...
```text
Scanning completed in 15.65 seconds
Scan results: 1 issues on commit=f719d004ef98254b46187c53ef1b3ed2f8643082
Total Issues: 1
Issues per types:
- First Party Code: 1
- SCA: 1
Issues per severity:
- High Severity: 1
- Medium Severity: 1
[
  {
    "issue_title": "Unauthenticated Route Found for Flask API",
    "issue_description": "The security of this code is compromised due to the presence of unauthenticated access to specific routes within the Flask API. This vulnerability poses a significant risk as it can potentially expose sensitive data or allow unauthorized actions to be performed. To mitigate this risk, it is crucial to implement robust authentication mechanisms that ensure only authorized users can access the protected routes.\n\nBy allowing unauthenticated access, the code fails to validate the identity of users before granting them access to certain routes. This lack of authentication opens the door for malicious actors to exploit the system and gain unauthorized access to sensitive information or perform actions that they should not be able to.\n\nTo address this issue, it is recommended to implement a secure authentication process that verifies the identity of users before granting them access to protected routes. This can be achieved through various methods such as username/password authentication, token-based authentication, or integration with third-party authentication providers.\n\nAdditionally, it is important to consider implementing other security measures such as encryption of sensitive data, input validation to prevent injection attacks, and proper error handling to avoid leaking sensitive information.\n\nBy implementing these security measures, the code can ensure that only authenticated and authorized users can access the protected routes, significantly reducing the risk of unauthorized access or data breaches. It is essential to prioritize security in the development process to safeguard sensitive data and protect the integrity of the system.",
    "issue_type": "FIRST_PARTY_CODE",
    "severity": "HIGH",
    "detected_in_file_path": "sample_code/bad_python.py",
    "detected_on_line": 7,
    "issue_code_snippet": "@app.route(\"/\")\ndef index():\n cmd = request.args.get(\"cmd\", \"\")\n exec(cmd)\n return \"\""
  },
  {
    "issue_title": "jinja2 version 3.1.2 contains a known vulnerability (via PyPI dependency): Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter",
    "issue_description": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter",
    "issue_type": "SCA",
    "severity": "MEDIUM",
    "detected_in_file_path": "sample_code/requirements.txt",
    "detected_on_line": 1,
    "issue_code_snippet": "jinja2==3.1.2\n"
  }
]
Visit https://www.securetheorem.com/api/v2/security/sast for more details
```
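The scan output above ends with a JSON array of issue objects. The script below is an added example, not part of the Data Theorem tooling or this documentation: it parses such an array, recomputes the per-type and per-severity counts that the scanner prints in its summary, and lists the issues at or above a chosen severity so a pipeline step can decide whether to block a merge. It uses only the fields visible in the sample output (`issue_title`, `issue_type`, `severity`, `detected_in_file_path`, `detected_on_line`); the two sample issues are copied from the output above and embedded as constructed input, and the `LOW` severity level in the ranking table is an assumption (only `HIGH` and `MEDIUM` appear on the page).

```python
"""Summarise SAST issues and pick out the ones that should block a build.

Added example; relies only on the issue fields shown in the sample scan output.
"""
import json
from collections import Counter

# Constructed sample input: the two issues from the sample scan output,
# trimmed to the fields this script reads.
SAMPLE_ISSUES_JSON = json.dumps([
    {
        "issue_title": "Unauthenticated Route Found for Flask API",
        "issue_type": "FIRST_PARTY_CODE",
        "severity": "HIGH",
        "detected_in_file_path": "sample_code/bad_python.py",
        "detected_on_line": 7,
    },
    {
        "issue_title": "jinja2 version 3.1.2 contains a known vulnerability "
                       "(via PyPI dependency): Jinja vulnerable to HTML attribute "
                       "injection when passing user input as keys to xmlattr filter",
        "issue_type": "SCA",
        "severity": "MEDIUM",
        "detected_in_file_path": "sample_code/requirements.txt",
        "detected_on_line": 1,
    },
])

# Ordering of severities. Only HIGH and MEDIUM appear in the sample output;
# LOW is an assumed extra level. Unknown values rank below everything.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def parse_issues(raw):
    """Parse the JSON array of issues; reject anything that is not a list of objects."""
    issues = json.loads(raw)
    if not isinstance(issues, list) or not all(isinstance(i, dict) for i in issues):
        raise ValueError("expected a JSON array of issue objects")
    return issues


def summarize(issues):
    """Recompute the scanner's summary counts from the issue list."""
    return {
        "total": len(issues),
        "by_type": Counter(i.get("issue_type", "UNKNOWN") for i in issues),
        "by_severity": Counter(i.get("severity", "UNKNOWN").upper() for i in issues),
    }


def blocking_issues(issues, threshold="HIGH"):
    """Return the issues whose severity is at or above `threshold`."""
    min_rank = SEVERITY_RANK[threshold.upper()]
    return [
        i for i in issues
        if SEVERITY_RANK.get(str(i.get("severity", "")).upper(), 0) >= min_rank
    ]


def format_report(issues, threshold="HIGH"):
    """Human-readable summary plus one line per blocking issue."""
    s = summarize(issues)
    lines = [f"Total Issues: {s['total']}", "Issues per type:"]
    lines += [f"- {t}: {n}" for t, n in sorted(s["by_type"].items())]
    lines.append("Issues per severity:")
    lines += [f"- {sev}: {n}" for sev, n in sorted(s["by_severity"].items())]
    blocking = blocking_issues(issues, threshold)
    lines.append(f"Blocking (>= {threshold}): {len(blocking)}")
    for i in blocking:
        lines.append(f"  {i['detected_in_file_path']}:{i['detected_on_line']} "
                     f"[{i['severity']}] {i['issue_title']}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    found = parse_issues(SAMPLE_ISSUES_JSON)
    print(format_report(found))
    # Non-zero exit lets a CI step gate on the result.
    sys.exit(1 if blocking_issues(found) else 0)
```

Pointing `parse_issues` at the file the analyzer writes instead of the embedded sample gives a simple merge gate for platforms where the `DT_SAST_FAIL_MODE` setting shown later on this page is not used; the threshold is a policy choice, so keep it in one place.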
GitHub Actions
...
example
Set the Data Theorem API Key as a secret variable
...
```yaml
name: Data Theorem SAST

# Controls when the workflow will run, adapt to your own needs
on:
  # Triggers the workflow on push or pull request events but only for the "main" branch
  # Adapt triggers to your own needs
  push:
    branches: [ "main" ]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest
    env:
      DT_SAST_API_KEY: ${{ secrets.DT_SAST_API_KEY }}
      DT_SAST_REPOSITORY_NAME: ${{ github.event.repository.full_name }}
      DT_SAST_REPOSITORY_PLATFORM: GITHUB
      DT_SAST_REPOSITORY_ID: ${{ github.event.repository.id }}
      DT_SAST_REPOSITORY_HTML_URL: ${{ github.event.repository.html_url }}
      DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME: ${{ github.event.repository.default_branch }}
      DT_SAST_OUTPUT_DIR: ./
    steps:
      - uses: actions/checkout@v4
      - name: Start Data Theorem SAST Scan
        run: data_theorem_sast_analyzer scan ./
      - uses: actions/upload-artifact@v4
        with:
          name: dt-sast-scan-result
          path: ./scan-results-sarif.json
```
...
```yaml
name: Data Theorem SAST

# Controls when the workflow will run, adapt to your own needs
on:
  # Triggers the workflow on push or pull request events but only for the "main" branch
  # Adapt triggers to your own needs
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    container:
      image: us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest
    env:
      DT_SAST_API_KEY: ${{ secrets.DT_SAST_API_KEY }}
      DT_SAST_REPOSITORY_NAME: ${{ github.event.repository.full_name }}
      DT_SAST_REPOSITORY_PLATFORM: GITHUB
      DT_SAST_REPOSITORY_ID: ${{ github.event.repository.id }}
      DT_SAST_REPOSITORY_HTML_URL: ${{ github.event.repository.html_url }}
      DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME: ${{ github.event.repository.default_branch }}
      DT_SAST_SCAN_HEAD_REF: "refs/remotes/origin/${{ github.head_ref }}"
      DT_SAST_SCAN_TARGET_REF: "refs/remotes/origin/${{ github.base_ref }}"
      DT_SAST_FAIL_MODE: true
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # IMPORTANT: Needed because by default, actions/checkout@v4 doesn't load the full git history/refs
      - name: Start Data Theorem SAST Scan
        run: data_theorem_sast_analyzer scan ./
```
...
```yaml
image: atlassian/default-image:3

pipelines:
  # Triggers the pipeline on push events but only for the "main" branch
  # Adapt triggers to your own needs
  branches:
    main:
      - step:
          name: 'Data Theorem SAST'
          image: us-central1-docker.pkg.dev/dev-scandal-us/datatheorem-sast-dev/datatheorem-sast-dev:latest
          script:
            - echo "Your security scan goes here..."
            - export DT_SAST_API_KEY=$DT_SAST_API_KEY
            - export DT_SAST_REPOSITORY_NAME=$BITBUCKET_REPO_FULL_NAME
            - export DT_SAST_REPOSITORY_PLATFORM=BITBUCKET
            - export DT_SAST_REPOSITORY_ID=$BITBUCKET_REPO_UUID
            - export DT_SAST_REPOSITORY_HTML_URL=$BITBUCKET_GIT_HTTP_ORIGIN
            - export DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME="main"
            - data_theorem_sast_analyzer scan ./
  pull-requests:
    # Triggers the pipeline on pull request events
    # Adapt triggers to your own needs
    "**":
      - step:
          name: 'Data Theorem SAST'
          image: us-central1-docker.pkg.dev/prod-scandal-us/datatheorem-sast/datatheorem-sast:latest
          script:
            - echo "Your security scan goes here..."
            - export DT_SAST_API_KEY=$DT_SAST_API_KEY
            - export DT_SAST_REPOSITORY_NAME=$BITBUCKET_REPO_FULL_NAME
            - export DT_SAST_REPOSITORY_PLATFORM=BITBUCKET
            - export DT_SAST_REPOSITORY_ID=$BITBUCKET_REPO_UUID
            - export DT_SAST_REPOSITORY_HTML_URL=$BITBUCKET_GIT_HTTP_ORIGIN
            - export DT_SAST_REPOSITORY_DEFAULT_BRANCH_NAME="main"
            - export DT_SAST_SCAN_HEAD_REF=$BITBUCKET_COMMIT
            - export DT_SAST_SCAN_TARGET_REF=$BITBUCKET_PR_DESTINATION_COMMIT
            - export DT_SAST_FAIL_MODE=true
            - data_theorem_sast_analyzer scan ./
```
...