Merge pull request #93 from advanced-security/version/v2_7_0

feat(version): Update to v2.7.0
advanced-security · Jan 31, 2024 · 2758e23 · 2758e23
2 parents 700f4d6 + eabf5de
commit 2758e23
Show file tree

Hide file tree

Showing 9 changed files with 51 additions and 20 deletions.
diff --git a/README.md b/README.md
@@ -38,7 +38,7 @@ Here is how you can quickly setup policy-as-code.
 ```yaml
 # Policy as Code
 - name: Advance Security Policy as Code
-  uses: advanced-security/policy-as-code@v2.6.0
+  uses: advanced-security/policy-as-code@v2.7.0
 ```
 
 > [!TIP]
@@ -54,15 +54,15 @@ The Policy as Code project is a self-contained Python based CLI tool.
 **Bash / Zsh:**
 
 ```bash
-git clone --branch "v2.6.0" https://github.com/advanced-security/policy-as-code.git && cd ./policy-as-code
+git clone --branch "v2.7.0" https://github.com/advanced-security/policy-as-code.git && cd ./policy-as-code
 
 ./policy-as-code --help
 ```
 
 **Powershell:**
 
 ```Powershell
-git clone --branch "v2.6.0" https://github.com/advanced-security/policy-as-code.git
+git clone --branch "v2.7.0" https://github.com/advanced-security/policy-as-code.git
 cd policy-as-code
 
 .\policy-as-code.ps1 --help
@@ -124,7 +124,7 @@ Here is an example of using a simple yet cross-organization using Policy as Code
 ```yaml
 # Compliance
 - name: Advance Security Policy as Code
-  uses: advanced-security/policy-as-code@v2.6.0
+  uses: advanced-security/policy-as-code@v2.7.0
   with:
     # The owner/repo of where the policy is stored
     policy: GeekMasher/security-queries

diff --git a/docs/introduction/actions.md b/docs/introduction/actions.md
@@ -7,14 +7,14 @@ To do this, you can simply add the following to your workflow:
 ```yaml
 # Compliance
 - name: Advance Security Compliance Action
-  uses: advanced-security/policy-as-code@v2.6.0
+  uses: advanced-security/policy-as-code@v2.7.0
 ```
 
 This runs the policy-as-code action with the default configuration. You can also specify a configuration file to use:
 
 ```yaml
 - name: Advance Security Compliance Action
-  uses: advanced-security/policy-as-code@v2.6.0
+  uses: advanced-security/policy-as-code@v2.7.0
   with:
     policy: GeekMaherOrg/security
     policy-branch: main
@@ -32,5 +32,5 @@ Policy as Code is written in Python, so you will need to setup Python in your wo
     python-version: '3.10'  # minimum supported Python version
 
 - name: Advance Security Compliance Action
-  uses: advanced-security/policy-as-code@v2.6.0
+  uses: advanced-security/policy-as-code@v2.7.0
 ```
diff --git a/docs/samples/appauthentication.md b/docs/samples/appauthentication.md
@@ -20,7 +20,7 @@ name: GitHub App Authentication
         app_id: ${{ secrets.GIT_APP_ID }}
 
     - name: Security Compliance Action
-      uses: advanced-security/policy-as-code@v2.6.0
+      uses: advanced-security/policy-as-code@v2.7.0
 # ...
 
       with:

diff --git a/ghascompliance/__version__.py b/ghascompliance/__version__.py
@@ -1,5 +1,5 @@
 #!/usr/bin/env python
-__version__ = "2.6.0"
+__version__ = "2.7.0"
 
 __title__ = "GitHub Advanced Security Policy as Code"
 __name__ = "ghascompliance"

diff --git a/vendor/bin/normalizer b/vendor/bin/normalizer
@@ -1,4 +1,4 @@
-#!/home/codespace/.local/share/virtualenvs/policy-as-code-tZI3uR7_/bin/python
+#!/usr/local/python/3.10.13/bin/python
 # -*- coding: utf-8 -*-
 import re
 import sys

diff --git a/vendor/ghastoolkit/__init__.py b/vendor/ghastoolkit/__init__.py
@@ -2,7 +2,7 @@
 __name__ = "ghastoolkit"
 __title__ = "GHAS Toolkit"
 
