 00:00:00 2001
From: "Tobias.Mikula"
Date: Thu, 27 Nov 2025 15:24:46 +0100
Subject: [PATCH 6/8] AquaSec workflow fix
---
 .github/workflows/aquasec_repository_scan.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml
index 4494099..f3d166d 100644
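Review bot: `AUTH_ENDPOINT` is changed to `https://eu-1.api.cloudsploit.com/` while `STRING_TO_SIGN` two lines below still signs the path `/v2/tokens`, so the request URL and the signed path no longer agree; an HMAC request signature is only valid for the path it was computed over, so the server will presumably reject it once the path differs. The same line is rewritten again in patches 6, 7 and 8 (the last one leaves `https://eu-1.api.cloudsploit.com` with no path at all), which suggests the URL and the signed path should be derived from one value rather than maintained separately: `API_BASE="https://eu-1.api.cloudsploit.com"`, `TOKEN_PATH="/v2/tokens"`, then `STRING_TO_SIGN="${TIMESTAMP}${METHOD}${TOKEN_PATH}${POST_BODY}"` and `curl ... "${API_BASE}${TOKEN_PATH}"`. The `run: |` step containing this line starts and ends outside the hunk.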
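Review bot: `POST_BODY` now requests a token with `allowed_endpoints` `["GET","POST"]`, but the only use of that token in this step is the GET to `$SCAN_RESULTS_ENDPOINT` further down, so widening it to POST gains nothing and enlarges what a leaked or logged token could do; keep `["GET"]` until a write call actually exists. The `validity` of 240 is similarly generous for a single job step, though the unit is not visible here — confirm against the API before shortening it. `date -u +%s` is equivalent to `date +%s` because epoch seconds do not depend on the timezone, so that line is not a functional change. The step this hunk edits starts and ends outside the hunk.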
--- a/.github/workflows/aquasec_repository_scan.yml
+++ b/.github/workflows/aquasec_repository_scan.yml
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@v6
 with:
 persist-credentials: false
 fetch-depth: 0
@@ -28,9 +28,9 @@ jobs:
 AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
 run: |
 echo "=== Authenticating with AquaSec ==="
-
+
 TIMESTAMP=$(date -u +%s)
- AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/"
+ AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens"
 METHOD="POST"
 POST_BODY='{"validity":240,"allowed_endpoints":["GET","POST"]}'
 STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}"
From 83308262330f55c1659a5b220575c4bf5736d4f4 Mon Sep 17 00:00:00 2001
From: "Tobias.Mikula"
Date: Thu, 27 Nov 2025 15:26:45 +0100
Subject: [PATCH 7/8] AquaSec workflow fix
---
 .github/workflows/aquasec_repository_scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml
index f3d166d..d615f6b 100644
--- a/.github/workflows/aquasec_repository_scan.yml
+++ b/.github/workflows/aquasec_repository_scan.yml
@@ -30,7 +30,7 @@ jobs:
 echo "=== Authenticating with AquaSec ==="
 TIMESTAMP=$(date -u +%s)
- AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com/v2/tokens"
+ AUTH_ENDPOINT="https://api.cloudsploit.com/v2/tokens"
 METHOD="POST"
 POST_BODY='{"validity":240,"allowed_endpoints":["GET","POST"]}'
 STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}"
From 8d1b523cf01898522500309c5c052ce1adc66419 Mon Sep 17 00:00:00 2001
From: "Tobias.Mikula"
Date: Thu, 27 Nov 2025 15:28:56 +0100
Subject: [PATCH 8/8] AquaSec workflow fix
---
 .github/workflows/aquasec_repository_scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/aquasec_repository_scan.yml b/.github/workflows/aquasec_repository_scan.yml
index d615f6b..b17def9 100644
--- a/.github/workflows/aquasec_repository_scan.yml
+++ b/.github/workflows/aquasec_repository_scan.yml
@@ -30,7 +30,7 @@ jobs:
 echo "=== Authenticating with AquaSec ==="
 TIMESTAMP=$(date -u +%s)
- AUTH_ENDPOINT="https://api.cloudsploit.com/v2/tokens"
+ AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com"
 METHOD="POST"
 POST_BODY='{"validity":240,"allowed_endpoints":["GET","POST"]}'
 STRING_TO_SIGN="${TIMESTAMP}${METHOD}/v2/tokens${POST_BODY}"