Add bearer to CI for security (#2492)

pulibrary · Sep 18, 2024 · ffc4f9f · ffc4f9f
1 parent 9a2a985
commit ffc4f9f
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 1 deletion.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -219,6 +219,17 @@ jobs:
       - run:
           name: Check code against community-provided and custom semgrep rules
           command: semgrep ci --config auto --config .semgrep.yml
+
+  bearer:
+    docker:
+      - image: cimg/ruby:3.2
+    environment:
+      # Set to default branch of your repo
+      DEFAULT_BRANCH: main
+    steps:
+      - checkout
+      - run: curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.sh | sh -s -- -b /tmp
+      - run: CURRENT_BRANCH=$CIRCLE_BRANCH SHA=$CIRCLE_SHA1 /tmp/bearer scan .
 workflows:
   version: 2
   default:
@@ -235,4 +246,4 @@ workflows:
             - build
       - build_and_test_webhook
       - semgrep
-
+      - bearer
diff --git a/bearer.ignore b/bearer.ignore
@@ -0,0 +1,8 @@
+{
+  "c52fc1468bbbd5867590436ec290f478_0": {
+    "author": "Max Kadel",
+    "comment": "False positive - not actually a password, just mapping a MARC subfield code.",
+    "false_positive": true,
+    "ignored_at": "2024-09-18T16:11:06Z"
+  }
+}
diff --git a/bearer.yml b/bearer.yml
@@ -0,0 +1,34 @@
+disable-version-check: false
+log-level: info
+report:
+    fail-on-severity: critical,high,medium,low
+    format: ""
+    no-color: false
+    output: ""
+    report: security
+    severity: critical,high,medium,low,warning
+rule:
+    disable-default-rules: false
+    only-rule: []
+    # Tickets to remediate these rules and remove from this stanza:
+    #   ruby_lang_file_generation - https://github.com/pulibrary/bibdata/issues/2487
+    #   ruby_lang_weak_hash_md - https://github.com/pulibrary/bibdata/issues/2488
+    #   ruby_rails_open_redirect - https://github.com/pulibrary/bibdata/issues/2489
+    #   ruby_rails_default_encryption - https://github.com/pulibrary/bibdata/issues/2490
+    skip-rule: [ruby_lang_file_generation, ruby_lang_weak_hash_md, ruby_rails_open_redirect, ruby_rails_default_encryption]
+scan:
+    context: ""
+    data_subject_mapping: ""
+    disable-domain-resolution: true
+    domain-resolution-timeout: 3s
+    exit-code: -1
+    external-rule-dir: []
+    force: false
+    hide_progress_bar: false
+    internal-domains: []
+    parallel: 0
+    quiet: false
+    scanner:
+        - sast
+    skip-path: []
+    skip-test: true