Add DevSecOps page with security news and examples; update project dependencies #67

Open. Wants to merge 3 commits into base: main
2 changes: 2 additions & 0 deletions samples/Dockerfile-01
@@ -0,0 +1,2 @@
FROM alpine:3.14.0
RUN echo "testuser:x:10999:10999:,,,:/home/testuser:/bin/bash" >> /etc/passwd && echo "testuser::18761:0:99999:7:::" >> /etc/shadow
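Review bot: the shadow entry appended on line 2, `testuser::18761:0:99999:7:::`, has an empty password field, so the account ends up with no password at all, and the passwd entry gives it `/bin/bash`, which the alpine base image does not ship; appending raw lines also bypasses `adduser`, so no matching group entry is created. If this file is meant as scanner bait for the DevSecOps page, say so in a Dockerfile comment; otherwise create the user with `adduser -D -s /bin/sh testuser` and lock it with `passwd -l testuser`. `alpine:3.14.0` is also an end-of-life release and should be bumped to a supported tag.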
129 changes: 129 additions & 0 deletions samples/Pipfile.lock

Some generated files are not rendered by default.

189 changes: 189 additions & 0 deletions samples/example-02.tf
@@ -0,0 +1,189 @@
resource "azurerm_resource_group" "myresourcegroup" {
name = "${var.prefix}-workshop"
location = var.location

tags = {
environment = "Production"
}
}

resource "azurerm_virtual_network" "vnet" {
name = "${var.prefix}-vnet"
location = azurerm_resource_group.myresourcegroup.location
address_space = [var.address_space]
resource_group_name = azurerm_resource_group.myresourcegroup.name
}

resource "azurerm_subnet" "subnet" {
name = "${var.prefix}-subnet"
virtual_network_name = azurerm_virtual_network.vnet.name
resource_group_name = azurerm_resource_group.myresourcegroup.name
address_prefixes = [var.subnet_prefix]
}

resource "azurerm_network_security_group" "catapp-sg" {
name = "${var.prefix}-sg"
location = var.location
resource_group_name = azurerm_resource_group.myresourcegroup.name

security_rule {
name = "HTTP"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "80"
source_address_prefix = "*"
destination_address_prefix = "*"
}

security_rule {
name = "HTTPS"
priority = 102
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "443"
source_address_prefix = "*"
destination_address_prefix = "*"
}

security_rule {
name = "SSH"
priority = 101
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
}
}

Check failure (Code scanning / checkov): Ensure that HTTP (port 80) access is restricted from the internet

Check failure (Code scanning / checkov): Ensure that SSH access is restricted from the internet

Check failure (Code scanning / defsec, reported three times): An inbound network security rule allows traffic from /0. Security group rule allows ingress from public internet.

Check failure (Code scanning / defsec): SSH access should not be accessible from the Internet, should be blocked on port 22. Security group rule allows ingress to SSH port from multiple public internet addresses.

resource "azurerm_network_interface" "catapp-nic" {
name = "${var.prefix}-catapp-nic"
location = var.location
resource_group_name = azurerm_resource_group.myresourcegroup.name

ip_configuration {
name = "${var.prefix}ipconfig"
subnet_id = azurerm_subnet.subnet.id
private_ip_address_allocation = "Dynamic"
public_ip_address_id = azurerm_public_ip.catapp-pip.id
}
}

Check notice (Code scanning / checkov): Ensure that Network Interfaces don't use public IPs

resource "azurerm_network_interface_security_group_association" "catapp-nic-sg-ass" {
network_interface_id = azurerm_network_interface.catapp-nic.id
network_security_group_id = azurerm_network_security_group.catapp-sg.id
}

resource "azurerm_public_ip" "catapp-pip" {
name = "${var.prefix}-ip"
location = var.location
resource_group_name = azurerm_resource_group.myresourcegroup.name
allocation_method = "Dynamic"
domain_name_label = "${var.prefix}-meow"
}

resource "azurerm_virtual_machine" "catapp" {
name = "${var.prefix}-meow"
location = var.location
resource_group_name = azurerm_resource_group.myresourcegroup.name
vm_size = var.vm_size

network_interface_ids = [azurerm_network_interface.catapp-nic.id]
delete_os_disk_on_termination = "true"

storage_image_reference {
publisher = var.image_publisher
offer = var.image_offer
sku = var.image_sku
version = var.image_version
}

storage_os_disk {
name = "${var.prefix}-osdisk"
managed_disk_type = "Standard_LRS"
caching = "ReadWrite"
create_option = "FromImage"
}

os_profile {
computer_name = var.prefix
admin_username = var.admin_username
admin_password = var.admin_password
}

os_profile_linux_config {
disable_password_authentication = false
}

tags = {}

# Added to allow destroy to work correctly.
depends_on = [azurerm_network_interface_security_group_association.catapp-nic-sg-ass]
}

Check notice (Code scanning / checkov): Ensure Azure Instance does not use basic authentication (Use SSH Key Instead)

Check notice (Code scanning / checkov): Ensure that Microsoft Antimalware is configured to automatically updates for Virtual Machines

Check notice (Code scanning / checkov): Ensure that virtual machines are backed up using Azure Backup

Check failure (Code scanning / defsec): Password authentication should be disabled on Azure virtual machines. Linux virtual machine allows password authentication.

# We're using a little trick here so we can run the provisioner without
# destroying the VM. Do not do this in production.

# If you need ongoing management (Day N) of your virtual machines a tool such
# as Chef or Puppet is a better choice. These tools track the state of
# individual files and can keep them in the correct configuration.

# Here we do the following steps:
# Sync everything in files/ to the remote VM.
# Set up some environment variables for our script.
# Add execute permissions to our scripts.
# Run the deploy_app.sh script.
resource "null_resource" "configure-cat-app" {
depends_on = [
azurerm_virtual_machine.catapp,
]

# Terraform 0.11
# triggers {
# build_number = "${timestamp()}"
# }

# Terraform 0.12
triggers = {
build_number = timestamp()
}

provisioner "file" {
source = "files/"
destination = "/home/${var.admin_username}/"

connection {
type = "ssh"
user = var.admin_username
password = var.admin_password
host = azurerm_public_ip.catapp-pip.fqdn
}
}

provisioner "remote-exec" {
inline = [
"sudo apt -y update",
"sleep 15",
"sudo apt -y update",
"sudo apt -y install apache2",
"sudo systemctl start apache2",
"sudo chown -R ${var.admin_username}:${var.admin_username} /var/www/html",
"chmod +x *.sh",
"PLACEHOLDER=${var.placeholder} WIDTH=${var.width} HEIGHT=${var.height} PREFIX=${var.prefix} ./deploy_app.sh",
]

connection {
type = "ssh"
user = var.admin_username
password = var.admin_password
host = azurerm_public_ip.catapp-pip.fqdn
}
}
}
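Review bot: the SSH rule (priority 101) and the HTTP/HTTPS rules all set `source_address_prefix = "*"`, and `os_profile_linux_config` has `disable_password_authentication = false` while both `connection` blocks authenticate with `password = var.admin_password` against the public FQDN; this is exactly what the checkov and defsec failures above report. Restrict at least the SSH rule's `source_address_prefix` to a management CIDR (or drop the rule and reach the VM through a bastion), set `disable_password_authentication = true` with an `ssh_keys` block, and switch the provisioner `connection` blocks to `private_key`; `var.admin_password` is then unused and can be removed. Two smaller points: `delete_os_disk_on_termination = "true"` is a quoted string for a boolean argument, inconsistent with `disable_password_authentication = false` a few lines down, and `triggers = { build_number = timestamp() }` re-runs both provisioners, `apt install` included, on every apply, as the comment admits. If the sample is meant to fail scanning on purpose, a header comment listing the expected findings would keep reviewers from re-raising them.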
2 changes: 2 additions & 0 deletions samples/insecure-01.js
@@ -0,0 +1,2 @@
let injection = "Hello, security vulnerabilities!";
eval(`console.log(\"${injection}\");`);
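Review bot: `eval` on line 2 turns the contents of `injection` into executable code, so the string is treated as code instead of data; the `\"` escapes are also redundant inside a template literal, where `"` needs no escaping. `console.log(injection)` prints the same text without `eval`. If the file exists to exercise the scanners, a comment saying so would stop the next reviewer from proposing the same fix.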
Copilot AI, May 12, 2025:

Using eval with interpolated input can lead to code injection vulnerabilities; avoid eval and use safer alternatives for executing dynamic code.

Suggested change: replace
eval(`console.log(\"${injection}\");`);
with
console.log(injection);

26 changes: 26 additions & 0 deletions samples/insecure-01.py
@@ -0,0 +1,26 @@
#Commented out sample to pass scanning

import hashlib
print("I am very insecure. Bandit thinks so too.")
#B110
xs=[1,2,3,4,5,6,7,8]
try:
print(xs[7])
print(xs[8])
except: pass

Check notice (Code scanning / CodeQL): Empty except. 'except' clause does nothing but pass and there is no explanatory comment.

Copilot Autofix (AI, 17 days ago):

To fix the issue, we need to replace the empty except: block with proper exception handling. This involves:

  1. Avoiding the use of a bare except: clause. Instead, specify the type of exception(s) to catch.
  2. Adding meaningful handling logic, such as logging the error or taking corrective action.
  3. If the exception is genuinely safe to ignore, include a comment explaining why.

For this specific case:

  • On line 10, the code attempts to access an out-of-range index in the list xs. We can catch the IndexError and log a message indicating the issue.
  • On line 16, the except: block should also be updated to handle TypeError explicitly and include a comment explaining why the exception is being ignored.

Suggested changeset 1: samples/insecure-01.py

Autofix patch (run the following command in your local git repository to apply it):
cat << 'EOF' | git apply
diff --git a/samples/insecure-01.py b/samples/insecure-01.py
--- a/samples/insecure-01.py
+++ b/samples/insecure-01.py
@@ -9,3 +9,4 @@
     print(xs[8])
-except: pass
+except IndexError as e:
+    print(f"IndexError encountered: {e}")
 
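Review bot: the replacement catches and prints the IndexError, but `print(xs[8])` on an 8-element list raises every time, so the patch reports a guaranteed bug on each run instead of fixing the index; correct the index (or bounds-check it) and drop the try/except, and if a handler is kept, use `logging` rather than `print`.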
@@ -15,3 +16,5 @@
         print(str(y+3)) #TypeErrors ahead
-    except: continue #not how to handle them
+    except TypeError:
+        # Skipping None values in the list
+        continue
 
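Review bot: narrowing to TypeError is the right direction, but the comment `# Skipping None values in the list` asserts something the code never checks; an explicit `if y is None: continue` before `y+3` makes the intent verifiable and removes the exception-driven control flow altogether.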
EOF

Check notice (Code scanning / CodeQL): Except block handles 'BaseException'. Except block directly handles BaseException.

Copilot Autofix (AI, 17 days ago):

To fix the issue, we will replace the bare except: block with an except Exception: block. This ensures that only exceptions derived from Exception are caught, leaving KeyboardInterrupt and SystemExit to propagate as intended. Additionally, we will review the second bare except: block on line 16 and replace it with except Exception: for consistency and correctness.


Suggested changeset 1: samples/insecure-01.py

Autofix patch (run the following command in your local git repository to apply it):
cat << 'EOF' | git apply
diff --git a/samples/insecure-01.py b/samples/insecure-01.py
--- a/samples/insecure-01.py
+++ b/samples/insecure-01.py
@@ -9,3 +9,3 @@
     print(xs[8])
-except: pass
+except Exception: pass
 
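Review bot: `except Exception: pass` clears CodeQL's BaseException finding but still swallows the error silently, so Bandit's 'Try, Except, Pass' warning (the B110 the file's own comment names) remains; catch IndexError specifically and log it, or remove the out-of-range access.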
@@ -15,3 +15,3 @@
         print(str(y+3)) #TypeErrors ahead
-    except: continue #not how to handle them
+    except Exception: continue #not how to handle them
 
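Review bot: same point for the loop: `except Exception: continue` still trips Bandit's 'Try, Except, Continue' check; narrow it to TypeError and replace the `#not how to handle them` comment with one stating why None values are skipped.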
EOF

Check warning (Code scanning / Bandit): Try, Except, Pass detected.

ys=[1, 2, None, None]
for y in ys:
try:
print(str(y+3)) #TypeErrors ahead
except: continue #not how to handle them

Check notice (Code scanning / CodeQL): Except block handles 'BaseException'. Except block directly handles BaseException.

Copilot Autofix (AI, 17 days ago):

To fix the issue, the except: block on line 16 should be replaced with an except Exception: block. This ensures that only exceptions derived from Exception are caught, leaving KeyboardInterrupt and SystemExit to propagate as intended. This change aligns with Python best practices and the CodeQL recommendation.

Additionally, the continue statement in the except block will remain unchanged, as it is necessary to skip the current iteration of the loop when an exception occurs.


Suggested changeset 1: samples/insecure-01.py

Autofix patch (run the following command in your local git repository to apply it):
cat << 'EOF' | git apply
diff --git a/samples/insecure-01.py b/samples/insecure-01.py
--- a/samples/insecure-01.py
+++ b/samples/insecure-01.py
@@ -15,3 +15,3 @@
         print(str(y+3)) #TypeErrors ahead
-    except: continue #not how to handle them
+    except Exception: continue #not how to handle them
 
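Review bot: this hunk is byte-for-byte the second hunk of the previous autofix; whichever of the two patches is applied second will fail with a context mismatch on `-    except: continue`, so apply only one of them, and as noted there TypeError is the exception to catch, not Exception.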
EOF

Check warning (Code scanning / Bandit): Try, Except, Continue detected.

Copilot AI, May 12, 2025:

Using a bare except clause can hide unexpected errors; consider catching specific exceptions and logging error details for better clarity.

Suggested change: replace
except: pass
ys=[1, 2, None, None]
for y in ys:
    try:
        print(str(y+3)) #TypeErrors ahead
    except: continue #not how to handle them
with
except IndexError as e:
    print(f"IndexError occurred: {e}")
ys=[1, 2, None, None]
for y in ys:
    try:
        print(str(y+3)) #TypeErrors ahead
    except TypeError as e:
        print(f"TypeError occurred: {e}")
        continue



#some imports
import telnetlib

Check notice (Code scanning / CodeQL): Unused import. Import of 'telnetlib' is not used.

Copilot Autofix (AI, 17 days ago):

To fix the problem, we should remove the unused import telnetlib statement from the code. This will eliminate the unnecessary dependency and improve code readability without affecting the functionality of the script.

Suggested changeset 1: samples/insecure-01.py

Autofix patch (run the following command in your local git repository to apply it):
cat << 'EOF' | git apply
diff --git a/samples/insecure-01.py b/samples/insecure-01.py
--- a/samples/insecure-01.py
+++ b/samples/insecure-01.py
@@ -18,3 +18,2 @@
 #some imports
-import telnetlib
 import ftplib
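Review bot: this patch and the following one (removing `import ftplib`) each list the other module's import as unchanged context, so whichever is applied second fails on a context mismatch; fold both removals into one hunk. Since the file announces itself as deliberately insecure, the imports are probably there as scanner bait, in which case a comment stating that would stop autofix from proposing the deletion again.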
EOF
import ftplib

Check notice (Code scanning / CodeQL): Unused import. Import of 'ftplib' is not used.

Copilot Autofix (AI, 17 days ago):

To fix the problem, we will remove the unused import ftplib statement from the code. This will eliminate the unnecessary dependency and improve code readability without affecting the functionality of the script.

Suggested changeset 1: samples/insecure-01.py

Autofix patch (run the following command in your local git repository to apply it):
cat << 'EOF' | git apply
diff --git a/samples/insecure-01.py b/samples/insecure-01.py
--- a/samples/insecure-01.py
+++ b/samples/insecure-01.py
@@ -19,3 +19,2 @@
 import telnetlib
-import ftplib
 
EOF

#B303 and B324
s = b"I am a string"
print("MD5: " +hashlib.md5(s).hexdigest())

Check warning (Code scanning / Bandit): Use of insecure MD2, MD4, MD5, or SHA1 hash function.
print("SHA1: " +hashlib.sha1(s).hexdigest())

Check warning (Code scanning / Bandit): Use of insecure MD2, MD4, MD5, or SHA1 hash function.
print("SHA256: " +hashlib.sha256(s).hexdigest())
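Review bot: beyond the bare `except` and weak-hash findings the scanners raised, `import telnetlib` fails on Python 3.13, where telnetlib was removed (PEP 594), so the sample will not even import there; the header comment `#Commented out sample to pass scanning` is stale since nothing is commented out; and `print(xs[8])` on an 8-element list raises unconditionally, so the try/except hides a guaranteed bug rather than an occasional one. For the hashes, `hashlib.sha256` is the replacement where the digest is security-relevant, and `hashlib.md5(s, usedforsecurity=False)` (Python 3.9+) documents a non-security use, which Bandit's hash check honours. If the file is deliberately insecure, as its own print statement says, a per-finding comment naming the expected Bandit or CodeQL rule would make that explicit for reviewers and autofix alike.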
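As an added example (mine, not code from this pull request), the hardened counterparts to the three patterns the scanners flagged in samples/insecure-01.py: a bounds check in place of the try/except around `xs[8]`, a loop that catches only TypeError so that a KeyboardInterrupt raised inside the body still propagates (the CodeQL point about BaseException), and SHA-256 in place of MD5/SHA-1, with `usedforsecurity=False` shown for the genuinely non-security case. The function names, the `Interrupting` class and the sample inputs are this example's own constructions; `propagates_interrupt` exists only to make the propagation difference observable.

```python
"""Hardened counterparts to the patterns flagged in samples/insecure-01.py.

Added example; not code from the pull request. Function and class names
(safe_index, add_three, Interrupting, ...) are this example's own.
"""
import hashlib
import logging
from typing import Callable, Iterable, Optional

log = logging.getLogger(__name__)


def safe_index(xs: list, i: int) -> Optional[int]:
    """Return xs[i], or None when i is out of range.

    An explicit bounds check replaces try/except around the access; in the
    sample, print(xs[8]) on an 8-element list raised IndexError every time.
    """
    return xs[i] if -len(xs) <= i < len(xs) else None


def add_three(values: Iterable) -> tuple[list[int], int]:
    """Add 3 to every numeric value; skip the rest and count the skips.

    Only TypeError is caught, so a KeyboardInterrupt or SystemExit raised
    inside the try block still propagates (a bare `except:` catches both).
    """
    results: list[int] = []
    skipped = 0
    for y in values:
        try:
            results.append(y + 3)
        except TypeError:
            # None (or any non-numeric value) cannot be added to an int: log and skip.
            log.debug("skipping non-numeric value %r", y)
            skipped += 1
    return results, skipped


def add_three_bare_except(values: Iterable) -> list[int]:
    """The sample's pattern, kept only to contrast with add_three."""
    results = []
    for y in values:
        try:
            results.append(y + 3)
        except:  # noqa: E722 - swallows KeyboardInterrupt and SystemExit too
            continue
    return results


class Interrupting:
    """Constructed value whose addition raises KeyboardInterrupt.

    It stands in for a Ctrl-C arriving while the loop body is running.
    """

    def __add__(self, other):
        raise KeyboardInterrupt


def propagates_interrupt(fn: Callable[[Iterable], object]) -> bool:
    """True if fn lets a KeyboardInterrupt from the loop body escape."""
    try:
        fn([1, Interrupting(), 2])
    except KeyboardInterrupt:
        return True
    return False


def fingerprint(data: bytes) -> str:
    """Hex SHA-256 digest; the replacement for the MD5/SHA-1 calls Bandit flags."""
    return hashlib.sha256(data).hexdigest()


def legacy_md5_checksum(data: bytes) -> str:
    """MD5 for a non-security purpose, e.g. matching a checksum a legacy
    system already publishes.

    usedforsecurity=False (Python 3.9+) records that intent, and Bandit's
    weak-hash check honours the flag.
    """
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


if __name__ == "__main__":
    xs = [1, 2, 3, 4, 5, 6, 7, 8]
    print(safe_index(xs, 7), safe_index(xs, 8))          # 8 None
    print(add_three([1, 2, None, None]))                 # ([4, 5], 2)
    print(propagates_interrupt(add_three),               # True
          propagates_interrupt(add_three_bare_except))   # False
    print(fingerprint(b"I am a string"))
```

Running the module shows the contrast directly: `add_three_bare_except` returns `[4, 5]` when handed the interrupting value, because the bare `except` ate the KeyboardInterrupt, while `add_three` lets it escape and is therefore stoppable with Ctrl-C.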