Merge pull request #14 from PaperMtn/release/3.1.0

Release/3.1.0

Author: PaperMtn

.github/workflows/docker_build_test.yml

@@ -0,0 +1,29 @@
+name: Build and Test Docker Image
+
+on:
+  push:
+
+env:
+  TEST_TAG: papermountain/gitlab-watchman:test
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build
+        uses: docker/build-push-action@v6
+        with:
+          load: true
+          tags: ${{ env.TEST_TAG }}
+
+      - name: Inspect
+        run: |
+          docker image inspect ${{ env.TEST_TAG }}
+
+      - name: Test
+        run: |
+          docker run --rm ${{ env.TEST_TAG }} --version
+          docker run --rm ${{ env.TEST_TAG }} --help

.github/workflows/dockerpublish.yml .github/workflows/docker_publish.yml

@@ -1,8 +1,8 @@
-name: ci
+name: Publish Docker Image
 
 on:
   push:
-    branches: [ master ]
+    branches: [ master, main ]
 
 jobs:
   build:

.github/workflows/python_package.yml

@@ -0,0 +1,34 @@
+name: Test Python Package
+
+on:
+  push:
+    branches: [ develop, feature/**, release/**, hotfix/** ]
+  pull_request:
+    branches: [ develop, feature/**, release/**, hotfix/** ]
+
+jobs:
+  build-ubuntu:
+
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v2
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install dependencies
+      run: |
+        pip install poetry
+        poetry install
+    - name: Test setup & install
+      run: |
+        poetry build
+        python3 -m pip install dist/*.whl
+    - name: Test run
+      run: |
+        gitlab-watchman --version
+        gitlab-watchman --help

.github/workflows/python_publish.yml

@@ -0,0 +1,24 @@
+name: Poetry Publish
+
+on:
+  push:
+    branches: [ master, main ]
+
+jobs:
+  deploy:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set up Python
+      uses: actions/setup-python@v2
+      with:
+        python-version: '3.12'
+    - name: Install dependencies
+      run: |
+        pip install poetry
+        poetry install
+        poetry config pypi-token.pypi "${{ secrets.PYPI_TOKEN }}"
+    - name: Publish package
+      run: poetry publish --build

.github/workflows/python_run_tests.yml

@@ -0,0 +1,33 @@
+name: Run Unit Test via Pytest
+
+on:
+  push:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.10", "3.11", "3.12", "3.13"]
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v4
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |  
+          python -m pip install --upgrade pip
+          pip install poetry
+          poetry install --with dev
+      - name: Analysing the code with pylint
+        run: |
+          poetry run pylint $(git ls-files '*.py')
+        continue-on-error: true
+      - name: Test with pytest
+        run: |
+          poetry run coverage run -m pytest  -v -s
+      - name: Generate Coverage Report
+        run: |  
+          poetry run coverage report -m

.github/workflows/pythonpackage.yml

@@ -1,3 +1,28 @@
+## [3.1.0] - 2024-11-18
+### Added
+- Signatures now loaded into memory instead of being saved to disk. This allows for running on read-only filesystems.
+- Ability to disable signatures by their ID in the watchman.conf config file.
+  - These signatures will not be used when running Slack Watchman
+  - Signature IDs for each signature can be found in the Watchman Signatures repository
+- Tests for Docker build
+- Enhanced deduplication of findings
+  - The same match should not be returned multiple times within the same scope. E.g. if a token is found in a commit, it should not be returned multiple times in the same commit.
+- All dates are now converted and logged in UTC
+- Unit tests added for models and utils
+
+### Changed
+- Package management and deployment moved to Poetry
+- Docker build process improved using multi-stage builds. The Dockerfile now doesn't contain any unnecessary files, and is much smaller.
+- Refactor to separate GitLab client and Watchman processing into modules
+- Refactor to implement [python-gitlab](https://python-gitlab.readthedocs.io/) library for GitLab API calls, instead of the custom client used previously.
+  - This change gives more efficient and easier to read code, is more reliable, and also allows for enhancements to be added more easily in the future.
+
+### Fixed
+- Error when searching wiki-blobs
+  - There would often be failures when trying to find projects or groups associated with blobs. This is now fixed by adding logic to check if the blob is associated with a project or group, and get the correct information accordingly.
+- URL encoding for wiki-blobs where the URL contains special characters
+- Error when enumerating pages when there is no `X-Total-Pages` header
+
 ## [3.0.0] - 2023-05-15
 This major version release brings multiple updates to GitLab Watchman in usability, functionality and behind the scenes improvements.
 ### Added

