From 3190ec59991cfcdfee8bda5800a5a108e11a5e7a Mon Sep 17 00:00:00 2001 From: Seven Thomas Date: Thu, 22 Jan 2026 12:32:05 -0500 Subject: [PATCH 1/4] docs(intro): add local EdgeScan setup instructions and prerequisites chore(knip): update ignoreBinaries to include 'container' feat(package): add edgescan:agent script for local security scans --- apps/docs/docs/intro.md | 51 ++++++++++++++++++++++++++++++++++++++++- knip.json | 2 +- package.json | 4 +++- 3 files changed, 54 insertions(+), 3 deletions(-) diff --git a/apps/docs/docs/intro.md b/apps/docs/docs/intro.md index b9e783954..15d0d35e7 100644 --- a/apps/docs/docs/intro.md +++ b/apps/docs/docs/intro.md @@ -26,7 +26,7 @@ Clone the Sharethrift repository and set up the development environment: ```bash git clone https://github.com/Sharethrift/sharethrift.git cd sharethrift -``` +```i Install dependencies and build the project: @@ -67,3 +67,52 @@ Sharethrift follows these core patterns: - **API Layer**: GraphQL and REST endpoints via Azure Functions Open any file in the `packages/` directory and start exploring: the project uses hot reloading for rapid development! + +## Local EdgeScan Setup + +EdgeScan is a Dynamic Application Security Testing (DAST) platform that scans live running applications to identify runtime vulnerabilities and security weaknesses. Unlike static analysis tools like Snyk or SonarCloud that scan source code, EdgeScan tests the actual deployed application behavior. + +### How to use + +- Use `pnpm run edgescan:dev` to run local security validation scans. +- **DO NOT** use `edgescan:agent` locally; it is strictly reserved for the GitHub Copilot AI Coding Agent and CI/CD automation. + +### Prerequisites + +#### 1. Apple Native Containers + +One-time setup for macOS developers: + +1. Download the signed installer package from Apple's container releases page. +2. Run the installer. +3. Start the container system with: + ```bash + container system start + ``` + Input 'Y' when prompted. +4. Confirm it is working with: + ```bash + container system status + ``` + Expected output: + ``` + container system status + apiserver is running + ``` + +#### 2. EdgeScan API Token + +1. Log in to https://intealth.edgescan.com +2. Go to Profile Settings and generate an API token +3. Export it in the terminal (optionally add to ~/.zshrc or ~/.bashrc for persistence): + ```bash + export ES_API_TOKEN="your token here" + ``` + +#### 3. EdgeScan Asset ID + +This is the asset you want to scan (provided by the EdgeScan team or available from the EdgeScan UI). Export it: + +```bash +export ES_ASSET_ID="your asset id here" +``` diff --git a/knip.json b/knip.json index 97c3b8dda..496caf033 100644 --- a/knip.json +++ b/knip.json @@ -96,5 +96,5 @@ "tsx", "vite" ], - "ignoreBinaries": ["func"] + "ignoreBinaries": ["func", "container"] } diff --git a/package.json b/package.json index dd4c57c32..faa585096 100644 --- a/package.json +++ b/package.json @@ -52,7 +52,9 @@ "snyk:code": "snyk code test --org=simnova --remote-repo-url=https://github.com/simnova/sharethrift --severity-threshold=medium", "snyk:code:report": "snyk code test --org=simnova --remote-repo-url=https://github.com/simnova/sharethrift --target-reference=main --project-name=sharethrift-code --report", "snyk:iac": "snyk iac test iac/**/*.bicep apps/**/iac/**/*.bicep --org=simnova --remote-repo-url=https://github.com/simnova/sharethrift", - "snyk:iac:report": "snyk iac test iac/**/*.bicep apps/**/iac/**/*.bicep --org=simnova --remote-repo-url=https://github.com/simnova/sharethrift --target-reference=main --target-name=sharethrift-iac --report" + "snyk:iac:report": "snyk iac test iac/**/*.bicep apps/**/iac/**/*.bicep --org=simnova --remote-repo-url=https://github.com/simnova/sharethrift --target-reference=main --target-name=sharethrift-iac --report", + "edgescan:agent": "docker run --tty --rm edgescan/cicd-integration:latest --api-token $ES_API_TOKEN --asset-id $ES_ASSET_ID --start-scan --max-risk-threshold 3 --wait --color", + "edgescan:dev": "container run --tty --rm --platform linux/amd64 edgescan/cicd-integration:latest --api-token $ES_API_TOKEN --asset-id $ES_ASSET_ID --start-scan --max-risk-threshold 3 --wait --color" }, "pnpm": { "auditConfig": { From 4c0012963cd19d265595ce5f868ac676bd49f79a Mon Sep 17 00:00:00 2001 From: Seven Thomas Date: Fri, 23 Jan 2026 13:57:53 -0500 Subject: [PATCH 2/4] Implement EdgeScan Local Dev Command with Apple Native Containers (macOS) Fixes #339 --- package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index faa585096..1e1390502 100644 --- a/package.json +++ b/package.json @@ -54,8 +54,8 @@ "snyk:iac": "snyk iac test iac/**/*.bicep apps/**/iac/**/*.bicep --org=simnova --remote-repo-url=https://github.com/simnova/sharethrift", "snyk:iac:report": "snyk iac test iac/**/*.bicep apps/**/iac/**/*.bicep --org=simnova --remote-repo-url=https://github.com/simnova/sharethrift --target-reference=main --target-name=sharethrift-iac --report", "edgescan:agent": "docker run --tty --rm edgescan/cicd-integration:latest --api-token $ES_API_TOKEN --asset-id $ES_ASSET_ID --start-scan --max-risk-threshold 3 --wait --color", - "edgescan:dev": "container run --tty --rm --platform linux/amd64 edgescan/cicd-integration:latest --api-token $ES_API_TOKEN --asset-id $ES_ASSET_ID --start-scan --max-risk-threshold 3 --wait --color" - }, + "edgescan:dev": "container run --tty --rm --platform linux/amd64 edgescan/cicd-integration:latest --api-token $ES_API_TOKEN --asset-id 74469 --start-scan --max-risk-threshold 3 --wait --color" + }, "pnpm": { "auditConfig": { "ignoreGhsas": [ From 877141877c0bc7558122b5f6edca0d57a3cfa69c Mon Sep 17 00:00:00 2001 From: Seven Thomas Date: Tue, 27 Jan 2026 10:40:47 -0500 Subject: [PATCH 3/4] Add EdgeScan CI/CD integration and update pipeline stages --- azure-pipelines.yml | 10 ++- .../core/monorepo-edgescan-stage.yml | 79 +++++++++++++++++++ 2 files changed, 88 insertions(+), 1 deletion(-) create mode 100644 build-pipeline/core/monorepo-edgescan-stage.yml diff --git a/azure-pipelines.yml b/azure-pipelines.yml index a3db070ac..6139cdab4 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -62,4 +62,12 @@ stages: resourceGroupName: 'rg-sharethrift' appSettingsJsonFileRelativePathPri: 'apps/api/build-pipelines/config/dev-pri.json' frontDoorProfileName: 'simnova-afd' - frontDoorEndpointName: 'sth-fde-bzbjd6edbfhmcnam' \ No newline at end of file + frontDoorEndpointName: 'sth-fde-bzbjd6edbfhmcnam' + + + - template: ./build-pipeline/core/monorepo-edgescan-stage.yml + parameters: + stageName: 'EdgeScan_DEV' + dependsOn: 'DEV' + vmImageName: $(vmImageName) + esAssetId: $(ES_ASSET_ID_DEV) \ No newline at end of file diff --git a/build-pipeline/core/monorepo-edgescan-stage.yml b/build-pipeline/core/monorepo-edgescan-stage.yml new file mode 100644 index 000000000..d16e5b315 --- /dev/null +++ b/build-pipeline/core/monorepo-edgescan-stage.yml @@ -0,0 +1,79 @@ +parameters: +- name: stageName + type: string + default: 'EdgeScan' +- name: dependsOn + type: string +- name: esAssetId + type: string +- name: vmImageName + type: string + default: 'ubuntu-latest' + +stages: +- stage: ${{parameters.stageName}} + displayName: 'EdgeScan Security Scan' + dependsOn: ${{parameters.dependsOn}} + condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest')) + jobs: + - job: EdgeScan + displayName: 'EdgeScan CI/CD Integration' + variables: + # Generates a monthly key like "2026-01" to ensure the image is refreshed monthly + cacheMonth: $[format('{0:yyyy-MM}', pipeline.startTime)] + pool: + vmImage: ${{parameters.vmImageName}} + steps: + - task: Cache@2 + displayName: 'Cache EdgeScan Docker Image' + inputs: + key: 'docker | edgescan | latest | $(cacheMonth)' + path: $(Pipeline.Workspace)/docker-cache + cacheHitVar: DOCKER_CACHE_HIT + + - task: Bash@3 + displayName: 'Pull or Restore EdgeScan Image' + inputs: + targetType: 'inline' + script: | + set -euo pipefail + mkdir -p $(Pipeline.Workspace)/docker-cache + + if [ "${DOCKER_CACHE_HIT:-}" = "true" ] && [ -f "$(Pipeline.Workspace)/docker-cache/edgescan.tar" ]; then + echo "Restoring EdgeScan image from cache..." + docker load -i $(Pipeline.Workspace)/docker-cache/edgescan.tar + else + echo "Cache miss or missing tarball. Pulling from Docker Hub..." + docker pull edgescan/cicd-integration:latest + echo "Saving image to cache for future runs..." + docker save edgescan/cicd-integration:latest -o $(Pipeline.Workspace)/docker-cache/edgescan.tar + fi + + - task: Bash@3 + displayName: 'Run EdgeScan Scan' + inputs: + targetType: 'inline' + script: | + set -euo pipefail + + if [ -z "$ES_API_TOKEN" ]; then + echo "Error: ES_API_TOKEN must be set in the variable group." + exit 1 + fi + + if [ -z "${{ parameters.esAssetId }}" ]; then + echo "Error: ES_ASSET_ID_DEV must be set in the variable group." + exit 1 + fi + + echo "Triggering EdgeScan for Asset ID: ${{ parameters.esAssetId }}" + + docker run --tty --rm \ + edgescan/cicd-integration:latest \ + --api-token "$ES_API_TOKEN" \ + --asset-id "${{ parameters.esAssetId }}" \ + --start-scan \ + --max-risk-threshold 3 \ + --wait --color + env: + ES_API_TOKEN: $(ES_API_TOKEN) From c937ffc286ccc0c356fea24939c5831e8dec6ff5 Mon Sep 17 00:00:00 2001 From: Seven Thomas Date: Tue, 27 Jan 2026 11:06:58 -0500 Subject: [PATCH 4/4] Add missing variable group for EdgeScan credentials in pipeline --- azure-pipelines.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 6139cdab4..4123c234f 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -12,6 +12,7 @@ pool: vmImage: ubuntu-latest variables: + - group: edgescan-credential-sharethrift - group: sonarcloud-credential-sharethrift - group: github-credential-sharethrift - group: ui-sharethrift-settings-sharethrift