feature: Secret detection with Trivy

Author: mrfyda

.circleci/config.yml

@@ -0,0 +1,38 @@
+version: 2.1
+
+orbs:
+  codacy: codacy/[email protected]
+  codacy_plugins_test: codacy/[email protected]
+
+workflows:
+  version: 2
+  compile_test_deploy:
+    jobs:
+      - codacy/checkout_and_version
+      - codacy/sbt:
+          name: build_docker_and_test
+          cmd: |
+            # TODO: Ensure doc generation is done
+            docker build -t $CIRCLE_PROJECT_REPONAME:latest .
+            docker save --output docker-image.tar $CIRCLE_PROJECT_REPONAME:latest
+          persist_to_workspace: true
+          requires:
+            - codacy/checkout_and_version
+      - codacy_plugins_test/run:
+          name: plugins_test
+          run_multiple_tests: true
+          requires:
+            - build_docker_and_test
+      - codacy/publish_docker:
+          context: CodacyDocker
+          requires:
+            - plugins_test
+          filters:
+            branches:
+              only:
+                - master
+      - codacy/tag_version:
+          name: tag_version
+          context: CodacyAWS
+          requires:
+            - codacy/publish_docker

.github/CODEOWNERS

@@ -0,0 +1 @@
+* @codacy/toss

.gitignore

@@ -0,0 +1,11 @@
+.ammonite
+.mypy_cache
+*~
+.*.swp
+.idea
+.scala-build
+.bsp
+.metals
+.vscode
+project
+target

.scalafmt.conf

@@ -0,0 +1,26 @@
+version = "3.7.12"
+style = IntelliJ
+
+runner.dialect = scala3
+
+align.preset = none
+assumeStandardLibraryStripMargin = false
+binPack.literalArgumentLists = true
+binPack.parentConstructors = false
+continuationIndent.defnSite = 4
+danglingParentheses.preset = true
+docstrings.style = SpaceAsterisk
+includeCurlyBraceInSelectChains = true
+lineEndings = unix
+maxColumn = 120
+newlines.topLevelStatementBlankLines = [
+  {
+    blanks { before = 1 }
+  }
+]
+newlines.penalizeSingleSelectMultiArgList = false
+newlines.sometimesBeforeColonInMethodReturnType = true
+optIn.breakChainOnFirstMethodDot = true
+project.git = true
+rewrite.rules = [ SortImports, PreferCurlyFors ]
+spaces.afterKeywordBeforeParen = true

Dockerfile

@@ -0,0 +1,20 @@
+FROM golang:1.21-alpine as builder
+
+WORKDIR /src
+
+COPY go.mod .
+COPY go.sum .
+RUN go mod download
+
+ADD . .
+RUN go build -o bin/codacy-trivy
+
+FROM busybox
+
+COPY --from=builder /src/bin /dist/bin
+COPY docs/ /docs/
+
+RUN adduser -u 2004 -D docker
+RUN chown -R docker:docker /docs
+
+CMD [ "/dist/bin/codacy-trivy" ]

LICENSE

@@ -0,0 +1,13 @@
+Copyright 2023 Codacy.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

README.md

@@ -1,8 +1,58 @@
-# codacy-public-template
+# Codacy Trivy
 
-Template repository for new public repositories. 
+This is the docker engine we use at Codacy to have [Trivy](https://github.com/aquasecurity/trivy) support.
 
