Merge pull request #17074 from CDCgov/deployment/2025-01-14

Deployment of 2025-01-14
CDCgov · Jan 14, 2025 · 7e793f5 · 7e793f5
2 parents b02c5da + fbede22
commit 7e793f5
Show file tree

Hide file tree

Showing 55 changed files with 7,060 additions and 2,055 deletions.
diff --git a/.github/ISSUE_TEMPLATE/platform-user-story.md b/.github/ISSUE_TEMPLATE/platform-user-story.md
@@ -21,34 +21,30 @@ so that _[Outcome - what is the value add to the user]_."
 
 ### Description/Use Case
 <!--
-_Use this section to describe the 'Why', and/or provide an example scenario in which this feature/functionality would be valueable._
+Use this section to describe the 'Why', and/or provide an example scenario in which this feature/functionality would be valueable.
 -->
 
 ### Risks/Impacts/Considerations
 <!--
-_Use this section to briefly list out any risks/impacts that may come about, as a result of the proposed solution._
-- _System performance may be slowed_
-- _Only a single search parameter can be used_
+Use this section to briefly list out any risks/impacts that may come about, as a result of the proposed solution.
+- _[System performance may be slowed]_
+- _[Only a single search parameter can be used]_
 -->
 
 ### Dev Notes
 <!--
-_Use this section to describe any useful technical information to duplicate an issue or explain requirements related to this ticket without providing implementation details._
-- _Provided is the data that was used to replicate the issue..._
-- _To test, use SimpleReport upload CSV page to ..._
+Use this section to describe any useful technical information to duplicate an issue or explain requirements related to this ticket without providing implementation details.
+- _[Provided is the data that was used to replicate the issue...]_
+- _[To test, use SimpleReport upload CSV page to ...]_
 -->
 
 ### Acceptance Criteria
 <!--
 What is Acceptance Criteria?
 A set of conditions or business rules, as defined by the Product Owner, which the functionality or feature should satisfy, in order to be accepted by the Product Owner.
 
-Use the following template when creating new Acceptance Criteria:
+Write the acceptance criteria as a list that can be checked off as work progresses. For example:
 
