apiiro
diff --git a/‎CONTRIBUTING.md
Lines changed: 48 additions & 0 deletions b/‎CONTRIBUTING.md
Lines changed: 48 additions & 0 deletions
diff --git a/‎README.md
Lines changed: 7 additions & 7 deletions b/‎README.md
Lines changed: 7 additions & 7 deletions
diff --git a/‎helm/README.md
Lines changed: 15 additions & 24 deletions b/‎helm/README.md
Lines changed: 15 additions & 24 deletions
diff --git a/‎helm/templates/_helpers.tpl
Lines changed: 4 additions & 4 deletions b/‎helm/templates/_helpers.tpl
Lines changed: 4 additions & 4 deletions
diff --git a/‎helm/values.yaml
Lines changed: 3 additions & 9 deletions b/‎helm/values.yaml
Lines changed: 3 additions & 9 deletions
diff --git a/‎setup/secret_managers/configure_cli.py
Lines changed: 37 additions & 37 deletions b/‎setup/secret_managers/configure_cli.py
Lines changed: 37 additions & 37 deletions
@@ -0,0 +1,48 @@
+# Contributing to PRevent
+
+Thank you for your interest in contributing! 
+Please follow these simple steps to ensure a smooth contribution process.
+
+---
+
+## Workflow
+1. **Fork and Clone**:
+    ```bash
+    git clone https://github.com/apiiro/PRevent.git
+    cd PRevent
+    ```
+2. **Create a Branch**:
+    ```bash
+    git checkout -b feature/branch-name
+    ```
+3. **Make Changes**:
+    - Thoroughly test live with GitHub.
+    - If your changes affect the scan, test on at least 3 large repositories and languages. 
+    - If your changes affect the scan, ensure an extremely low false-positive rate is kept.
+4. **Commit**:
+    Commits must be signed.
+    Write a clear, descriptive commit message:
+    ```bash
+    git commit -S -m "Added config parameters validation on container initialization"
+    ```
+5. **Push and Submit PR**:
+    ```bash
+    git push origin rule/your-branch-name
+    ```
+    - Provide a concise description in the pull request.
+
+---
+
+## Reporting Issues
+- Make sure the issue isn't referenced in known-limitations.
+- Make sure the issue doesn't exist already.
+- Clearly describe the issue.
+- Include a reproducible example if applicable.
+- Submit via [GitHub Issues](https://github.com/apiiro/PRevent/issues).
+
+---
+
+## Licensing
+By contributing, you agree to license your work under the [MIT License](LICENSE).
+
+Thank you for helping improve Malicious-Code-Ruleset!
@@ -47,10 +47,10 @@ Deployment:
 - Supports containerization.
 - Non-containerized deployment is fully automated with an interactive setup script.
 - To manage GitHub key (required for any GitHub app), multiple secret managers are supported:
-  - HashiCorp Vault
   - AWS Secrets Manager
   - Azure Key Vault
   - Google Cloud Secret Manager
+  - HashiCorp Vault
   - Local HashiCorp Vault (for development and testing)
 
 ![merge blocking](https://github.com/user-attachments/assets/4abf58ce-90e9-4624-841b-b5d60bb8dcbb)
@@ -133,7 +133,7 @@ The application handles all parameters exclusively through the secret manager (s
 
 #### Secret Manager Setup Instructions
 
-First, set **SECRET_MANAGER** in your secret manager to either: vault, aws, azure, gcloud, or local.
+First, set **SECRET_MANAGER** in your secret manager to either: aws, azure, gcloud, vault, or local.
 
 Dedicate a section in your secret manager for this app, separated from the rest. Create an app role with minimal permissions, to access the dedicated section only. If you are not sure how, try the following instructions:
 ```bash
@@ -142,11 +142,11 @@ python3 setup/secret_managers/print_instructions.py SECRET_MANAGER
 
 Permissions required to operate the role:
 
-| Permission | Vault                  | AWS                           | Azure                     | GCloud                    |
-|------------|------------------------|-------------------------------|---------------------------|---------------------------|
-| read       | read                   | secretsmanager:GetSecretValue | KeyVaultSecret:Get        | secretmanager.secrets.get | 
-| write      | create, update         | secretsmanager:PutSecretValue | KeyVaultSecret:Set        | secretmanager.secrets.add |
-| scope      | path = "prevent-app/*" | resource = "prevent-app/*"    | secret = "prevent-app/*"  | secret = "prevent-app/*"  |
+| Permission | AWS                           | Azure                     | GCloud                    | Vault                  |
+|------------|-------------------------------|---------------------------|---------------------------|------------------------|
+| read       | secretsmanager:GetSecretValue | KeyVaultSecret:Get        | secretmanager.secrets.get | read                   | 
+| write      | secretsmanager:PutSecretValue | KeyVaultSecret:Set        | secretmanager.secrets.add | create, update         |
+| scope      | resource = "prevent-app/*"    | secret = "prevent-app/*"  | secret = "prevent-app/*"  | path = "prevent-app/*" |
 
 
 ### 2. GitHub App
 
@@ -29,30 +29,6 @@ kubectl create secret generic k8s-credentials \
   --namespace=<namespace>
 ```
 
-### Vault
-
-Credentials required to operate Vault with your dedicated AppRole to restrict access: 
-- ROLE_ID
-- SECRET_ID
-
-```shell
-kubectl create secret generic vault-approle-credentials \
-  --from-literal=role-id=<role-id-value> \
-  --from-literal=secret-id=<secret-id-value> \
-  --namespace=<namespace>
-```
-
-Credentials required to operate Vault without a dedicated AppRole:
-- VAULT_ADDR
-- VAULT_TOKEN
-
-```shell
-kubectl create secret generic vault-approle-credentials \
-  --from-literal=vault-addr=<vault-addr-value> \
-  --from-literal=vault-token=<vault-token-value> \
-  --namespace=<namespace>
-```
-
 ### AWS
 
 Credentials required to operate your AWS Secret Manager: 
@@ -109,6 +85,21 @@ kubectl create secret generic gcloud-credentials \
 To use with a dedicated GCP role to restrict access:
 Associate the GCP IAM role with the K8S service account (e.g., using Workload Identity for GKE).
 
+### Vault
+
+Credentials required to operate Vault, preferably generated with a dedicated AppRole:
+- VAULT_ADDR
+- VAULT_TOKEN
+
+```shell
+kubectl create secret generic vault-approle-credentials \
+  --from-literal=vault-addr=<vault-addr-value> \
+  --from-literal=vault-token=<vault-token-value> \
+  --namespace=<namespace>
+```
+
+The best practice is to use Vault Agent with Auto-Auth or Kubernetes Auth to dynamically authenticate and securely retrieve tokens, avoiding static token storage. This is currently unsupported – contributions are welcome.
+
 ## Step 2 - Helm deploy
 
 1. Edit [values.yaml](values.yaml).
 
@@ -19,10 +19,6 @@
 {{- end }}
 
 {{- define "env-secrets" }}
-  {{- if eq .secreteManagerType "vault" }}
-    {{- include "secret-keyref-required" (dict "name" "vault-credentials" "key" "vault-addr" "env" "VAULT_ADDR") }}
-    {{- include "secret-keyref-required" (dict "name" "vault-credentials" "key" "vault-token" "env" "VAULT_TOKEN") }}
-  {{- end }}
   {{- if eq .secreteManagerType "aws" }}
     {{- include "secret-keyref-required" (dict "name" "aws-credentials" "key" "aws-access-key-id" "env" "AWS_ACCESS_KEY_ID") }}
     {{- include "secret-keyref-required" (dict "name" "aws-credentials" "key" "aws-secret-access-key" "env" "AWS_SECRET_ACCESS_KEY") }}
@@ -38,6 +34,10 @@
     {{- include "secret-keyref-optional" (dict "name" "gcloud-credentials" "key" "google-cloud-region" "env" "GOOGLE_CLOUD_REGION" "namespace" .namespace) }}
     {{- include "secret-keyref-optional" (dict "name" "gcloud-credentials" "key" "google-api-key" "env" "GOOGLE_API_KEY" "namespace" .namespace) }}
   {{- end }}
+  {{- if eq .secreteManagerType "vault" }}
+    {{- include "secret-keyref-required" (dict "name" "vault-credentials" "key" "vault-addr" "env" "VAULT_ADDR") }}
+    {{- include "secret-keyref-required" (dict "name" "vault-credentials" "key" "vault-token" "env" "VAULT_TOKEN") }}
+  {{- end }}
   {{- if eq .secreteManagerType "k8s" }}
     {{- include "secret-keyref-required" (dict "name" "k8s-credentials" "key" "github-app-private-key" "env" "GITHUB_APP_PRIVATE_KEY") }}
     {{- include "secret-keyref-required" (dict "name" "k8s-credentials" "key" "github-app-integration-id" "env" "GITHUB_APP_INTEGRATION_ID") }}
 
@@ -23,7 +23,7 @@ service:
   targetPort: 8080
 app:
   config:
-    # Options secretManager: gcloud, aws, azure, vault, k8s
+    # Options secretManager: k8s, aws, azure, gcloud, vault
     secretManager: k8s
     blockPr: false
     fpStrict: false
@@ -49,23 +49,17 @@ externalIngress:
       #spec:
       #  frontendConfigSpec:
       #    item1: value1
-  aws:
+  eks:
     enabled: false
     annotations:
     #- alb.ingress.kubernetes.io/scheme: internet-facing
     #- alb.ingress.kubernetes.io/target-type: ip
     certificateArn: ""
-  azure:
+  aks:
     enabled: false
     annotations:
     #- appgw.ingress.kubernetes.io/use-private-ip: "false"
     #- appgw.ingress.kubernetes.io/request-timeout: "300"
     managedCertificate:
       enabled: false
       domain: ""
-  vault:
-    enabled: false
-    annotations:
-    #- service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
-    service:
-      type: LoadBalancer
@@ -7,33 +7,6 @@
 from src.config import write_setting
 
 
-# Vault is used for two options, remote and local
-def configure_vault(local=False):
-    print("Configuring access: executing `vault login` (temporarily leaving the script)")
-    try:
-        subprocess.run(["vault", "login"], check=True)
-        print("(verify inputs for typos, white-spaces and correct format)")
-        if local:
-            address = getpass(
-                "Insert you Vault server address: ['http://127.0.0.1:8200']\n"
-            ) or 'http://127.0.0.1:8200'
-        else:
-            address = getpass("Insert you Vault server address: ") or ''
-        if address:
-            vault_url_path = f"{CONFIG_DIR}/vault-address"
-            with open(vault_url_path, 'w') as f:
-                f.write(address)
-            print(f"Successfully written Vault address to {vault_url_path}")
-        else:
-            print("No Vault address was received.")
-            print("It's possible to define the env var VAULT_ADDR instead,")
-            print("but it might not persist.")
-        print("Vault access configured successfully.")
-    except subprocess.CalledProcessError:
-        print("Failed to login to Vault.")
-        print("Ensure Vault CLI is installed, login, and rerun setup.py to continue")
-
-
 def configure_aws():
     print("Configuring access: executing `aws configure` (temporarily leaving the script)")
     try:
@@ -82,12 +55,39 @@ def configure_gcloud():
         print("Ensure it's installed, configure it, and rerun setup.py to continue")
 
 
+# Vault is used for two options, remote and local
+def configure_vault(local=False):
+    print("Configuring access: executing `vault login` (temporarily leaving the script)")
+    try:
+        subprocess.run(["vault", "login"], check=True)
+        print("(verify inputs for typos, white-spaces and correct format)")
+        if local:
+            address = getpass(
+                "Insert you Vault server address: ['http://127.0.0.1:8200']\n"
+            ) or 'http://127.0.0.1:8200'
+        else:
+            address = getpass("Insert you Vault server address: ") or ''
+        if address:
+            vault_url_path = f"{CONFIG_DIR}/vault-address"
+            with open(vault_url_path, 'w') as f:
+                f.write(address)
+            print(f"Successfully written Vault address to {vault_url_path}")
+        else:
+            print("No Vault address was received.")
+            print("It's possible to define the env var VAULT_ADDR instead,")
+            print("but it might not persist.")
+        print("Vault access configured successfully.")
+    except subprocess.CalledProcessError:
+        print("Failed to login to Vault.")
+        print("Ensure Vault CLI is installed, login, and rerun setup.py to continue")
+
+
 def configure_sm(manager: str):
     config_map = {
-        "vault": configure_vault,
         "aws": configure_aws,
         "azure": configure_azure,
         "gcloud": configure_gcloud,
+        "vault": configure_vault,
         "local": lambda: configure_vault(local=True),
     }
     config_map.get(manager, lambda: None)()
@@ -133,10 +133,10 @@ def add_to_toml(package: str) -> None:
 # Install the secret manager's Python package, and add it to pyproject.toml
 def manage_secret_manager_dependency(manager: str) -> None:
     dependencies = {
-        "vault": "[email protected]",
         "aws": "[email protected]",
         "azure": "[email protected]",
         "gcloud": "[email protected]",
+        "vault": "[email protected]",
         "local": "[email protected]"
     }
     package: str = dependencies.get(manager)
@@ -153,10 +153,10 @@ def choose_secrets_manager() -> str:
     print("This app can install a local manager for you (option 5).")
     print("However, it's highly recommended to use a remote secret manager.\n")
     print("Select the secret sm you use:")
-    print("1) HashiCorp Vault")
-    print("2) AWS Secrets Manager")
-    print("3) Azure Key Vault Secrets")
-    print("4) Google Cloud Secret Manager")
+    print("1) AWS Secrets Manager")
+    print("2) Azure Key Vault Secrets")
+    print("3) Google Cloud Secret Manager")
+    print("4) HashiCorp Vault")
     print("5) Easy local storage with HashiCorp Vault (insecure)")
 
     choice = input("Enter the number corresponding to your choice: ")
@@ -170,10 +170,10 @@ def choose_secrets_manager() -> str:
         return choose_secrets_manager()
 
     sm_types = {
-        1: "vault",
-        2: "aws",
-        3: "azure",
-        4: "gcloud",
+        1: "aws",
+        2: "azure",
+        3: "gcloud",
+        4: "vault",
         5: "local"
     }