Merge pull request #344 from alanjino/pre-commit

Enhance Code Security with Pre-Commit Hooks
intelops · Apr 9, 2024 · 7c82675 · 7c82675
2 parents 87457b8 + 748b6d6
commit 7c82675
Show file tree

Hide file tree

Showing 61 changed files with 273 additions and 150 deletions.
diff --git a/.github/workflows/agent-container-pr.yml b/.github/workflows/agent-container-pr.yml
@@ -20,11 +20,11 @@ jobs:
         uses: actions/checkout@v3
         with:
             fetch-depth: 0
-          
+
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v2
-        
+
       - uses: docker/setup-buildx-action@v1
         name: Set up Docker Buildx
 
@@ -35,8 +35,8 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-    
-            
+
+
       -
         name: Build and push on PR
         uses: docker/build-push-action@v4
@@ -48,4 +48,4 @@ jobs:
           tags: ${{ env.REGISTRY }}/${{ github.repository }}/container-agent:pr-${{ github.event.pull_request.number }}
           build-args: |
             "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}"
- 
+
diff --git a/.github/workflows/agent-container.yml b/.github/workflows/agent-container.yml
@@ -25,7 +25,7 @@ jobs:
     steps:
       - name: Checkout GitHub Action
         uses: actions/checkout@v3
-        
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v2
@@ -56,7 +56,7 @@ jobs:
           file:  ./dockerfiles/agent/container/Dockerfile
           tags: ${{ env.REGISTRY }}/${{ github.repository }}/container-agent:${{ github.run_id }}
           labels: ${{ steps.metadata.outputs.labels }}
-        
+
           push: true
 
       - name: Install cosign
@@ -67,12 +67,12 @@ jobs:
           cosign sign -y ${{ env.REGISTRY }}/${{ github.repository }}/container-agent:${{ github.run_id }}
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Verify the pushed tags
         run: cosign verify ${{ env.REGISTRY }}/${{ github.repository }}/container-agent:${{ github.run_id }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/agent-container.yml@refs/heads/main  --certificate-oidc-issuer https://token.actions.githubusercontent.com
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/trivy-action@master
         with:

diff --git a/.github/workflows/agent-git-pr.yml b/.github/workflows/agent-git-pr.yml
@@ -20,11 +20,11 @@ jobs:
         uses: actions/checkout@v3
         with:
             fetch-depth: 0
-          
+
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v2
-        
+
       - uses: docker/setup-buildx-action@v1
         name: Set up Docker Buildx
 
@@ -35,7 +35,7 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-    
+
       -
         name: Build and push on PR
         uses: docker/build-push-action@v4
@@ -47,4 +47,4 @@ jobs:
           tags: ${{ env.REGISTRY }}/${{ github.repository }}/git-agent:pr-${{ github.event.pull_request.number }}
           build-args: |
             "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}"
- 
+
diff --git a/.github/workflows/agent-git.yml b/.github/workflows/agent-git.yml
@@ -25,7 +25,7 @@ jobs:
     steps:
       - name: Checkout GitHub Action
         uses: actions/checkout@v3
-        
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v2
@@ -56,7 +56,7 @@ jobs:
           file:  ./dockerfiles/agent/git/Dockerfile
           tags: ${{ env.REGISTRY }}/${{ github.repository }}/git-agent:${{ github.run_id }}
           labels: ${{ steps.metadata.outputs.labels }}
-        
+
           push: true
 
       - name: Install cosign
@@ -67,12 +67,12 @@ jobs:
           cosign sign -y ${{ env.REGISTRY }}/${{ github.repository }}/git-agent:${{ github.run_id }}
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Verify the pushed tags
         run: cosign verify ${{ env.REGISTRY }}/${{ github.repository }}/git-agent:${{ github.run_id }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/agent-git.yml@refs/heads/main  --certificate-oidc-issuer https://token.actions.githubusercontent.com
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/trivy-action@master
         with:

diff --git a/.github/workflows/agent-kubviz-image.yml b/.github/workflows/agent-kubviz-image.yml
@@ -25,7 +25,7 @@ jobs:
     steps:
       - name: Checkout GitHub Action
         uses: actions/checkout@v3
-        
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v2
@@ -56,7 +56,7 @@ jobs:
           file: ./dockerfiles/agent/kubviz/Dockerfile
           tags: ${{ env.REGISTRY }}/${{ github.repository }}/kubviz-agent:${{ github.run_id }}
           labels: ${{ steps.metadata.outputs.labels }}
-        
+
           push: true
 
       - name: Install cosign
@@ -67,12 +67,12 @@ jobs:
           cosign sign -y ${{ env.REGISTRY }}/${{ github.repository }}/kubviz-agent:${{ github.run_id }}
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Verify the pushed tags
         run: cosign verify ${{ env.REGISTRY }}/${{ github.repository }}/kubviz-agent:${{ github.run_id }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/agent-kubviz-image.yml@refs/heads/main  --certificate-oidc-issuer https://token.actions.githubusercontent.com
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/trivy-action@master
         with:

diff --git a/.github/workflows/agent-kubviz-pr.yml b/.github/workflows/agent-kubviz-pr.yml
@@ -20,11 +20,11 @@ jobs:
         uses: actions/checkout@v3
         with:
             fetch-depth: 0
-          
+
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v2
-        
+
       - uses: docker/setup-buildx-action@v1
         name: Set up Docker Buildx
 
@@ -35,7 +35,7 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-    
+
       -
         name: Build and push on PR
         uses: docker/build-push-action@v4
@@ -47,4 +47,4 @@ jobs:
           tags: ${{ env.REGISTRY }}/${{ github.repository }}/kubviz-agent:pr-${{ github.event.pull_request.number }}
           build-args: |
             "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}"
- 
+
diff --git a/.github/workflows/apisec-scan.yml b/.github/workflows/apisec-scan.yml
@@ -3,8 +3,8 @@
 # separate terms of service, privacy policy, and support
 # documentation.
 
-# APIsec addresses the critical need to secure APIs before they reach production. 
-# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs. 
+# APIsec addresses the critical need to secure APIs before they reach production.
+# APIsec provides the industry’s only automated and continuous API testing platform that uncovers security vulnerabilities and logic flaws in APIs.
 # Clients rely on APIsec to evaluate every update and release, ensuring that no APIs go to production with vulnerabilities.
 
 # How to Get Started with APIsec.ai

diff --git a/.github/workflows/client-image.yml b/.github/workflows/client-image.yml
@@ -25,7 +25,7 @@ jobs:
     steps:
       - name: Checkout GitHub Action
         uses: actions/checkout@v3
-        
+
       - name: Set up Docker Buildx
         id: buildx
         uses: docker/setup-buildx-action@v2
@@ -56,7 +56,7 @@ jobs:
           file: ./dockerfiles/client/Dockerfile
           tags: ${{ env.REGISTRY }}/${{ github.repository }}/client:${{ github.run_id }}
           labels: ${{ steps.metadata.outputs.labels }}
-        
+
           push: true
 
       - name: Install cosign
@@ -67,12 +67,12 @@ jobs:
           cosign sign -y ${{ env.REGISTRY }}/${{ github.repository }}/client:${{ github.run_id }}
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Verify the pushed tags
         run: cosign verify ${{ env.REGISTRY }}/${{ github.repository }}/client:${{ github.run_id }} --certificate-identity ${{ env.GH_URL }}/${{ github.repository }}/.github/workflows/client-image.yml@refs/heads/main  --certificate-oidc-issuer https://token.actions.githubusercontent.com
         env:
           COSIGN_EXPERIMENTAL: 1
-      
+
       - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/trivy-action@master
         with:

diff --git a/.github/workflows/client-pr.yml b/.github/workflows/client-pr.yml
@@ -20,11 +20,11 @@ jobs:
         uses: actions/checkout@v3
         with:
             fetch-depth: 0
-          
+
       -
         name: Set up QEMU
         uses: docker/setup-qemu-action@v2
-        
+
       - uses: docker/setup-buildx-action@v1
         name: Set up Docker Buildx
 
@@ -35,8 +35,8 @@ jobs:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-    
-            
+
+
       -
         name: Build and push on PR
         uses: docker/build-push-action@v4
@@ -48,4 +48,4 @@ jobs:
           tags: ${{ env.REGISTRY }}/${{ github.repository }}/client:pr-${{ github.event.pull_request.number }}
           build-args: |
             "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}"
- 
+
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -48,11 +48,11 @@ jobs:
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
-        
+
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
         # queries: security-extended,security-and-quality
 
-        
+
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
@@ -61,7 +61,7 @@ jobs:
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   If the Autobuild fails above, remove it and uncomment the following three lines.
     #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
 
     # - run: |

diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
@@ -27,7 +27,7 @@ jobs:
 
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@v1
-        
+
       - name: Upload DevSkim scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:

diff --git a/.github/workflows/makefile.yml b/.github/workflows/makefile.yml
@@ -13,15 +13,15 @@ jobs:
 
     steps:
     - uses: actions/checkout@v3
-    
+
     - name: configure
       run: ./configure
-      
+
     - name: Install dependencies
       run: make
-      
+
     - name: Run check
       run: make check
-      
+
     - name: Run distcheck
       run: make distcheck
diff --git a/.github/workflows/neuralegion.yml b/.github/workflows/neuralegion.yml
@@ -50,7 +50,7 @@
 #
 # `restart_scan`
 #
-# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).<br> Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.    
+# **Required** when restarting an existing scan by its ID. You can get the scan ID in the Scans section on [nexploit.app](https://nexploit.app/login).<br> Please make sure to only use the necessary parameters. Otherwise, you will get a response with the parameter usage requirements.
 #
 # _Example:_ `restart_scan: ai3LG8DmVn9Rn1YeqCNRGQ)`
 #
@@ -95,7 +95,7 @@
 #
 # `hosts_filter`
 #
-# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan. 
+# **Required** when the the discovery type is set to `archive`. Allows selecting specific hosts for a scan.
 #
 # Outputs
 #

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -22,7 +22,7 @@ jobs:
       # Needs for private repositories.
       contents: read
       actions: read
-    
+
     steps:
       - name: "Checkout code"
         uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3.0.0
@@ -41,8 +41,8 @@ jobs:
           # repo_token: ${{ secrets.SCORECARD_READ_TOKEN }}
 
           # Publish the results for public repositories to enable scorecard badges. For more details, see
-          # https://github.com/ossf/scorecard-action#publishing-results. 
-          # For private repositories, `publish_results` will automatically be set to `false`, regardless 
+          # https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories, `publish_results` will automatically be set to `false`, regardless
           # of the value entered here.
           publish_results: true
 
@@ -54,7 +54,7 @@ jobs:
           name: SARIF file
           path: results.sarif
           retention-days: 5
-      
+
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
         uses: github/codeql-action/upload-sarif@5f532563584d71fdef14ee64d17bafb34f751ce5 # v1.0.26