.github/workflows/pythonpublish.yml

@@ -1,13 +1,20 @@
 # syntax=docker/dockerfile:1
+FROM python:3.12-slim-bullseye AS builder
+WORKDIR /opt/gitlab-watchman
+COPY . .
+RUN pip install poetry
+RUN poetry config virtualenvs.create false && \
+    poetry install --no-dev && \
+    poetry build
 
-FROM python:3.10
-COPY . /opt/gitlab-watchman
+FROM python:3.12-slim-bullseye
 WORKDIR /opt/gitlab-watchman
-ENV PYTHONPATH=/opt/gitlab-watchman GITLAB_WATCHMAN_TOKEN="" GITLAB_WATCHMAN_URL=""
-RUN pip3 install -r requirements.txt build && \
-    chmod -R 700 . && \
-    python3 -m build && \
-    python3 -m pip install dist/*.whl
+COPY --from=builder /opt/gitlab-watchman/dist/*.whl /opt/gitlab-watchman/dist/
+COPY --from=builder /opt/gitlab-watchman/pyproject.toml /opt/gitlab-watchman/poetry.lock /opt/gitlab-watchman/
+ENV PYTHONPATH=/opt/gitlab-watchman \
+    GITLAB_WATCHMAN_TOKEN="" \
+    GITLAB_WATCHMAN_URL=""
+RUN pip install dist/*.whl && \
+    chmod -R 700 .
 STOPSIGNAL SIGINT
-WORKDIR /opt/gitlab-watchman
 ENTRYPOINT ["gitlab-watchman"]

CHANGELOG.md

@@ -55,6 +55,18 @@ GitLab Watchman can enumerate potentially useful information from a GitLab insta
 ### Signatures
 GitLab Watchman uses custom YAML signatures to detect matches in GitLab. These signatures are pulled from the central [Watchman Signatures repository](https://github.com/PaperMtn/watchman-signatures). Slack Watchman automatically updates its signature base at runtime to ensure its using the latest signatures to detect secrets.
 
+#### Suppressing Signatures
+You can define signatures that you want to disable when running GitLab Watchman by adding their IDs to the `disabled_signatures` section of the `watchman.conf` file. For example:
+
+```yaml
+gitlab_watchman:
+  disabled_signatures:
+    - tokens_generic_bearer_tokens
+    - tokens_generic_access_tokens
+```
+
+You can find the ID of a signature in the individual YAML files in [Watchman Signatures repository](https://github.com/PaperMtn/watchman-signatures).
+
 ### Logging
 
 GitLab Watchman gives the following logging options:
@@ -106,6 +118,16 @@ You also need to provide the URL of your GitLab instance.
 #### Providing token & URL
 GitLab Watchman will get the GitLab token and URL from the environment variables `GITLAB_WATCHMAN_TOKEN` and `GITLAB_WATCHMAN_URL`.
 
+### watchman.conf file
+Configuration options can be passed in a file named `watchman.conf` which must be stored in your home directory. The file should follow the YAML format, and should look like below:
+```yaml
+gitlab_watchman:
+  disabled_signatures:
+    - tokens_generic_bearer_tokens
+    - tokens_generic_access_tokens
+```
+GitLab Watchman will look for this file at runtime, and use the configuration options from here.
+
 ## Installation
 You can install the latest stable version via pip: