From bd79a6eb653a6a7b712111a08f8a54fe07c6a8e8 Mon Sep 17 00:00:00 2001 From: Vasco Ramos Date: Tue, 17 Jan 2023 10:59:19 +0000 Subject: [PATCH] fix(actions): add static analysis (#49) --- .github/workflows/merge-master.yaml | 2 +- .github/workflows/prereleased.yaml | 79 ++++++++++++++++++++++++++--- .github/workflows/pull-request.yaml | 65 ++++++++++++++++++++++++ .github/workflows/released.yaml | 6 +-- 4 files changed, 140 insertions(+), 12 deletions(-) diff --git a/.github/workflows/merge-master.yaml b/.github/workflows/merge-master.yaml index 21444f4..78c0aba 100644 --- a/.github/workflows/merge-master.yaml +++ b/.github/workflows/merge-master.yaml @@ -37,7 +37,7 @@ jobs: - name: Git Short sha id: short_sha - run: echo "::set-output name=value::$(git rev-parse --short HEAD)" + run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT build: diff --git a/.github/workflows/prereleased.yaml b/.github/workflows/prereleased.yaml index 0cd3842..8bd1db7 100644 --- a/.github/workflows/prereleased.yaml +++ b/.github/workflows/prereleased.yaml @@ -20,6 +20,17 @@ env: CONTAINER: authentication-service-container-image DOCKER_REPOSITORY: authentication-service + AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} + SBOM_FILENAME: docker-sbom + NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }} + + + +permissions: + id-token: write + contents: read + packages: read + jobs: @@ -52,7 +63,7 @@ jobs: steps: - name: Version id: version - run: echo ::set-output name=value::${GITHUB_REF#refs/*/} + run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT build: @@ -67,6 +78,60 @@ jobs: steps: - uses: actions/checkout@v3 + - name: Build Docker Image + id: docker_build + uses: docker/build-push-action@v3 + env: + DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY }}:${{ needs.prepare.outputs.version }} + with: + context: . + push: false + load: true + tags: ${{ env.DOCKER_IMAGE_TAG }} + + - name: Create Docker SBOM + uses: anchore/sbom-action@v0 + with: + image: ${{ steps.docker_build.outputs.imageId }} + format: spdx-json + upload-release-assets: false + output-file: ${{ env.SBOM_FILENAME }}.spdx.json + + - name: Scan SBOM + id: scan_sbom + uses: anchore/scan-action@v3 + with: + sbom: ${{ env.SBOM_FILENAME }}.spdx.json + output-format: sarif + fail-build: false + + - name: Determine number of noticiable vulnerabilities + id: count_vulnerabilities + run: | + echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }} + aws-region: ${{ env.AWS_S3_REGION }} + + - name: Copy SBOM to S3 + run: | + aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json + aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif + + - name: Update Notion Page + uses: ydataai/update-notion-page@v1 + env: + STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }} + STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }} + with: + notion_secret: ${{ secrets.NOTION_SECRET }} + notion_database_id: ${{ env.NOTION_DATABASE_ID }} + notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }' + notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }' + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1 with: @@ -78,14 +143,12 @@ jobs: id: ecr_password uses: aws-actions/amazon-ecr-login@v1 - - name: Build and push - uses: docker/build-push-action@v3 + - name: Push Docker Image env: DOCKER_IMAGE_TAG: ${{ steps.ecr_password.outputs.registry }}/${{ env.DOCKER_REPOSITORY }}:${{ needs.prepare.outputs.version }} - with: - context: . - push: true - tags: ${{ env.DOCKER_IMAGE_TAG }} + run: | + docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }} + docker push ${{ env.DOCKER_IMAGE_TAG }} update-manifests: @@ -107,7 +170,7 @@ jobs: - uses: imranismail/setup-kustomize@v2 with: - kustomize-version: "3.8.5" + kustomize-version: ${{ secrets.KUSTOMIZE_VERSION }} - name: Update kustomization image tag env: diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index 4cba90f..8e3b499 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -12,6 +12,20 @@ on: +env: + AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} + SBOM_FILENAME: package-sbom + NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }} + + + +permissions: + id-token: write + contents: read + packages: read + + + jobs: build: name: Build @@ -45,3 +59,54 @@ jobs: - name: Run tests run: make test + + + static-analysis: + name: Static Analysis + runs-on: + - self-hosted + - large + + steps: + - uses: actions/checkout@v3 + + - name: Create SBOM + uses: anchore/sbom-action@v0 + with: + format: spdx-json + output-file: ${{ env.SBOM_FILENAME }}.spdx.json + + - name: Scan SBOM + id: scan_sbom + uses: anchore/scan-action@v3 + with: + sbom: ${{ env.SBOM_FILENAME }}.spdx.json + output-format: sarif + fail-build: false + + - name: Determine number of noticiable vulnerabilities + id: count_vulnerabilities + run: | + echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }} + aws-region: ${{ env.AWS_S3_REGION }} + + - name: Copy SBOM to S3 + run: | + aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json + aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif + + - name: Update Notion Page + uses: ydataai/update-notion-page@v1 + env: + STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }} + STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }} + with: + notion_secret: ${{ secrets.NOTION_SECRET }} + notion_database_id: ${{ env.NOTION_DATABASE_ID }} + notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }' + notion_page_update_properties: '{ "Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }' diff --git a/.github/workflows/released.yaml b/.github/workflows/released.yaml index 90ec780..087695b 100644 --- a/.github/workflows/released.yaml +++ b/.github/workflows/released.yaml @@ -53,13 +53,13 @@ jobs: steps: - name: Version id: version - run: echo ::set-output name=value::${GITHUB_REF#refs/*/} + run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT - uses: actions/checkout@v3 - name: Git Short sha id: short_sha - run: echo "::set-output name=value::$(git rev-parse --short HEAD)" + run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT docker-tag: @@ -112,7 +112,7 @@ jobs: - uses: imranismail/setup-kustomize@v2 with: - kustomize-version: "3.8.5" + kustomize-version: ${{ secrets.KUSTOMIZE_VERSION }} - name: Update kustomization image tag env: