Merge branch 'master' into docs

Author: xfhg

.github/workflows/intercept.yml

@@ -0,0 +1,42 @@
+name: "Intercept Mock Code Scanning - Integration"
+
+on:
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: 'Branch to scan'
+        required: true
+        default: 'master'
+  push:
+    branches: [ master, integration/github  ]
+  schedule:
+    - cron: '0 0 * * 0'
+
+
+jobs:
+  analyze:
+    name: Mock Code Scanning with Intercept
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    - name: Compile intercept
+      run: |
+        make build && cp release/intercept .
+
+    - name: Run intercept with mock policy
+      run: |
+        ./intercept audit --policy playground/policies/mock_github.yaml --target playground/targets/ -vvvv 
+
+    - name: Find SARIF file
+      id: find-sarif
+      run: |
+        SARIF_FILE=$(find . -type f -regex ".*intercept_[a-zA-Z0-9]+\.sarif\.json" -print -quit)
+        echo "SARIF_FILE=${SARIF_FILE}" >> $GITHUB_OUTPUT
+
+    - name: Upload SARIF file
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: ${{ steps.find-sarif.outputs.SARIF_FILE }}

cmd/hook.go

@@ -5,7 +5,11 @@ package cmd
 
 import (
 	"bytes"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
 	"crypto/tls"
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 	"reflect"
@@ -78,6 +82,42 @@ func convertLogsToNDJSON(logs interface{}) (string, error) {
 	return strings.Join(ndjsonLines, "\n"), nil
 }
 
+func GenerateWebhookSecret() (string, error) {
+	// Generate 32 bytes of random data
+	randomBytes := make([]byte, 32)
+	_, err := rand.Read(randomBytes)
+	if err != nil {
+		return "", fmt.Errorf("failed to generate random bytes: %w", err)
+	}
+
+	// Encode the random bytes to base64
+	secret := base64.URLEncoding.EncodeToString(randomBytes)
+
+	// Prefix the secret with "whsec_" to match the format of the example
+	return "whsec_" + secret, nil
+}
+
+func calculateWebhookSignature(payload []byte, secret string) (string, error) {
+	// Split the secret and decode the base64 part
+	parts := strings.SplitN(secret, "_", 2)
+	if len(parts) != 2 {
+		return "", fmt.Errorf("invalid secret format")
+	}
+	secretBytes, err := base64.URLEncoding.DecodeString(parts[1])
+	if err != nil {
+		return "", fmt.Errorf("failed to decode secret: %w", err)
+	}
+
+	// Create the HMAC
+	h := hmac.New(sha256.New, secretBytes)
+	h.Write(payload)
+
+	// Get the result and encode to base64
+	signature := base64.StdEncoding.EncodeToString(h.Sum(nil))
+
+	return signature, nil
+}
+
 // event types same as log types : minimal, results, policy, report
 // custom modifiers : policy+bulk, report+bulk,
 
@@ -168,6 +208,22 @@ func PostResultsToWebhooks(sarifReport SARIFReport) error {
 		// Prepare the request
 		req := client.R()
 		req.SetHeaders(hook.Headers)
+
+		// Set custom User-Agent
+		userAgent := fmt.Sprintf("intercept/%s", buildVersion)
+		req.SetHeader("User-Agent", userAgent)
+
+		// Convert payload to []byte for signature calculation
+		var payloadBytes []byte
+		if payloadType == "x-ndjson" {
+			payloadBytes = []byte(payload.(string))
+		} else {
+			payloadBytes, _ = json.Marshal(payload)
+		}
+		// Calculate and set the signature
+		signature, _ := calculateWebhookSignature(payloadBytes, webhookSecret)
+		req.SetHeader("X-Signature", signature)
+
 		req.SetBody(payload)
 
 		// Set content type based on payloadType
@@ -196,13 +252,15 @@ func PostResultsToWebhooks(sarifReport SARIFReport) error {
 				time.Sleep(retryDelay)
 			}
 		}
+		// Flatten hook.EventTypes to a single string
+		flatEventTypes := strings.Join(hook.EventTypes, ",")
 
 		if err != nil {
-			log.Error().Err(err).Str("hook", hook.Name).Msg("Failed to post to webhook")
+			log.Error().Err(err).Str("hook", hook.Name).Str("event_type", flatEventTypes).Msg("Failed to post to webhook")
 		} else if !resp.IsSuccess() {
-			log.Error().Str("hook", hook.Name).Int("status", resp.StatusCode()).Msg("Webhook request failed")
+			log.Error().Str("hook", hook.Name).Str("event_type", flatEventTypes).Int("status", resp.StatusCode()).Msg("Webhook request failed")
 		} else {
-			log.Info().Str("hook", hook.Name).Msg("Successfully posted to webhook")
+			log.Info().Str("hook", hook.Name).Str("event_type", flatEventTypes).Str("payload_type", payloadType).Msg("Successfully posted to webhook")
 		}
 	}
 
