feat: security best practices (#3024)

Author: epipav

backend/src/database/migrations/U1744813638__securityInsights.sql

@@ -0,0 +1,77 @@
+-- Security Insights Evaluation Suites
+create table public."securityInsightsEvaluationSuites" (
+    "id" uuid not null primary key,
+    "name" text not null,
+    "repo" text not null,
+    "catalogId" text not null,
+    "result" text not null,
+    "corruptedState" boolean not null,
+    "createdAt" timestamp with time zone default now() not null,
+    "updatedAt" timestamp with time zone default now() not null,
+    "insightsProjectId" uuid not null,
+    "insightsProjectSlug" text not null,
+    
+    foreign key ("insightsProjectId") references "insightsProjects" (id) on delete cascade,
+    unique ("repo", "catalogId")
+);
+
+create index "ix_securityInsightsEvaluationSuites_repo" on "securityInsightsEvaluationSuites"("repo");
+create index "ix_securityInsightsEvaluationSuites_updatedAt_id" on "securityInsightsEvaluationSuites" ("updatedAt", id);
+
+-- Security Insights Evaluation Suites Control Evaluations
+create table public."securityInsightsEvaluationSuiteControlEvaluations" (
+    "id" uuid not null primary key,
+    "securityInsightsEvaluationSuiteId" uuid not null,
+    "name" text not null,
+    "repo" text not null,
+    "controlId" text not null,
+    "result" text not null,
+    "message" text not null,
+    "corruptedState" boolean not null,
+    "remediationGuide" text not null,
+    "createdAt" timestamp with time zone default now() not null,
+    "updatedAt" timestamp with time zone default now() not null,
+    "insightsProjectId" uuid not null,
+    "insightsProjectSlug" text not null,
+    
+    foreign key ("insightsProjectId") references "insightsProjects" (id) on delete cascade,
+    foreign key ("securityInsightsEvaluationSuiteId") references "securityInsightsEvaluationSuites" (id) on delete cascade,
+    unique ("securityInsightsEvaluationSuiteId", "repo", "controlId")
+);
+
+create index "ix_securityInsightsControlEvaluations_repo" on "securityInsightsEvaluationSuiteControlEvaluations"("repo");
+create index "ix_securityInsightsControlEvaluations_updatedAt_id" on "securityInsightsEvaluationSuiteControlEvaluations" ("updatedAt", id);
+
+
+-- Security Insights Evaluation Suites Control Evaluation Assessments
+create table public."securityInsightsEvaluationSuiteControlEvaluationAssessments" (
+    "id" uuid not null primary key,
+    "securityInsightsEvaluationSuiteControlEvaluationId" uuid not null,
+    "repo" text not null,
+    "requirementId" text not null,
+    "applicability" text[] not null,
+    "description" text not null,
+    "result" text not null,
+    "message" text not null,
+    "steps" text[] not null,
+    "stepsExecuted" integer not null,
+    "runDuration" text not null,
+    "createdAt" timestamp with time zone default now() not null,
+    "updatedAt" timestamp with time zone default now() not null,
+    "insightsProjectId" uuid not null,
+    "insightsProjectSlug" text not null,
+    
+    foreign key ("insightsProjectId") references "insightsProjects" (id) on delete cascade,
+    foreign key ("securityInsightsEvaluationSuiteControlEvaluationId") references "securityInsightsEvaluationSuiteControlEvaluations" (id) on delete cascade,
+    unique ("securityInsightsEvaluationSuiteControlEvaluationId", "repo", "requirementId")
+);
+
+create index "ix_securityInsightsAssessments_repo" on "securityInsightsEvaluationSuiteControlEvaluationAssessments"("repo");
+create index "ix_securityInsightsAssessments_updatedAt_id" on "securityInsightsEvaluationSuiteControlEvaluationAssessments" ("updatedAt", id);
+
+
+-- Sequin publication migrations
+ALTER PUBLICATION sequin_pub ADD TABLE "securityInsightsEvaluationSuiteControlEvaluations";
+ALTER PUBLICATION sequin_pub ADD TABLE "securityInsightsEvaluationSuiteControlEvaluationAssessments";
+ALTER TABLE public."securityInsightsEvaluationSuiteControlEvaluations" REPLICA IDENTITY FULL;
+ALTER TABLE public."securityInsightsEvaluationSuiteControlEvaluationAssessments" REPLICA IDENTITY FULL;

backend/src/database/migrations/V1744813638__securityInsights.sql

@@ -0,0 +1,4 @@
+DOCKERFILE="./services/docker/Dockerfile.security_best_practices_worker"
+CONTEXT="../"
+REPO="sjc.ocir.io/axbydjxa5zuh/security-best-practices-worker"
+SERVICES="security-best-practices-worker"