-__version__ = "0.11.1"
+__version__ = "0.11.3"
 
 __description__ = "GitHub Advanced Security Python Toolkit"
 __summary__ = """\

diff --git a/vendor/ghastoolkit/octokit/dependabot.py b/vendor/ghastoolkit/octokit/dependabot.py
@@ -24,11 +24,15 @@ def __init__(self, repository: Optional[Repository] = None) -> None:
     def isEnabled(self) -> bool:
         """Is Dependabot enabled."""
         try:
-            self.graphql.query(
+            data = self.graphql.query(
                 "GetDependencyStatus",
                 options={"owner": self.repository.owner, "repo": self.repository.repo},
             )
-            return True
+            return (
+                data.get("data", {})
+                .get("repository", {})
+                .get("hasVulnerabilityAlertsEnabled", False)
+            )
         except:
             logger.debug(f"Failed to get alert count")
         return False

diff --git a/vendor/ghastoolkit/octokit/graphql/__init__.py b/vendor/ghastoolkit/octokit/graphql/__init__.py
@@ -1,9 +1,7 @@
 DEPENDENCY_GRAPH_STATUS = """\
 {
     repository(owner: "$owner", name: "$repo") {
-        vulnerabilityAlerts(first: 100, states: [OPEN], $cursor) {
-            totalCount
-        }
+        hasVulnerabilityAlertsEnabled
     }
 }
 """

diff --git a/vendor/ghastoolkit/octokit/secretscanning.py b/vendor/ghastoolkit/octokit/secretscanning.py
@@ -1,6 +1,7 @@
 import logging
 from dataclasses import dataclass, field
-from typing import Optional
+from datetime import datetime, timedelta
+from typing import Any, Optional
 
 from ghastoolkit.octokit.github import GitHub, Repository
 from ghastoolkit.octokit.octokit import OctoItem, RestRequest, loadOctoItem
@@ -18,16 +19,33 @@ class SecretAlert(OctoItem):
     state: str
     """Alert State"""
 
-    created_at: str
-    """Created Timestamp"""
-
     secret_type: str
     """Secret Scanning type"""
     secret_type_display_name: str
     """Secret Scanning type display name"""
     secret: str
     """Secret value (sensitive)"""
 
+    created_at: str
+    """Created Timestamp"""
+    resolved_at: Optional[str] = None
+    """Resolved Timestamp"""
+    resolved_by: Optional[dict[str, Any]] = None
+    """Resolved By"""
+
+    push_protection_bypassed: bool = False
+    """Push Protection Bypassed"""
+    push_protection_bypassed_by: Optional[dict[str, Any]] = None
+    """Push Protection Bypassed By"""
+    push_protection_bypassed_at: Optional[str] = None
+    """Push Protection Bypassed At"""
+
+    resolution_comment: Optional[str] = None
+    """Resolution Comment"""
+
+    validity: str = "unknown"
+    """Validity of secret"""
+
     _locations: list[dict] = field(default_factory=list)
     _sha: Optional[str] = None
 
@@ -48,6 +66,17 @@ def commit_sha(self) -> Optional[str]:
                     break
         return self._sha
 
+    @property
+    def mttr(self) -> Optional[timedelta]:
+        """Calculate Mean Time To Resolution / Remidiate (MTTR) for a closed/fixed alert."""
+        if self.created_at and self.resolved_at:
+            # GitHub returns ISO 8601 timestamps with a Z at the end
+            # datetime.fromisoformat() doesn't like the Z
+            created = self.created_at.replace("Z", "+00:00")
+            resolved = self.resolved_at.replace("Z", "+00:00")
+            return datetime.fromisoformat(resolved) - datetime.fromisoformat(created)
+        return None
+
     def __str__(self) -> str:
         return f"SecretAlert({self.number}, '{self.secret_type}')"