
Variable group for credentials; harden jq install #9

Closed
appsechq-brian wants to merge 14 commits into levinebw:main from AppSecHQ:fix/variable-group-and-jq-install

Conversation

@appsechq-brian
Collaborator

Summary

  • All 3 top-level pipelines now use `- group: cycode-credentials` instead of raw secret pipeline variables — single rotation point (Key Vault-friendly)
  • `jq` install step now supports apt-get (Linux) and brew (macOS), and fails loudly with a clear remediation hint on any other OS

Test plan

  • All 4 YAML files parse cleanly
  • No changes to script behavior or the RIG query
  • Pipelines still run green in the ADO test environment (will verify after merge)

levine-cycode and others added 14 commits January 27, 2026 08:43
…ning

- Add vulnerable_packages/ directory for SCA testing
- Add n8n-workflow example with vulnerable n8n v1.100.0
- Add Dockerfile.n8n-vulnerable with CVE-2026-21858
- Update README with new vulnerable_packages section
- gha-excessive-permissions: detects permissions: write-all and broad
  write scope grants at workflow and job level
- gha-dangerous-pr-target-checkout: detects pull_request_target trigger
  combined with checkout of incoming PR code (pwn request pattern)
Scans vulnerable_apps/ for SAST findings on push, PR, and manual trigger.
Blocks build on any finding (default CLI exit code 1).
Scans only the diff between PR base and head commits,
not the full codebase. Falls back to HEAD~1 on manual trigger.
Full scan runs on push to main only. PRs use the delta scan workflow.
…centralized template

Three new patterns complementing the existing CLI gate in azure-pipelines.yml:

- scripts/cycode-gate.sh — queries the Cycode RIG Graph API for Open
  violations in a named repo; fails the build if any match. Filters by
  severity, category, and risk score via env vars. Emits
  ##vso[task.logissue] for Azure Pipelines.

- scripts/cycode-json-to-junit.py + scripts/cycode-summary.py —
  converters that take `cycode -o json scan ...` output and produce
  JUnit XML (for PublishTestResults@2 → Tests tab) and a Markdown
  report (for ##vso[task.uploadsummary] → custom tab on build summary).

- templates/cycode-scan.yml — centralized template consumed via
  `extends`. App pipelines pass parameters (scanPath, scanTypeFlags,
  severityThreshold, repoName, gateMode) and inherit the scan +
  publish + gate logic. Cross-repo usage documented in the header.

Example pipelines:
- azure-pipelines-api-gate.yml           — API gate standalone
- azure-pipelines-publish-results.yml    — Tests tab + summary + artifact
- azure-pipelines-template-consumer.yml  — minimal consumer of the template
- RIG .result[] items wrap detections in a .resource object; updated the
  jq filter to drill through it so severity/risk_score/policy/file_path
  render correctly instead of all dashes.
- Use bare repo name ("vectorvictor") in defaults and docs — the
  owner/repo form returns 0 results in RIG.
- Check .fast_query_has_more and surface "at least N (page cap hit)"
  when results are paginated, so the gate message is truthful when the
  tenant has more than page_size findings.
…terns

Azure Pipelines advanced patterns: API gate, UI publishing, central template
Two small improvements based on end-to-end testing in Azure DevOps:

Variable group for credentials
- All three top-level pipelines now reference an ADO Library variable
  group named 'cycode-credentials' via 'variables: - group: ...' instead
  of expecting CYCODE_CLIENT_ID / CYCODE_CLIENT_SECRET as bare secret
  pipeline variables. Single source of truth for credential rotation
  (ideally backed by Key Vault) and fewer pipelines to update when the
  service account changes.

jq install hardening
- The 'apt-get || true' form silently masked failures on agents without
  apt-get (macOS, RHEL, Windows, distroless). Now: detect apt-get, fall
  back to brew, and fail loudly with a clear 'Preinstall jq on the agent'
  message if neither is available.
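The jq install hardening described in the PR summary and in the last commit message above, as an added example that is not the PR's own step: detect apt-get, fall back to brew, and otherwise fail loudly with an Azure Pipelines logissue line instead of the masked `apt-get ... || true`. It assumes a POSIX sh script step and passwordless sudo on Linux agents; JQ_PM_OVERRIDE and JQ_BOOTSTRAP_RUN are hooks this example adds for testing, not pipeline variables from the PR.

```shell
#!/bin/sh
# Hardened jq bootstrap for a pipeline script step (added example, not the
# PR's own step). Assumed: POSIX sh, passwordless sudo on Linux agents.
# JQ_PM_OVERRIDE / JQ_BOOTSTRAP_RUN exist only so this file can be tested.
set -eu

# Pick a package manager by probing PATH: prints "apt", "brew" or "none".
choose_installer() {
  if [ -n "${JQ_PM_OVERRIDE:-}" ]; then
    printf '%s\n' "$JQ_PM_OVERRIDE"
  elif command -v apt-get >/dev/null 2>&1; then
    printf 'apt\n'
  elif command -v brew >/dev/null 2>&1; then
    printf 'brew\n'
  else
    printf 'none\n'
  fi
}

# Map the choice to an install command; return 1 (print nothing) when no
# usable manager exists, so the caller cannot silently continue.
install_command() {
  case "$1" in
    apt)  printf 'sudo apt-get update -qq && sudo apt-get install -y -qq jq\n' ;;
    brew) printf 'brew install jq\n' ;;
    *)    return 1 ;;
  esac
}

# Install only when jq is absent. Unlike "apt-get ... || true", every
# failure path surfaces as a build error via ##vso[task.logissue] and
# a non-zero exit.
ensure_jq() {
  if command -v jq >/dev/null 2>&1; then
    printf 'jq already present: %s\n' "$(jq --version)"
    return 0
  fi
  pm=$(choose_installer)
  if ! jq_cmd=$(install_command "$pm"); then
    printf '##vso[task.logissue type=error]jq is not installed and no apt-get/brew found (installer=%s). Preinstall jq on the agent.\n' "$pm"
    return 1
  fi
  sh -c "$jq_cmd"
  jq --version   # prove the binary is on PATH before later steps rely on it
}

# Run the bootstrap only when invoked as the step body; sourcing just defines.
if [ "${JQ_BOOTSTRAP_RUN:-0}" = 1 ]; then
  ensure_jq
fi
```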
@appsechq-brian
Collaborator Author

Opened on wrong fork. See AppSecHQ/vectorvictor instead.
