Josh Johanning joshjohanning

View GitHub Profile
@joshjohanning
joshjohanning / package.json
Created Sep 23, 2022
vulnerable javascript package
```json
"tar": "2.2.2"
```
@joshjohanning
joshjohanning / github-advanced-security-resources.md
Last active Sep 16, 2022
GitHub Advanced Security Resources
View github-advanced-security-resources.md
@joshjohanning
joshjohanning / Add-Vulnerable-NuGet-Package.sh
Created Aug 24, 2022
Sample vulnerable NuGet package for Dependabot
```sh
dotnet add src/MyProject.csproj package Microsoft.Data.OData -v 5.0.1
```
@joshjohanning
joshjohanning / New.cs
Created Aug 24, 2022
sample vulnerable .NET C# code for CodeQL
```csharp
using System;
using System.Security.Cryptography;

class WeakEncryption
{
    public static byte[] encryptString()
    {
        // DES with a hard-coded key: intentionally weak, written to trigger a CodeQL alert
        SymmetricAlgorithm serviceProvider = new DESCryptoServiceProvider();
        byte[] key = { 16, 22, 240, 11, 18, 150, 192, 21 };
        serviceProvider.Key = key;
        ICryptoTransform encryptor = serviceProvider.CreateEncryptor();
```
@joshjohanning
joshjohanning / runner.yaml
Created Jun 28, 2022
runner.yaml for actions-runner-controller with org runners and metric-based scaling
```yaml
apiVersion: actions.summerwind.dev/v1alpha1
kind: RunnerDeployment
metadata:
  name: joshjohanning-org-runner
spec:
  replicas: 1
  template:
    spec:
      organization: joshjohanning-org
      group: k8s-group
```
@joshjohanning
joshjohanning / actions-runner-controller-self-signed-certs.md
Last active Jun 28, 2022
self-signed certs for actions-runner-controller
1. Create RSA keys for the CA cert and the server cert; this outputs ca.key and server.key

```sh
openssl genrsa -out ca.key 4096
openssl genrsa -out server.key 4096
```

2. Create a ca.conf CA config file
View generate-release-notes.ps1

```powershell
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Accept", "application/vnd.github.v3+json")
$headers.Add("Authorization", "Bearer <add your PAT here>")
$headers.Add("Content-Type", "application/json")
$body = "{ `n `"tag_name`": `"newest`",`n `"previous_tag_name`": `"newer`"`n}"
$response = Invoke-RestMethod 'https://api.github.com/repos/services-octoshift-demo/Test-Octoshift-2/releases/generate-notes' -Method 'POST' -Headers $headers -Body $body
$response | ConvertTo-Json
```
@joshjohanning
joshjohanning / action.yml
Last active Jan 31, 2022
Workflow dispatch inputs and defaults with other on: trigger events
```yaml
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
  inputs:
    build_run_id_to_deploy:
      description: 'the build run id to download for deploy'
      required: true
      default: '1703586018'
env:
  build_run_id_to_deploy: '1703586018'
```
@joshjohanning
joshjohanning / vulnerability.js
Created Jan 13, 2022
introduce code vulnerability in ghas
```javascript
// Intentionally flawed string-ending check, written to trigger a code scanning alert
function endsWith(x, y) {
  let index = x.lastIndexOf(y);
  return x.lastIndexOf(y) === x.length - y.length;
}
// comment
```
@joshjohanning
joshjohanning / action.yml
Created Jan 12, 2022
use an app id, installation id, and private key to clone a repo with github apps
```yaml
name: CI
# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the main branch
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
```