Setup security-scan workflow with Bearer SAST

.github/workflows/Dockerfile

@@ -0,0 +1,9 @@
+FROM bearer/bearer:latest as bear
+FROM golang:1.23
+
+COPY --from=bear /usr/local/bin/bearer /usr/local/bin
+COPY --from=bear /usr/bin/git /usr/bin
+
+WORKDIR /
+
+# RUN go install github.com/google/osv-scanner/cmd/osv-scanner@v1

.github/workflows/github-security-checks.yml

@@ -0,0 +1,39 @@
+name: SAST Scan
+run-name: Push from ${{ github.actor }} initiated a Security Scan 🚀
+on: [push]
+permissions:
+  contents: write
+jobs:
+  sast-scan:
+    runs-on: ubuntu-latest
+    container: avarteqgmbh/bearer-osv-scan
+    steps:
+      - name: Checkout repo inside CI runner
+        uses: actions/checkout@v4
+      # - name: Bearer-SAST Installation
+      #   working-directory: ./ci/actions
+      #   run: | 
+      #     chmod +x install-bearer.sh
+      #     ./install-bearer.sh
+      - name: Setup results file
+        run: |
+          mkdir -p scan_results
+          touch ./scan_results/bearer.out.json 
+          git config --global --add safe.directory '*'
+      - name: SAST Scan
+        working-directory: .
+        run: bearer scan . --config-file ./ci/configs/bearer.yml --output ./scan_results/bearer.out.json
+      - name: Commit changes
+        uses: EndBug/add-and-commit@v9
+        with: 
+          author_name: scanner-bot
+          author_email: [email protected]
+          message: '[bot] Add SAST scan results'
+
+
+#TODO 
+#1. Generate JSON report and store in repo
+#2. Ensure bearer does not exit with -1
+#2. Create docker image with pre-installed Bearer and OSV tools
+#3. Add a step to run the OSV scanner
+#4. 

README.md

@@ -1,19 +1,3 @@
-<p align="center" margin="20 0"><a href="https://horusec.io/">
-    <img src="https://github.com/ZupIT/horusec-devkit/blob/main/assets/horusec_logo.png?raw=true"
-            alt="logo_header" width="65%" style="max-width:100%;"/></a></p>
-
-<p align="center">
-    <a href="https://github.com/ZupIT/horusec-engine/pulse" alt="activity">
-        <img src="https://img.shields.io/github/commit-activity/m/ZupIT/horusec-engine?label=activity"/></a>
-    <a href="https://github.com/ZupIT/horusec-engine/graphs/contributors" alt="contributors">
-        <img src="https://img.shields.io/github/contributors/ZupIT/horusec-engine?label=contributors"/></a>
-    <a href="https://github.com/ZupIT/horusec-engine/actions/workflows/security.yml" alt="security">
-        <img src="https://img.shields.io/github/workflow/status/ZupIT/horusec-engine/Security?label=security"/></a>
-    <a href="https://opensource.org/licenses/Apache-2.0" alt="license">
-        <img src="https://img.shields.io/badge/license-Apache%202-blue"/></a>
-
-# **Horusec Examples Vulnerabilities**
-
 ## **Table of contents**
 ### 1. [**About**](#about)
 ### 2. [**Documentation**](#documentation)
@@ -23,54 +7,6 @@
 
 
 ## **About** 
-This repository contains some vulnerabilities examples for you to test Horusec's analysis.
-
-## **Documentation**
-
-For more information about Horusec, please check out the [**documentation**](https://docs.horusec.io).
-
-
-## **Contributing**
-
-If you want to contribute to this repository, access our [**Contributing Guide**](https://github.com/ZupIT/horusec/blob/main/CONTRIBUTING.md). 
-
-
-### **Developer Certificate of Origin - DCO**
-
- This is a security layer for the project and for the developers. It is mandatory.
-
- Follow one of these two methods to add DCO to your commits:
-
-**1. Command line**
- Follow the steps: 
- **Step 1:** Configure your local git environment adding the same name and e-mail configured at your GitHub account. It helps to sign commits manually during reviews and suggestions.
-
- ```
-git config --global user.name “Name”
-git config --global user.email “[email protected]”
-```
-**Step 2:** Add the Signed-off-by line with the `'-s'` flag in the git commit command:
-
-```
-$ git commit -s -m "This is my commit message"
-```
-
-**2. GitHub website**
-You can also manually sign your commits during GitHub reviews and suggestions, follow the steps below: 
-
-**Step 1:** When the commit changes box opens, manually type or paste your signature in the comment box, see the example:
-
-```
-Signed-off-by: Name < e-mail address >
-```
-
-For this method, your name and e-mail must be the same registered on your GitHub account.
-
-## **License**
-[**Apache License 2.0**](https://github.com/ZupIT/horusec-examples-vulnerabilities/blob/main/LICENSE).
-
-## **Community**
-Do you have any question about Horusec? Let's chat in our [**forum**](https://forum.zup.com.br/).
-
+This repository contains some vulnerabilities examples, with a Bearer-based Github workflow in it that scans said vulnerabilities. This is a fork of the https://github.com/ZupIT/horusec-examples-vulnerabilities repository. No use or customization of Horusec tooling is made; the only changes concern the Github Workflows, this README and the addition of some mock vendored packages to facilitate CVE scanner tests.
 
-This project exists thanks to all the contributors. You rock! ❤️🚀
+As such, the LICENSE and copyright.txt remain unchanged.

bearer.ignore

@@ -0,0 +1,8 @@
+{
+  "ae903051b59300db2d5afbd80fc94fd3_5": {
+    "author": "Mish Bear",
+    "comment": "Ignore this finding",
+    "false_positive": true,
+    "ignored_at": "2024-12-03T10:01:25Z"
+  }
+}

ci/configs/bearer.yml

@@ -0,0 +1,29 @@
+disable-version-check: false
+log-level: info
+report:
+    fail-on-severity: critical,high,medium,low
+    format: json
+    no-color: false
+    output: ""
+    report: security
+    severity: critical,high,medium,low,warning
+rule:
+    disable-default-rules: false
+    only-rule: []
+    skip-rule: []
+scan:
+    context: ""
+    data_subject_mapping: ""
+    disable-domain-resolution: true
+    domain-resolution-timeout: 3s
+    exit-code: 0
+    external-rule-dir: []
+    force: false
+    hide_progress_bar: false
+    internal-domains: []
+    parallel: 0
+    quiet: true
+    scanner:
+        - sast
+    skip-path: ['*/vendor']
+    skip-test: true