eclipse-tractusx · scherersebastian · Mar 8, 2024 · Feb 9, 2024 · Feb 9, 2024 · Feb 16, 2024
diff --git a/docs/release/trg-8/_category_.json b/docs/release/trg-8/_category_.json
@@ -0,0 +1,3 @@
+{
+  "label": "TRG 8 - Security"
+}
diff --git a/docs/release/trg-8/trg-8-00.md b/docs/release/trg-8/trg-8-00.md
@@ -0,0 +1,82 @@
+---
+title: TRG 8.00 - Security Scanning Toolchain
+---
+
+| Status | Created     | Post-History                         |
+|--------|-------------|--------------------------------------|
+| Active | 26-Feb-2024 | Initial release                      |
+
+## Why
+
+Our primary aim is to improve security and define best practices across the Tractus-X ecosystem.
+
+## Description
+
+A security scanning toolchain is a collection of tools and processes that are used to scan software applications for security vulnerabilities. These tools can be used at various stages of the software development lifecycle (**SDLC**), from development to deployment and beyond.
+
+### Emphasized Guidelines for Optimizing Security GitHub Actions
+
+Following, here are specific guidelines and best practices for developers:
+
+1.**Action Failures:** Actions should only fail if there is an error with the Action "Engine" itself or if there is a misconfiguration in the workflow. Failures should not occur based solely on high-severity findings.
+
+2.**Manual Execution:** Include the on: workflow_dispatch option in all workflows. This allows you to manually trigger workflows whenever necessary.
+
+3.**Scheduling Workflows:** Workflows should run frequently. Ideally, they should be set to execute once nightly. At a minimum, they should run once per week. Configure the on: schedule option to achieve this frequency.
+
+4.**Exclusions:** Do not exclude files or directories from scans. If false positives are detected, they can be simply ignored. However, when pushing documentation to the main branch, the workflows do not need to be executed. For such cases, configure the exclude option.
+
+5.**Pull Requests (PRs):** It's not mandatory for workflows to run with every PR. Nonetheless, the Secret Scan is strongly recommended and deemed sufficient.
+
+6.**Target Scanning:** Avoid over-scanning. Focusing on scanning the releases and the main branch from which releases are made is adequate.
+
+7.**Issue Reporting:** Should developers encounter issues during scanning or have questions regarding tool usage, they are encouraged to create an issue in our repository. An appropriate issue template has been provided to streamline this process.
+
+By adhering to these guidelines, developers can efficiently integrate GitHub actions into their workflow, ensuring optimal security without compromising productivity.
+
+:::caution
+
+To pass the quality gates, all **critical**, **high** and **medium** security vulnerabilities **must be mitigated**.
+This generic statement may conflict with [TRG 4.02](/docs/release/trg-4/trg-4-02) base images that apply to containers scans.
+The statement from [TRG 4.02](/docs/release/trg-4/trg-4-02) **prevails**.
+
+:::
+
+## Tools that we’re using
+
+- ### SAST (Static Application Security Testing)
+
+Tools analyze source code or compiled binaries to identify potential vulnerabilities
+
+**Open-Source**: [CodeQL](/docs/release/trg-8/trg-8-01), [Snyk](/docs/release/trg-8/trg-8-02)
+
+- ### SCA (Software Composition Analysis)
+
+Tools examine the software components
+
+**Open-Source**: [Snyk](/docs/release/trg-8/trg-8-02)
+
+- ### IaC (Infrastructure as Code)
+
+Tools that check the configuration files that define the infrastructure components of an application
+
+**Open-Source**: [KICS](/docs/release/trg-8/trg-8-03), [Snyk](/docs/release/trg-8/trg-8-02)
+
+- ### Secret Scanning
+
+Tools designed to search for and identify sensitive information, known as secrets, within code repositories
+
+**Open-Source**: [GitGuardian](/docs/release/trg-8/trg-8-04)
+
+- ### Container Scanner
+
+Tools that scan the container images and the running containers
+
+**Open-Source**: [Trivy](/docs/release/trg-8/trg-8-05), [Snyk](/docs/release/trg-8/trg-8-02)
+
+:::tip
+
+Security is not a one-time activity, but a continuous process that requires constant attention and improvement.
