shiftleft.yml
# Documentation on using check analysis https://docs.shiftleft.io/cli/reference/check-analysis-v2
source:
  branch: master
build_rules:
  - id: allow-high-settings
    finding_types:
      - container
    cvss_31_severity_ratings:
      - high
    threshold: 3
    options:
      num_findings: 3 # Return 3 findings
  - id: build-rule-identifier
    # The specific type of finding to which the build rule should be applied. Accepted values: vuln, secret, insight, oss_vuln, container. If you omit this parameter, ShiftLeft defaults to returning only vulnerabilities.
    finding_types:
      - vuln
      - secret
      - insight
      - oss_vuln
      - container
    # Setting severity level (Critical, High, Medium, Low)
    cvss_31_severity_ratings:
      - high
      - critical
    # Do you want to focus on just one or more types?
    # type:
    #   - Weak Random
    #   - Sensitive Data Leak
    #   - Deserialization
    #   - Directory Traversal
    #   - Sensitive Data Exposure
    #   - Remote Code Execution
    #   - Command Injection
    #   - Security Best Practices
    #   - Unsafe Reflection
    #   - Regex Injection
    #   - SQL Injection
    #   - XML External Entities
    #   - Template Injection
    #   - Cross-Site Scripting
    #   - JSON Injection
    #   - Potential SQL Injection
    #   - Potential Regex Injection
    #   - Header Injection
    #   - Security Misconfiguration
    #   - Deprecated Function Use
    #   - Mail Injection
    #   - Race Condition
    #   - Sensitive Data Usage
    #   - Open Redirect
    #   - Error Handling
    #   - HTTP to Database
    #   - HTTP to Model
    #   - LDAP Injection
    #   - Denial of Service
    #   - CRLF Injection
    #   - NoSQL Injection
    #   - Weak Hash
    #   - Session Injection
    #   - Server-Side Request Forgery
    #   - Prototype Pollution
    #   - Log Forging
    #   - XPath Injection
    #   - Insecure Authentication
    #   - Intent Redirection
    #   - Authentication Bypass
    #   - Weak Cipher
    #   - Crypto
    # Focus by OWASP Category?
    # owasp_2021_categories:
    #   - a01-broken-access-control
    #   - a02-cryptographic-failures
    #   - a03-injection
    #   - a04-insecure-design
    #   - a05-security-misconfiguration
    #   - a06-vulnerable-and-outdated-components
    #   - a07-identification-and-authentication-failures
    #   - a08-software-and-data-integrity-failures
    #   - a09-security-logging-and-monitoring-failures
    #   - a10-server-side-request-forgery-(ssrf)
    threshold: 0
    options:
      num_findings: 10 # Return 10 findings