diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..f253916
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+ - package-ecosystem: 'github-actions'
+ directory: '/'
+ schedule:
+ interval: 'daily'
diff --git a/.github/workflows/mcvs-pr-validation.yml b/.github/workflows/mcvs-pr-validation.yml
new file mode 100644
index 0000000..b337dc2
--- /dev/null
+++ b/.github/workflows/mcvs-pr-validation.yml
@@ -0,0 +1,19 @@
+---
+name: MCVS-PR-validation-action
+'on':
+ pull_request:
+ types:
+ - edited
+ - opened
+ - reopened
+ - synchronize
+ workflow_call:
+permissions:
+ contents: read
+ pull-requests: read
+jobs:
+ MCVS-PR-validation-action:
+ runs-on: ubuntu-22.04
+ steps:
+ - uses: actions/checkout@v4.2.0
+ - uses: schubergphilis/mcvs-pr-validation-action@v0.2.0
diff --git a/README.md b/README.md
index ddcc112..5a24078 100644
--- a/README.md
+++ b/README.md
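Review bot: The Dependabot config only registers the `github-actions` ecosystem, so it will bump the `uses:` references in the workflows but nothing else in this change set; the version pins that live inside `run:` scripts in `action.yml` (`yamllint==1.35.1`, `pyinstaller==v6.10.0`) are invisible to every Dependabot ecosystem and will silently age. If the project ever grows a `requirements.txt`, a second `package-ecosystem: 'pip'` entry would cover it, but the script-level pins still need a manual or scripted refresh. A one-line comment above `updates:` such as `# Only covers uses: refs; tool versions pinned in action.yml run: steps are updated by hand` would make that gap explicit.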
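Review bot: Both `uses:` steps in the new job reference mutable tags (`actions/checkout@v4.2.0`, `schubergphilis/mcvs-pr-validation-action@v0.2.0`); a tag can be re-pointed at different code after the fact, so the supply-chain-safe form is the full commit SHA with the tag kept in a trailing comment, e.g. `- uses: actions/checkout@<commit-sha> # v4.2.0`, which Dependabot's `github-actions` ecosystem still knows how to bump. The rest of the workflow is in good shape: `permissions` is read-only for `contents` and `pull-requests`, and it triggers on `pull_request` rather than `pull_request_target`, so fork PRs do not get a privileged token. Since the workflow is also exposed via `workflow_call`, a short comment noting which `permissions` a caller must grant would save the next consumer a failed run.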
@@ -1,2 +1,37 @@ -# mcvs-python-action +# MCVS-python-action + Mission Critical Vulnerability Scanner (MCVS) Python Action. Create Python code without high and critical vulnerabilities. + +## Usage + +Create a `.github/workflows/python.yml` file with the following content: + +```yaml +--- +name: Python +"on": push +permissions: + contents: read # write if pyinstaller-binary-name is non-empty +jobs: + MCVS-python-action: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v4.1.1 + - uses: schubergphilis/mcvs-python-action@v0.1.1 + with: + token: ${{ secrets.GITHUB_TOKEN }} +``` + + + +| Option | Default | Required | Description | +| :---------------------- | :----------------------------------- | -------- | :---------------------------------------------------------------------------------------------------------------- | +| pyinstaller-binary-name | | | If populated, then a binary will be created using pyinstaller and attached to a release | +| token | ' ' | x | GitHub token that is required to push a package to the registry of the project and to pull cached Trivy DB images | +| trivy-action-db | ghcr.io/aquasecurity/trivy-db:2 | | Replace this with a cached image to prevent bump into pull rate limiting issues | +| trivy-action-java-db | ghcr.io/aquasecurity/trivy-java-db:1 | | Replace this with a cached image to prevent bump into pull rate limiting issues | + + + +Define the Python version of the project by adding it to a `.python-version` +file. diff --git a/action.yml b/action.yml new file mode 100644 index 0000000..cc4babc --- /dev/null +++ b/action.yml 
@@ -0,0 +1,116 @@
+---
+name: mcvs-python-action
+description: |
+ The Mission Critical Vulnerability Scanner (MCVS) Python action.
+inputs:
+ pyinstaller-binary-name:
+ description: The name of the binary that is created using pyinstaller.
+ trivy-action-db:
+ default: 'ghcr.io/aquasecurity/trivy-db:2'
+ description: |
+ OCI repository to retrieve trivy-db from.
+ trivy-action-java-db:
+ description: |
+ OCI repository to retrieve trivy-java-db from.
+ default: 'ghcr.io/aquasecurity/trivy-java-db:1'
+ token:
+ description: |
+ A token is required to allow the mcvs-python-action to push the
+ package that it has been built, to the packages repository of the GitHub
+ repository where the action has been run and to pull the cached trivy DBs
+ to prevent bump into pull rate limits.
+ required: true
+runs:
+ using: 'composite'
+ steps:
+ #
+ # YAML linting.
+ #
+ - run: |
+ pip install --user yamllint==1.35.1
+ yamllint .
+ shell: bash
+ #
+ # Install the python version that has been defined in the .python-version
+ # file.
+ #
+ - uses: actions/setup-python@v5.2.0
+ with:
+ cache: 'pip'
+ #
+ # Code security scanning.
+ #
+ - uses: anchore/scan-action@v4.1.2
+ with:
+ only-fixed: false
+ output-format: table
+ path: '.'
+ severity-cutoff: high
+ - uses: 030/trivyignore-validator-action@v0.1.2
+ - name: Log in to GitHub Packages Docker registry
+ shell: bash
+ run: |
+ echo "${{ inputs.token }}" |\
+ docker login ghcr.io -u ${{ github.actor }} --password-stdin
+ - uses: aquasecurity/trivy-action@0.24.0
+ env:
+ TRIVY_DB_REPOSITORY: ${{ inputs.trivy-action-db }}
+ TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-action-java-db }}
+ TRIVY_PASSWORD: ${{ inputs.token }}
+ TRIVY_USERNAME: ${{ github.actor }}
+ with:
+ scan-type: 'fs'
+ scan-ref: '.'
+ exit-code: '1'
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH'
+ trivyignores: .trivyignore
+ #
+ # If a requirements file exists in the project, then install the packages.
+ #
+ - name: Install PIP packages defined in requirements.txt
+ shell: bash
+ run: |
+ requirements_file=requirements.txt
+ if [ -f ${requirements_file} ]; then
+ pip install \
+ -r ${requirements_file}
+ fi
+ #
+ # Run pytest if 'import pytest' is found.
+ #
+ - name: Run tests
+ shell: bash
+ run: |
+ if grep -r 'import pytest' *.py; then
+ pytest \
+ --capture=no \
+ --cov=main test.py \
+ --cov-report term-missing \
+ --verbose
+ fi
+ #
+ # Build binary using pyinstaller and attach it to a release once a tag has
+ # been created.
+ #
+ # yamllint disable rule:line-length
+ - name: Check Conditions
+ id: condition_check
+ run: echo "Checking conditions..."
+ shell: bash
+ if: ${{ github.event_name == 'push' && contains(github.ref, 'refs/tags/') && inputs.pyinstaller-binary-name != '' }}
+ # yamllint enable rule:line-length
+ - name: Build binary using pyinstaller
+ if: ${{ steps.condition_check.outcome == 'success' }}
+ shell: bash
+ run: |
+ pip install pyinstaller==v6.10.0
+ pyinstaller --onefile main.py --name gomod-go-version-updater
+ - name: Attach a binary to a release
+ if: ${{ steps.condition_check.outcome == 'success' }}
+ uses: svenstaro/upload-release-action@2.9.0
+ with:
+ repo_token: ${{ inputs.token }}
+ file: dist/${{ inputs.pyinstaller-binary-name }}
+ asset_name: ${{ inputs.pyinstaller-binary-name }}
+ tag: ${{ github.ref }}
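Review bot: The "Build binary using pyinstaller" step hard-codes `--name gomod-go-version-updater`, while the next step uploads `dist/${{ inputs.pyinstaller-binary-name }}`; for any caller whose input is not exactly that literal, the build succeeds but the release step fails on a missing file, so the `pyinstaller-binary-name` input is effectively unusable. Feed the input in through the step's environment rather than as a literal or a `${{ }}` expansion inside the script: add `env:` / `BINARY_NAME: ${{ inputs.pyinstaller-binary-name }}` to the step and change the command to `pyinstaller --onefile main.py --name "${BINARY_NAME}"`. The same pattern applies to the docker-login step, which splices `${{ inputs.token }}` and `${{ github.actor }}` straight into `run:`; routing them through `env:` is the GitHub-recommended defence against expression injection and keeps the token out of the rendered shell text (the Trivy step just below already does this with `TRIVY_PASSWORD`/`TRIVY_USERNAME`). Separately, `yamllint==1.35.1` and `pyinstaller==v6.10.0` are pinned in scripts that no Dependabot ecosystem in this change set tracks, so a comment on each line noting they are updated by hand would help.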