timothywarner-org
diff --git a/‎.github/codeql/codeql-config-nodegoat.yml‎
Lines changed: 25 additions & 0 deletions b/‎.github/codeql/codeql-config-nodegoat.yml‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎.github/workflows/codeql-nodegoat-only.yml‎
Lines changed: 33 additions & 0 deletions b/‎.github/workflows/codeql-nodegoat-only.yml‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 69 additions & 0 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎PRE-COMMIT-HOOKS.md‎
Lines changed: 198 additions & 0 deletions b/‎PRE-COMMIT-HOOKS.md‎
Lines changed: 198 additions & 0 deletions
@@ -0,0 +1,25 @@
+# Name of this CodeQL config — helps if you have multiple configs
+name: "NodeGoat-only CodeQL config"
+
+disable-default-queries: true   # we will explicitly pick what to run
+
+packs:
+  # Use the standard JavaScript security-extended query suite
+  - codeql/javascript-queries:codeql-suites/javascript-security-extended.qls
+
+# Only scan paths under vulnerable_repos/NodeGoat
+paths:
+  - 'vulnerable_repos/NodeGoat/**'
+
+# Optionally, ignore paths under NodeGoat that you don't care about
+paths-ignore:
+  - 'vulnerable_repos/NodeGoat/node_modules/**'
+  - 'vulnerable_repos/NodeGoat/**/*.test.js'
+  - 'vulnerable_repos/NodeGoat/**/*.spec.js'
+
+# Optional: filter out low-severity warnings/recommendations to reduce noise
+query-filters:
+  - exclude:
+      problems.severity:
+        - warning
+        - recommendation
@@ -0,0 +1,33 @@
+name: CodeQL − NodeGoat Only
+
+on:
+  workflow_dispatch:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze NodeGoat JS/TS
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL with NodeGoat config
+        uses: github/codeql-action/init@v3
+        with:
+          config-file: ./.github/codeql/codeql-config-nodegoat.yml
+          languages: javascript-typescript
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:javascript-typescript"
@@ -0,0 +1,69 @@
+# Pre-commit Hook Configuration
+# ==============================
+# Automated security scanning before commits
+# Install: pre-commit install
+# Run manually: pre-commit run --all-files
+
+repos:
+  # Semgrep - SAST for secrets and vulnerabilities
+  - repo: https://github.com/returntocorp/semgrep
+    rev: v1.52.0
+    hooks:
+      - id: semgrep
+        name: Semgrep Security Scan
+        entry: semgrep
+        language: python
+        types: [text]
+        args:
+          - --config=p/secrets
+          - --config=p/security-audit
+          - --config=p/owasp-top-ten
+          - --error
+          - --strict
+          - --verbose
+        exclude: |
+          (?x)^(
+            .*\.min\.js|
+            .*\.map|
+            node_modules/|
+            vendor/|
+            \.git/|
+            \.venv/|
+            venv/|
+            __pycache__/|
+            \.pytest_cache/|
+            \.mypy_cache/|
+            dist/|
+            build/|
+            \.lock$|
+            package-lock\.json|
+            yarn\.lock
+          )
+
+  # Standard pre-commit hooks
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+        exclude: \.md$
+      - id: end-of-file-fixer
+      - id: check-yaml
+        args: [--unsafe]
+      - id: check-json
+      - id: check-added-large-files
+        args: [--maxkb=1024]
+      - id: detect-private-key
+      - id: detect-aws-credentials
+        args: [--allow-missing-credentials]
+
+  # YAML linting
+  - repo: https://github.com/adrienverge/yamllint
+    rev: v1.33.0
+    hooks:
+      - id: yamllint
+        args: [-d, '{extends: relaxed, rules: {line-length: {max: 120}}}']
+        exclude: |
+          (?x)^(
+            \.github/workflows/|
+            vulnerable_repos/
+          )
@@ -0,0 +1,198 @@
+# Git Pre-Commit Hooks for Security Scanning
+
+This repository uses automated pre-commit hooks to scan for security vulnerabilities, exposed secrets, API keys, passwords, and other sensitive data before code is committed.