@@ -330,6 +388,22 @@ func PostReportToWebhooks(sarifReport SARIFReport) error {
 		// Prepare the request
 		req := client.R()
 		req.SetHeaders(hook.Headers)
+
+		// Set custom User-Agent
+		userAgent := fmt.Sprintf("intercept/%s", buildVersion)
+		req.SetHeader("User-Agent", userAgent)
+
+		// Convert payload to []byte for signature calculation
+		var payloadBytes []byte
+		if payloadType == "x-ndjson" {
+			payloadBytes = []byte(payload.(string))
+		} else {
+			payloadBytes, _ = json.Marshal(payload)
+		}
+		// Calculate and set the signature
+		signature, _ := calculateWebhookSignature(payloadBytes, webhookSecret)
+		req.SetHeader("X-Signature", signature)
+
 		req.SetBody(payload)
 
 		// if containsString(hook.EventTypes, "bulk") {
@@ -361,12 +435,15 @@ func PostReportToWebhooks(sarifReport SARIFReport) error {
 			}
 		}
 
+		// Flatten hook.EventTypes to a single string
+		flatEventTypes := strings.Join(hook.EventTypes, ",")
+
 		if err != nil {
-			log.Error().Err(err).Str("hook", hook.Name).Msg("Failed to post to webhook")
+			log.Error().Err(err).Str("hook", hook.Name).Str("event_type", flatEventTypes).Msg("Failed to post to webhook")
 		} else if !resp.IsSuccess() {
-			log.Error().Str("hook", hook.Name).Int("status", resp.StatusCode()).Msg("Webhook request failed")
+			log.Error().Str("hook", hook.Name).Str("event_type", flatEventTypes).Int("status", resp.StatusCode()).Msg("Webhook request failed")
 		} else {
-			log.Info().Str("hook", hook.Name).Msg("Successfully posted to webhook")
+			log.Info().Str("hook", hook.Name).Str("event_type", flatEventTypes).Str("payload_type", payloadType).Msg("Successfully posted to webhook")
 		}
 	}
 

cmd/observe.go

@@ -31,6 +31,7 @@ var (
 	observeReport       string
 	observeMode         string
 	observeIndex        string
+	webhookSecret       string
 	reportMutex         sync.Mutex
 	reportDir           string = "_status"
 	allFileInfos        []FileInfo
@@ -112,6 +113,19 @@ func runObserve(cmd *cobra.Command, args []string) {
 
 	observeConfig = GetConfig()
 
+	if len(observeConfig.Hooks) > 0 {
+		if observeConfig.Flags.WebhookSecret != "" {
+			webhookSecret = os.Getenv(observeConfig.Flags.WebhookSecret)
+		} else {
+			webhookSecret, err = GenerateWebhookSecret()
+
+			if err != nil {
+				log.Fatal().Err(err).Msg("Failed to generate webhook secret")
+			}
+		}
+		log.Info().Str("webhook_secret", webhookSecret).Msg("Webhook Secret for X-Signature")
+	}
+
 	// Needed for scan/assure/schema policies
 	if observeConfig.Flags.Target != "" {
 		targetDir = observeConfig.Flags.Target

cmd/policy.go

@@ -12,10 +12,11 @@ import (
 )
 
 type PolicyFile struct {
-	Config    Config   `yaml:"Config"`
-	Version   string   `yaml:"Version"`
-	Namespace string   `yaml:"Namespace"`
-	Policies  []Policy `yaml:"Policies"`
+	Config     Config      `yaml:"Config"`
+	Version    string      `yaml:"Version"`
+	Namespace  string      `yaml:"Namespace"`
+	Policies   []Policy    `yaml:"Policies"`
+	SARIFRules []SARIFRule `json:"sarif_rules,omitempty"`
 }
 