+Even if you cannot perform a full **security assessment** for each product every release, you should at least follow basic security practices.
+
+:::
diff --git a/docs/release/trg-8/trg-8-01.md b/docs/release/trg-8/trg-8-01.md
@@ -0,0 +1,136 @@
+---
+title: TRG 8.01 - CodeQL
+---
+
+| Status | Created     | Post-History                         |
+|--------|-------------|--------------------------------------|
+| Active | 23-Feb-2024 | Initial release                      |
+
+## Why
+
+**CodeQL** can be used to analyze large and complex codebases, making it ideal for organizations of all sizes.It can also be integrated into your existing development workflow, allowing you to catch problems early.
+
+:::info
+
+For any errors, please contact Security Team by creating an issue on GitHub.
+
+:::
+
+## Description
+
+**CodeQL** serves as our core code analysis tool (**SAST**), providing deep code introspection for potential security vulnerabilities and other code quality concerns.
+Below is a technical breakdown of how CodeQL integrates with our **CI/CD** process.
+
+:::info
+
+The CodeQL scan is triggered upon commits to the main branch, based on a CRON schedule set at 01:36 every Sunday, or when manually initiated.
+
+:::
+
+Given the range of languages CodeQL can analyze, the workflow leverages a matrix strategy to dynamically adjust runner settings based on the target language. It currently scans **Java**, **JavaScript**, **Python**, and **Ruby**, but this list is adjustable depending on the repository's dominant languages.
+
+:::info
+
+CodeQL supports a broader set of languages including 'cpp', 'csharp', 'go', 'swift', among others. Accordingly, adjustments should be made to the language matrix when different languages are in play.
+
+:::
+
+### The CodeQL analysis consists of several steps
+
+- **Repository Checkout**: The repository content is fetched using actions/checkout@v3.
+
+- **CodeQL Initialization**: The github/codeql-action/init@v2 action initializes the CodeQL tools, setting the target languages and the desired query sets. CodeQL possesses an extensive collection of predefined queries, but developers can specify custom queries if necessary.
+
+- **Auto-build**: The github/codeql-action/autobuild@v2 action attempts to build any compiled languages. This auto-build feature can occasionally face issues and may fail, especially with complex build processes or non-standard configurations. If an auto-build failure occurs, developers must manually configure the build process within the workflow. An example is provided in the workflow to guide this manual setup.
+
+- **CodeQL Analysis**: Post build, CodeQL performs its analysis, examining the codebase for vulnerabilities and other concerns. Results are categorized based on the language of analysis.
+
+In the provided CodeQL workflow, specific queries are used to enhance security analysis: +security-extended,security-and-quality. The + symbol ensures that these queries are added to the default set, allowing for a comprehensive security analysis. Developers should be aware of these configured queries as they focus on identifying a broad range of vulnerabilities, ensuring robust code security and quality.
+
+```md
+/********************************************************************************
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+  schedule:
+    - cron: "36 1 * * 0"
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners
+    # Consider using larger runners for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["java", "javascript", "python", "ruby"]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          queries: +security-extended,security-and-quality
+
+      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+      # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup.
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #     echo "Run, Build Application using script"
+      #     ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{matrix.language}}"
+ ********************************************************************************/
+ ```
diff --git a/docs/release/trg-8/trg-8-02.md b/docs/release/trg-8/trg-8-02.md
@@ -0,0 +1,27 @@
+---
+title: TRG 8.02 -  SNYK
+---
+
+| Status | Created     | Post-History                         |
+|--------|-------------|--------------------------------------|
+| Active | 23-Feb-2024 | Initial release                      |
+
+## Why
+
+**SNYK** provides actionable insights and guidance on how to fix vulnerabilities, making it easy for developers to understand and address security concerns.
+
+:::caution
+
+It can be set up **only by Security Team**, so please contact us by creating an issue on GitHub.
+
+:::
+
+## Description
+
+To integrate SNYK with your GitHub repository, you need to follow these steps:
+
+- Login to SNYK using your GitHub account
+- Go to the Integrations page in your SNYK account and click **Connect to GitHub**
+- Grant permissions to SNYK to access your GitHub repositories and authorize the SNYK application
+- Choose which repositories you want to test and monitor with SNYK and click **Add selected repositories to SNYK**
+- Snyk will scan your repositories for vulnerabilities and provide you with security reports, fix pull requests, and alerts
diff --git a/docs/release/trg-8/trg-8-03.md b/docs/release/trg-8/trg-8-03.md
@@ -0,0 +1,92 @@
+---
+title: TRG 8.03 - KICS
+---
+
+| Status | Created     | Post-History                         |
+|--------|-------------|--------------------------------------|
+| Active | 23-Feb-2024 | Initial release                      |
+
+## Why
+
+**KICS** identifies security vulnerabilities, compliance issues, and infrastructure misconfigurations in your IaC.
+
+:::info
+
+For any errors, please contact Security Team by creating an issue on GitHub.
+
+:::
+
+## Description
+
+**KICS** is an integral tool in our security workflow, specifically targeting infrastructure-as-code (IaC) vulnerabilities. Here's how we've integrated KICS into our process:
+
+:::info
+
+When a push is made to the main branch or once daily (based on a CRON schedule), excluding markdown and text files, the KICS scan is triggered. Additionally, a manual dispatch option is available for on-demand scans.
+
+:::
+
+The job runs on the latest Ubuntu and requires permissions for reading actions and content, as well as writing security events. Upon initiation, the repository is checked out using the actions/checkout@v3 action.
+
+The primary action involves running the KICS scan, which leverages the checkmarx/kics-github-action@v1.7.0. The scan focuses on the root directory, and the results are outputted in the SARIF format, stored in the kicsResults/ directory.
+
+:::info
+
+KICS is configured to exit with a status code of 0, regardless of the scan results, unless there's a KICS engine error. Some paths and specific queries are excluded from the scan, and secret scanning is explicitly disabled.
+
+:::
+
+Subsequently, the SARIF file, which contains the KICS scan results, is uploaded using the github/codeql-action/upload-sarif@v2 action. This ensures that the findings are made available for review and further analysis in the GitHub environment, aiding engineers in addressing potential vulnerabilities effectively.
+
+```md
+/********************************************************************************
+name: Run KICS scan and upload SARIF
+
+on:
+  push:
+    branches: main
+    paths-ignore:
+      - "**/*.md"
+      - "**/*.txt"
+  schedule:
+    - cron: "0 0 * * *" # Once a day
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Run KICS Scan with SARIF result
+        uses: checkmarx/kics-github-action@v1.7.0
+        with:
+          # Scanning directory .
+          path: "."
+          # When provided with a directory on output_path
+          # it will generate the specified reports file named 'results.{extension}'
+          # in this example it will generate: kicsResults/results.sarif
+          output_path: kicsResults/
+          output_formats: "sarif"
+          # If you want KICS to ignore the results and return exit status code 0 unless a KICS engine error happens
+          ignore_on_exit: results
+          # Exclude paths or files from scan
+          # exclude_paths: "terraform/gcp/big_data.tf,terraform/azure"
+          # Exclude accepted queries from the build
+          # exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e
+          # No secret scanning
+          disable_secrets: true
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: kicsResults/results.sarif
+ ********************************************************************************/
+ ```
diff --git a/docs/release/trg-8/trg-8-04.md b/docs/release/trg-8/trg-8-04.md
@@ -0,0 +1,27 @@
+---
+title: TRG 8.04 - GitGuardian
+---
+
+| Status | Created     | Post-History                         |
+|--------|-------------|--------------------------------------|
+| Active | 23-Feb-2024 | Initial release                      |
+
+## Why
+
+**GitGuardian** excels at detecting and preventing leaks of sensitive data in your code repositories, such as API keys, passwords, and other secrets. This can help you avoid security breaches and comply with data privacy regulations.
+
+:::caution
+
+It can be set up **only by Security Team**, so please contact us by creating an issue on GitHub.
+
+:::
+
+## Description
+
+**GitGuardian** is integrated via its GitHub App, enabling automated secret scanning of our codebase. Each pull request (PR) undergoes a scan. If a potential secret is detected, the commit's author receives an immediate email notification.
+
+:::info
+
+The email contains a temporary **link**, allowing the author to either **report** the detected secret or **mark it as a false positive**, streamlining the review process for software engineers.
+
+:::