diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
index 0675985..2f50ddc 100644
--- a/.github/workflows/code-scan.yml
+++ b/.github/workflows/code-scan.yml
@@ -78,7 +78,7 @@ jobs:
 )
 if five_recently_updated_closed_prs.status_code != 200:
- print('::error ::Error fetching closed PRs')
+ print('::warning ::Failed to fetch closed PRs, defaulting to running a new scan')
 skip_job_and_continue_scan = True
 else:
 five_recently_updated_closed_prs = five_recently_updated_closed_prs.json()
@@ -101,7 +101,7 @@ jobs:
 )
 if workflow_runs.status_code != 200:
- print('::error ::Error fetching workflow run')
+ print('::warning ::Failed to fetch PR workflow runs, defaulting to running a new scan')
 skip_job_and_continue_scan = True
 else:
 workflow_runs = workflow_runs.json().get('workflow_runs', [])
@@ -115,11 +115,11 @@ jobs:
 break
 if run_id is None:
- print('::notice ::No matching workflow run found')
+ print('::warning ::Failed to find a matching workflow run on the PR, defaulting to running a new scan')
 skip_job_and_continue_scan = True
 else:
- print('::notice ::No matching PR found')
+ print('::warning ::Failed to fetch a matching PR, defaulting to running a new scan')
 skip_job_and_continue_scan = True
 with open(env_file, 'a') as f:
@@ -334,7 +334,7 @@ jobs:
 except IOError:
 pass
 if allowlist == False:
- print(f'::notice ::Allowlist file not found')
+ print(f'::notice ::Allowlist file not found in current repository, skipping remaining steps')
 if external_repository != '':
 headers = {
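Review bot: The two new warnings in the `-78` and `-101` hunks drop the HTTP status of the failed GitHub API call, while the sibling message in the external-allowlist step (hunk `-346`) reports `({response.status_code} - {response.reason})`; without it, an expired or under-scoped token (401/403), a rate limit and a transient 5xx all look the same in the job log, which makes the "defaulting to running a new scan" fallback hard to audit after the fact. Suggest `print(f'::warning ::Failed to fetch closed PRs ({five_recently_updated_closed_prs.status_code} - {five_recently_updated_closed_prs.reason}), defaulting to running a new scan')` and the same shape for `workflow_runs` in the second hunk. The fallback itself (`skip_job_and_continue_scan = True`) is the safe direction, since a lookup failure produces a fresh scan rather than a skipped one, and that is worth a one-line comment above the `if` so nobody later "fixes" it into an early exit. The surrounding script begins and continues outside these hunks.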
@@ -346,13 +346,13 @@ jobs:
 for file_name in _config_file_names:
 response = requests.get(f'https://api.github.com/repos/entur/{external_repository}/contents/{_file_location}/{file_name}', headers=headers)
 if response.status_code != 404 and response.status_code != 200:
- print(f'::error ::Could not get external allowlist file ({response.status_code} - {response.reason})')
+ print(f'::warning ::Failed to fetch allowlist file from external repository ({response.status_code} - {response.reason})')
 break
 if response.status_code == 200:
 external_allowlist = True
 break
 if external_allowlist == False:
- print(f'::notice ::External allowlist file not found')
+ print(f'::warning ::Failed to find allowlist in external repository')
 if external_allowlist:
 with open(os.path.join(_file_location, 'external_codescan.yml'), 'w') as f:
@@ -378,16 +378,16 @@ jobs:
 _file_location = '.entur/security'
 schema = {
- 'apiVersion': {'type': 'string', 'required': True, 'allowed': 'entur.io/securitytools/v1'},
+ 'apiVersion': {'type': 'string', 'required': True, 'allowed': ['entur.io/securitytools/v1']},
 'kind': {'type': 'string', 'required': True, 'allowed': ['CodeScanConfig']},
 'metadata': {
 'type': 'dict',
 'required': True,
 'schema': {
- 'id' : {'type': 'string', 'required': True}
- 'name': {'type': 'string', 'required': True}
- 'owner': {'type': 'string', 'required': True}
- }
+ 'id' : {'type': 'string', 'required': True},
+ 'name': {'type': 'string', 'required': True},
+ 'owner': {'type': 'string', 'required': True},
+ },
 },
 'spec': {
 'type': 'dict',
@@ -402,12 +402,12 @@ jobs:
 'schema': {
 'cwe': {'type': 'string', 'required': True},
 'comment': {'type': 'string', 'required': True},
- 'reason': {'type': 'string', 'required': True}
- }
- }
- }
- }
- }
+ 'reason': {'type': 'string', 'required': True},
+ },
+ },
+ },
+ },
+ },
 }
 v = Validator(schema)
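Review bot: The `apiVersion` fix at the top of the `-378` hunk deserves a comment, because the bare-string form it replaces does not look wrong to a casual reader: Cerberus's `allowed` rule expects a container, and as far as I recall a plain string is either rejected when the schema is built or, on older versions, matched by substring, which would accept any fragment of the version string. Suggest `# 'allowed' must be a list: a bare string is a schema error / substring match in Cerberus` above that line. The same schema, including the missing-comma `SyntaxError` that this commit repairs in the `metadata` and `spec` dicts, is duplicated in docker-scan.yml (hunks `-117` and `-141`), differing only in `kind` and the `cwe`/`cve` key; the fact that both copies carried the identical defect is a sign that a shared snippet, or at least a cross-reference comment in each file, would help keep them in step. Because the old dict literal did not parse, this commit is also the first revision in which the allowlist validation actually runs and can fail a job, which is worth stating in the commit description.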
@@ -421,13 +421,11 @@ jobs:
 pass
 if data == '':
- print('::error ::Allowlist file not found')
+ print('::error ::Allowlist file not found in current repository')
 sys.exit(1)
- if v.validate(data):
- print('The allowlist file is valid.')
- else:
- print(f'::error ::The allowlist file is invalid. Here are the errors: {v.errors}')
+ if not v.validate(data):
+ print(f'::error ::Allowlist file is invalid. Here are the errors: {v.errors}')
 sys.exit(1)
 if os.getenv('GHA_SECURITY_CODE_SCAN_EXTERNAL_ALLOWLIST') == 'True':
@@ -436,12 +434,10 @@ jobs:
 with open(os.path.join(_file_location, 'external_codescan.yml'), 'r') as f:
 data = yaml.safe_load(f)
 except IOError:
- print('::error ::External allowlist file not found')
+ print('::error ::Cached copy of external allowlist file not found')
 sys.exit(1)
- if v.validate(data):
- print('The external allowlist file is valid.')
- else:
- print(f'::error ::The external allowlist file is invalid. Here are the errors: {v.errors}')
+ if not v.validate(data):
+ print(f'::error ::External allowlist file is invalid. Here are the errors: {v.errors}')
 sys.exit(1)
 "
 - name: "Allowlist code scan alerts"
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
index b672a36..3f33053 100644
--- a/.github/workflows/docker-scan.yml
+++ b/.github/workflows/docker-scan.yml
@@ -73,7 +73,7 @@ jobs:
 pass
 if allowlist == False:
- print(f'::notice ::Allowlist file not found')
+ print(f'::notice ::Allowlist file not found in current repository, skipping remaining steps')
 if external_repository != '':
 headers = {
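Review bot: The new `if not v.validate(data):` in the `-421` hunk is reached with whatever `yaml.safe_load` returned, and the only guard in front of it is `data == ''` (presumably the value `data` is initialised to before the `try` that starts outside the hunk); an allowlist file that exists but is empty loads as `None`, and one whose top level is a list loads as a list. As far as I recall Cerberus raises `DocumentError` rather than returning `False` for a `None` or non-mapping document, so those inputs end in a traceback instead of the `::error` annotation this branch is written to emit. Suggest adding, between the not-found check and the validate call, `elif not isinstance(data, dict):` / `    print('::error ::Allowlist file is empty or not a mapping')` / `    sys.exit(1)`, so that missing, empty and malformed files all fail through the same annotated path. The same gap applies to the external-file check in `-436` and to the docker-scan hunks `-159` and `-174`.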
@@ -85,13 +85,13 @@ jobs:
 for file_name in _config_file_names:
 response = requests.get(f'https://api.github.com/repos/entur/{external_repository}/contents/{_file_location}/{file_name}', headers=headers)
 if response.status_code != 404 and response.status_code != 200:
- print(f'::error ::Could not get external allowlist file ({response.status_code} - {response.reason})')
+ print(f'::warning ::Failed to fetch allowlist file from external repository ({response.status_code} - {response.reason})')
 break
 if response.status_code == 200:
 external_allowlist = True
 break
 if external_allowlist == False:
- print(f'::notice ::External allowlist file not found')
+ print(f'::warning ::Failed to find an allowlist in external repository')
 if external_allowlist:
 with open(os.path.join(_file_location, 'external_dockerscan.yml'), 'w') as f:
@@ -117,16 +117,16 @@ jobs:
 _file_location = '.entur/security'
 schema = {
- 'apiVersion': {'type': 'string', 'required': True, 'allowed': 'entur.io/securitytools/v1'},
+ 'apiVersion': {'type': 'string', 'required': True, 'allowed': ['entur.io/securitytools/v1']},
 'kind': {'type': 'string', 'required': True, 'allowed': ['DockerScanConfig']},
 'metadata': {
 'type': 'dict',
 'required': True,
 'schema': {
- 'id' : {'type': 'string', 'required': True}
- 'name': {'type': 'string', 'required': True}
- 'owner': {'type': 'string', 'required': True}
- }
+ 'id' : {'type': 'string', 'required': True},
+ 'name': {'type': 'string', 'required': True},
+ 'owner': {'type': 'string', 'required': True},
+ },
 },
 'spec': {
 'type': 'dict',
@@ -141,12 +141,12 @@ jobs:
 'schema': {
 'cve': {'type': 'string', 'required': True},
 'comment': {'type': 'string', 'required': True},
- 'reason': {'type': 'string', 'required': True}
- }
- }
- }
- }
- }
+ 'reason': {'type': 'string', 'required': True},
+ },
+ },
+ },
+ },
+ },
 }
 v = Validator(schema)
@@ -159,13 +159,11 @@ jobs:
 except IOError:
 pass
 if data == '':
- print('::error ::Allowlist file not found')
+ print('::error ::Allowlist file not found in current repository')
 sys.exit(1)
- if v.validate(data):
- print('The allowlist file is valid.')
- else:
- print(f'::error ::The allowlist file is invalid. Here are the errors: {v.errors}')
+ if not v.validate(data):
+ print(f'::error ::Allowlist file is invalid. Here are the errors: {v.errors}')
 sys.exit(1)
 if os.getenv('GHA_SECURITY_DOCKER_SCAN_EXTERNAL_ALLOWLIST') == 'True':
@@ -174,12 +172,10 @@ jobs:
 with open(os.path.join(_file_location, 'external_dockerscan.yml'), 'r') as f:
 data = yaml.safe_load(f)
 except IOError:
- print('::error ::External allowlist file not found')
+ print('::error ::Cached copy of external allowlist file not found')
 sys.exit(1)
- if v.validate(data):
- print('The external allowlist file is valid.')
- else:
- print(f'::error ::The external allowlist file is invalid. Here are the errors: {v.errors}')
+ if not v.validate(data):
+ print(f'::error ::External allowlist file is invalid. Here are the errors: {v.errors}')
 sys.exit(1)
 "
 - name: Convert allowlist content to base64
diff --git a/README-code-scan.md b/README-code-scan.md
index b90a34d..dec463b 100644
--- a/README-code-scan.md
+++ b/README-code-scan.md
@@ -8,7 +8,7 @@ Add the following step to your workflow configuration:
 jobs:
 code-scan:
 name: Code Scan
- uses: entur/gha-security/.github/workflows/code-scan.yml@v1
+ uses: entur/gha-security/.github/workflows/code-scan.yml@v2
 secrets: inherit
 ```
 or add the Entur Shared Workflow _CodeQL Scan_. Go to the _Actions_ tab in your repository, click on _New workflow_ and select the button _Configure_ on the _CodeQL Scan_ workflow.
diff --git a/README-docker-scan.md b/README-docker-scan.md
index 643fc3a..458247b 100644
--- a/README-docker-scan.md
+++ b/README-docker-scan.md
@@ -75,7 +75,7 @@ jobs:
 docker-scan:
 name: Scan Docker Image
 needs: docker-build
- uses: entur/gha-security/.github/workflows/docker-scan.yml@v1
+ uses: entur/gha-security/.github/workflows/docker-scan.yml@v2
 with:
 image_artifact: ${{ needs.docker-build.outputs.image_artifact }}