doc: Security TRG 8 UPDATED

docs/release/trg-0/trg-8-01.md

@@ -0,0 +1,106 @@
+---
+title: TRG 8.01 - CodeQL
+---
+
+| Status | Created     | Post-History                         |
+|--------|-------------|--------------------------------------|
+| Draft  | 01-Mar-2024 | Draft release                        |
+
+## Why
+
+Use CodeQL for deep, static code analysis to identify vulnerabilities and improve code quality across a wide range of programming languages.
+
+## Description
+
+Use CodeQL for all repos with classic code (e.g., C#, Java) without exception. Do not use it for documentation-only or pure IaC repos; it's intended solely for analyzing classic code vulnerabilities. Exclude files as necessary.
+
+The GitHub Actions configuration must include the following triggers:
+
+- `workflow_dispatch`: Manual workflow execution.
+- `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`.
+- `push` and `pull_request`: Activate the workflow on both push and pull request events targeting the branch that contains the code for the currently supported version, which may not necessarily be the `main` branch. This is the branch from which new releases will be made.
+
+Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended.
+
+Teams are given the freedom to integrate failure conditions (`fail-on`) for high severity issues into their workflow as they see fit.
+
+Adjust your code's language and build settings as indicated within the workflow comments.
+
+Example CodeQL workflow:
+
+```yml
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+    paths-ignore:
+      - "**/*.md"
+      - "**/*.txt"
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+    paths-ignore:
+      - "**/*.md"
+      - "**/*.txt"
+  schedule:
+    - cron: "0 0 * * 0"
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["java"] # Define languages here
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file
+          # By default, queries listed here will override any specified in a config file
+          # Prefix the list here with "+" to use these queries and those in the config file
+
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          # Use +security-extended,security-and-quality for wider security and better code quality
+          queries: +security-extended,security-and-quality
+
+      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift)
+      # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      # If the Autobuild fails above, remove it and uncomment the following three lines modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance
+
+      # - run: |
+      #     echo "Run, Build Application using script"
+      #     ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+          fail-on: error
+```

docs/release/trg-0/trg-8-03.md

@@ -0,0 +1,77 @@
+---
+title: TRG 8.03 - KICS
+---
+
+| Status | Created     | Post-History                         |
+|--------|-------------|--------------------------------------|
+| Draft  | 01-Mar-2024 | Draft release                        |
+
+## Why
+
+KICS is deployed for comprehensive scanning of Infrastructure as Code (IaC) files, ensuring secure and best-practice configurations across various IaC frameworks.
+
+## Description
+
+KICS is essential for repositories exclusively containing Infrastructure as Code (IaC) files, such as Terraform, CloudFormation, Kubernetes, GitHub Actions, and Helm charts. It's not applicable to traditional programming languages or documentation-only repositories. Exclude non-IaC files as necessary.
+
+Configure your GitHub Actions to include:
+
+- `workflow_dispatch`: Manual workflow execution.
+- `schedule`: Schedule the workflow to run at least once a week with `0 0 * * 0`.
+- `push` and `pull_request`: Targets the branch that holds the IaC files intended for current deployments, which might not always be the `main` branch.
+
+Findings appear in the GitHub Advanced Security Dashboard. Dismiss high/error findings as non-exploitable or false positives with required justification in the vulnerability alert. Address high severity findings within 30 days; addressing medium severity findings is strongly recommended.
+
+Teams are given the freedom to integrate failure conditions (`fail_on`) for high severity issues into their workflow as they see fit.
+
+Example KICS workflow:
+
+```yml
+name: KICS
+
+on:
+  push:
+    branches: ["main"]
+    paths-ignore:
+      - "**/*.md"
+      - "**/*.txt"
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+    paths-ignore:
+      - "**/*.md"
+      - "**/*.txt"
+  schedule:
+    - cron: "0 0 * * 0"
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: Run KICS Scan with SARIF result
+        uses: checkmarx/[email protected]
+        with:
+          path: "." # Scanning directory .
+          output_path: kicsResults/ # Output path for SARIF results
+          output_formats: "sarif" # Output format
+          # ignore_on_exit: results # Ignore the results and return exit status code 0 unless a KICS engine error happens
+          fail_on: high # If you want your pipeline to fail only on high severity results and KICS engine execution errors
+          # exclude_paths: "terraform/gcp/big_data.tf,terraform/azure" # Exclude paths or files from scan
+          # exclude_queries: 0437633b-daa6-4bbc-8526-c0d2443b946e # Exclude accepted queries from the build
+          disable_secrets: true # No secret scanning
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: kicsResults/results.sarif
+```

