sa tooling

.github/workflows/SA-codeql.yml

@@ -0,0 +1,48 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: CodeQL Security Scan
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+#   schedule:
+#     - cron: '15 17 * * 1'
+
+jobs:
+  analyze:
+    name: CodeQL Security Scan
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'javascript' ]
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/SA-phpstan.yml

@@ -0,0 +1,32 @@
+name: PHPStan Security Scan
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+jobs:
+  phpstan-security-scan:
+    name: PHPStan Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v2
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.0'
+          coverage: none
+          ini-values: "memory_limit=-1"
+          extensions: mbstring, intl
+      - name: Download deps
+        run: composer update --no-interaction --no-progress
+      - name: Download PHPStan
+        run: composer require --dev phpstan/phpstan #:1.5.x-dev
+      - name: Download Larastan v1 # (Laravel Framework 6.20.44)
+        run: composer require nunomaduro/larastan:^1.0 --dev
+      - name: Download mcrypt helper
+        run: wget https://raw.githubusercontent.com/JetBrains/phpstorm-stubs/master/mcrypt/mcrypt.php -O _mcrypt_helper.php
+      - name: Delete conflicting file
+        run: rm -f database/migrations/2015_11_05_183749_image.php
+      - name: Execute PHPStan
+        run: vendor/bin/phpstan analyze app config routes --no-progress --error-format=github -l 5

.github/workflows/SA-psalm.yml

@@ -0,0 +1,57 @@
+name: Psalm Security Scan
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+jobs:
+  psalm-security-scan-basic:
+    name: Psalm Security Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v2
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.0'
+          coverage: none
+          ini-values: "memory_limit=-1"
+          extensions: mbstring, intl
+      - name: Download deps
+        run: composer update --no-interaction --no-progress
+      - name: Install laravel-ide-helper
+        run: composer require --dev barryvdh/laravel-ide-helper
+      - name: Download Psalm
+        run: composer require --dev vimeo/psalm
+      - name: PHPDoc generation for Laravel Facades
+        run: php artisan ide-helper:generate
+      - name: Download mcrypt helper
+        run: wget https://raw.githubusercontent.com/JetBrains/phpstorm-stubs/master/mcrypt/mcrypt.php -O _mcrypt_helper.php
+      - name: Execute Psalm
+        run: ./vendor/bin/psalm --long-progress --output-format=github --no-cache
+
+  psalm-security-scan-taint-analysis:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v2
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: '8.0'
+          coverage: none
+          ini-values: "memory_limit=-1"
+          extensions: mbstring, intl
+      - name: Download deps
+        run: composer update --no-interaction --no-progress
+      - name: Install laravel-ide-helper
+        run: composer require --dev barryvdh/laravel-ide-helper
+      - name: Download Psalm
+        run: composer require --dev vimeo/psalm
+      - name: Download mcrypt helper
+        run: wget https://raw.githubusercontent.com/JetBrains/phpstorm-stubs/master/mcrypt/mcrypt.php -O _mcrypt_helper.php
+      - name: PHPDoc generation for Laravel Facades
+        run: php artisan ide-helper:generate
+      - name: Execute Psalm (Taint Analysis)
+        run: ./vendor/bin/psalm --long-progress --output-format=github --taint-analysis

.github/workflows/SA-semgrep.yml

@@ -0,0 +1,29 @@
+name: Semgrep Security Scan
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+permissions:
+  contents: read
+
+jobs:
+  semgrep-security-scan:
+    name: Semgrep Security Scan
+    runs-on: ubuntu-latest
+    # Skip any PR created by dependabot to avoid permission issues
+    if: (github.actor != 'dependabot[bot]')
+    steps:
+      # Fetch project source
+      - uses: actions/checkout@v2
+
+      - uses: returntocorp/semgrep-action@v1
+        with:
+          config: >- # more at semgrep.dev/explore
+            p/security-audit
+            p/secrets
+            p/phpcs-security-audit
+        env:
+          SEMGREP_TIMEOUT: 9900

dotenv.php

@@ -0,0 +1,9 @@
+<?php
+use Dotenv\Dotenv;
+
+require __DIR__ . '/vendor/autoload.php';
+
+$dotenv = Dotenv::create(dirname(__DIR__), 'snipe-it/.env.testing');
+$dotenv->load(__DIR__.'/.env');
+
+?>

phpstan.neon

@@ -0,0 +1,15 @@
+includes:
+    - ./vendor/nunomaduro/larastan/extension.neon
+parameters:
+    reportUnmatchedIgnoredErrors: false
+    bootstrapFiles:
+        - dotenv.php
+        - c3.php
+        - _mcrypt_helper.php
+    ignoreErrors:
+        - '#PHPDoc tag .#'
+    excludePaths:
+        - tests/*
+        - vendor/*
+        - database/*
+        

psalm.xml

@@ -0,0 +1,23 @@
+<?xml version="1.0"?>
+<psalm
+    errorLevel="7"
+    resolveFromConfigFile="true"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns="https://getpsalm.org/schema/config"
+    xsi:schemaLocation="https://getpsalm.org/schema/config vendor/vimeo/psalm/config.xsd"
+>
+    <projectFiles>
+        <directory name="app" />
+        <ignoreFiles>
+            <directory name="vendor" />
+            <directory name="tests" />
+        </ignoreFiles>
+    </projectFiles>
+    <stubs>
+        <file name="_ide_helper.php" />
+        <file name="_mcrypt_helper.php" />
+    </stubs>
+    <issueHandlers>
+        <UndefinedDocblockClass errorLevel="suppress" />
+    </issueHandlers>
+</psalm>