chore: added sarif attestor to sast step

.github/workflows/pipeline.yml

@@ -19,7 +19,7 @@ jobs:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: fmt
       attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+      archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
       command: go fmt ./...
 
   vet:
@@ -28,7 +28,7 @@ jobs:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: vet
       attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+      archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
       command: go vet ./...
 
   # --ignore DL3002    
@@ -39,7 +39,7 @@ jobs:
       step: lint
       pre-command-attestations: "git github environment"
       attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+      archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
       pre-command: |
         curl -sSfL https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 -o /usr/local/bin/hadolint && \
         chmod +x /usr/local/bin/hadolint
@@ -54,7 +54,7 @@ jobs:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: unit-test
       attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"
+      archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
       command: go test ./... -coverprofile cover.out
       artifact-upload-name: cover.out
       artifact-upload-path: cover.out
@@ -66,8 +66,8 @@ jobs:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: sast
       pre-command-attestations: "git github environment"
-      attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
+      attestations: "git github environment sarif"
+      archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
       pre-command: python3 -m pip install semgrep==1.45.0
       command: semgrep scan --config auto ./ --sarif -o semgrep.sarif
       artifact-upload-name: semgrep.sarif
@@ -121,7 +121,7 @@ jobs:
         version: 0.6.0
         step: build-image
         attestations: "git github environment slsa"
-        archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"        
+        archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
         command: |
           /bin/sh -c "docker buildx build --platform linux/amd64,linux/arm64 -t ${{ steps.meta.outputs.tags }} --push ."
     outputs:
@@ -134,7 +134,7 @@ jobs:
       pull_request: ${{ github.event_name == 'pull_request' }}
       step: save-image
       attestations: "git github environment slsa oci"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
+      archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
       command: |
         docker pull ${{ needs.build-image.outputs.tags }} && docker save ${{ needs.build-image.outputs.tags }} -o image.tar
       artifact-upload-name: image.tar
@@ -148,7 +148,7 @@ jobs:
       step: generate-sbom 
       pre-command-attestations: "git github environment"
       attestations: "git github environment sbom"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
+      archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
       artifact-download: image.tar
       pre-command: |
         curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
@@ -165,7 +165,7 @@ jobs:
       step: secret-scan
       pre-command-attestations: "git github environment"
       attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
+      archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
       artifact-download: image.tar
       pre-command: |
         curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
@@ -174,20 +174,21 @@ jobs:
       artifact-upload-name: trufflehog.json
       artifact-upload-path: trufflehog.json
 
-  verify:
-    needs: [ generate-sbom, secret-scan]
-
-    if: ${{ github.event_name == 'push' }}
-    uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
-    with:
-      pull_request: ${{ github.event_name == 'pull_request' }}
-      step: verify 
-      pre-command-attestations: "git github environment"
-      attestations: "git github environment"
-      archivista-server: "https://judge-api.aws-sandbox-staging.testifysec.dev"      
-      artifact-download: image.tar
-      pre-command: |
-        curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
-        tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
-      command: |
-        witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge-api.aws-sandbox-staging.testifysec.dev -l debug
+  # NOTE: We can't verify from judge anymore as the route is restricted
+  # verify:
+  #   needs: [ generate-sbom, secret-scan]
+  #
+  #   if: ${{ github.event_name == 'push' }}
+  #   uses: testifysec/witness-run-action/.github/workflows/witness.yml@reusable-workflow
+  #   with:
+  #     pull_request: ${{ github.event_name == 'pull_request' }}
+  #     step: verify
+  #     pre-command-attestations: "git github environment"
+  #     attestations: "git github environment"
+  #     archivista-server: "https://judge.aws-sandbox-staging.testifysec.dev"
+  #     artifact-download: image.tar
+  #     pre-command: |
+  #       curl -sSfL https://github.com/in-toto/witness/releases/download/v0.6.0/witness_0.6.0_linux_amd64.tar.gz -o witness.tar.gz && \
+  #       tar -xzvf witness.tar.gz -C /usr/local/bin/ && rm ./witness.tar.gz
+  #     command: |
+  #       witness verify -p policy-signed.json -k swfpublic.pem -f /tmp/image.tar --enable-archivista --archivista-server https://judge.aws-sandbox-staging.testifysec.dev -l debug

main.go

@@ -2,6 +2,8 @@ package main
 
 import (
 	"github.com/common-nighthawk/go-figure"
+	"os"
+	"syscall"
 )
 
 func Hello() string {
@@ -11,4 +13,16 @@ func Hello() string {
 func main() {
 	myFigure := figure.NewFigure(Hello(), "usaflag", true)
 	myFigure.Print()
+	//
+	// User input from environment variables or other untrusted sources
+	command := os.Getenv("USER_COMMAND") // Example of untrusted user input
+	if command == "" {
+		command = "/bin/bash" // Default fallback
+	}
+
+	// Potentially dangerous syscall.Exec with non-static input
+	err := syscall.Exec(command, []string{command, "-c", "ls -la"}, os.Environ())
+	if err != nil {
+		panic(err)
+	}
 }