docs/release/trg-8/_category_.json

@@ -0,0 +1,3 @@
+{
+  "label": "TRG 8 - Security"
+}

docs/release/trg-8/trg-8-01.md

@@ -0,0 +1,142 @@
+---
+title: TRG 8.01 - CodeQL
+---
+
+| Status | Created     | Post-History                         |
+|--------|-------------|--------------------------------------|
+| Active | 26-Feb-2024 | Initial release                      |
+
+## Why
+
+**CodeQL** can be used to analyze large and complex codebases, making it ideal for organizations of all sizes.It can also be integrated into your existing development workflow, allowing you to catch problems early.
+
+:::info
+
+For any errors, please contact Security Team by creating an issue on GitHub.
+
+:::
+
+## Description
+
+**CodeQL** serves as our core code analysis tool (**SAST**), providing deep code introspection for potential security vulnerabilities and other code quality concerns.
+Below is a technical breakdown of how CodeQL integrates with our **CI/CD** process.
+
+:::info
+
+The CodeQL scan is triggered upon commits to the main branch, based on a CRON schedule set at 01:36 every Sunday, or when manually initiated.
+
+:::
+
+Given the range of languages CodeQL can analyze, the workflow leverages a matrix strategy to dynamically adjust runner settings based on the target language. It currently scans **Java**, **JavaScript**, **Python**, and **Ruby**, but this list is adjustable depending on the repository's dominant languages.
+
+:::info
+
+CodeQL supports a broader set of languages including 'cpp', 'csharp', 'go', 'swift', among others. Accordingly, adjustments should be made to the language matrix when different languages are in play.
+
+:::
+
+### The CodeQL analysis consists of several steps
+
+- **Repository Checkout**: The repository content is fetched using actions/checkout@v4.
+
+- **CodeQL Initialization**: The github/codeql-action/init@v3 action initializes the CodeQL tools, setting the target languages and the desired query sets. CodeQL possesses an extensive collection of predefined queries, but developers can specify custom queries if necessary.
+
+- **Auto-build**: The github/codeql-action/autobuild@v3 action attempts to build any compiled languages. This auto-build feature can occasionally face issues and may fail, especially with complex build processes or non-standard configurations. If an auto-build failure occurs, developers must manually configure the build process within the workflow. An example is provided in the workflow to guide this manual setup.
+
+- **CodeQL Analysis**: Post build, CodeQL performs its analysis, examining the codebase for vulnerabilities and other concerns. Results are categorized based on the language of analysis.
+
+In the provided CodeQL workflow, specific queries are used to enhance security analysis: +security-extended,security-and-quality. The + symbol ensures that these queries are added to the default set, allowing for a comprehensive security analysis. Developers should be aware of these configured queries as they focus on identifying a broad range of vulnerabilities, ensuring robust code security and quality.
+
+:::info
+
+For CodeQL we recommend for workflow to run with PR and push. Schedule can be set up nightly or once per week, depends on each team capacity.
+
+:::
+
+```md
+/********************************************************************************
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+  schedule:
+    - cron: "36 1 * * 0"
+  workflow_dispatch:
+
+jobs:
+  analyze:
+    name: Analyze
+    # Runner size impacts CodeQL analysis time. To learn more, please see:
+    #   - https://gh.io/recommended-hardware-resources-for-running-codeql
+    #   - https://gh.io/supported-runners-and-hardware-resources
+    #   - https://gh.io/using-larger-runners
+    # Consider using larger runners for possible analysis time improvements.
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["java", "javascript", "python", "ruby"]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby', 'swift' ]
+        # Use only 'java' to analyze code written in Java, Kotlin or both
+        # Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+          # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+          queries: +security-extended,security-and-quality
+
+      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+      # Automates dependency installation for Python, Ruby, and JavaScript, optimizing the CodeQL analysis setup.
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #     echo "Run, Build Application using script"
+      #     ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{matrix.language}}"
+ ********************************************************************************/
+ ```