diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 46616f69..c2527592 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,6 +12,51 @@ on: branches: - main jobs: + snyk-scan: + runs-on: ubuntu-latest + permissions: + id-token: write + pull-requests: read + contents: read + deployments: write + steps: + - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + app_name: 'babylon-nodecli' + step_name: 'snyk-scan-deps-licenses' + secret_prefix: 'SNYK' + secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + parse_json: true + - name: Setup python + uses: actions/setup-python@v4.5.0 + with: + python-version: 3.10.6 + - name: Install pipenv + run: python -m pip install --upgrade pipenv wheel + - name: Install dependencies + run: | + cd ./node-runner-cli + pipenv install + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Install Snyk cli + run: | + npm install snyk -g + snyk -v + snyk auth ${{ env.SNYK_TOKEN }} + - name: Run Snyk to check for deps vulnerabilities + run: snyk test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Run Snyk to check for code vulnerabilities + run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Test SBOM generation + run: snyk sbom --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json + package_ubuntu_cli: name: "Package cli for Ubuntu" runs-on: ubuntu-22.04 @@ -96,6 +141,7 @@ jobs: if: ${{ github.event_name == 'push' }} needs: - package_ubuntu_cli + - snyk-scan permissions: id-token: write contents: read 
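Review bot: The secret-fetching action is pinned to a mutable branch, `uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main`, while `actions/checkout` in the same step list is pinned to a full commit SHA; this action assumes an AWS role and exports the Snyk token, so any change on that branch runs with those credentials — pin it to a commit, `uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@<commit-sha> # <tag>`. `npm install snyk -g` likewise installs whatever version is current at run time; pin it, `npm install -g snyk@<pinned-version>`. The same two steps recur in the `upload-sbom` hunk (`@@ -151,11 +198,54 @@`) and the `snyk-monitor` hunk (`@@ -425,6 +518,48 @@`). `deployments: write` in the job's `permissions` does not look needed for a scan that only reads the checkout and calls Snyk; if it is there for the fetch-secrets action, a comment saying so would help. Note also that `--severity-threshold=critical` on the dependency test lets high-severity dependency findings pass while `snyk code test` gates at high; if that asymmetry is intended, a comment on the step would document it.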
@@ -135,6 +181,7 @@ jobs: if: ${{ github.event_name == 'release' }} needs: - package_ubuntu_cli + - snyk-scan steps: - name: Download packaged cli uses: actions/download-artifact@v3 @@ -151,11 +198,54 @@ jobs: asset_content_type: application/octet-stream if: ${{ github.event_name == 'release' }} + upload-sbom: + runs-on: ubuntu-latest + if: ${{ github.event_name == 'release' }} + permissions: write-all + needs: + - package_ubuntu_cli + - snyk-scan + steps: + - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + app_name: 'babylon-nodecli' + step_name: 'upload-sbom' + secret_prefix: 'SNYK' + secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + parse_json: true + - name: Setup python + uses: actions/setup-python@v4.5.0 + with: + python-version: 3.10.6 + - name: Install pipenv + run: python -m pip install --upgrade pipenv wheel + - name: Install dependencies + run: | + cd ./node-runner-cli + pipenv install + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Install Snyk cli + run: | + npm install snyk -g + snyk -v + snyk auth ${{ env.SNYK_TOKEN }} + - name: Generate SBOM + run: snyk sbom --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json + - name: Upload SBOM + uses: AButler/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a # v2.0.2 + with: + files: sbom.json + repo-token: ${{ secrets.GITHUB_TOKEN }} + upload-release-focal: runs-on: ubuntu-20.04 if: ${{ github.event_name == 'release' }} needs: - package_ubuntu_cli + - snyk-scan steps: - name: Download packaged cli uses: actions/download-artifact@v3 @@ -176,6 +266,7 @@ jobs: runs-on: [node-only] needs: - package_ubuntu_cli + - snyk-scan steps: - name: Checkout uses: actions/checkout@v3.4.0 
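Review bot: `permissions: write-all` on the `upload-sbom` job grants every scope the GITHUB_TOKEN can carry, whereas the sibling jobs in this diff list only what they use; uploading a release asset needs `contents: write` and the OIDC role assumption needs `id-token: write`, so the block can be `permissions:` followed by `id-token: write` and `contents: write`. If the fetch-secrets action needs something beyond that, add it explicitly rather than the wildcard. The job also re-runs `pipenv install` and regenerates `sbom.json` although `snyk-scan` already produced the same file; publishing it from `snyk-scan` with an upload-artifact step and downloading it here would avoid a second dependency install under an over-broad token (inferred — the scan job does not currently publish the file).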
@@ -252,6 +343,7 @@ jobs: runs-on: ubuntu-22.04 needs: - package_ubuntu_cli + - snyk-scan steps: - name: Checkout uses: actions/checkout@v3.4.0 @@ -340,6 +432,7 @@ jobs: contents: read needs: - package_ubuntu_cli + - snyk-scan steps: - name: Checkout uses: actions/checkout@v3.4.0 @@ -425,6 +518,48 @@ jobs: NGINX_METRICS_PASSWORD: ${{secrets.NGINX_METRICS_PASSWORD}} NGINX_SUPERADMIN_PASSWORD: ${{secrets.NGINX_SUPERADMIN_PASSWORD}} + snyk-monitor: + runs-on: ubuntu-latest + if: ${{ github.event_name == 'release' }} + needs: + - package_ubuntu_cli + - snyk-scan + permissions: + id-token: write + pull-requests: read + contents: read + deployments: write + steps: + - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + app_name: 'babylon-nodecli' + step_name: 'snyk-monitor' + secret_prefix: 'SNYK' + secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + parse_json: true + - name: Setup python + uses: actions/setup-python@v4.5.0 + with: + python-version: 3.10.6 + - name: Install pipenv + run: python -m pip install --upgrade pipenv wheel + - name: Install dependencies + run: | + cd ./node-runner-cli + pipenv install + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Install Snyk cli + run: | + npm install snyk -g + snyk -v + snyk auth ${{ env.SNYK_TOKEN }} + - name: Enable Snyk online monitoring - Devops + run: snyk monitor --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_DEVOPS_ORG_ID }} --target-reference=${{ github.ref_name }} + - name: Enable Snyk online monitoring - Network + run: snyk monitor --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --target-reference=${{ github.ref_name }} # These do not run on Babylon # test-core-api: diff --git a/.snyk b/.snyk new file mode 100644 index 00000000..c26e264c --- /dev/null +++ b/.snyk 
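Review bot: `${{ github.ref_name }}` is interpolated straight into the `run:` script of both monitor steps; the job is gated on `release`, so the value is the release tag and its author is trusted, but the safer pattern is still to pass such context through an environment variable so the shell never parses it as code: `env: TARGET_REF: ${{ github.ref_name }}` on the step and `--target-reference="$TARGET_REF"` in the command. The same applies to `${{ env.SNYK_TOKEN }}` on the `snyk auth` line, which also places the token on the command line; the Snyk CLI reads `SNYK_TOKEN` from the environment, so the `snyk auth` call can be dropped if fetch-secrets already exports it (it is referenced as `env.SNYK_TOKEN`, so that looks to be the case — confirm). `deployments: write` and `pull-requests: read` are not used by any step visible here; if fetch-secrets requires them, a comment would make that clear.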
@@ -0,0 +1,7 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+ignore: {}
+patch: {}
+exclude:
+ global:
+ - ./node-runner-cli/utils/utils.py
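Review bot: The `exclude.global` entry removes `./node-runner-cli/utils/utils.py` from every Snyk scan in the repository without saying why, so findings in that file are silently dropped for all future runs, including the `snyk code test` gate added in ci.yml. Add a comment above the entry recording the reason and when to revisit, e.g. `# <reason for excluding utils.py>; revisit by <date>`. If the motivation is one specific finding, a targeted `ignore` entry with a `reason` and an `expires` date scopes the suppression to that issue instead of the whole file.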