-"Given _[describe the precondition]_, when I _[describe the action performed]_, then I expect _[describe the expected outcome]_."
-
-_OR... it may be written as a bulleted list._
-
-- _Time must be displayed as HH:MM:SS_
-- _Delivery rate must be shown as a percentage_
+- [ ] _[Time must be displayed as HH:MM:SS]_
+- [ ] _[Delivery rate must be shown as a percentage]_
 -->
diff --git a/.github/actions/runleaks/.gitignore b/.github/actions/runleaks/.gitignore
@@ -0,0 +1,4 @@
+.git
+_git
+.github
+_github
diff --git a/.github/actions/runleaks/Dockerfile b/.github/actions/runleaks/Dockerfile
@@ -0,0 +1,8 @@
+FROM cgr.dev/chainguard/wolfi-base:latest
+RUN apk add git gh make parallel jq
+
+COPY git-secrets /git-secrets
+RUN make -C /git-secrets install
+COPY lib/* /
+
+ENTRYPOINT ["bash", "/scan.sh"]
diff --git a/.github/actions/runleaks/LICENSE b/.github/actions/runleaks/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2023 Josiah Siegel
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/.github/actions/runleaks/README.md b/.github/actions/runleaks/README.md
@@ -0,0 +1,163 @@
+# runleaks
+
+[![Scan Action Logs](https://github.com/CDCgov/prime-reportstream/.github/workflows/runleaks--main.yml/badge.svg?branch=main)](https://github.com/CDCgov/prime-reportstream/.github/workflows/runleaks--main.yml)
+
+Leverages [git-secrets](https://github.com/awslabs/git-secrets) to identify potential leaks in GitHub action run logs.
+
+ * Common Azure and Google Cloud patterns are available, thanks to fork [msalemcode/git-secrets](https://github.com/msalemcode/git-secrets).
+
+
+## Inputs
+```yml
+  github-token:
+    description: 'Token used to login to GitHub'
+    required: true
+  repo:
+    description: 'Repo to scan run logs for exceptions'
+    required: false
+    default: ${{ github.repository }}
+  run-limit:
+    description: 'Limit on how many runs to scan'
+    required: false
+    default: '50'
+  min-days-old:
+    description: 'Min age of runs in days'
+    required: false
+    default: '0'
+  max-days-old:
+    description: 'Max age of runs in days'
+    required: false
+    default: '3'
+  patterns-path:
+    description: 'Patterns file path'
+    required: false
+    default: ".runleaks/patterns.txt"
+  exclusions-path:
+    description: 'Excluded patterns file path'
+    required: false
+    default: ".runleaks/exclusions.txt"
+  fail-on-leak:
+    description: 'Fail action if leak is found'
+    required: false
+    default: true
+```
+
+## Outputs
+```yml
+  exceptions:
+    description: 'Json output of run logs with exceptions'
+  count:
+    description: 'Count of exceptions'
+```
+
+## Usage
+ * Note: [GitHub rate limits](#rate-limits)
+```yml
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Scan run logs
+        uses: josiahsiegel/runleaks@4dd30d107c03b6ade87978e10c94a77015e488f9
+        id: scan
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-limit: 500
+          fail-on-leak: false
+      - name: Get scan exceptions
+        if: steps.scan.outputs.count > 0
+        run: echo "${{ steps.scan.outputs.exceptions }}"
+```
+or
+```yml
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Scan run logs
+        uses: josiahsiegel/runleaks@4dd30d107c03b6ade87978e10c94a77015e488f9
+        id: scan
+        with:
+          github-token: ${{ secrets.MY_TOKEN }}
+          patterns-path: ".github/patterns.txt"
+          exclusions-path: ".github/exclusions.txt"
+          fail-on-leak: false
+      - name: Get scan exceptions
+        if: steps.scan.outputs.count > 0
+        run: echo "${{ steps.scan.outputs.exceptions }}"
+```
+or
+```yml
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          repository: 'me/my-repo'
+      - name: Scan run logs
+        uses: josiahsiegel/runleaks@4dd30d107c03b6ade87978e10c94a77015e488f9
+        id: scan
+        with:
+          github-token: ${{ secrets.MY_TOKEN }}
+          repo: 'me/my-repo'
+          run-limit: 200
+          min-days-old: 0
+          max-days-old: 4
+          fail-on-leak: true
+```
+
+## Local testing
+  * Registers default patterns
+```sh
+git clone https://github.com/CDCgov/prime-reportstream/.github/actions/runleaks.git
+cd runleaks/
+docker build -t runleaks .
+docker run scan "<PERSONAL_ACCESS_TOKEN>" "<REPO>" <RUN_LIMIT> <MIN_DAYS_OLD> <MAX_DAYS_OLD>
+```
+
+## Pattern file
+ * Default location: `.runleaks/patterns.txt`
+
+```
+####################################################################
+
+# Register a secret provider
+#--register-azure
+#--register-gcp
+--register-aws
+
+####################################################################
+
+# Add a prohibited pattern
+--add [A-Z0-9]{20}
+--add Account[k|K]ey
+--add Shared[a|A]ccessSignature
+
+####################################################################
+
+# Add a string that is scanned for literally (+ is escaped):
+--add --literal foo+bar
+
+####################################################################
+```
+
+## Exclusion file
+ * Default location: `.runleaks/exclusions.txt`
+```
+####################################################################
+
+# Add regular expressions patterns to filter false positives.
+
+# Allow GUID
+("|')[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}("|')
