chore(actions): add static analysis

.github/workflows/merge-master.yaml

@@ -37,7 +37,7 @@ jobs:
 
     - name: Git Short sha
       id: short_sha
-      run: echo "::set-output name=value::$(git rev-parse --short HEAD)"
+      run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
 
   build:

.github/workflows/prereleased.yaml

@@ -20,6 +20,17 @@ env:
   CONTAINER: authentication-service-container-image
   DOCKER_REPOSITORY: authentication-service
 
+  AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
+  SBOM_FILENAME: docker-sbom
+  NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}
+
+
+
+permissions:
+  id-token: write
+  contents: read
+  packages: read
+
 
 
 jobs:
@@ -52,7 +63,7 @@ jobs:
     steps:
     - name: Version
       id: version
-      run: echo ::set-output name=value::${GITHUB_REF#refs/*/}
+      run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
 
 
   build:
@@ -67,6 +78,60 @@ jobs:
     steps:
     - uses: actions/checkout@v3
 
+    - name: Build Docker Image
+      id: docker_build
+      uses: docker/build-push-action@v3
+      env:
+        DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY }}:${{ needs.prepare.outputs.version }}
+      with:
+        context: .
+        push: false
+        load: true
+        tags: ${{ env.DOCKER_IMAGE_TAG }}
+
+    - name: Create Docker SBOM
+      uses: anchore/sbom-action@v0
+      with:
+        image: ${{ steps.docker_build.outputs.imageId }}
+        format: spdx-json
+        upload-release-assets: false
+        output-file: ${{ env.SBOM_FILENAME }}.spdx.json
+
+    - name: Scan SBOM
+      id: scan_sbom
+      uses: anchore/scan-action@v3
+      with:
+        sbom: ${{ env.SBOM_FILENAME }}.spdx.json
+        output-format: sarif
+        fail-build: false
+
+    - name: Determine number of noticiable vulnerabilities
+      id: count_vulnerabilities
+      run: |
+        echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }}
+        aws-region: ${{ env.AWS_S3_REGION }}
+
+    - name: Copy SBOM to S3
+      run: |
+        aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
+        aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
+
+    - name: Update Notion Page
+      uses: ydataai/update-notion-page@v1
+      env:
+        STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
+        STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
+      with:
+        notion_secret: ${{ secrets.NOTION_SECRET }}
+        notion_database_id: ${{ env.NOTION_DATABASE_ID }}
+        notion_database_query_filter: '{  "property": "Repo",  "title": { "equals": "${{ github.event.repository.name }}" }  }'
+        notion_page_update_properties: '{  "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" }  }'
+
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v1
       with:
@@ -78,14 +143,12 @@ jobs:
       id: ecr_password
       uses: aws-actions/amazon-ecr-login@v1
 
-    - name: Build and push
-      uses: docker/build-push-action@v3
+    - name: Push Docker Image
       env:
         DOCKER_IMAGE_TAG: ${{ steps.ecr_password.outputs.registry }}/${{ env.DOCKER_REPOSITORY }}:${{ needs.prepare.outputs.version }}
-      with:
-        context: .
-        push: true
-        tags: ${{ env.DOCKER_IMAGE_TAG }}
+      run: |
+        docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
+        docker push ${{ env.DOCKER_IMAGE_TAG }}
 
 
   update-manifests:
@@ -107,7 +170,7 @@ jobs:
 
     - uses: imranismail/setup-kustomize@v2
       with:
-        kustomize-version: "3.8.5"
+        kustomize-version: ${{ secrets.KUSTOMIZE_VERSION }}
 
     - name: Update kustomization image tag
       env:

.github/workflows/pull-request.yaml

@@ -12,6 +12,20 @@ on:
 
 
 
+env:
+  AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
+  SBOM_FILENAME: package-sbom
+  NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}
+
+
+
+permissions:
+  id-token: write
+  contents: read
+  packages: read
+
+
+
 jobs:
   build:
     name: Build
@@ -45,3 +59,54 @@ jobs:
 
     - name: Run tests
       run: make test
+
+
+  static-analysis:
+    name: Static Analysis
+    runs-on:
+    - self-hosted
+    - large
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Create SBOM
+      uses: anchore/sbom-action@v0
+      with:
+        format: spdx-json
+        output-file: ${{ env.SBOM_FILENAME }}.spdx.json
+
+    - name: Scan SBOM
+      id: scan_sbom
+      uses: anchore/scan-action@v3
+      with:
+        sbom: ${{ env.SBOM_FILENAME }}.spdx.json
+        output-format: sarif
+        fail-build: false
+
+    - name: Determine number of noticiable vulnerabilities
+      id: count_vulnerabilities
+      run: |
+        echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }}
+        aws-region: ${{ env.AWS_S3_REGION }}
+
+    - name: Copy SBOM to S3
+      run: |
+        aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
+        aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
+
+    - name: Update Notion Page
+      uses: ydataai/update-notion-page@v1
+      env:
+        STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
+        STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
+      with:
+        notion_secret: ${{ secrets.NOTION_SECRET }}
+        notion_database_id: ${{ env.NOTION_DATABASE_ID }}
+        notion_database_query_filter: '{  "property": "Repo",  "title": { "equals": "${{ github.event.repository.name }}" }  }'
+        notion_page_update_properties: '{  "Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" }  }'

.github/workflows/released.yaml

@@ -53,13 +53,13 @@ jobs:
     steps:
     - name: Version
       id: version
-      run: echo ::set-output name=value::${GITHUB_REF#refs/*/}
+      run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
 
     - uses: actions/checkout@v3
 
     - name: Git Short sha
       id: short_sha
-      run: echo "::set-output name=value::$(git rev-parse --short HEAD)"
+      run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
 
   docker-tag:
@@ -112,7 +112,7 @@ jobs:
 
     - uses: imranismail/setup-kustomize@v2
       with:
-        kustomize-version: "3.8.5"
+        kustomize-version: ${{ secrets.KUSTOMIZE_VERSION }}
 
     - name: Update kustomization image tag
       env: