Skip to content

Pr/GitHub security #1783

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
moshloop wants to merge 14 commits into
base: main
Choose a base branch
from
Open

Pr/GitHub security #1783

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
b335958
wip: azure updates
moshloop May 9, 2025
d600c63
chore: misc aws fixes
moshloop Oct 30, 2025
4e94b2f
feat: add GitHub Security and OpenSSF Scorecard scrapers foundation
moshloop Oct 30, 2025
71904a8
feat: implement OpenSSF Scorecard scraper and complete GitHub Security
moshloop Oct 30, 2025
219dae2
chore: add Type() support for GitHub Security and OpenSSF scrapers
moshloop Oct 30, 2025
7aeb942
test: add fixture files for GitHub Security and OpenSSF scrapers
moshloop Oct 30, 2025
ed8e91d
docs: add README documentation for test fixtures
moshloop Oct 30, 2025
4387422
perf: add incremental scraping and comprehensive logging
moshloop Oct 30, 2025
11d830e
refactor: extract OpenSSF checks as ConfigAnalysis insights
moshloop Oct 31, 2025
9cc0c08
fix(azure): remove duplicate methods and unused imports
moshloop Oct 31, 2025
cdf3c86
feat(sql): add debug logging for query and response
moshloop Dec 1, 2025
cd3a3f5
fix: azure devops pipelines with none string template vars
moshloop Dec 10, 2025
0fc3ff1
fix: item scraping
moshloop Dec 12, 2025
6922ccd
chore: improve pretty printing
moshloop Dec 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,4 +25,8 @@ external/diffgen/target

# For AI agents
TODO.md
.envrc
.db/
db/
.DS_Store
out/
bin/
4 changes: 4 additions & 0 deletions api/context.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -161,3 +161,7 @@ func (ctx ScrapeContext) Namespace() string {
func (ctx ScrapeContext) IsTrace() bool {
return ctx.scrapeConfig.Spec.IsTrace()
}

func (ctx ScrapeContext) IsDebug() bool {
return ctx.scrapeConfig.Spec.IsDebug()
}
Comment on lines +165 to +167
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Add nil guard to prevent panic.

Both IsDebug() and IsTrace() (line 162) access ctx.scrapeConfig.Spec without checking if ctx.scrapeConfig is nil. Since ScrapeConfig() (line 140) can return nil, calling these methods will panic if the scrape config hasn't been set.

Apply this diff to add nil guards:

 func (ctx ScrapeContext) IsTrace() bool {
+	if ctx.scrapeConfig == nil {
+		return false
+	}
 	return ctx.scrapeConfig.Spec.IsTrace()
 }

 func (ctx ScrapeContext) IsDebug() bool {
+	if ctx.scrapeConfig == nil {
+		return false
+	}
 	return ctx.scrapeConfig.Spec.IsDebug()
 }

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents 
In api/context.go around lines 162–167, both IsTrace() and IsDebug() dereference
ctx.scrapeConfig.Spec without guarding for a nil scrapeConfig (ScrapeConfig()
can return nil) which can cause a panic; update both methods to first check if
ctx.scrapeConfig == nil or ctx.scrapeConfig.Spec == nil and return false in that
case, otherwise call and return ctx.scrapeConfig.Spec.IsTrace() / IsDebug().

34 changes: 34 additions & 0 deletions api/v1/azure_ad.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
package v1

type AzureAD struct {
BaseScraper `json:",inline"`
AzureConnection `yaml:",inline" json:",inline"`
Users AzureUsers `yaml:"users,omitempty" json:"users,omitempty"`
Groups AzureGroups `yaml:"groups,omitempty" json:"groups,omitempty"`
AppRegistrations AzureAppRegistrations `yaml:"appRegistrations,omitempty" json:"appRegistrations,omitempty"`
Logins AzureLogins `yaml:"logins,omitempty" json:"logins,omitempty"`
}

type CELFilter string

type MsGraphFilter struct {
Filter []CELFilter `yaml:"filter,omitempty" json:"filter,omitempty"`
// MS.Graph query string
Query string `yaml:"query,omitempty" json:"query,omitempty"`
}

type AzureLogins struct {
MsGraphFilter `yaml:",inline" json:",inline"`
}

type AzureUsers struct {
MsGraphFilter `yaml:",inline" json:",inline"`
}

type AzureGroups struct {
MsGraphFilter `yaml:",inline" json:",inline"`
}

type AzureAppRegistrations struct {
MsGraphFilter `yaml:",inline" json:",inline"`
}
62 changes: 62 additions & 0 deletions api/v1/common.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,14 @@ import (
"regexp"
"strings"

"github.com/flanksource/clicky"
"github.com/flanksource/clicky/api"
"github.com/flanksource/duty"
"github.com/flanksource/duty/connection"
"github.com/flanksource/duty/models"
"github.com/flanksource/duty/types"
"github.com/flanksource/gomplate/v3"
"github.com/samber/lo"
)

// List of types which should not have scraper_id
Expand Down Expand Up @@ -63,6 +66,34 @@ func (s Script) String() string {
return ""
}

func (s Script) PrettyShort() api.Text {
t := clicky.Text("")
if s.GoTemplate != "" {
t = t.Append("go: ", "text-green-600").Append(clicky.CodeBlock("go", lo.Ellipsis(s.GoTemplate, 200)))
} else if s.JSONPath != "" {
t = t.Append("jsonpath: ", "text-blue-600").Append(clicky.CodeBlock("jsonpath", lo.Ellipsis(s.JSONPath, 200)))
} else if s.Expression != "" {
t = t.Append("expr: ", "text-yellow-600").Append(clicky.CodeBlock("cel", lo.Ellipsis(s.Expression, 200)))
} else if s.Javascript != "" {
t = t.Append("js: ", "text-purple-600").Append(clicky.CodeBlock("javascript", lo.Ellipsis(s.Javascript, 200)))
}
return t
}

func (s Script) Pretty() api.Text {
t := clicky.Text("")
if s.GoTemplate != "" {
t = t.Append("go: ", "text-green-600").Append(clicky.CodeBlock("go", s.GoTemplate))
} else if s.JSONPath != "" {
t = t.Append("jsonpath: ", "text-blue-600").Append(clicky.CodeBlock("jsonpath", s.JSONPath))
} else if s.Expression != "" {
t = t.Append("expr: ", "text-yellow-600").Append(clicky.CodeBlock("cel", s.Expression))
} else if s.Javascript != "" {
t = t.Append("js: ", "text-purple-600").Append(clicky.CodeBlock("javascript", s.Javascript))
}
return t
}

type Mask struct {
// Selector is a CEL expression that selects on what config items to apply the mask.
Selector string `json:"selector,omitempty"`
Expand Down Expand Up @@ -361,6 +392,28 @@ func (aws AWSConnection) ToDutyAWSConnection(region string) *connection.AWSConne
}
}

// GCPConnection ...
type GCPConnection struct {
Endpoint string `yaml:"endpoint" json:"endpoint,omitempty"`
Credentials *types.EnvVar `yaml:"credentials" json:"credentials,omitempty"`
}

func (gcp GCPConnection) GetModel() *models.Connection {
return &models.Connection{
URL: gcp.Endpoint,
Certificate: gcp.Credentials.String(),
}
}

type AzureConnection struct {
ConnectionName string `yaml:"connection,omitempty" json:"connection,omitempty"`
SubscriptionID string `yaml:"subscriptionID" json:"subscriptionID"`
Organisation string `yaml:"organisation" json:"organisation"`
ClientID types.EnvVar `yaml:"clientID,omitempty" json:"clientID,omitempty"`
ClientSecret types.EnvVar `yaml:"clientSecret,omitempty" json:"clientSecret,omitempty"`
TenantID string `yaml:"tenantID,omitempty" json:"tenantID,omitempty"`
}

type Connection struct {
// Connection is either the name of the connection to lookup
// or the connection string itself.
Expand Down Expand Up @@ -389,6 +442,15 @@ func (c Connection) GetEndpoint() string {
return sanitizeEndpoints(c.Connection)
}

func (c Connection) Pretty() api.Text {
t := clicky.Text("")
if c.Connection != "" {
clicky.RedactSecretValues()
t = t.Append(sanitizeEndpoints(c.Connection))
}
return t
}

