Backend optimization

.dockerignore

@@ -4,15 +4,17 @@
 .mypy_cache
 .scannerwork
 .vscode
-.src/flake8
 .pre-commit-config.yaml
 .gitleaksignore
 .coveragerc
-src/mypy.ini
+.semgrepignore
+src/backend/.mypy.ini
+src/backend/requirements-dev.txt
+src/backend/tests/*
 *.md
-src/reports/
-src/wordlists/
-src/logs/
+LICENSE.txt
+reports/
+wordlists/
+logs/
 src/frontend/node_modules/*
-src/backend/testing/*
 .DS_Store

.github/workflows/code-style.yml

@@ -0,0 +1,76 @@
+name: Code style
+on:
+  workflow_dispatch:
+  pull_request:
+
+jobs:
+  backend:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - tool: black
+            arguments: --check src/backend/
+            working_directory: .
+          - tool: isort
+            arguments: src/backend/ --check-only
+            working_directory: .
+          - tool: mypy
+            arguments: --namespace-packages --package backend --install-types --non-interactive
+            working_directory: ./src
+          - tool: flake8
+            arguments: --ignore=E501 src/backend
+            working_directory: .
+    name: ${{ matrix.tool }}
+    steps:      
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.11'
+
+      - name: Install Python dependencies
+        run: |
+          python -m pip install -U pip
+          python -m pip install -r src/backend/requirements-dev.txt
+
+      - uses: dorny/paths-filter@3c49e64ca26115121162fb767bc6af9e8d059f1a
+        id: changes
+        with:
+          filters: |
+            backend:
+              - 'src/backend/**'
+
+      - name: Check
+        working-directory: ${{ matrix.working_directory }}
+        if: ${{ steps.changes.outputs.backend == 'true' || github.event_name != 'pull_request' }}
+        run: ${{ matrix.tool }} ${{ matrix.arguments }}
+
+  frontend:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Install ESLint
+        working-directory: src/frontend
+        run: |
+          npm install .
+          npm install -g eslint
+
+      - uses: dorny/paths-filter@3c49e64ca26115121162fb767bc6af9e8d059f1a
+        id: changes
+        with:
+          filters: |
+            frontend:
+              - 'src/frontend/**'
+
+      - name: ESLint check
+        if: ${{ steps.changes.outputs.frontend == 'true' || github.event_name != 'pull_request' }} 
+        run: eslint src/frontend/ --ext .js,.jsx,.ts,.tsx

.github/workflows/desktop.yml

@@ -1,4 +1,4 @@
-name: Desktop app
+name: Desktop
 on:
   release:
     types: [published]

.github/workflows/security-containers.yml

@@ -21,31 +21,31 @@ jobs:
 
       - name: Scan Nginx image with Trivy
         continue-on-error: true
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601
         with:
           image-ref: rekono-nginx
           format: table
           exit-code: 1
 
       - name: Scan Kali image with Trivy
         continue-on-error: true
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601
         with:
           image-ref: rekono-kali
           format: table
           exit-code: 1
 
       - name: Scan Backend image with Trivy
         continue-on-error: true
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601
         with:
           image-ref: rekono-backend
           format: table
           exit-code: 1
 
       - name: Scan Frontend image with Trivy
         continue-on-error: true
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601
         with:
           image-ref: rekono-frontend
           format: table
@@ -77,7 +77,7 @@ jobs:
 
       - name: Scan Debian image with Trivy
         continue-on-error: true
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601
         with:
           image-ref: rekono-debian
           format: table

.github/workflows/security-sast.yml

@@ -2,38 +2,79 @@ name: SAST
 on:
   workflow_dispatch:
   pull_request:
-    paths:
-      - '.github/workflows/**'
-      - 'src/**'
 
 jobs:
-  semgrep:
-    name: Semgrep
+  gitleaks:
+    name: GitLeaks
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
-
+
+      - uses: gitleaks/gitleaks-action@4df650038e2eb9f7329218df929c2780866e61a3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITLEAKS_NOTIFY_USER_LIST: "@pablosnt"
+          GITLEAKS_ENABLE_COMMENTS: true
+          GITLEAKS_ENABLE_UPLOAD_ARTIFACT: true
+          GITLEAKS_ENABLE_SUMMARY: true
+
+  sast:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - name: Semgrep Backend
+            tool: semgrep
+            path: src/backend
+            report: semgrep-backend.json
+            arguments: --config=auto --error --json
+          - name: Semgrep CI/CD
+            tool: semgrep
+            path: .github/workflows
+            report: semgrep-cicd.json
+            arguments: --config=auto --error --json
+          - name: Bandit
+            tool: bandit
+            path: src/backend
+            report: bandit.json
+            arguments: -r -f json
+    name: ${{ matrix.name }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
       - name: Setup Python 3
         uses: actions/setup-python@v4
         with:
-          python-version: 3.7
-
-      - name: Install Semgrep
-        run: pip install semgrep
+          python-version: 3.11
 
-      - name: Scan code
-        run: semgrep --config=auto --error --json -o semgrep_code.json src/
+      - uses: dorny/paths-filter@3c49e64ca26115121162fb767bc6af9e8d059f1a
+        id: changes
+        name: Path filter
+        with:
+          filters: |
+            path:
+              - '${{ matrix.path }}/**'
+
+      - name: Installation
+        if: ${{ steps.changes.outputs.path == 'true' || github.event_name != 'pull_request' }}
+        run: pip install ${{ matrix.tool }}
 
-      - name: Scan workflows
-        run: semgrep --config=auto --error --json -o semgrep_cicd.json .github/workflows/
+      - name: Scan
+        if: ${{ steps.changes.outputs.path == 'true' || github.event_name != 'pull_request' }}
+        run: ${{ matrix.tool }} ${{ matrix.arguments }} -o ${{ matrix.report }} ${{ matrix.path }}
 
-      - name: Upload Semgrep report as GitHub artifact
-        if: ${{ always() }}
+      - name: Upload report as GitHub artifact
+        if: ${{ !cancelled() && (steps.changes.outputs.path == 'true' || github.event_name != 'pull_request') }}
         uses: actions/upload-artifact@v3
         with:
-          name: Semgrep
-          path: semgrep_*.json
-          if-no-files-found: warn
+          name: ${{ matrix.tool }}
+          path: ${{ matrix.report }}
+          if-no-files-found: warn
+

.github/workflows/security-ssc.yml

@@ -0,0 +1,19 @@
+name: Software Supply Chain
+on:
+    workflow_dispatch:
+    schedule:
+      - cron: '0 0 * * *'
+    pull_request:
+
+jobs:
+  legitify:
+    name: Legitify
+    runs-on: ubuntu-latest
+    environment: github
+    steps:
+      - name: Legitify
+        uses: Legit-Labs/legitify@d64d18810d9093458f11731c3a0a36d7e573187e
+        with:
+          github_token: ${{ secrets.ADMIN_PAT }}
+          analyze_self_only: true
+          artifact_name: legitify