Skip to content

Commit

Permalink
fix(actions): add static analysis (#49)
Browse files Browse the repository at this point in the history
  • Loading branch information
@vascoalramos
vascoalramos committed Jan 18, 2023
1 parent 8234dfa commit bd79a6e
Show file tree
Hide file tree
Showing 4 changed files with 140 additions and 12 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/merge-master.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ jobs:

- name: Git Short sha
id: short_sha
run: echo "::set-output name=value::$(git rev-parse --short HEAD)"
run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT


build:
Expand Down
79 changes: 71 additions & 8 deletions .github/workflows/prereleased.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,17 @@ env:
CONTAINER: authentication-service-container-image
DOCKER_REPOSITORY: authentication-service

AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
SBOM_FILENAME: docker-sbom
NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}



permissions:
id-token: write
contents: read
packages: read



jobs:
Expand Down Expand Up @@ -52,7 +63,7 @@ jobs:
steps:
- name: Version
id: version
run: echo ::set-output name=value::${GITHUB_REF#refs/*/}
run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT


build:
Expand All @@ -67,6 +78,60 @@ jobs:
steps:
- uses: actions/checkout@v3

- name: Build Docker Image
id: docker_build
uses: docker/build-push-action@v3
env:
DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY }}:${{ needs.prepare.outputs.version }}
with:
context: .
push: false
load: true
tags: ${{ env.DOCKER_IMAGE_TAG }}

- name: Create Docker SBOM
uses: anchore/sbom-action@v0
with:
image: ${{ steps.docker_build.outputs.imageId }}
format: spdx-json
upload-release-assets: false
output-file: ${{ env.SBOM_FILENAME }}.spdx.json

- name: Scan SBOM
id: scan_sbom
uses: anchore/scan-action@v3
with:
sbom: ${{ env.SBOM_FILENAME }}.spdx.json
output-format: sarif
fail-build: false

- name: Determine number of noticiable vulnerabilities
id: count_vulnerabilities
run: |
echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }}
aws-region: ${{ env.AWS_S3_REGION }}

- name: Copy SBOM to S3
run: |
aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
- name: Update Notion Page
uses: ydataai/update-notion-page@v1
env:
STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
with:
notion_secret: ${{ secrets.NOTION_SECRET }}
notion_database_id: ${{ env.NOTION_DATABASE_ID }}
notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
Expand All @@ -78,14 +143,12 @@ jobs:
id: ecr_password
uses: aws-actions/amazon-ecr-login@v1

- name: Build and push
uses: docker/build-push-action@v3
- name: Push Docker Image
env:
DOCKER_IMAGE_TAG: ${{ steps.ecr_password.outputs.registry }}/${{ env.DOCKER_REPOSITORY }}:${{ needs.prepare.outputs.version }}
with:
context: .
push: true
tags: ${{ env.DOCKER_IMAGE_TAG }}
run: |
docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
docker push ${{ env.DOCKER_IMAGE_TAG }}
update-manifests:
Expand All @@ -107,7 +170,7 @@ jobs:

- uses: imranismail/setup-kustomize@v2
with:
kustomize-version: "3.8.5"
kustomize-version: ${{ secrets.KUSTOMIZE_VERSION }}

- name: Update kustomization image tag
env:
Expand Down
65 changes: 65 additions & 0 deletions .github/workflows/pull-request.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,20 @@ on:



env:
AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
SBOM_FILENAME: package-sbom
NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}



permissions:
id-token: write
contents: read
packages: read



jobs:
build:
name: Build
Expand Down Expand Up @@ -45,3 +59,54 @@ jobs:

- name: Run tests
run: make test


static-analysis:
name: Static Analysis
runs-on:
- self-hosted
- large

steps:
- uses: actions/checkout@v3

- name: Create SBOM
uses: anchore/sbom-action@v0
with:
format: spdx-json
output-file: ${{ env.SBOM_FILENAME }}.spdx.json

- name: Scan SBOM
id: scan_sbom
uses: anchore/scan-action@v3
with:
sbom: ${{ env.SBOM_FILENAME }}.spdx.json
output-format: sarif
fail-build: false

- name: Determine number of noticiable vulnerabilities
id: count_vulnerabilities
run: |
echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }}
aws-region: ${{ env.AWS_S3_REGION }}

- name: Copy SBOM to S3
run: |
aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
- name: Update Notion Page
uses: ydataai/update-notion-page@v1
env:
STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
with:
notion_secret: ${{ secrets.NOTION_SECRET }}
notion_database_id: ${{ env.NOTION_DATABASE_ID }}
notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
notion_page_update_properties: '{ "Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
6 changes: 3 additions & 3 deletions .github/workflows/released.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -53,13 +53,13 @@ jobs:
steps:
- name: Version
id: version
run: echo ::set-output name=value::${GITHUB_REF#refs/*/}
run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT

- uses: actions/checkout@v3

- name: Git Short sha
id: short_sha
run: echo "::set-output name=value::$(git rev-parse --short HEAD)"
run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT


docker-tag:
Expand Down Expand Up @@ -112,7 +112,7 @@ jobs:

- uses: imranismail/setup-kustomize@v2
with:
kustomize-version: "3.8.5"
kustomize-version: ${{ secrets.KUSTOMIZE_VERSION }}

- name: Update kustomization image tag
env:
Expand Down

0 comments on commit bd79a6e

Please sign in to comment.