prabhu prabhu

## shiftleft-branch.rego
package shiftleft

default allow = true

runtime := opa.runtime()
sl_app_name := runtime.env.SHIFTLEFT_APP
sl_access_token := runtime.env.SHIFTLEFT_ACCESS_TOKEN
payload := io.jwt.decode(sl_access_token)
sl_org_id := payload[1].orgID
headers := {"Content-Type": "application/json", "Authorization": sprintf("Bearer %s", [sl_access_token])}

## shiftleft.rego
package shiftleft

default allow = true

runtime := opa.runtime()
sl_app_name := runtime.env.SHIFTLEFT_APP
sl_access_token := runtime.env.SHIFTLEFT_ACCESS_TOKEN
payload := io.jwt.decode(sl_access_token)
sl_org_id := payload[1].orgID
headers := {"Content-Type": "application/json", "Authorization": sprintf("Bearer %s", [sl_access_token])}

## Snippets
function detectBrowser(userAgent, language) {
  var version, webkitVersion, iOSAgent, iOSDevice, iOSMajorVersion, iOSMinorVersion, browser = {};
  userAgent = (userAgent || navigator.userAgent).toLowerCase();
  language = language || navigator.language || navigator.browserLanguage;
  version = browser.version = (userAgent.match(/.*(?:rv|chrome|webkit|opera|ie)[\/: ](.+?)([ \);]|$)/) || [])[1];
  webkitVersion = (userAgent.match(/webkit\/(.+?) /) || [])[1];
  iOSAgent = (userAgent.match(/\b(iPad|iPhone|iPod)\b.*\bOS (\d)_(\d)/i) || []);
  iOSDevice = iOSAgent[1];
  iOSMajorVersion = iOSAgent[2];
  iOSMinorVersion = iOSAgent[3];

## bitbucket-pipelines.yml
- step:
    name: ShiftLeft NextGen Analysis
    script:
      - curl https://cdn.shiftleft.io/download/sl > $HOME/sl && chmod a+rx $HOME/sl
      - $HOME/sl analyze --no-diagnostic --force --app ${BITBUCKET_REPO_SLUG} --tag branch=${BITBUCKET_BRANCH} --go --cpg $(pwd)
- step:
    image: python:3.7-slim
    name: ShiftLeft NG SAST Code Insights
    script:
      - pip install requests

## shiftleft-bitbucket-insights.py
#!/usr/bin/python
# pip install requests
import os
import sys

import requests

# Collect the required variables
APP_ID = os.getenv("BITBUCKET_REPO_SLUG")
SHIFTLEFT_ORG_ID = os.getenv("SHIFTLEFT_ORG_ID")

## bitbucket-proxy-api.py
import requests

# Use local bitbucket proxy to avoid the need for app password
proxies = {
    "http": "http://localhost:29418",
    "https": "http://localhost:29418",
}

# Use the proxies object in requests for making
# authenticated calls without app passwords

## bitbucket-repo-variable.tf
provider "bitbucket" {
  version  = "~> 1.2"
  username = var.username
  password = var.password
}

resource "bitbucket_repository_variable" "sl_org_id_secret" {
  for_each   = toset(var.repos)
  key        = "SHIFTLEFT_ORG_ID"
  value      = var.sl_org_id

## bitbucket-branch-protect.tf
resource "bitbucket_branch_restriction" "master" {
  owner      = "myteam"
  repository = "terraform-shiftleft"

  # force, restrict_merges, enforce_merge_checks, allow_auto_merge_when_builds_pass, require_passing_builds_to_merge
  kind = "push"

  # feature/*, release/*
  pattern = "master"
}

## github-on-label.yml
on:
  label:
    types: [created]

steps:
  - name: Analyze with NG SAST
    if: ${{ contains(github.context.payload.pull_request.labels.*.name, 'Ready for AppSec') }}
    run: |
      sl analyze --app ShiftLeftHSLGo14 --tag branch=${GITHUB_REF} --go --cpg $(pwd)

## github-on-deploy.yml
on:
  deployment
	package shiftleft

	default allow = true

	runtime := opa.runtime()
	sl_app_name := runtime.env.SHIFTLEFT_APP
	sl_access_token := runtime.env.SHIFTLEFT_ACCESS_TOKEN
	payload := io.jwt.decode(sl_access_token)
	sl_org_id := payload[1].orgID
	headers := {"Content-Type": "application/json", "Authorization": sprintf("Bearer %s", [sl_access_token])}
	function detectBrowser(userAgent, language) {
	var version, webkitVersion, iOSAgent, iOSDevice, iOSMajorVersion, iOSMinorVersion, browser = {};
	userAgent = (userAgent \|\| navigator.userAgent).toLowerCase();
	language = language \|\| navigator.language \|\| navigator.browserLanguage;
	version = browser.version = (userAgent.match(/.*(?:rv\|chrome\|webkit\|opera\|ie)[\/: ](.+?)([ \);]\|$)/) \|\| [])[1];
	webkitVersion = (userAgent.match(/webkit\/(.+?) /) \|\| [])[1];
	iOSAgent = (userAgent.match(/\b(iPad\|iPhone\|iPod)\b.*\bOS (\d)_(\d)/i) \|\| []);
	iOSDevice = iOSAgent[1];
	iOSMajorVersion = iOSAgent[2];
	iOSMinorVersion = iOSAgent[3];
	- step:
	name: ShiftLeft NextGen Analysis
	script:
	- curl https://cdn.shiftleft.io/download/sl > $HOME/sl && chmod a+rx $HOME/sl
	- $HOME/sl analyze --no-diagnostic --force --app ${BITBUCKET_REPO_SLUG} --tag branch=${BITBUCKET_BRANCH} --go --cpg $(pwd)
	- step:
	image: python:3.7-slim
	name: ShiftLeft NG SAST Code Insights
	script:
	- pip install requests
	#!/usr/bin/python
	# pip install requests
	import os
	import sys

	import requests

	# Collect the required variables
	APP_ID = os.getenv("BITBUCKET_REPO_SLUG")
	SHIFTLEFT_ORG_ID = os.getenv("SHIFTLEFT_ORG_ID")
	import requests

	# Use local bitbucket proxy to avoid the need for app password
	proxies = {
	"http": "http://localhost:29418",
	"https": "http://localhost:29418",
	}

	# Use the proxies object in requests for making
	# authenticated calls without app passwords
	provider "bitbucket" {
	version = "~> 1.2"
	username = var.username
	password = var.password
	}

	resource "bitbucket_repository_variable" "sl_org_id_secret" {
	for_each = toset(var.repos)
	key = "SHIFTLEFT_ORG_ID"
	value = var.sl_org_id
	resource "bitbucket_branch_restriction" "master" {
	owner = "myteam"
	repository = "terraform-shiftleft"

	# force, restrict_merges, enforce_merge_checks, allow_auto_merge_when_builds_pass, require_passing_builds_to_merge
	kind = "push"

	# feature/, release/
	pattern = "master"
	}
	on:
	label:
	types: [created]

	steps:
	- name: Analyze with NG SAST
	if: ${{ contains(github.context.payload.pull_request.labels.*.name, 'Ready for AppSec') }}
	run: \|
	sl analyze --app ShiftLeftHSLGo14 --tag branch=${GITHUB_REF} --go --cpg $(pwd)