diff --git a/.github/workflows/kpi_scans.yml b/.github/workflows/kpi_scans.yml index 772ca5129..3f7467bde 100644 --- a/.github/workflows/kpi_scans.yml +++ b/.github/workflows/kpi_scans.yml @@ -27,8 +27,7 @@ jobs: - uses: actions/checkout@v4 - id: load_json run : | - content=$(cat ./kpi_scan/kpi_repo_list.json | jq -c) - echo "matrix=$content" >> $GITHUB_OUTPUT + echo "matrix=$(npx --yes json5 ./kpi_scan/kpi_repo_list.json5)" >> $GITHUB_OUTPUT build: needs: [build_and_push_docker_image, load_repo_list] name: Run KPI scans diff --git a/.github/workflows/kpi_scans_staging.yml b/.github/workflows/kpi_scans_staging.yml index fb0c6cb61..807d2eded 100644 --- a/.github/workflows/kpi_scans_staging.yml +++ b/.github/workflows/kpi_scans_staging.yml @@ -27,8 +27,7 @@ jobs: - uses: actions/checkout@v4 - id: load_json run : | - content=$(cat ./kpi_scan/kpi_repo_list.json | jq -c) - echo "matrix=$content" >> $GITHUB_OUTPUT + echo "matrix=$(npx --yes json5 ./kpi_scan/kpi_repo_list.json5)" >> $GITHUB_OUTPUT build: needs: [build_and_push_docker_image, load_repo_list] name: Run Staging KPI scans diff --git a/.github/workflows/version_comparison.yml b/.github/workflows/version_comparison.yml new file mode 100644 index 000000000..7c07f366e --- /dev/null +++ b/.github/workflows/version_comparison.yml @@ -0,0 +1,78 @@ +name: Version Comparison +on: + workflow_dispatch: + inputs: + baseRef: + description: 'Base CLI ref (tag/branch/SHA)' + baseRulesRef: + description: 'Base rules ref' + testRef: + description: 'Test CLI ref (tag/branch/SHA)' + testRulesRef: + description: 'Test rules ref' + +jobs: + setup: + name: Setup version comparison + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.load_json.outputs.matrix }} + steps: + - uses: actions/checkout@v4 + - id: load_json + run : | + echo "matrix=$(npx --yes json5 ./kpi_scan/kpi_repo_list.json5)" >> $GITHUB_OUTPUT + - name: Set up Go + uses: actions/setup-go@v4 + with: + go-version: 1.21 + - name: Checkout base CLI + uses: actions/checkout@v4 + with: + repository: bearer/bearer + ref: ${{ inputs.baseRef }} + path: base-cli + - name: Checkout base rules + uses: actions/checkout@v4 + with: + repository: bearer/bearer-rules + ref: ${{ inputs.baseRulesRef }} + path: base-rules + - name: Build base CLI + run: | + go build -o base-bearer ./base-cli/cmd/bearer/main.go + - name: Checkout test CLI + uses: actions/checkout@v4 + with: + repository: bearer/bearer + ref: ${{ inputs.testRef }} + path: test-cli + - name: Checkout test rules + uses: actions/checkout@v4 + with: + repository: bearer/bearer-rules + ref: ${{ inputs.testRulesRef }} + path: test-rules + - name: Build test CLI + run: | + go build -o test-bearer ./test-cli/cmd/bearer/main.go + + test: + needs: [setup] + name: Run version comparison scans for ${{ matrix.name }} + runs-on: ubuntu-latest + strategy: + matrix: ${{fromJson(needs.setup.outputs.matrix)}} + steps: + - name: Checkout KPI repo + uses: actions/checkout@v4 + with: + repository: ${{ matrix.repository_url }} + path: ${{ matrix.name }} + - run: | + ./base-bearer scan ${{ matrix.name }} --format json --exit-code 0 | jq > base.json + - run: | + ./test-bearer scan ${{ matrix.name }} --format json --exit-code 0 | jq > test.json + - run: | + diff -u base.json test.json + diff --git a/kpi_scan/kpi_repo_list.json b/kpi_scan/kpi_repo_list.json deleted file mode 100644 index 422b7d9aa..000000000 --- a/kpi_scan/kpi_repo_list.