Mi nueva rama

.github/workflows/IaC_scan.yml

@@ -0,0 +1,27 @@
+name: Sysdig IaC Scan
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  iac-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Scan infrastructure
+      uses: sysdiglabs/scan-action@v5
+      with:
+        sysdig-secure-token:  98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }} #
+        cli-scanner-version: 1.9.0
+        mode: iac
+        sysdig-secure-url: https://eu1.app.sysdig.com
+        iac-scan-path: ./

.github/workflows/deploy.yml

@@ -0,0 +1,39 @@
+name: Deploy to EKS
+
+on:
+  push:
+    branches:
+      - main  # Puedes cambiarlo por la rama que prefieras
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v3
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-region: eu-west-1 # ${{ secrets.AWS_REGION }}
+
+    - name: Log in to Amazon ECR
+      id: login-ecr
+      uses: aws-actions/amazon-ecr-login@v2
+
+    - name: Build, tag, and push image to ECR
+      run: |
+        IMAGE_TAG=$(echo $GITHUB_SHA | cut -c1-7)
+        REPOSITORY_URI=<your-ecr-repo-uri>
+        docker build -t $REPOSITORY_URI:$IMAGE_TAG .
+        docker push $REPOSITORY_URI:$IMAGE_TAG
+      env:
+        ECR_REPOSITORY: ${{ secrets.ECR_REPOSITORY }}
+
+    - name: Update Kubernetes Deployment
+      run: |
+        aws eks update-kubeconfig --name ${{ secrets.EKS_CLUSTER_NAME }} --region ${{ secrets.AWS_REGION }}
+        kubectl set image deployment/<your-deployment-name> <your-container-name>=<your-ecr-repo-uri>:$(echo $GITHUB_SHA | cut -c1-7)

.github/workflows/sysdig-scan.yml

@@ -0,0 +1,62 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Sysdig - Build, scan, push and upload sarif report
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '16 20 * * 5'
+
+permissions:
+  contents: read
+
+jobs:
+
+  build:
+
+    permissions:
+      checks: write # for sysdiglabs/scan-action to publish the checks
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Build the Docker image
+      # Tag image to be built
+      # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag below
+      run: docker build . --file worker/Dockerfile --tag ${{ github.repository }}:latest
+
+    - name: Sysdig Secure Inline Scan
+      id: scan
+      uses: sysdiglabs/scan-action@768d7626a14897e0948ea89c8437dd46a814b163
+      with:
+        # Tag of the image to analyse.
+        # Change ${{ github.repository }} variable by another image name if you want but don't forget changing also image-tag above
+        image-tag: ${{ github.repository }}:latest
+        # API token for Sysdig Scanning auth
+        sysdig-secure-token: ${{ secrets.SYSDIG_SECURE_TOKEN}}
+        # Sysdig secure endpoint. Please read: https://docs.sysdig.com/en/docs/administration/saas-regions-and-ip-ranges/
+        # US-East https://secure.sysdig.com
+        # US-West https://us2.app.sysdig.com
+        # EU      https://eu1.app.sysdig.com
+        sysdig-secure-url: https://us2.app.sysdig.com
+        dockerfile-path: ./worker/Dockerfile
+        input-type: docker-daemon
+        ignore-failed-scan: true
+        # Sysdig inline scanner requires privileged rights
+        run-as-user: root
+
+    - uses: github/codeql-action/upload-sarif@v3
+      #Upload SARIF file
+      if: always()
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarifReport }}

.github/workflows/vulnerability_scan.yml

@@ -0,0 +1,56 @@
+name: Docker Image Build and Scan
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  build-and-scan:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+#imagen 1
+    - name: Build the Docker image 1
+      run: docker build . --file ./vote/Dockerfile --tag vote
+
+    - name: Scan image 1
+      id: scan1
+      uses: sysdiglabs/scan-action@v5
+      with:
+        image-tag: vote:latest
+        sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }}
+        sysdig-secure-url: https://eu1.app.sysdig.com
+        #sarif-output-file: ${{ github.workspace }}/sarif.json
+#imagen 2
+    - name: Build the Docker image 2
+      run: docker build . --file ./result/Dockerfile --tag result
+
+    - name: Scan image 2
+      id: scan2
+      uses: sysdiglabs/scan-action@v5
+      with:
+        image-tag: result:latest
+        sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }}
+        sysdig-secure-url: https://eu1.app.sysdig.com
+        #sarif-output-file: ${{ github.workspace }}/sarif.json
+#imagen 3
+    - name: Build the Docker image 3
+      run: docker build . --file ./worker/Dockerfile --tag worker
+
+    - name: Scan image 3
+      id: scan3
+      uses: sysdiglabs/scan-action@v5
+      with:
+        image-tag: worker:latest
+        sysdig-secure-token: 98513912-9a2c-4f60-a5ba-2c424565e793 #${{ secrets.SYSDIG_SECURE_TOKEN }}
+        sysdig-secure-url: https://eu1.app.sysdig.com
+        #sarif-output-file: ${{ github.workspace }}/sarif.json
+

bad_code.tf

@@ -0,0 +1,43 @@
+provider "aws" {
+  region = "us-west-2"
+}
+
+resource "aws_security_group" "bad_sg" {
+  name        = "bad_security_group"
+  description = "Security group with overly permissive rules"
+  vpc_id      = "vpc-123456"
+
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_s3_bucket" "bad_bucket" {
+  bucket = "bad-bucket"
+
+  acl    = "public-read" # S3 bucket with public read access
+}
+
+resource "aws_instance" "bad_instance" {
+  ami           = "ami-123456"
+  instance_type = "t2.micro"
+
+  user_data = <<-EOF
+              #!/bin/bash
+              echo "This is a test" > /tmp/test.txt
+              EOF
+
+  tags = {
+    Name = "BadInstance"
+  }
+}

result/Dockerfile

@@ -10,7 +10,7 @@ WORKDIR /usr/local/app
 # have nodemon available for local dev use (file watching)
 RUN npm install -g nodemon
 
-COPY package*.json ./
+COPY /result/package*.json ./
 
 RUN npm ci && \
  npm cache clean --force && \

vote/Dockerfile

@@ -10,7 +10,7 @@ RUN apt-get update && \
 WORKDIR /usr/local/app
 
 # Install our requirements.txt
-COPY requirements.txt ./requirements.txt
+COPY vote/requirements.txt ./requirements.txt
 RUN pip install --no-cache-dir -r requirements.txt
 
 # Define a stage specifically for development, where it'll watch for

worker/Dockerfile

@@ -13,7 +13,7 @@ ARG BUILDPLATFORM
 RUN echo "I am running on $BUILDPLATFORM, building for $TARGETPLATFORM"
 
 WORKDIR /source
-COPY *.csproj .
+COPY /worker/*.csproj .
 RUN dotnet restore -a $TARGETARCH
 
 COPY . .
@@ -23,4 +23,4 @@ RUN dotnet publish -c release -o /app -a $TARGETARCH --self-contained false --no
 FROM mcr.microsoft.com/dotnet/runtime:7.0
 WORKDIR /app
 COPY --from=build /app .
-ENTRYPOINT ["dotnet", "Worker.dll"]
+ENTRYPOINT ["dotnet", "Worker.dll"]