Fixes for logic issues in entrypoint and in main files. (#7)

Author: dacoburn

Dockerfile

@@ -1,10 +1,9 @@
 # Use the official Python image as a base
 FROM python:3.9
-COPY src/socket_external_tools_runner.py /app/
-COPY src/core /app/
-COPY entrypoint.sh /app/
+COPY src/socket_external_tools_runner.py /
+COPY src/core /core
+COPY entrypoint.sh /
 ENV PATH=$PATH:/usr/local/go/bin
-WORKDIR /app
 
 # Setup Golang
 RUN curl -sfL https://go.dev/dl/go1.23.2.linux-amd64.tar.gz > go1.23.2.linux-amd64.tar.gz
@@ -18,11 +17,14 @@ RUN curl -sfL https://raw.githubusercontent.com/securego/gosec/master/install.sh
 # Install Trivy
 RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3
 
-# Install Bandit and Trufflehog using pip
-RUN pip install bandit trufflehog
+#Install Trufflehog
+# Install trufflehog
+RUN curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
+
+# Install Bandit
+RUN pip install bandit
 
 # Copy the entrypoint script and make it executable
-COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
 

entrypoint.sh

@@ -13,51 +13,58 @@ GOSEC_RULES=${INPUT_GOSEC_RULES:-}
 TRIVY_EXCLUDE_DIR=${INPUT_TRIVY_EXCLUDE_DIR:-}
 TRIVY_RULES=${INPUT_TRIVY_RULES:-}
 
+echo "Running Bandit"
 # Run Bandit with exclusion directories and rules if specified
-bandit_cmd="bandit -r . -f json -o /tmp/bandit_output.json"
+bandit_cmd="bandit -r $GITHUB_WORKSPACE -f json -o /tmp/bandit_output.json"
 if [[ -n "$BANDIT_EXCLUDE_DIR" ]]; then
   bandit_cmd+=" --exclude $BANDIT_EXCLUDE_DIR"
 fi
 if [[ -n "$BANDIT_RULES" ]]; then
   bandit_cmd+=" --skip $BANDIT_RULES"
 fi
-eval $bandit_cmd
+eval $bandit_cmd || :
 
+echo "Running gosec"
 # Run Gosec with exclusion directories and rules if specified
-gosec_cmd="gosec -fmt json -out /tmp/gosec_output.json ./..."
+gosec_cmd="gosec -fmt json -out /tmp/gosec_output.json "
 if [[ -n "$GOSEC_EXCLUDE_DIR" ]]; then
   gosec_cmd+=" -exclude-dir=$GOSEC_EXCLUDE_DIR"
 fi
 if [[ -n "$GOSEC_RULES" ]]; then
   gosec_cmd+=" -severity=$GOSEC_RULES"
 fi
-go mod tidy
-go mod download
-eval $gosec_cmd
+gosec_cmd+=" $GITHUB_WORKSPACE/..."
+eval $gosec_cmd || :
 
+echo "Running Trivy"
 # Run Trivy with exclusion directories and rules if specified
-trivy_cmd="trivy fs --format json --output /tmp/trivy_output.json ."
+trivy_cmd="trivy fs --format json --output /tmp/trivy_output.json"
 if [[ -n "$TRIVY_EXCLUDE_DIR" ]]; then
-  trivy_cmd+=" --ignore $TRIVY_EXCLUDE_DIR"
+  trivy_cmd+=" --skip-dirs $TRIVY_EXCLUDE_DIR"
 fi
 if [[ -n "$TRIVY_RULES" ]]; then
   trivy_cmd+=" --severity $TRIVY_RULES"
 fi
-eval $trivy_cmd
+trivy_cmd+=" $GITHUB_WORKSPACE"
+eval $trivy_cmd || :
 
