panther-labs · egibs · May 7, 2024 · May 7, 2024 · May 8, 2024 · May 8, 2024
@@ -0,0 +1,8 @@
+version: 2
+
+updates:
+  # Update the GitHub actions used in our CI/CD workflow
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
@@ -1,14 +1,28 @@
 on:
   pull_request:
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   check_packs:
     name: check packs
     runs-on: ubuntu-latest
 
     steps:
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+
       - name: Checkout panther-analysis
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Set python version
         uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0
@@ -25,27 +39,29 @@ jobs:
           panther_analysis_tool check-packs 2> errors.txt || true
 
           # run again to get exit code
-          panther_analysis_tool check-packs || echo ::set-output name=errors::`cat errors.txt`
+          panther_analysis_tool check-packs || echo "errors=`cat errors.txt`" >> $GITHUB_OUTPUT
 
       - name: Comment PR
-        uses: thollander/actions-comment-pull-request@v2
+        uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6
         if: ${{ steps.check-packs.outputs.errors }}
         with:
           mode: upsert
           message: |
-            :scream: 
-            looks like somethings could be wrong with the packs
+            :scream:
+            looks like some things could be wrong with the packs
             ```diff
             ${{ steps.check-packs.outputs.errors }}
+            ```
           comment_tag: check-packs
       - name: Delete comment
-        uses: thollander/actions-comment-pull-request@v2
+        uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6
         if: ${{ !steps.check-packs.outputs.errors }}
         with:
           mode: delete
           message: |
-            :scream: 
-            looks like somethings could be wrong with the packs
+            :scream:
+            looks like some things could be wrong with the packs
             ```diff
             ${{ steps.check-packs.outputs.errors }}
+            ```
           comment_tag: check-packs
@@ -3,13 +3,31 @@ on:
     paths:
       - "Dockerfile"
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Build Dockerfile
     runs-on: ubuntu-latest
     steps:
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            9236a389bd48b984df91adc1bc924620.r2.cloudflarestorage.com:443
+            auth.docker.io:443
+            cgr.dev:443
+            files.pythonhosted.org:443
+            github.com:443
+            packages.wolfi.dev:443
+            production.cloudflare.docker.com:443
+            pypi.org:443
+            registry-1.docker.io:443
+            www.python.org:443
       - name: Checkout panther-analysis
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
       - uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 #v3.0.0
       - name: Set up Docker Buildx
         id: buildx

@@ -1,16 +1,25 @@
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout panther-analysis
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
-          ref: ${{ github.event.pull_request.head.sha }}
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            pypi.org:443
+      - name: Checkout panther-analysis
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Set python version
         uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0

@@ -3,6 +3,9 @@ name: Panther Analysis Release
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read    
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -12,7 +15,10 @@ jobs:
     env:
       GITHUB_TOKEN: ${{ secrets.PANTHER_BOT_AUTOMATION_TOKEN }}
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
         with:
           fetch-depth: 0
           token: ${{ env.GITHUB_TOKEN }}

@@ -37,7 +37,7 @@ jobs:
           branch: "sync_upstream_${{steps.set_upstream.outputs.latest-release}}"
       # Checkout this repo into the branch
       - name: Checkout your local repo in PR branch
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
         with:
           ref: "sync_upstream_${{steps.set_upstream.outputs.latest-release}}"
           token: ${{ secrets.GITHUB_TOKEN }}

@@ -1,14 +1,26 @@
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
 
     steps:
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            files.pythonhosted.org:443
+            github.com:443
+            ipinfo.io:443
+            pypi.org:443
       - name: Checkout panther-analysis
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Set python version
         uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0

@@ -3,22 +3,28 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read      
+
 jobs:
   upload:
-    name:
+    name: Upload
     runs-on: ubuntu-latest
     env:
       API_HOST: ${{ secrets.API_HOST }}
       API_TOKEN: ${{ secrets.API_TOKEN }}
     steps:
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
       - name: Validate Secrets
         if: ${{ env.API_HOST == '' || env.API_TOKEN == '' }}
         run: |
           echo "API_HOST or API_TOKEN not set"
           exit 0
 
       - name: Checkout panther-analysis
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b #v4.1.4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 #v4.1.7
 
       - name: Set python version
         uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d #v5.1.0

