allero-io / allero

By scanning CI/CD misconfigurations, Allero helps reduce production issues, harden your security posture and shift-left CI/CD from DevOps to developers.

Home Page: https://allero.io

License: Apache License 2.0

Dockerfile 0.26% Makefile 1.07% Go 94.13% Shell 2.71% PowerShell 1.83%
cicd developer-tools devops devops-pipeline devsecops devsecops-tools governance-operations compliance github-actions jfrog

allero's People

Contributors

amir-smrt, dimabru, dolby360, idanshahar, jmj0502, oriyosef, rndmh3ro


allero's Issues

Unable to fetch repositories with "." in the name

Trying to fetch a repo with a "." in the name will result in an error message stating the repo can't be fetched


This is a precaution due to the way we parse the json repos file. We use dot separation to differentiate between entities (owner, repo, workflow, etc.)
https://github.com/allero-io/allero/blob/main/pkg/rulesConfig/rulesConfig.go#L130

Need to come up with a better solution for dot-separated repositories

Suggestion:
Use escaping for dot in repo name to be able to save the repo and then unescape the same character when running validate
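A worked version of the escape/unescape suggestion, written for this page in Go (the language Allero is written in). It is an added example, not code from the allero repository or its rulesConfig.go; the names JoinKey, SplitKey and escapeSegment, and the choice of backslash as the escape character, are this example's assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Allero keys its JSON repo file with dot-separated paths such as
// "owner.repo.workflow", so a repository literally named "my.service"
// collides with the separator. This example escapes dots inside a single
// segment before joining and restores them on split. The helper names and
// the backslash escape are this example's assumptions, not Allero's code.

const sep = "."

// escapeSegment makes one path component safe to embed in a dot-joined key.
// Backslash is escaped first so that a literal `\.` in the input cannot be
// mistaken for an escaped dot when the key is split again.
func escapeSegment(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	return strings.ReplaceAll(s, sep, `\`+sep)
}

// JoinKey builds a dot-joined key from components that may contain dots.
func JoinKey(parts ...string) string {
	escaped := make([]string, len(parts))
	for i, p := range parts {
		escaped[i] = escapeSegment(p)
	}
	return strings.Join(escaped, sep)
}

// SplitKey is the inverse of JoinKey: it splits on unescaped dots only and
// removes the escaping from each component.
func SplitKey(key string) []string {
	var parts []string
	var cur strings.Builder
	for i := 0; i < len(key); i++ {
		c := key[i]
		switch {
		case c == '\\' && i+1 < len(key):
			i++
			cur.WriteByte(key[i]) // escaped character, taken literally
		case c == sep[0]:
			parts = append(parts, cur.String())
			cur.Reset()
		default:
			cur.WriteByte(c)
		}
	}
	return append(parts, cur.String())
}

func main() {
	key := JoinKey("allero-io", "my.service", "ci.yml")
	fmt.Println(key)           // allero-io.my\.service.ci\.yml
	fmt.Println(SplitKey(key)) // [allero-io my.service ci.yml]
}
```

The important property is that escaping happens per segment, before the join, and unescaping happens during the split; applying a plain strings.Split on the whole key and unescaping afterwards would still cut "my.service" in two.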

[New Rule] Prevent continue-on-error when using Snyk Action

Snyk allows it to not fail the workflow when it finds a vulnerability. This means a vulnerability could make it to production.
When using Snyk Action, prevent: continue-on-error: true

Example:

on: push
jobs:
  security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Run Snyk to check for vulnerabilities
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

Ensure dependencies manager

Name of the rule you'd like to add
ensure-dependencies-manager

Describe the rule
At least one pipeline in each repository should run a dependency manager to update dependencies and lock files.

What triggers the rule
In case all of the following tools are missing (currently one):
Renovate

Failure message should the rule fail
Dependencies manager was not detected in the repository pipelines. It is highly recommended to add one to keep your dependencies and lock files.

What SCMs is this rule eligible for
Github, Gitlab.

Will this rule work in local run
Eligible for local as well with the same behavior.

What CI/CD platforms is this rule eligible for
Github Actions, GitlabCI, JFrog Pipelines.

Should this rule be enabled by default
No.

Sample repos/orgs to test the rule
example how to use Renovate

Support Self-hosted GitLab

Allero currently supports GitLab Cloud. Add support for a Self-Hosted GitLab.
Allow configuring the url of a private GitLab for the fetch command.

Add CircleCI support

To support CircleCI, the following should be implemented:

  1. Detect a CircleCI Yaml file in the repo (regardless of the SCM type - Local/GitHub/GitLab)
  2. As part of the Fetch command: CircleCI files should be fetched as well
  3. As part of the local validation, the validation should support CircleCI files as well
  4. Review the existing rules and update/create new rules to support CircleCI. Some of the existing rules are relevant for any CI/CD and some are more CI/CD specific

Error: Your Command Line Tools are too outdated.

I have xcode 13.4.1 and I get the above message (m1 mac)

brew install allero-io/allero/allero

Already downloaded: /Users/erlichmen/Library/Caches/Homebrew/downloads/77842b251463ee9e209d38ca837db6ea724d3bf06e3b86129a001760b26156c7--allero_0.0.1_Darwin_x86_64.zip
Warning: Cannot verify integrity of '77842b251463ee9e209d38ca837db6ea724d3bf06e3b86129a001760b26156c7--allero_0.0.1_Darwin_x86_64.zip'.
No checksum was provided for this resource.
For your reference, the checksum is:
  sha256 "315c14bc1781c9fa39c598f355eae1c80b32fe3f4956c95fe7254f026f0752bb"
==> Installing allero from allero-io/allero
Error: Your Command Line Tools are too outdated.
Update them from Software Update in System Preferences or run:
  softwareupdate --all --install --force

If that doesn't show you any updates, run:
  sudo rm -rf /Library/Developer/CommandLineTools
  sudo xcode-select --install

Alternatively, manually download them from:
  https://developer.apple.com/download/all/.
You should download the Command Line Tools for Xcode 13.4.

PS: curl install gives me the following:

curl https://get.allero.io | /bin/bash
% Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1294  100  1294    0     0   6158      0 --:--:-- --:--:-- --:--:--  6343
Installing Allero...


but it doesn't install anything

Automatically delete existing rules on `allero validate`

Is your feature request related to a problem? Please describe.
When running allero validate it ignores rules compiled in the binary if the same rule exists in the filesystem. This makes it tough to further enhance the cli capabilities, since every change to the existing set of rules forces the user to manually delete the ones that already exist in their filesystem.

Describe the solution you'd like
Per UniqueId of each rule: override the existing rules

Describe alternatives you've considered
Manually deleting the existing rules

Additional context
We need to make sure not to delete any custom rules

Enforce pr title conventions

Is your feature request related to a problem? Please describe.
PR titles should align to the same standards

Describe the solution you'd like
A Github workflow that runs on every PR that enforces commit message conventions as described here
For example:
build: support docker push
refactor: improve unit tests
feat: create json output flag

workflow should do the following:

  1. enforce all in lowercase
  2. make sure valid prefix exists (build, feat, bug, etc.)

Add JFrog Xray to SCA rule

Name of the rule you'd like to add
Ensure JFrog Xray runs in JFrog pipelines

Describe the rule
Make sure that JFrog Xray scans the code for SCA.

What triggers the rule
The absence of JFrog Xray in all pipelines in a repo (must run in at least one pipeline)

Failure message should the rule fail
I believe this should be part of the existing SCA rule.

What SCMs is this rule eligible for
All (Github, Gitlab, etc.)

Will this rule work in local run
Yes

What CI/CD platforms is this rule eligible for
JFrog Pipelines

Should this rule be enabled by default
No

Sample repos/orgs to test the rule
If possible, add a link to one or more repositories/organizations that qualifies for testing the rule

Support fetch with full url

Describe the solution you'd like
We need to be able to support fetching with full url (instead of just owner/repo)
For example:
allero fetch https://github.com/allero-io/allero
allero fetch https://github.com/allero-io

Add gitlab tests to rules tests.

Is your feature request related to a problem? Please describe.
Right now only GitHub rules are tested, see rule tests here

Describe the solution you'd like
Add folder named GitLab to test GitLab rules

@dimabru Please assign me for this issue

[New Rule] Prevent usage of plain text password

Many actions need a username and password.

Prevent usage of passwords that are not stored in github secrets.

Docker Login:

      - name: Login to JFrog 🐸
        uses: docker/login-action@v1
        with:
          registry: <your artifactory>.jfrog.io
          username: ${{ secrets.JFROG_USER_WRITER }}
          password: **this_is_my_password**

SonarQube:

  sonarQubeTrigger:
    name: SonarQube Trigger
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: SonarQube Scan
      uses: kitabisa/sonarqube-action@master
      with:
        host: ${{ secrets.SONARQUBE_HOST }}
        login: **this_is_my_password**

UploadBinary

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v1
    - name: Upload deb package to Bintray
      uses: bpicode/github-action-upload-bintray@master
      with:
        file: ./path/to/example-package_1.0_amd64.deb
        api_user: example-user
        api_key: **this_is_my_api_key**

Ensure linter in repository

Ensure linter in the repository

At least one linter is running in at least one workflow in the repository.

Examples for linters: wemake-python, super-linter, mega-linter

The rule should run on pull request to main branch. It should have an option to disable the rule or to disable the failure in case the developers prefer to ignore the failure.
The rule is relevant for all SCMs including Local repository. It could be a good option to make the rule depend on the programming language of the repo.

Ensure secrets scanning

Name of the rule you'd like to add
ensure-secrets-scanner

Describe the rule
At least one pipeline in each repository should run a secrets scanner to prevent secrets leaks.

What triggers the rule
If none of the following runs in the repo:
trufflehog
GitGuardian
Gitleaks
Trivy

Failure message should the rule fail
Secrets scanner was not detected in the repository pipelines. It is highly recommended to add one to prevent secrets leaks.

What SCMs is this rule eligible for
Github, Gitlab.

Will this rule work in local run
Eligible for local as well, same behavior.

What CI/CD platforms is this rule eligible for
Github Actions, GitlabCI, JFrog Pipelines.

Should this rule be enabled by default
No

Sample repos/orgs to test the rule
Example of how to integrate trivy

Add basic e2e tests

Is your feature request related to a problem? Please describe.
We currently don't have any tests for the cli. This makes it relatively unstable.

Describe the solution you'd like
Add some basic e2e tests to go over some scenarios of usage of the cli
Tests should run on PR during the CI workflow

Run the following and make sure the output is correct

  1. Main flow
     allero fetch github allero-io/demo
     allero fetch gitlab allero/demo
     allero validate
  2. Validate local folder
     Add some test workflows to a local folder and run
     allero validate [path-to-local-folder]
  3. Fetch from remote url
     allero fetch https://github.com/allero-io/demo https://gitlab.com/allero/demo
     allero validate

pre-commit hooks

I would like to propose a rule which checks for the existence of a pre-commit configuration file. The content of the file will vary from repo to repo, but the presence of such a file indicates that pre-commit hooks are managed in the repo.

Further extension of the rule could be that there must be a stage in the pipeline which executes these checks, in case the committer has not enabled them in their clone of the repo.

Similar to #105, this can also ensure that a commit message syntax is enforced via commitlint

The rule needs to, at a minimum, assert the presence and correctness of .pre-commit-config.y[a]ml

Automatically Publish Dockerimages

Is your feature request related to a problem? Please describe.
I see that Dockerimages exist here: https://hub.docker.com/r/allero/allero-cli/tags
However the tags do not match the release versions in github. Also the latest tag is only built for arm, not for amd systems.

Describe the solution you'd like
I propose to automatically publish docker images to Dockerhub (or quay) with the correct tags and multiple architectures.

Describe alternatives you've considered
Self-building, but a central place would be better.

Additional context
Add any other context or screenshots about the feature request here.

Ensure cache on build

Name of the rule you'd like to add
ensure-cache-on-build

Describe the rule
In case that there is a build step in a pipeline there should be a use of cache github action to speed up workflow.

What triggers the rule
A step of build (npm install e.g.) without a step of cache.

Failure message should the rule fail
A build step without cache usage was detected in the pipeline. It is highly recommended to add caching to speed up workflow.

What SCMs is this rule eligible for
Github.

Will this rule work in local run
No.

What CI/CD platforms is this rule eligible for
Github Actions.

Should this rule be enabled by default
No.

Sample repos/orgs to test the rule
An example of a correct use of actions/cache

allero validate local doesn't fail when the path doesn't exist

To Reproduce
Steps to reproduce the behavior:

  1. run allero validate {path that doesn't exist}

Expected behavior
Print an error message - "The path doesn't exist, re-run allero validate on an existing directory or run allero fetch to fetch from a remote repository and rerun allero validate"

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: MacOS
  • Version: 0.0.18

Run allero locally

Is your feature request related to a problem? Please describe.
Not really an issue but I think it will be more convenient to run allero without needing to set the repository before.

Describe the solution you'd like
I'm thinking of adding an option for a command like allero validate local. This command will not use the fetched repository but check the current running project. For example, if I'm running inside a project called myProject and it has .github, I can just mock githubData and fill only the workflow object with the currently existing yaml files.

If you agree that this could be helpful please assign me and I'll do it.

Prevent k8s misconfigurations

Name of the rule you'd like to add
Prevent kubernetes misconfigurations

Describe the rule
Make sure a scanner for kubernetes misconfigurations exists

What triggers the rule
If none of the following scanners exist in a single repo: Checkov, Datree, Kics

Failure message should the rule fail
No k8s misconfigurations scanner detected. You are vulnerable to k8s cluster issues

What SCMs is this rule eligible for
All

Will this rule work in local run
Yes

What CI/CD platforms is this rule eligible for
Github actions, GitlabCI

Should this rule be enabled by default
No

Sample repos/orgs to test the rule
https://github.com/datreeio/examples

Testing rules

Right now when adding rules, the only way to test if it works is to actually run a build of the allero PR branch on a real example.
There should be an easy way to test this, and this test shall be part of the github actions as well.
My initial thought was to have an examples folder of various github requests and another folder of tests.

├───allero
|   ├───pkg
|   |   └───rulesConfig
|   |   |   └───defaultRules
|   |   |       └───github
|   |   |   └───rulesConfig.go
|   |   |   └───tests
|   |   |   └───templates

Ensure code quality

Name of the rule you'd like to add
Ensure code quality

Describe the rule
Make sure a tool exists that checks for code quality

What triggers the rule
If none of the following scanners exist per single repo:
codeclimate
wemake-python-styleguide
megalinter
sonarqube
codecov

Failure message should the rule fail
Failed to detect any code quality tools in your repository

What SCMs is this rule eligible for
All

Will this rule work in local run
Yes

What CI/CD platforms is this rule eligible for
Github Actions, GitlabCI

Should this rule be enabled by default
No

Sample repos/orgs to test the rule
https://github.com/codecov/example-c

gitlab fetch is not working

Describe the bug
The test has been done on a clean ubuntu docker container. Following these instructions it still looks like the fetch is not working.
The content of the gitlab metadata (/root/.allero/repo_files/gitlab.json) is empty {}

To Reproduce
Steps to reproduce the behavior:

docker run -it ubuntu bin/bash

inside docker

apt update && apt upgrade
apt install unzip 
export ALLERO_GITLAB_TOKEN="<token>"
allero fetch gitlab dolby360/webapp # 404 error
allero fetch gitlab gitterHQ/webapp 
cat /root/.allero/repo_files/gitlab.json # == {}
allero validate # nothing found

Integrate pull request preview environments

Is your feature request related to a problem? Please describe.
I would like to support Allero by implementing Uffizzi preview environments.
Disclaimer: I work on Uffizzi.

Uffizzi is an Open Source full stack previews engine and our platform is available completely free for Allero (and all open source projects). This will provide maintainers with preview environments of every PR in the cloud, which enables faster iterations and reduces time to merge. You can see the open source repos which are currently using Uffizzi over here

Uffizzi is purpose-built for the task of previewing PRs and it integrates with your workflow to deploy preview environments in the background without any manual steps for maintainers or contributors.

We can go ahead and create an Initial PoC for you right away if you think there is value in this proposal.

[New Rule] Prevent usage of node without specifying a version

The node-version input is optional. If not supplied, the node version from PATH will be used. However, it is recommended to always specify the Node.js version and not rely on the system one.

Bad practice:

steps:
- uses: actions/setup-node@v3
- run: npm ci
- run: npm test

Recommended usage:

steps:
- uses: actions/setup-node@v3
  with:
    node-version: 16
- run: npm ci
- run: npm test

Enforce UniqueIDs in rules

Is your feature request related to a problem? Please describe.
Currently we are manually adding new unique ids for each new rule (one for github and one for gitlab). Manual updates can have potential issues

Describe the solution you'd like
Add a workflow on PR that checks that each rule has its own unique ID setup and that they are all set correctly in an increasing order (once per scm)

Ensure Helm

Name of the rule you'd like to add
ensure-helm

Describe the rule
At least one pipeline in each repository should use Helm.

What triggers the rule
In case that Helm was not detected in the repo pipelines.

Failure message should the rule fail
Helm was not detected in the repository pipelines. Helm is the most used tool to manage Kubernetes applications and it is highly recommended to add it.

What SCMs is this rule eligible for
Github, Gitlab.

Will this rule work in local run
Eligible for local as well with the same behavior.

What CI/CD platforms is this rule eligible for
Github Actions, GitlabCI, JFrog Pipelines.

Should this rule be enabled by default
No.

Sample repos/orgs to test the rule
example how to use Helm

[New Rule] Prevent usage of python without specifying a version

It is recommended to specify a python version to prevent potential breaking changes due to patch updates.
You should specify the exact major and minor versions. The patch version is optional.

Bad practice:

steps:
- uses: actions/setup-python@v4
- run: python my_script.py

Recommended usage:

steps:
- uses: actions/setup-python@v4
  with:
    python-version: '3.7.5' 
- run: python my_script.py
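The four step-level rules requested on this page (Snyk with continue-on-error, plain text credentials in a step's with block, setup-node without node-version, setup-python without python-version) can all be evaluated by walking the steps of a workflow once. The Go below is an added example written for this page, not code from the allero repository; it consumes the workflow as JSON rather than YAML, which is an assumption chosen because the project keeps fetched pipelines in JSON repo files, and the set of credential-like input names (password, login, api_key, token), the function names and the sample workflow are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Step holds the subset of a GitHub Actions step that the four rules inspect.
// Workflows are consumed as JSON here (an assumption for this example); a YAML
// workflow would be converted to this shape first.
type Step struct {
	Name            string                 `json:"name"`
	Uses            string                 `json:"uses"`
	With            map[string]interface{} `json:"with"`
	ContinueOnError bool                   `json:"continue-on-error"`
}

// Workflow maps job names to their step lists; other workflow keys are ignored.
type Workflow struct {
	Jobs map[string]struct {
		Steps []Step `json:"steps"`
	} `json:"jobs"`
}

// secretRef matches a value that is exactly one ${{ secrets.NAME }} expression.
var secretRef = regexp.MustCompile(`^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$`)

// sensitiveInputs are `with:` keys that must never carry a literal value.
// The set is this example's assumption, seeded from the issue's three snippets
// (docker/login-action password, sonarqube login, bintray api_key).
var sensitiveInputs = map[string]bool{"password": true, "login": true, "api_key": true, "token": true}

// actionName strips the @ref suffix: "actions/setup-node@v3" -> "actions/setup-node".
func actionName(uses string) string { return strings.SplitN(uses, "@", 2)[0] }

// hasInput reports whether a `with:` key is present with a non-empty value
// (a numeric value such as node-version: 16 counts as present).
func hasInput(with map[string]interface{}, key string) bool {
	v, ok := with[key]
	return ok && v != nil && fmt.Sprint(v) != ""
}

// CheckWorkflow runs the four step-level rules over one workflow and returns
// sorted, human-readable findings (an empty slice means the workflow is clean).
func CheckWorkflow(raw string) ([]string, error) {
	var wf Workflow
	if err := json.Unmarshal([]byte(raw), &wf); err != nil {
		return nil, err
	}
	findings := []string{}
	for jobName, job := range wf.Jobs {
		for i, st := range job.Steps {
			where := fmt.Sprintf("%s/step[%d]", jobName, i)
			action := actionName(st.Uses)
			// Rule 1: a Snyk step must not be allowed to fail silently.
			if strings.HasPrefix(action, "snyk/actions") && st.ContinueOnError {
				findings = append(findings, where+": snyk step sets continue-on-error: true")
			}
			// Rule 2: credential inputs must come from the secrets context.
			for k, v := range st.With {
				if sensitiveInputs[strings.ToLower(k)] && !secretRef.MatchString(fmt.Sprint(v)) {
					findings = append(findings, fmt.Sprintf("%s: input %q is not a ${{ secrets.* }} reference", where, k))
				}
			}
			// Rules 3 and 4: runtime setup actions must pin a version.
			if action == "actions/setup-node" && !hasInput(st.With, "node-version") {
				findings = append(findings, where+": setup-node without node-version")
			}
			if action == "actions/setup-python" && !hasInput(st.With, "python-version") {
				findings = append(findings, where+": setup-python without python-version")
			}
		}
	}
	sort.Strings(findings) // map iteration order is random; keep output stable
	return findings, nil
}

// sampleWorkflow is a constructed workflow (JSON form) that trips three rules.
const sampleWorkflow = `{"jobs": {
  "security": {"steps": [
    {"uses": "actions/checkout@v3"},
    {"name": "Run Snyk", "uses": "snyk/actions/node@master", "continue-on-error": true}
  ]},
  "build": {"steps": [
    {"uses": "actions/setup-node@v3"},
    {"uses": "actions/setup-python@v4", "with": {"python-version": "3.7.5"}},
    {"name": "Login", "uses": "docker/login-action@v1",
     "with": {"username": "${{ secrets.JFROG_USER_WRITER }}", "password": "this_is_my_password"}}
  ]}
}}`

func main() {
	findings, err := CheckWorkflow(sampleWorkflow)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

The credential check is anchored (^ and $) on purpose: a value such as "prefix-${{ secrets.X }}" still embeds a literal and would be flagged, which is the conservative choice for a password or API key input. Two limits worth knowing before reusing this: continue-on-error may itself be an expression string in real workflows, which the bool field here would reject at decode time, and matching on the with key name will miss credentials passed through env instead.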