 type Config struct {
@@ -32,6 +33,7 @@ type Config struct {
 		Tags           []string `yaml:"tags,omitempty"`
 		PolicySchedule string   `yaml:"policy_schedule,omitempty"`
 		ReportSchedule string   `yaml:"report_schedule,omitempty"`
+		WebhookSecret  string   `yaml:"webhook_secret_env,omitempty"`
 	} `yaml:"Flags,omitempty"`
 	Metadata struct {
 		HostOS          string `yaml:"host_os,omitempty"`
@@ -91,6 +93,7 @@ type Metadata struct {
 	Score       string   `yaml:"score"`
 	MsgSolution string   `yaml:"msg_solution"`
 	MsgError    string   `yaml:"msg_error"`
+	HelpURL     string   `yaml:"help_url"`
 	TargetInfo  []string `yaml:"target_info,omitempty"`
 }
 
@@ -141,13 +144,39 @@ func LoadPolicyFile(filename string) (*PolicyFile, error) {
 
 	// log.Debug().Interface("raw config", policyFile.Config).Msg("Raw Config data")
 
+	rules := make([]SARIFRule, 0, len(policyFile.Policies))
+
 	// Generate intercept_id for each policy, add its own ID as a tag for easy filtering with tags flag
 	for i := range policyFile.Policies {
 		policyFile.Policies[i].ID = NormalizePolicyName(policyFile.Policies[i].ID)
 		policyFile.Policies[i].InterceptID = intercept_run_id + "-" + NormalizeFilename(policyFile.Policies[i].ID)
 		policyFile.Policies[i].Metadata.Tags = append(policyFile.Policies[i].Metadata.Tags, policyFile.Policies[i].ID)
+
+		// Generate rule entry for SARIF
+		rule := SARIFRule{
+			ID: policyFile.Policies[i].ID,
+			ShortDescription: ShortDescription{
+				Text: policyFile.Policies[i].Metadata.Description,
+			},
+			FullDescription: &FullDescription{
+				Text: policyFile.Policies[i].Metadata.MsgError,
+			},
+			HelpURI: policyFile.Policies[i].Metadata.HelpURL,
+			Help: &Help{
+				Text: policyFile.Policies[i].Metadata.MsgSolution,
+			},
+			Properties: Properties{
+				Category: policyFile.Policies[i].Metadata.Tags[0],
+				Tags:     policyFile.Policies[i].Metadata.Tags,
+			},
+		}
+		rules = append(rules, rule)
+
 	}
 
+	// Add rules to policyFile
+	policyFile.SARIFRules = rules
+
 	return &policyFile, nil
 }
 

cmd/root.go

@@ -30,6 +30,7 @@ var (
 	hostIps         string
 	buildVersion    string
 	buildSignature  string
+	smVersion       string
 
 	debugOutput bool
 
@@ -81,6 +82,7 @@ func init() {
 
 	// running id
 	intercept_run_id = ksuid.New().String()
+	smVersion = strings.Split(strings.TrimPrefix(buildVersion, "v"), "-")[0]
 
 	// Setup logging based on verbosity flag
 	rootCmd.PersistentPreRunE = func(cmd *cobra.Command, args []string) error {

cmd/runtime.go

@@ -134,10 +134,15 @@ func generateRuntimeSARIFReport(policy Policy, gossResult GossResult) (SARIFRepo
 			{
 				Tool: Tool{
 					Driver: Driver{
-						Name:    "INTERCEPT",
-						Version: buildVersion,
+						FullName:        fmt.Sprintf("%s %s", "INTERCEPT", buildVersion),
+						Name:            "INTERCEPT",
+						Version:         smVersion,
+						SemanticVersion: smVersion,
+						InformationURI:  "https://intercept.cc",
+						Rules:           policyData.SARIFRules,
 					},
 				},
+
 				Results: []Result{},
 				Invocations: []Invocation{
 					{
@@ -214,6 +219,14 @@ func generateRuntimeSARIFReport(policy Policy, gossResult GossResult) (SARIFRepo
 			{
 				PhysicalLocation: PhysicalLocation{
 					ArtifactLocation: ArtifactLocation{URI: "N/A"},
+					Region: Region{
+						StartLine:   1,
+						StartColumn: 1,
+						EndColumn:   1,
+						Snippet: Snippet{
+							Text: "N/A",
+						},
+					},
 				},
 			},
 		},