+
+## What Gets Scanned
+
+The pre-commit hooks perform the following security checks:
+
+- **Semgrep**: Scans for hardcoded secrets, API keys, passwords, and security anti-patterns
+- **TruffleHog**: Detects high-entropy strings and known secret patterns
+- **GitLeaks**: Additional secret detection with pattern matching
+- **Built-in Checks**: Detects private keys, AWS credentials, large files, and trailing whitespace
+
+## Installation
+
+### Prerequisites
+
+Install the required tools:
+
+```bash
+# Install pre-commit framework
+pip install pre-commit
+
+# Install Semgrep
+pip install semgrep
+
+# Install TruffleHog (requires Go)
+go install github.com/trufflesecurity/trufflehog/v3@latest
+
+# Install GitLeaks (alternative: download binary from releases)
+go install github.com/gitleaks/gitleaks/v8@latest
+
+# Or use package managers:
+# macOS
+brew install pre-commit semgrep trufflehog gitleaks
+
+# Ubuntu/Debian
+pip install pre-commit semgrep
+# Download TruffleHog and GitLeaks binaries separately
+```
+
+### Setup Pre-Commit Hooks
+
+1. **Install the hooks** in your local repository:
+
+```bash
+cd /path/to/github-security-testbed
+pre-commit install
+```
+
+2. **Verify installation**:
+
+```bash
+pre-commit --version
+```
+
+You should see output like: `pre-commit 3.x.x`
+
+3. **(Optional) Run against all files** to test:
+
+```bash
+pre-commit run --all-files
+```
+
+## Usage
+
+### Automatic Scanning
+
+Once installed, the hooks run automatically on every `git commit`:
+
+```bash
+git add myfile.js
+git commit -m "Add new feature"
+# Pre-commit hooks will run automatically
+```
+
+### Manual Scanning
+
+Run hooks manually without committing:
+
+```bash
+# Scan all files
+pre-commit run --all-files
+
+# Scan specific files
+pre-commit run --files src/auth.js src/config.js
+
+# Run specific hook only
+pre-commit run semgrep --all-files
+pre-commit run trufflehog --all-files
+```
+
+### Bypassing Hooks (Use with Caution)
+
+If you need to bypass hooks temporarily (not recommended for security-sensitive changes):
+
+```bash
+git commit --no-verify -m "Emergency fix"
+```
+
+## What Happens When Secrets Are Detected
+
+If a secret or security issue is found:
+
+1. **Commit is blocked** - Your commit will fail
+2. **Results are displayed** - You'll see which files and lines contain issues
+3. **Fix the issues** - Remove or properly secure the detected secrets
+4. **Retry commit** - After fixing, try committing again
+
+Example output:
+```
+Semgrep Security Scan........................................Failed
+- hook id: semgrep
+- exit code: 1
+
+src/config.js
+  severity:error rule:generic.secrets.gitleaks.generic-api-key
+    Found hardcoded API key
+    Line 12: const API_KEY = "sk_live_51234567890abcdef"
+```
+
+## Configuration
+
+The hook configuration is in `.pre-commit-config.yaml`. You can customize:
+
+- **Semgrep rules**: Modify `args` under the Semgrep hook
+- **File exclusions**: Update `exclude` patterns
+- **Hook versions**: Update `rev` values to newer versions
+
+Example customization:
+```yaml
+- id: semgrep
+  args:
+    - --config=p/secrets
+    - --config=p/owasp-top-ten  # Add more rulesets
+    - --error
+```
+
+## Troubleshooting
+
+### Hook fails to install
+```bash
+# Update pre-commit
+pip install --upgrade pre-commit
+
+# Reinstall hooks
+pre-commit uninstall
+pre-commit install
+```
+
+### Semgrep not found
+```bash
+# Ensure Semgrep is in PATH
+which semgrep
+pip install --upgrade semgrep
+```
+
+### TruffleHog/GitLeaks not found
+```bash
+# Check installation
+which trufflehog
+which gitleaks
+
+# Add Go bin to PATH if needed
+export PATH=$PATH:$(go env GOPATH)/bin
+```
+
+### Slow hook execution
+```bash
+# Update to latest hook versions
+pre-commit autoupdate
+
+# Or disable specific slow hooks
+# (comment out in .pre-commit-config.yaml)
+```
+
+## Best Practices
+
+1. **Never commit secrets** - Use environment variables or secret management tools
+2. **Use .gitignore** - Exclude files with sensitive data (`.env`, `secrets.json`)
+3. **Regular updates** - Keep hooks updated: `pre-commit autoupdate`
+4. **Team adoption** - Ensure all developers install hooks
+5. **CI/CD integration** - Run same checks in CI pipeline (see `.github/workflows/`)
+
+## Resources
+
+- [Pre-commit Documentation](https://pre-commit.com/)
+- [Semgrep Rules](https://semgrep.dev/r)
+- [TruffleHog GitHub](https://github.com/trufflesecurity/trufflehog)
+- [GitLeaks Documentation](https://github.com/gitleaks/gitleaks)
+
+## Support
+
+For issues with the hooks:
+1. Check this documentation
+2. Run `pre-commit run --all-files --verbose` for detailed output
+3. Review `.pre-commit-config.yaml` configuration
+4. Open an issue in this repository