@@ -61,15 +61,18 @@
       "$ref": "#/definitions/ScheduledQueries"
     }
   },
-  "required": [
-    "AnalysisType",
-    "DisplayName",
-    "Enabled",
-    "RuleID",
-    "Severity",
-    "Tests"
-  ],
+  "required": ["AnalysisType", "DisplayName", "Enabled", "RuleID", "Severity"],
   "additionalProperties": false,
+  "allOf": [
+    {
+      "if": {
+        "properties": { "AnalysisType": { "enum": ["rule", "scheduled_rule"] } }
+      },
+      "then": {
+        "required": ["Tests"]
+      }
+    }
+  ],
   "anyOf": [
     {
       "required": ["Filename"]
@@ -82,7 +85,7 @@
     "AnalysisType": {
       "description": "what kind of detection",
       "type": "string",
-      "enum": ["rule", "scheduled_rule"],
+      "enum": ["rule", "scheduled_rule", "correlation_rule"],
       "default": "rule"
     },
     "DisplayName": {
@@ -177,6 +180,23 @@
       "type": "string",
       "minLength": 1
     },
+    "RuleMatch": {
+      "$comment": "https://docs.panther.com/detections/correlation-rules/correlation-rule-reference#ruleoutput-fields",
+      "description": "The Match that occurred for 1 of the rules in this test case",
+      "type": "object",
+      "required": ["ID"],
+      "properties": {
+        "ID": {
+          "type": "string",
+          "description": "The ID of the Rule from the Sequence/Group section above to simulate matches on"
+        },
+        "Matches": {
+          "type": "object",
+          "description": "The Match definition for this rule. Key: field that matched. value: mapping of the value that was matched on to the timestamps that the match(es) occurred. See docs for more details",
+          "$comment": "https://docs.panther.com/detections/correlation-rules/correlation-rule-reference#matchvalue-fields"
+        }
+      }
+    },
     "Tests": {
       "$comment": "https://docs.panther.com/detections/writing-and-editing-detections",
       "description": "Unit test cases",
@@ -225,16 +245,42 @@
               "else": false
             }
           ]
+        },
+        "RuleOutputs": {
+          "anyOf": [
+            {
+              "if": {
+                "properties": {
+                  "AnalysisType": { "enum": ["correlation_rule"] }
+                }
+              },
+              "then": {
+                "type": "array",
+                "description": "List of Rule Matches that occurred for this test case",
+                "items": { "$ref": "#/definitions/RuleMatch" },
+                "minItems": 1
+              },
+              "else": false
+            }
+          ]
         }
       },
-      "allOf": [
+      "oneOf": [
         {
           "if": {
             "properties": { "AnalysisType": { "enum": ["rule"] } }
           },
           "then": {
             "required": ["Name", "ExpectedResult", "Log"]
           }
+        },
+        {
+          "if": {
+            "properties": { "AnalysisType": { "enum": ["correlation_rule"] } }
+          },
+          "then": {
+            "required": ["Name", "ExpectedResult", "RuleOutputs"]
+          }
         }
       ]
     }

@@ -11,8 +11,6 @@ RUN apk update \
         git \
         libffi-dev \
         ncurses-dev \
-        nodejs \
-        npm \
         openssl-dev \
         readline-dev \
         sqlite-dev \
@@ -46,15 +44,8 @@ WORKDIR /home/panther-analysis
 # Install requirements
 COPY Pipfile .
 COPY Pipfile.lock .
-RUN pipenv uninstall --all
 RUN pipenv sync --dev
 
-COPY package.json .
-COPY package-lock.json .
-RUN npm install
-
-ENV PATH="/home/panther-analysis/node_modules/.bin:$PATH"
-
 # Remove pipfile so it doesn't interfere with local files after install
-RUN rm Pipfile 
+RUN rm Pipfile
 RUN rm Pipfile.lock
@@ -18,7 +18,7 @@ vscode-config: install-pipenv install
 	@echo "Creating new vscode config files"
 	cp .vscode/example_launch.json  .vscode/launch.json
 	sed -e 's#XXX_pipenv_py_output_XXX#$(shell pipenv --py)#' .vscode/example_settings.json  > .vscode/settings.json
-	which code && code . 
+	which code && code .
 
 ci:
 	pipenv run $(MAKE) lint test
@@ -42,7 +42,6 @@ lint-pylint:
 lint-fmt:
 	@echo Checking python file formatting with the black code style checker
 	pipenv run black --line-length=100 --check $(dirs)
-	npx prettier . --check
 
 venv:
 	pipenv sync --dev
@@ -53,12 +52,9 @@ pat-update:
 fmt:
 	pipenv run isort --profile=black $(dirs)
 	pipenv run black --line-length=100 $(dirs)
-	npx prettier . --write --list-different
 
 install:
 	pipenv sync --dev
-	# install prettier for formatting YAML and Markdown files
-	npm install
 
 test: global-helpers-unit-test
 	pipenv run panther_analysis_tool test $(TEST_ARGS)