+
+####################################################################
+```
+
+## Performance
+
+ * Scan 50 runs = 1 min
+
+ * Scan 500 runs = 8 mins
+
+* Scan 3000 runs = 50 mins
+
+## Rate limits
+
+Built-in secret `GITHUB_TOKEN` is [limited to 1,000 requests per hour per repository](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#requests-from-github-actions).
+
+To avoid repo-wide rate limiting, personal access tokens can be added to secrets, which are [limited to 5,000 requests per hour and per authenticated user](https://docs.github.com/en/rest/overview/resources-in-the-rest-api#requests-from-personal-accounts).
diff --git a/.github/actions/runleaks/action.yml b/.github/actions/runleaks/action.yml
@@ -0,0 +1,55 @@
+# action.yml
+name: 'runleaks'
+description: 'Identify potential leaks in GitHub action logs'
+branding:
+  icon: 'search'  
+  color: 'red'
+inputs:
+  github-token:
+    description: 'Token used to login to GitHub'
+    required: true
+  repo:
+    description: 'Repo to scan run logs for exceptions'
+    required: false
+    default: ${{ github.repository }}
+  run-limit:
+    description: 'Limit on how many runs to scan'
+    required: false
+    default: '100'
+  min-days-old:
+    description: 'Min age of runs in days'
+    required: false
+    default: '0'
+  max-days-old:
+    description: 'Max age of runs in days'
+    required: false
+    default: '3'
+  patterns-path:
+    description: 'Patterns file path'
+    required: false
+    default: ".github/runleaks/patterns.txt"
+  exclusions-path:
+    description: 'Excluded patterns file path'
+    required: false
+    default: ".github/runleaks/exclusions.txt"
+  fail-on-leak:
+    description: 'Fail action if leak is found'
+    required: false
+    default: true
+outputs:
+  exceptions:
+    description: 'Json output of run logs with exceptions'
+  count:
+    description: 'Count of exceptions'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  args:
+    - ${{ inputs.github-token }}
+    - ${{ inputs.repo }}
+    - ${{ inputs.run-limit }}
+    - ${{ inputs.min-days-old }}
+    - ${{ inputs.max-days-old }}
+    - ${{ inputs.patterns-path }}
+    - ${{ inputs.exclusions-path }}
+    - ${{ inputs.fail-on-leak }}
diff --git a/.github/actions/runleaks/git-secrets/.pre-commit-hooks.yaml b/.github/actions/runleaks/git-secrets/.pre-commit-hooks.yaml
@@ -0,0 +1,5 @@
+-   id: git-secrets
+    name: Git Secrets
+    description: git-secrets scans commits, commit messages, and --no-ff merges to prevent adding secrets into your git repositories.
+    entry: 'git-secrets --pre_commit_hook'
+    language: script
diff --git a/.github/actions/runleaks/git-secrets/CHANGELOG.md b/.github/actions/runleaks/git-secrets/CHANGELOG.md
@@ -0,0 +1,49 @@
+# CHANGELOG
+
+## 1.3.0 - 2019-02-10
+
+* Empty provider output is now excluded
+  (https://github.com/awslabs/git-secrets/issues/34)
+* Spaces are now supported in git exec path, making more Windows
+  paths execute properly.
+* Patterns with newlines and carriage returns are now loaded properly.
+* Patterns that contain only "\n" are now ignored.
+* Various Bash 4 fixes (https://github.com/awslabs/git-secrets/issues/66).
+* Make IAM key scanning much more targeted.
+
+## 1.2.1 - 2016-06-27
+
+* Fixed an issue where secret provider commands were causing "command not
+  found" errors due to a previously set IFS variable.
+  https://github.com/awslabs/git-secrets/pull/30
+
+## 1.2.0 - 2016-05-23
+
+* Fixed an issue where spaces files with spaces in their names were not being
+  properly scanned in the pre-commit hook.
+* Now ignoring empty lines and comments (e.g., `#`) in the .gitallowed file.
+* Fixed an issue where numbers were being compared to strings causing failures
+  on some platforms.
+
+## 1.1.0 - 2016-04-06
+
+* Bug fix: the pre-commit hook previously only scanned the working directory
+  rather than staged files. This release updates the pre-commit hook to instead
+  scan staged files so that git-secrets will detect violations if the working
+  directory drifts from the staging directory.
+* Added the `--scan-history` subcommand so that you can scan your entire
+  git history for violations.
+* Added the ability to filter false positives by using a .gitallowed file.
+* Added support for `--cached`, `--no-index`, and `--untracked` to the `--scan`
+  subcommand.
+
+## 1.0.1 - 2016-01-11
+
+* Now works correctly with filenames in a repository that contain spaces when
+  executing `git secrets --scan` with no provided filename (via `git grep`).
+* Now works with git repositories with hundreds of thousands of files when
+  using `git secrets --scan` with no provided filename (via `git grep`).
+
+## 1.0.0 - 2015-12-10
+
+* Initial release of ``git-secrets``.
diff --git a/.github/actions/runleaks/git-secrets/CODE_OF_CONDUCT.md b/.github/actions/runleaks/git-secrets/CODE_OF_CONDUCT.md
@@ -0,0 +1,4 @@
+## Code of Conduct
+This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct). 
+For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact 
+opensource-codeofconduct@amazon.com with any additional questions or comments.
-Original file line number
+Diff line change
@@ -0,0 +1,4 @@
+    .git
+    _git
+    .github
+    _github