// Obfuscate passwords of the form ' password=xxxxx ' from connectionString since
// connectionStrings are used as metric labels and we don't want to leak passwords
// Returns the Connection string with the password replaced by '###'
Expand Down
53 changes: 53 additions & 0 deletions api/v1/github_security.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
package v1

import (
"time"

"github.com/flanksource/duty/types"
)

// GitHubSecurity scraper fetches security alerts from GitHub repositories
// including Dependabot alerts, code scanning alerts, secret scanning alerts,
// and security advisories.
type GitHubSecurity struct {
BaseScraper `json:",inline" yaml:",inline"`

// Repositories is the list of repositories to scan
Repositories []GitHubSecurityRepository `yaml:"repositories" json:"repositories"`

// PersonalAccessToken for GitHub API authentication
// Required scopes: repo (full) or security_events (read)
PersonalAccessToken types.EnvVar `yaml:"personalAccessToken,omitempty" json:"personalAccessToken,omitempty"`

// ConnectionName, if provided, will be used to populate personalAccessToken
ConnectionName string `yaml:"connection,omitempty" json:"connection,omitempty"`

// Filters for security alerts
Filters GitHubSecurityFilters `yaml:"filters,omitempty" json:"filters,omitempty"`
}

// GitHubSecurityRepository specifies a repository to scan
type GitHubSecurityRepository struct {
Owner string `yaml:"owner" json:"owner"`
Repo string `yaml:"repo" json:"repo"`
}

// GitHubSecurityFilters defines filtering options for security alerts
type GitHubSecurityFilters struct {
// Severity filters: critical, high, medium, low
Severity []string `yaml:"severity,omitempty" json:"severity,omitempty"`

// State filters: open, closed, dismissed, fixed
State []string `yaml:"state,omitempty" json:"state,omitempty"`

// MaxAge filters alerts by age (e.g., "90d", "30d")
MaxAge string `yaml:"maxAge,omitempty" json:"maxAge,omitempty"`
}

// ParseMaxAge converts the MaxAge string to a time.Duration
func (f GitHubSecurityFilters) ParseMaxAge() (time.Duration, error) {
if f.MaxAge == "" {
return 0, nil
}
return time.ParseDuration(f.MaxAge)
}
Comment on lines +47 to +53
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Fix duration parsing to support documented format.

The ParseMaxAge() method uses time.ParseDuration(), which doesn't support the "d" (days) suffix mentioned in the comment on line 43. time.ParseDuration() only accepts units like "ns", "us", "ms", "s", "m", "h". Specifying "90d" will cause a parse error.

Consider implementing custom parsing or updating the documentation to use hours (e.g., "2160h" for 90 days):

 // ParseMaxAge converts the MaxAge string to a time.Duration
 func (f GitHubSecurityFilters) ParseMaxAge() (time.Duration, error) {
 	if f.MaxAge == "" {
 		return 0, nil
 	}
-	return time.ParseDuration(f.MaxAge)
+	// Support days suffix (e.g., "90d")
+	if strings.HasSuffix(f.MaxAge, "d") {
+		days, err := strconv.Atoi(strings.TrimSuffix(f.MaxAge, "d"))
+		if err != nil {
+			return 0, fmt.Errorf("invalid duration format: %w", err)
+		}
+		return time.Duration(days) * 24 * time.Hour, nil
+	}
+	return time.ParseDuration(f.MaxAge)
 }

Loading
Loading