pnpm-lock.yaml

@@ -0,0 +1,45 @@
+FROM alpine:3.21 AS core
+RUN apk add --no-cache wget tar unzip
+
+WORKDIR /app
+ARG VERSION=0.7.0
+ARG PLATFORM=Linux_x86_64
+
+RUN wget https://github.com/privateerproj/privateer/releases/download/v${VERSION}/privateer_${PLATFORM}.tar.gz
+RUN tar -xzf privateer_${PLATFORM}.tar.gz
+
+FROM golang:1.23.4-alpine3.21 AS plugin
+RUN apk add --no-cache make git
+WORKDIR /plugin
+RUN git clone https://github.com/revanite-io/pvtr-github-repo.git
+RUN cd pvtr-github-repo && make binary && cp github-repo ../github-repo
+
+FROM node:20-alpine as builder
+
+RUN apk add --no-cache python3 make g++
+
+WORKDIR /usr/crowd/app
+RUN npm install -g corepack@latest && corepack enable pnpm && corepack prepare pnpm@9.15.0 --activate
+
+COPY ./pnpm-workspace.yaml ./pnpm-lock.yaml ./
+RUN pnpm fetch
+
+COPY ./services ./services
+RUN pnpm i --frozen-lockfile
+
+FROM node:20-bookworm-slim as runner
+
+RUN mkdir -p /.privateer/bin
+WORKDIR /.privateer/bin
+COPY --from=core /app/privateer .
+COPY --from=plugin /plugin/github-repo /root/.privateer/bin/github-repo
+COPY ./services/apps/security_best_practices_worker/example-config.yml /.privateer/example-config.yml
+
+WORKDIR /usr/crowd/app
+RUN npm install -g corepack@latest && corepack enable pnpm && corepack prepare pnpm@9.15.0 --activate && apt update && apt install -y ca-certificates --no-install-recommends && rm -rf /var/lib/apt/lists/*
+
+COPY --from=builder /usr/crowd/app/node_modules ./node_modules
+COPY --from=builder /usr/crowd/app/services/base.tsconfig.json ./services/base.tsconfig.json
+COPY --from=builder /usr/crowd/app/services/libs ./services/libs
+COPY --from=builder /usr/crowd/app/services/archetypes/ ./services/archetypes
+COPY --from=builder /usr/crowd/app/services/apps/security_best_practices_worker/ ./services/apps/security_best_practices_worker

scripts/builders/security-best-practices-worker.env

@@ -0,0 +1,18 @@
+**/.git
+**/node_modules
+**/venv*
+**/.webpack
+**/.serverless
+**/.env
+**/.env.*
+**/.idea
+**/.vscode
+**/dist
+.vscode/
+.github/
+frontend/
+scripts/
+.flake8
+*.md
+Makefile
+backend/

scripts/services/docker/Dockerfile.security_best_practices_worker

@@ -0,0 +1,64 @@
+version: '3.1'
+
+x-env-args: &env-args
+  DOCKER_BUILDKIT: 1
+  NODE_ENV: docker
+  SERVICE: security-best-practices-worker
+  CROWD_TEMPORAL_TASKQUEUE: security-best-practices
+  SHELL: /bin/sh
+
+services:
+  security-best-practices-worker:
+    build:
+      context: ../../
+      dockerfile: ./scripts/services/docker/Dockerfile.security_best_practices_worker
+    command: 'pnpm run start'
+    working_dir: /usr/crowd/app/services/apps/security_best_practices_worker
+    env_file:
+      - ../../backend/.env.dist.local
+      - ../../backend/.env.dist.composed
+      - ../../backend/.env.override.local
+      - ../../backend/.env.override.composed
+    environment:
+      <<: *env-args
+    restart: always
+    networks:
+      - crowd-bridge
+
+  security-best-practices-worker-dev:
+    build:
+      context: ../../
+      dockerfile: ./scripts/services/docker/Dockerfile.security_best_practices_worker
+    command: 'pnpm run dev'
+    working_dir: /usr/crowd/app/services/apps/security_best_practices_worker
+    # user: '${USER_ID}:${GROUP_ID}'
+    env_file:
+      - ../../backend/.env.dist.local
+      - ../../backend/.env.dist.composed
+      - ../../backend/.env.override.local
+      - ../../backend/.env.override.composed
+    environment:
+      <<: *env-args
+    hostname: security-best-practices-worker
+    networks:
+      - crowd-bridge
+    volumes:
+      - ../../services/libs/audit-logs/src:/usr/crowd/app/services/libs/audit-logs/src
+      - ../../services/libs/common/src:/usr/crowd/app/services/libs/common/src
+      - ../../services/libs/common_services/src:/usr/crowd/app/services/libs/common_services/src
+      - ../../services/libs/data-access-layer/src:/usr/crowd/app/services/libs/data-access-layer/src
+      - ../../services/libs/database/src:/usr/crowd/app/services/libs/database/src
+      - ../../services/libs/integrations/src:/usr/crowd/app/services/libs/integrations/src
+      - ../../services/libs/logging/src:/usr/crowd/app/services/libs/logging/src
+      - ../../services/libs/opensearch/src:/usr/crowd/app/services/libs/opensearch/src
+      - ../../services/libs/questdb/src:/usr/crowd/app/services/libs/questdb/src
+      - ../../services/libs/queue/src:/usr/crowd/app/services/libs/queue/src
+      - ../../services/libs/redis/src:/usr/crowd/app/services/libs/redis/src
+      - ../../services/libs/telemetry/src:/usr/crowd/app/services/libs/telemetry/src
+      - ../../services/libs/temporal/src:/usr/crowd/app/services/libs/temporal/src
+      - ../../services/libs/types/src:/usr/crowd/app/services/libs/types/src
+      - ../../services/apps/security_best_practices_worker/src:/usr/crowd/app/services/apps/security_best_practices_worker/src
+
+networks:
+  crowd-bridge:
+    external: true