+echo "Running Trufflehog"
 # Run Trufflehog with exclusion directories and rules if specified
-trufflehog_cmd="trufflehog filesystem --json . > /tmp/trufflehog_output.json"
+trufflehog_cmd="trufflehog filesystem "
 TRUFFLEHOG_EXCLUDE_FILE=$(mktemp)
 if [[ -n "$TRUFFLEHOG_EXCLUDE_DIR" ]]; then
   IFS=',' read -ra EXCLUDE_DIRS <<< "$TRUFFLEHOG_EXCLUDE_DIR"
   for dir in "${EXCLUDE_DIRS[@]}"; do
     echo "$dir" >> "$TRUFFLEHOG_EXCLUDE_FILE"
   done
+  trufflehog_cmd+=" -x $TRUFFLEHOG_EXCLUDE_FILE"
 fi
 if [[ -n "$TRUFFLEHOG_RULES" ]]; then
   trufflehog_cmd+=" --rules $TRUFFLEHOG_RULES"
 fi
-eval $trufflehog_cmd
+trufflehog_cmd+=" --no-verification -j $GITHUB_WORKSPACE > /tmp/trufflehog_output.json"
+eval $trufflehog_cmd || :
 
 # Execute the custom Python script to process findings
+mv /tmp/*.json .
 python socket_external_tools_runner.py

src/core/connectors/bandit/__init__.py

@@ -1,4 +1,4 @@
-from src.core.connectors.bandit.classes import BanditTestResult
+from core.connectors.bandit.classes import BanditTestResult
 from mdutils import MdUtils
 from typing import Union
 
@@ -14,7 +14,7 @@ def process_output(data: dict, cwd: str) -> dict:
             "output": [],
             # "code": []
         }
-        if len(results) > 0:
+        if results is not None and len(results) > 0:
             for test in results:
                 test_result = BanditTestResult(**test, cwd=cwd)
                 tests.append(test_result)
@@ -47,7 +47,7 @@ def create_output(data: dict, marker: str, repo: str, commit: str, cwd: str) ->
                     file = output.url.replace("REPO_REPLACE", repo).replace("COMMIT_REPLACE", commit)
                     file_name = f"[{output.filename}]({file})"
                 else:
-                    file_name = output.filename
+                    file_name = f"`{output.filename}`"
                 md.new_line(f"**{output.issue_text}**")
                 md.new_line(f"**Severity**: `{output.issue_severity}`")
                 md.new_line(f"**Filename:** {file_name}")

src/core/connectors/bandit/classes.py

@@ -1,5 +1,5 @@
 import json
-from src.core import base_github
+from core import base_github
 
 
 class BanditTestResult:

src/core/connectors/gosec/__init__.py

@@ -1,4 +1,4 @@
-from src.core.connectors.gosec.classes import GosecTestResult
+from core.connectors.gosec.classes import GosecTestResult
 from mdutils import MdUtils
 from typing import Union
 
@@ -14,21 +14,22 @@ def process_output(data: dict, cwd: str) -> dict:
             "output": [],
             # "code": []
         }
-        for test in results:
-            test_result = GosecTestResult(**test, cwd=cwd)
-            tests.append(test_result)
-            test_name = f"{test_result.rule_id}_{test_result.severity}"
-            if test_result.severity not in metrics["severities"]:
-                metrics["severities"][test_result.severity] = 1
-            else:
-                metrics["severities"][test_result.severity] += 1
+        if results is not None and len(results) > 0:
+            for test in results:
+                test_result = GosecTestResult(**test, cwd=cwd)
+                tests.append(test_result)
+                test_name = f"{test_result.rule_id}_{test_result.severity}"
+                if test_result.severity not in metrics["severities"]:
+                    metrics["severities"][test_result.severity] = 1
+                else:
+                    metrics["severities"][test_result.severity] += 1
 
-            if test_name not in metrics["tests"]:
-                metrics["tests"][test_name] = 1
-            else:
-                metrics["tests"][test_name] += 1
-            metrics["output"].append(test_result)
-            # metrics["code"].append(test_result.code)
+                if test_name not in metrics["tests"]:
+                    metrics["tests"][test_name] = 1
+                else:
+                    metrics["tests"][test_name] += 1
+                metrics["output"].append(test_result)
+                # metrics["code"].append(test_result.code)
 
         return metrics
 
@@ -47,7 +48,7 @@ def create_output(data: dict, marker: str, repo: str, commit: str, cwd: str) ->
                     file = output.url.replace("REPO_REPLACE", repo).replace("COMMIT_REPLACE", commit)
                     file_name = f"[{output.file}]({file})"
                 else:
-                    file_name = output.file
+                    file_name = f"`{output.file}`"
                 md.new_line(f"**{output.details}**")
                 md.new_line(f"**Severity**: `{output.severity}`")
                 md.new_line(f"**Filename:** {file_name}")

src/core/connectors/gosec/classes.py

@@ -1,5 +1,5 @@
 import json
-from src.core import base_github
+from core import base_github
 
 
 class GosecTestResult:

src/core/connectors/trufflehog/__init__.py

@@ -1,4 +1,4 @@
-from src.core.connectors.trufflehog.classes import TrufflehogTestResult
+from core.connectors.trufflehog.classes import TrufflehogTestResult
 from mdutils import MdUtils
 from typing import Union
 
