prabhu prabhu

## github-repo-template.tf
data "github_repositories" "java_ms_template" {
  query = "org:${var.organization} language:java topic:microservice topic:template"
}

resource "github_repository" "new_ms" {
  name        = "new-java-microservice"
  description = "New Java Microservice"

  private = true

## github-on-deploy.yml
on:
  deployment

## github-on-label.yml
on:
  label:
    types: [created]

steps:
  - name: Analyze with NG SAST
    if: ${{ contains(github.context.payload.pull_request.labels.*.name, 'Ready for AppSec') }}
    run: |
      sl analyze --app ShiftLeftHSLGo14 --tag branch=${GITHUB_REF} --go --cpg $(pwd)

## bitbucket-branch-protect.tf
resource "bitbucket_branch_restriction" "master" {
  owner      = "myteam"
  repository = "terraform-shiftleft"

  # force, restrict_merges, enforce_merge_checks, allow_auto_merge_when_builds_pass, require_passing_builds_to_merge
  kind = "push"

  # feature/*, release/*
  pattern = "master"
}

## bitbucket-repo-variable.tf
provider "bitbucket" {
  version  = "~> 1.2"
  username = var.username
  password = var.password
}

resource "bitbucket_repository_variable" "sl_org_id_secret" {
  for_each   = toset(var.repos)
  key        = "SHIFTLEFT_ORG_ID"
  value      = var.sl_org_id

## bitbucket-reusable-pipelines.yml
definitions:
  steps:
    - step: &build
        name: Build microservices jar
        script:
          - mvn package
        artifacts:
          - target/**
    - step: &build-react
        name: Build React app

## bitbucket-proxy-api.py
import requests

# Use local bitbucket proxy to avoid the need for app password
proxies = {
    "http": "http://localhost:29418",
    "https": "http://localhost:29418",
}

# Use the proxies object in requests for making
# authenticated calls without app passwords

## shiftleft-bitbucket-insights.py
#!/usr/bin/python
# pip install requests
import os
import sys

import requests

# Collect the required variables
APP_ID = os.getenv("BITBUCKET_REPO_SLUG")
SHIFTLEFT_ORG_ID = os.getenv("SHIFTLEFT_ORG_ID")

## bitbucket-pipelines.yml
- step:
    name: ShiftLeft NextGen Analysis
    script:
      - curl https://cdn.shiftleft.io/download/sl > $HOME/sl && chmod a+rx $HOME/sl
      - $HOME/sl analyze --no-diagnostic --force --app ${BITBUCKET_REPO_SLUG} --tag branch=${BITBUCKET_BRANCH} --go --cpg $(pwd)
- step:
    image: python:3.7-slim
    name: ShiftLeft NG SAST Code Insights
    script:
      - pip install requests

## shiftleft.rego
package shiftleft

default allow = true

runtime := opa.runtime()
sl_app_name := runtime.env.SHIFTLEFT_APP
sl_access_token := runtime.env.SHIFTLEFT_ACCESS_TOKEN
payload := io.jwt.decode(sl_access_token)
sl_org_id := payload[1].orgID
headers := {"Content-Type": "application/json", "Authorization": sprintf("Bearer %s", [sl_access_token])}
	data "github_repositories" "java_ms_template" {
	query = "org:${var.organization} language:java topic:microservice topic:template"
	}

	resource "github_repository" "new_ms" {
	name = "new-java-microservice"
	description = "New Java Microservice"

	private = true
	on:
	label:
	types: [created]

	steps:
	- name: Analyze with NG SAST
	if: ${{ contains(github.context.payload.pull_request.labels.*.name, 'Ready for AppSec') }}
	run: \|
	sl analyze --app ShiftLeftHSLGo14 --tag branch=${GITHUB_REF} --go --cpg $(pwd)
	resource "bitbucket_branch_restriction" "master" {
	owner = "myteam"
	repository = "terraform-shiftleft"

	# force, restrict_merges, enforce_merge_checks, allow_auto_merge_when_builds_pass, require_passing_builds_to_merge
	kind = "push"

	# feature/, release/
	pattern = "master"
	}
	provider "bitbucket" {
	version = "~> 1.2"
	username = var.username
	password = var.password
	}

	resource "bitbucket_repository_variable" "sl_org_id_secret" {
	for_each = toset(var.repos)
	key = "SHIFTLEFT_ORG_ID"
	value = var.sl_org_id
	definitions:
	steps:
	- step: &build
	name: Build microservices jar
	script:
	- mvn package
	artifacts:
	- target/**
	- step: &build-react
	name: Build React app
	import requests

	# Use local bitbucket proxy to avoid the need for app password
	proxies = {
	"http": "http://localhost:29418",
	"https": "http://localhost:29418",
	}

	# Use the proxies object in requests for making
	# authenticated calls without app passwords
	#!/usr/bin/python
	# pip install requests
	import os
	import sys

	import requests

	# Collect the required variables
	APP_ID = os.getenv("BITBUCKET_REPO_SLUG")
	SHIFTLEFT_ORG_ID = os.getenv("SHIFTLEFT_ORG_ID")
	- step:
	name: ShiftLeft NextGen Analysis
	script:
	- curl https://cdn.shiftleft.io/download/sl > $HOME/sl && chmod a+rx $HOME/sl
	- $HOME/sl analyze --no-diagnostic --force --app ${BITBUCKET_REPO_SLUG} --tag branch=${BITBUCKET_BRANCH} --go --cpg $(pwd)
	- step:
	image: python:3.7-slim
	name: ShiftLeft NG SAST Code Insights
	script:
	- pip install requests
	package shiftleft

	default allow = true

	runtime := opa.runtime()
	sl_app_name := runtime.env.SHIFTLEFT_APP
	sl_access_token := runtime.env.SHIFTLEFT_ACCESS_TOKEN
	payload := io.jwt.decode(sl_access_token)
	sl_org_id := payload[1].orgID
	headers := {"Content-Type": "application/json", "Authorization": sprintf("Bearer %s", [sl_access_token])}