scripts/services/docker/Dockerfile.security_best_practices_worker.dockerignore

@@ -0,0 +1,17 @@
+loglevel: info
+write-directory: evaluation_results
+write: true
+services:
+  $REPO_NAME:
+    plugin: github-repo
+
+    policy:
+      catalogs:
+        - OSPS_B
+      applicability:
+        - Maturity Level 1
+
+    vars:
+      owner: $REPO_OWNER
+      repo: $REPO_NAME
+      token: $GITHUB_TOKEN

scripts/services/security-best-practices-worker.yaml

@@ -0,0 +1,35 @@
+{
+  "name": "@crowd/security-best-practices-worker",
+  "scripts": {
+    "start": "CROWD_TEMPORAL_TASKQUEUE=security-best-practices SERVICE=security-best-practices-worker tsx src/main.ts",
+    "start:debug:local": "set -a && . ../../../backend/.env.dist.local && . ../../../backend/.env.override.local && set +a && CROWD_TEMPORAL_TASKQUEUE=security-best-practices SERVICE=security-best-practices-worker LOG_LEVEL=trace tsx --inspect=0.0.0.0:9232 src/main.ts",
+    "start:debug": "CROWD_TEMPORAL_TASKQUEUE=security-best-practices SERVICE=security-best-practices-worker LOG_LEVEL=info tsx --inspect=0.0.0.0:9232 src/main.ts",
+    "dev:local": "nodemon --watch src --watch ../../libs --ext ts --exec pnpm run start:debug:local",
+    "dev": "nodemon --watch src --watch ../../libs --ext ts --exec pnpm run start:debug",
+    "lint": "npx eslint --ext .ts src --max-warnings=0",
+    "format": "npx prettier --write \"src/**/*.ts\"",
+    "format-check": "npx prettier --check .",
+    "tsc-check": "tsc --noEmit"
+  },
+  "dependencies": {
+    "@crowd/archetype-standard": "workspace:*",
+    "@crowd/archetype-worker": "workspace:*",
+    "@crowd/data-access-layer": "workspace:*",
+    "@crowd/logging": "workspace:*",
+    "@crowd/common": "workspace:*",
+    "@crowd/opensearch": "workspace:*",
+    "@crowd/redis": "workspace:*",
+    "@crowd/types": "workspace:*",
+    "@temporalio/workflow": "~1.11.1",
+    "@temporalio/client": "~1.11.1",
+    "axios": "^1.6.8",
+    "moment": "~2.29.4",
+    "tsx": "^4.7.1",
+    "typescript": "^5.6.3",
+    "js-yaml": "^4.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.8.2",
+    "nodemon": "^3.0.1"
+  }
+}

services/apps/security_best_practices_worker/example-config.yml

@@ -0,0 +1,7 @@
+import {
+  findObsoleteRepos,
+  getOSPSBaselineInsights,
+  saveOSPSBaselineInsightsToDB,
+} from './activities/index'
+
+export { getOSPSBaselineInsights, saveOSPSBaselineInsightsToDB, findObsoleteRepos }