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "repository_url": [ - "https://github.com/juice-shop/juice-shop", - "https://github.com/OWASP/railsgoat", - "https://github.com/OWASP/NodeGoat", - "https://github.com/WebGoat/WebGoat", - "https://github.com/forem/forem", - "https://github.com/freeCodeCamp/chapter", - "https://github.com/mastodon/mastodon", - "https://github.com/frab/frab", - "https://github.com/discourse/discourse", - "https://github.com/diaspora/diaspora", - "https://github.com/TryGhost/Ghost", - "https://github.com/wekan/wekan", - "https://gitlab.com/gitlab-org/gitlab", - "https://github.com/grafana/grafana" - ] -} \ No newline at end of file diff --git a/kpi_scan/kpi_repo_list.json5 b/kpi_scan/kpi_repo_list.json5 new file mode 100644 index 000000000..89676c786 --- /dev/null +++ b/kpi_scan/kpi_repo_list.json5 @@ -0,0 +1,36 @@ +{ + "include": [ + // ruby + { "name": "railsgoat", "repository_url": "https://github.com/Bearer/railsgoat" }, + { "name": "mastodon", "repository_url": "https://github.com/mastodon/mastodon" }, + { "name": "frab", "repository_url": "https://github.com/frab/frab" }, + { "name": "discourse", "repository_url": "https://github.com/discourse/discourse" }, + { "name": "diaspora", "repository_url": "https://github.com/diaspora/diaspora" }, + { "name": "gitlab", "repository_url": "https://gitlab.com/gitlab-org/gitlab" }, + { "name": "chatwoot", "repository_url": "https://github.com/chatwoot/chatwoot" }, + { "name": "postal", "repository_url": "https://github.com/postalserver/postal" }, + { "name": "forem", "repository_url": "https://github.com/forem/forem" }, + { "name": "openstreetmap-website", "repository_url": "https://github.com/openstreetmap/openstreetmap-website" }, + { "name": "loomio", "repository_url": "https://github.com/loomio/loomio" }, + { "name": "rdv-solidarites.fr", "repository_url": "https://github.com/betagouv/rdv-solidarites.fr" }, + // javascript + { "name": "juice-shop", "repository_url": "https://github.com/Bearer/juice-shop" }, + { "name": "NodeGoat", "repository_url": "https://github.com/Bearer/NodeGoat" }, + { "name": "chapter", "repository_url": "https://github.com/freeCodeCamp/chapter" }, + { "name": "Ghost", "repository_url": "https://github.com/TryGhost/Ghost" }, + { "name": "wekan", "repository_url": "https://github.com/wekan/wekan" }, + { "name": "backstage", "repository_url": "https://github.com/backstage/backstage" }, + { "name": "medusa", "repository_url": "https://github.com/medusajs/medusa" }, + { "name": "ToolJet", "repository_url": "https://github.com/ToolJet/ToolJet" }, + { "name": "grafana", "repository_url": "https://github.com/grafana/grafana" }, + { "name": "mattermost-server", "repository_url": "https://github.com/mattermost/mattermost-server" }, + { "name": "Rocket.Chat", "repository_url": "https://github.com/RocketChat/Rocket.Chat" }, + // java + { "name": "WebGoat", "repository_url": "https://github.com/Bearer/WebGoat" }, + { "name": "BenchmarkJava", "repository_url": "https://github.com/OWASP-Benchmark/BenchmarkJava" }, + // php + { "name": "OWASPWebGoatPHP", "repository_url": "https://github.com/OWASP/OWASPWebGoatPHP" }, + { "name": "Vulnerable-Web-Application", "repository_url": "https://github.com/OWASP/Vulnerable-Web-Application" }, + { "name": "mediawiki", "repository_url": "https://github.com/wikimedia/mediawiki" } + ] +}