@@ -14,24 +14,24 @@ def process_output(data: dict, cwd: str) -> dict:
             "output": [],
             # "code": []
         }
-        for test in results:
-            test_result = TrufflehogTestResult(**test, cwd=cwd)
-            metadata = test_result.SourceMetadata.get('Data')
-            if metadata is not None:
-                test_result.file = metadata['Filesystem']['file'].lstrip("./").lstrip("/")
-                test_result.file.replace(cwd, "")
-                test_result.line = metadata['Filesystem'].get('line')
-                if test_result.line is not None:
-                    test_result.url = test_result.set_url()
-            test_name = f"secret_{test_result.DetectorName}_{test_result.DecoderName}"
-            if test_name not in metrics["tests"]:
-                metrics["tests"][test_name] = 1
-            else:
-                metrics["tests"][test_name] += 1
-            tests.append(test_result)
-            metrics["output"].append(test_result)
-            # metrics["code"].append(test_result.code)
-
+        if results is not None and len(results) > 0:
+            for test in results:
+                test_result = TrufflehogTestResult(**test, cwd=cwd)
+                metadata = test_result.SourceMetadata.get('Data')
+                if metadata is not None:
+                    test_result.file = metadata['Filesystem']['file'].lstrip("./").lstrip("/")
+                    test_result.file.replace(cwd, "")
+                    test_result.line = metadata['Filesystem'].get('line')
+                    if test_result.line is not None:
+                        test_result.url = test_result.set_url()
+                test_name = f"secret_{test_result.DetectorName}_{test_result.DecoderName}"
+                if test_name not in metrics["tests"]:
+                    metrics["tests"][test_name] = 1
+                else:
+                    metrics["tests"][test_name] += 1
+                tests.append(test_result)
+                metrics["output"].append(test_result)
+                # metrics["code"].append(test_result.code)
         return metrics
 
     @staticmethod
@@ -49,11 +49,11 @@ def create_output(data: dict, marker: str, repo: str, commit: str, cwd: str) ->
                     file = output.url.replace("REPO_REPLACE", repo).replace("COMMIT_REPLACE", commit)
                     file_name = f"[{output.file}]({file})"
                 else:
-                    file_name = output.file
+                    file_name = f"`{output.file}`"
                 md.new_line(f"**Detection:** {output.DetectorName} - {output.DecoderName}")
                 md.new_line(f"**Source Type**: `{output.SourceName}`")
                 md.new_line(f"**Filename:** {file_name}")
-                md.new_line(f"**Detected Secret:** {output.Raw}")
+                # md.new_line(f"**Detected Secret:** {output.Raw}")
                 md.new_line("<br>")
                 md.new_line()
             md.create_md_file()

src/core/connectors/trufflehog/classes.py

@@ -1,5 +1,5 @@
 import json
-from src.core import base_github
+from core import base_github
 
 
 class TrufflehogTestResult:

src/core/scm/__init__.py

@@ -1,4 +1,4 @@
-from src.core.scm.github import Github
+from core.scm.github import Github
 
 
 class SCM:

src/core/scm/github.py

@@ -1,7 +1,7 @@
 import json
 import os
 from github import Github, Repository, PullRequest, IssueComment
-from src.core import log
+from core import log
 
 
 repo: Repository
@@ -13,7 +13,7 @@
 with open(event_path, 'r') as f:
     event_data = json.load(f)
 # Extract the pull request number from the event data
-pr_number = event_data["number"] if "pull_request" in event_data else None
+pr_number = event_data["pull_request"]["number"] if "pull_request" in event_data else None
 if pr_number is None:
     log.warn("Unable to get PR number from event data, assuming not a PR")
     exit(0)
@@ -88,4 +88,5 @@ def post_comment(tool_name: str, marker: str, issues: str = None):
             else:
                 pull_request.create_issue_comment(comment_body)
         else:
-            existing_comment.delete()
+            if existing_comment is not None:
+                existing_comment.delete()