Merge branch 'main' of github.com:advanced-security/policy-as-code into ghastoolkit-updates

Author: GeekMasher

.github/workflows/main.yml

@@ -18,7 +18,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        python-version: ["3.9", "3.10", "3.11"]
+        python-version: ["3.9", "3.10", "3.11", "3.12", "3.13"]
 
     steps:
       - uses: actions/checkout@v4

.release.yml

@@ -1,11 +1,15 @@
 name: "policy-as-code"
-version: "2.8.0"
+repository: "advanced-security/policy-as-code"
+version: "2.10.1"
+
+ecosystems:
+  - Python
 
 locations:
   - name: "Update Docs"
     paths:
       - "*.md"
+      - "docs/*.md"
     patterns:
-      - 'advanced-security/policy-as-code@v([0-9]\.[0-9]\.[0-9])'
-      - '--branch "v([0-9]\.[0-9]\.[0-9])"'
-
+      - "{repository}@v{version}"
+      - '--branch "v{version}"'

README.md

@@ -45,7 +45,7 @@ Here is how you can quickly setup policy-as-code.
 ```yaml
 # Policy as Code
 - name: Advance Security Policy as Code
-  uses: advanced-security/policy-as-code@v2.8.0
+  uses: advanced-security/policy-as-code@v2.10.1
 ```
 
 > [!WARNING]
@@ -61,15 +61,15 @@ The Policy as Code project is a self-contained Python based CLI tool.
 **Bash / Zsh:**
 
 ```bash
-git clone --branch "v2.8.0" https://github.com/advanced-security/policy-as-code.git && cd ./policy-as-code
+git clone --branch "v2.10.1" https://github.com/advanced-security/policy-as-code.git && cd ./policy-as-code
 
 ./policy-as-code --help
 ```
 
 **Powershell:**
 
 ```Powershell
-git clone --branch "v2.8.0" https://github.com/advanced-security/policy-as-code.git
+git clone --branch "v2.10.1" https://github.com/advanced-security/policy-as-code.git
 cd policy-as-code
 
 .\policy-as-code.ps1 --help
@@ -84,23 +84,35 @@ For Policy as Code to work correctly, you need to have the following permissions
 
 - [required] Repository Permissions
   - [`security_events: read`][permissions]
-    - [Dependabot Alerts][permissions-dependabot]
     - [Code Scanning][permissions-codescanning]
-    - [Secret Scanning][permissions-secretscanning]
   - [`content: read`][permissions]
     - [Dependency Graph][permissions-dependencygraph] / [Dependency Licenses][permissions-dependencygraph]
   - [`pull-requests: write`][permissions]
     - Policy as Code Pull Request Summary
+  - ["Secret scanning alerts" repository permissions (read)][permissions-secretscanning]
+    - ⚠️ GitHub App or PAT only, not Actions Token
+  - ["Dependabot alerts" repository permissions (read)][permissions-dependabot]
+    - ⚠️ GitHub App or PAT only, not Actions Token
 - [optional] Policy Repository
   - `content: read` to be able to clone external sources of the policies
 
+> [!WARNING]
+> Secret Scanning and Dependabot Alerts results cannot be accessed using the Actions Token, use a GitHub App
+
+**GitHub App:**
+
+- Contents
+- [Code scanning alerts][permissions-codescanning]
+- [Dependabot alerts][permissions-dependabot]
+- [Secret scanning alerts][permissions-secretscanning]
+
 **[Action Permissions Example][permissions]:**
 
 ```yaml
 # workflow or job level
 permissions:
-  content: read
-  security_events: read
+  contents: read
+  security-events: read
   # pull request summaries
   pull-requests: write
 ```
@@ -128,7 +140,7 @@ Here is an example of using a simple yet cross-organization using Policy as Code
 ```yaml
 # Compliance
 - name: Advance Security Policy as Code
-  uses: advanced-security/policy-as-code@v2.8.0
+  uses: advanced-security/policy-as-code@2.10.0
   with:
     # The owner/repo of where the policy is stored
     policy: GeekMasher/security-queries

action.yml

@@ -35,6 +35,10 @@ inputs:
     description: Policy as Code branch
     default: main
 
+  retries:
+    description: Number of times to retry the action
+    default: 240 # 1 hours worth of retries
+
   argvs:
     description: "Additional Arguments"
 
@@ -55,4 +59,5 @@ runs:
           --github-policy "${{ inputs.policy }}" \
           --github-policy-path "${{ inputs.policy-path }}" \
           --github-policy-branch "${{ inputs.policy-branch }}" \
+          --retry-count "${{ inputs.retries }}" \
           ${{ inputs.argvs }}

examples/workflows/appAuth.yml

@@ -1,39 +1,38 @@
-name: Licensing Compliance
+name: Policy as Code
 
 on:
   push:
-    branches: [master, main]
+    branches: [ master, main ]
   pull_request:
-    branches: [master, main]
+    branches: [ master, main ]
   workflow_dispatch:
 
 jobs:
-  licensing:
+  policy-as-code:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: tibdex/github-app-token@v1
-        id: get-token
+      - uses: actions/create-github-app-token@v1
+        id: app-token
         with:
-          private_key: ${{ secrets.GIT_APP_PRIVATE_KEY }}
-          app_id: ${{ secrets.GIT_APP_ID }}
+          app-id: ${{ secrets.GIT_APP_ID }}
+          private-key: ${{ secrets.GIT_APP_PRIVATE_KEY }}
 
       - name: Security Compliance Action
         uses: advanced-security/policy-as-code@main
         with:
-          policy: KPMG-UK/security-compliance
+          # Which repository the policy is stored
+          policy: advanced-security/security
           # The local (within the workspace) or repository
-          policy-path: policies/kpmg-uk.yml
-          # The branch you want to target
+          policy-path: policies/production.yml
+          # [optional] The branch you want to target
           policy-branch: main
-
-          # The branch you want to target using `policy` argument
-          # policy-branch: main
-
           # GitHub Personal Access Token to access the GitHub API.
           # Secret Scanning and Dependabot do not allow their resources to be
           #  exposed to Actions so this might need to be set using a token that has
           #  the ability to access the resources
-          token: ${{ steps.get-token.outputs.token }}
+          token: ${{ steps.app-token.outputs.token }}
+          # [optional]: What action to take if the policy requirements are broken
           action: continue
+          # This is needed to specify that the token being used is a GitHub App token
           argvs: "--is-github-app-token"

ghascompliance/__main__.py

@@ -24,7 +24,9 @@
 parser = argparse.ArgumentParser(tool_name)
 
 parser.add_argument(
-    "--debug", action="store_true", default=bool(os.environ.get("DEBUG"))
+    "--debug",
+    action="store_true",
+    default=bool(os.environ.get("RUNNER_DEBUG", os.environ.get("DEBUG", 0))),
 )
 parser.add_argument("--disable-caching", action="store_false")
 parser.add_argument("--disable-code-scanning", action="store_true")
@@ -50,6 +52,8 @@
     "--github-policy-path",
     default=os.path.join(HERE, "defaults", "policy.yml"),
 )
+github_arguments.add_argument("--retry-count", type=int, default=240)
+github_arguments.add_argument("--retry-sleep", type=int, default=15)
 
 thresholds = parser.add_argument_group("Thresholds")
 thresholds.add_argument(
@@ -73,6 +77,8 @@
         format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
     )
     Octokit.setLevel(logging.DEBUG if arguments.debug else logging.INFO)
+    ghastoolkit_logger = logging.getLogger("ghastoolkit")
+    ghastoolkit_logger.setLevel(logging.DEBUG if arguments.debug else logging.INFO)
 
     if arguments.debug:
         Octokit.debug("Debugging enabled")
@@ -186,6 +192,8 @@
         display=arguments.display,
         results_path=results,
         caching=arguments.disable_caching,
+        retry_count=arguments.retry_count,
+        retry_sleep=arguments.retry_sleep,
     )
 
     errors = 0
@@ -213,7 +221,7 @@
             Summary.addLine(Summary.formatItalics(str(err)))
 
         except Exception as err:
-            Octokit.error("Unknown Exception was hit, please repo this to " + __url__)
+            Octokit.error("Unknown Exception was hit, please report this to " + __url__)
             Octokit.error(str(err))
 
             errors += 1  # add to error count

ghascompliance/__version__.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-__version__ = "2.8.0"
+__version__ = "2.10.1"
 
 __title__ = "GitHub Advanced Security Policy as Code"
 __name__ = "ghascompliance"

ghascompliance/checks.py

@@ -31,6 +31,8 @@ def __init__(
         debugging: bool = False,
         results_path: str = ".compliance",
         caching: bool = True,
+        retry_count: int = 240,
+        retry_sleep: int = 15,
     ):
         self.policy = policy
 
@@ -39,6 +41,9 @@ def __init__(
         self.results = results_path
 
         self.caching = caching
+        # Retry count and sleep for Code Scanning
+        self.retry_count = retry_count
+        self.retry_sleep = retry_sleep
 
         os.makedirs(self.results, exist_ok=True)
 
@@ -77,14 +82,20 @@ def checkCodeScanning(self):
         ]
         code_scanning_violations = []
 
-        codescanning = CodeScanning()
+        # Code Scanning + Retries for large repos (e.g. 240 * 15 = 60 minutes)
+        codescanning = CodeScanning(
+            retry_count=self.retry_count, retry_sleep=self.retry_sleep
+        )
 
         if not self.policy.checkTechnologyActive("codescanning"):
             Octokit.info("Code Scanning is not active in the policy")
             return 0
 
         if GitHub.repository.isInPullRequest():
             Octokit.info("Code Scanning Alerts from Pull Request (alert diff)")
+            Octokit.info(
+                f"Code Scanning retries enabled :: x{self.retry_count}/{self.retry_sleep}s"
+            )
             pr_base = (
                 GitHub.repository.getPullRequestInfo().get("base", {}).get("ref", "")
             )
@@ -201,13 +212,7 @@ def checkDependabot(self):
 
         else:
             # Alerts
-            try:
-                alerts = dependabot.getAlerts("open")
-            except Exception as err:
-                Octokit.warning(f"Unable to get Dependabot alerts :: {err}")
-                Octokit.warning("Trying GraphQL API")
-                alerts = dependabot.getAlertsGraphQL()
-
+            alerts = dependabot.getAlerts("open")
             # Dependencies
             dependencies = depgraph.getDependencies()