Merge pull request #1039 from GitGuardian/fperucki/remove-sca-iac

chore: remove SCA & IaC

Author: sevbch

.gitguardian.example.yml

@@ -36,44 +36,3 @@ secret:
   # Detectors to ignore.
   ignored_detectors: # default: []
     - Generic Password
-
-iac:
-  # Exclude files and paths by globbing
-  ignored_paths:
-    - '**/README.md'
-    - 'doc/*'
-    - 'LICENSE'
-    - path: 'tests/*'
-      comment: 'Ignore vulnerabilities in tests'
-    - path: 'dev/*'
-      comment: 'Ignore vulnerabilities in dev sandbox'
-      until: '2030-06-24T00:00:01Z'
-
-  # IaC vulnerabilities to ignore
-  ignored_policies:
-    - GG_IAC_0000
-    - GG_IAC_0005
-    - policy: 'GG_IAC_0003'
-      until: '2030-06-24T00:00:01Z'
-    - policy: 'GG_IAC_0012'
-      comment: 'We will handle this later'
-      until: '2030-06-24T00:00:01Z'
-
-  # Minimum severity of the policies
-  minimum_severity: HIGH
-
-sca:
-  # Exclude files and paths by globbing
-  ignored_paths:
-    - '**/Pipfile'
-    - '/back/**/package.json'
-
-  # SCA vulnerabilities to ignore
-  ignored_vulnerabilities:
-    - identifier: 'GHSA-0000-aaaa-ZZZZ'
-      path: 'Pipfile.lock' # Can be a regex
-      comment: 'Check vulnerability later' # Optional
-      until: '2023-05-01T00:00:00' # Optional, needs to follow ISO 8061 format 'YYYY-MM-DDTHH:MM:SS' (converted to UTC)
-
-  # Minimum severity of the policies
-  minimum_severity: HIGH

.gitguardian.yaml

@@ -34,14 +34,3 @@ secret:
     - .env
     - 'tests/unit/cassettes/*'
     - 'tests/unit/**/snapshots/*'
-
-iac:
-  ignored_policies:
-    # We don't want to fix this vulnerability because many CI systems
-    # (including GitHub action and Azure pipelines) expect the user inside the
-    # container to be root.
-    - GG_IAC_0079
-
-sca:
-  ignored_paths:
-    - tests/

.github/workflows/ci.yml

@@ -164,51 +164,13 @@ jobs:
           GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
           GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
 
-  test_github_iac_scan_action:
-    name: Test GitHub action for `iac scan`
-    # See note about steps requiring the GITGUARDIAN_API at the top of this file
-    if: ${{ !github.event.pull_request.head.repo.fork }}
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Scan commits for IaC vulnerabilities
-        uses: ./actions-unstable/iac
-        with:
-          args: .
-        env:
-          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
-          GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
-
-  test_github_sca_scan_action:
-    name: Test GitHub action for `sca scan`
-    # See note about steps requiring the GITGUARDIAN_API at the top of this file
-    if: ${{ !github.event.pull_request.head.repo.fork }}
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-      - name: Scan commits for SCA vulnerabilities
-        uses: ./actions-unstable/sca
-        with:
-          args: .
-        env:
-          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
-          GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
-
   dockerhub-unstable:
     name: Push Docker image to Docker Hub
     runs-on: ubuntu-22.04
     if: github.ref == 'refs/heads/main' && github.event_name == 'push'
     needs:
       - lint
       - build
-      - test_github_iac_scan_action
-      - test_github_sca_scan_action
       - test_github_secret_scan_action
     steps:
       - name: Checkout
@@ -228,8 +190,6 @@ jobs:
     needs:
       - lint
       - build
-      - test_github_iac_scan_action
-      - test_github_sca_scan_action
       - test_github_secret_scan_action
     steps:
       - name: Check out the repo