-## GitHub actions
+## Usage
 
-This repository has the common GitHub actions that we want to have accross all of our public repositories.
-They should be kept at `.github/workflows`
+You can create the docker by doing:
+
+  ```bash
+  docker build -t codacy-trivy:latest .
+  ```
+
+The docker is ran with the following command:
+
+  ```bash
+  docker run -it -v $srcDir:/src codacy-trivy:latest
+  ```
+
+## Generate Docs
+
+ 1. Update the version in `go.mod`
+ 2. Install the dependencies:
+
+```bash
+go mod download
+```
+
+ 3. Run the DocGenerator:
+
+```bash
+go run ./doc-generator.go &&\
+scala-cli doc-generator.sc
+```
+
+## Test
+
+We use the [codacy-plugins-test](https://github.com/codacy/codacy-plugins-test) to test our external tools integration.
+You can follow the instructions there to make sure your tool is working as expected.
+
+## What is Codacy?
+
+[Codacy](https://www.codacy.com/) is an Automated Code Review Tool that monitors your technical debt, helps you improve your code quality, teaches best practices to your developers, and helps you save time in Code Reviews.
+
+### Among Codacy’s features
+
+- Identify new Static Analysis issues
+- Commit and Pull Request Analysis with GitHub, BitBucket/Stash, GitLab (and also direct git repositories)
+- Auto-comments on Commits and Pull Requests
+- Integrations with Slack, HipChat, Jira, YouTrack
+- Track issues in Code Style, Security, Error Proneness, Performance, Unused Code and other categories
+
+Codacy also helps keep track of Code Coverage, Code Duplication, and Code Complexity.
+
+Codacy supports PHP, Python, Ruby, Java, JavaScript, and Scala, among others.
+
+### Free for Open Source
+
+Codacy is free for Open Source projects.

docgenerator/doc-generator.sc

@@ -0,0 +1,65 @@
+//> using scala "2"
+//> using lib "com.codacy::codacy-engine-scala-seed:6.1.0"
+//> using lib "com.lihaoyi::os-lib:0.9.1"
+//> using lib "com.lihaoyi::upickle:3.1.2"
+//> using lib "com.lihaoyi::requests:0.8.0"
+
+import com.codacy.plugins.api.results.Pattern
+import com.codacy.plugins.api.results.Result
+import com.codacy.plugins.api.results.Tool
+
+import com.codacy.plugins.api._
+import play.api.libs.json.Json
+
+case class TrivySecretRule(ID: String, Category: String, Title: String, Severity: String)
+
+implicit val trivySecretRuleRW = Json.format[TrivySecretRule]
+
+val version = os
+  .read(os.pwd / "go.mod")
+  .linesIterator
+  .collectFirst { case s"	github.com/aquasecurity/trivy $version" =>
+    version.trim
+  }
+  .get
+
+val lines = os
+  .proc("go", "run", "./docgenerator/extract-secret-rules.go")
+  .call()
+  .out
+  .lines()
+  .mkString
+
+val trivyRules = Json.fromJson[List[TrivySecretRule]](Json.parse(lines)).asOpt.get
+
+def categoryAndSubcategoryOf(patternId: String): (Pattern.Category, Option[Pattern.Subcategory]) =
+  (Pattern.Category.Security, None)
+
+def severityOf(rule: TrivySecretRule): Result.Level =
+  rule.Severity match {
+    case "CRITICAL" => Result.Level.Err
+    case "HIGH" => Result.Level.Err
+    case "MEDIUM" => Result.Level.Warn
+    case "LOW" => Result.Level.Info
+    case _ => Result.Level.Err
+  }
+
+val patternSpecifications = trivyRules.map { rule =>
+  val (category, subcategory) = categoryAndSubcategoryOf(rule.ID)
+  Pattern.Specification(Pattern.Id(rule.ID), severityOf(rule), category, subcategory, enabled = true)
+}
+
+val patternDescriptions =
+  trivyRules.map(rule => Pattern.Description(Pattern.Id(rule.ID), Pattern.Title(s"Detects ${rule.Title}"), None, None))
+
+val specification = Tool.Specification(Tool.Name("trivy"), Some(Tool.Version(version)), patternSpecifications.toSet)
+
+os.write.over(os.pwd / "docs" / "patterns.json", Json.prettyPrint(Json.toJson(specification)) + "\n")
+
+os.remove.all(os.pwd / "docs" / "description")
+
+os.write.over(
+  os.pwd / "docs" / "description" / "description.json",
+  Json.prettyPrint(Json.toJson(patternDescriptions)) + "\n",
+  createFolders = true
+)

docgenerator/extract-secret-rules.go

@@ -0,0 +1,16 @@
+package main
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/aquasecurity/trivy/pkg/fanal/secret"
+)
+
+func main() {
+
+	rules := secret.NewScanner(nil).Rules
+	jsonResults, _ := json.Marshal(rules)
+	fmt.Print(string(jsonResults))
+
+}