.importlinter

@@ -9,8 +9,8 @@ name = ggshield-layers
 type = layers
 layers = 
 	ggshield.__main__
-	ggshield.cmd.auth | ggshield.cmd.config | ggshield.cmd.hmsl | ggshield.cmd.honeytoken | ggshield.cmd.iac | ggshield.cmd.install | ggshield.cmd.quota | ggshield.cmd.sca | ggshield.cmd.secret | ggshield.cmd.status | ggshield.cmd.utils
-	ggshield.verticals.auth | ggshield.verticals.hmsl | ggshield.verticals.iac | ggshield.verticals.sca | ggshield.verticals.secret
+	ggshield.cmd.auth | ggshield.cmd.config | ggshield.cmd.hmsl | ggshield.cmd.honeytoken | ggshield.cmd.install | ggshield.cmd.quota | ggshield.cmd.secret | ggshield.cmd.status | ggshield.cmd.utils
+	ggshield.verticals.auth | ggshield.verticals.hmsl | ggshield.verticals.secret
 	ggshield.core
 	click | ggshield.utils | pygitguardian
 ignore_imports = 
@@ -26,18 +26,14 @@ source_modules =
 	ggshield.cmd.config
 	ggshield.cmd.hmsl
 	ggshield.cmd.honeytoken
-	ggshield.cmd.iac
 	ggshield.cmd.install
 	ggshield.cmd.quota
-	ggshield.cmd.sca
 	ggshield.cmd.secret
 	ggshield.cmd.status
 	ggshield.cmd.utils
 forbidden_modules = 
 	ggshield.verticals.auth
 	ggshield.verticals.hmsl
-	ggshield.verticals.iac
-	ggshield.verticals.sca
 	ggshield.verticals.secret
 ignore_imports = 
 	ggshield.cmd.auth.** -> ggshield.verticals.auth
@@ -49,14 +45,10 @@ ignore_imports =
 	ggshield.cmd.hmsl.** -> ggshield.verticals.hmsl.**
 	ggshield.cmd.honeytoken.** -> ggshield.verticals.honeytoken
 	ggshield.cmd.honeytoken.** -> ggshield.verticals.honeytoken.**
-	ggshield.cmd.iac.** -> ggshield.verticals.iac
-	ggshield.cmd.iac.** -> ggshield.verticals.iac.**
 	ggshield.cmd.install.** -> ggshield.verticals.install
 	ggshield.cmd.install.** -> ggshield.verticals.install.**
 	ggshield.cmd.quota.** -> ggshield.verticals.quota
 	ggshield.cmd.quota.** -> ggshield.verticals.quota.**
-	ggshield.cmd.sca.** -> ggshield.verticals.sca
-	ggshield.cmd.sca.** -> ggshield.verticals.sca.**
 	ggshield.cmd.secret.** -> ggshield.verticals.secret
 	ggshield.cmd.secret.** -> ggshield.verticals.secret.**
 	ggshield.cmd.status.** -> ggshield.verticals.status

.pre-commit-hooks.yaml

@@ -9,26 +9,6 @@
   pass_filenames: false
   minimum_pre_commit_version: 3.2.0
 
-- id: ggshield-iac
-  name: ggshield-iac (pre-commit)
-  entry: ggshield
-  description: Runs ggshield Infra as Code Security to detect IaC vulnerabilities.
-  stages: [pre-commit]
-  args: ['iac', 'scan', 'pre-commit']
-  language: python
-  pass_filenames: false
-  minimum_pre_commit_version: 3.2.0
-
-- id: ggshield-sca
-  name: ggshield-sca (pre-commit)
-  entry: ggshield
-  description: Runs ggshield Software Composition Analysis to detect vulnerabilities introduced by dependencies.
-  stages: [pre-commit]
-  args: ['sca', 'scan', 'pre-commit']
-  language: python
-  pass_filenames: false
-  minimum_pre_commit_version: 3.2.0
-
 - id: docker-ggshield
   name: ggshield (pre-commit,docker)
   language: docker_image
@@ -46,26 +26,6 @@
   pass_filenames: false
   minimum_pre_commit_version: 3.2.0
 
-- id: ggshield-iac-push
-  name: ggshield-iac (pre-push)
-  entry: ggshield
-  description: Runs ggshield Infra as Code Security to detect IaC vulnerabilities.
-  args: ['iac', 'scan', 'pre-push']
-  stages: [pre-push]
-  language: python
-  pass_filenames: false
-  minimum_pre_commit_version: 3.2.0
-
-- id: ggshield-sca-push
-  name: ggshield-sca (pre-push)
-  entry: ggshield
-  description: Runs ggshield Software Composition Analysis to detect vulnerabilities introduced by dependencies.
-  args: ['sca', 'scan', 'pre-push']
-  stages: [pre-push]
-  language: python
-  pass_filenames: false
-  minimum_pre_commit_version: 3.2.0
-
 - id: docker-ggshield-push
   name: ggshield (pre-push,docker)
   language: docker_image

README.md

@@ -39,7 +39,6 @@ Only metadata such as call time, request size and scan mode is stored from scans
   - [Manual setup](#manual-setup)
 - [Getting started](#getting-started)
   - [Secrets](#secrets)
-  - [Infra as Code Security (IaC)](#infra-as-code-security-iac)
 - [Integrations](#integrations)
 - [Learn more](#learn-more)
 - [Output](#output)
@@ -166,22 +165,6 @@ You can now use `ggshield` to search for secrets:
 - in Pypi packages: `ggshield secret scan pypi flask`
 - and more, have a look at `ggshield secret scan --help` output for details.
 
-## Infra as Code Security (IaC)
-
-You can also search for vulnerabilities in your IaC files using the following command:
-
-```
-ggshield iac scan all .
-```
-
-However, if you are only interested in _new_ potential IaC vulnerabilities, you can run:
-
-```
-ggshield iac scan diff --ref=HEAD~1 .
-```
-
-Have a look at `ggshield iac scan --help` for more details.
-
 # Integrations
 
 You can integrate `ggshield` in your [CI/CD workflow](https://docs.gitguardian.com/ggshield-docs/integrations/overview#cicd-integrations-secrets-detection-in-your-cicd-workflow).