From 94468bca895e32515761d54dc2140b2701718f50 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 08:53:13 +0200 Subject: [PATCH 01/34] ci: snyk integration --- .github/workflows/ci.yml | 110 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 46616f69..d5831911 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -12,6 +12,87 @@ on: branches: - main jobs: + snyk-scan-deps-licences: + runs-on: ubuntu-latest + permissions: + id-token: write + pull-requests: read + contents: read + deployments: write + steps: + - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + app_name: 'babylon-nodecli' + step_name: 'snyk-scan-deps-licenses' + secret_prefix: 'SNYK' + secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + parse_json: true + - name: Run Snyk to check for deps vulnerabilities - Devops + uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 + with: + args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical + - name: Run Snyk to check for deps vulnerabilities - Network + uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 + with: + args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical + + snyk-scan-code: + runs-on: ubuntu-latest + permissions: + id-token: write + pull-requests: read + contents: read + deployments: write + steps: + - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + app_name: 'babylon-nodecli' + step_name: 'snyk-scan-code' + secret_prefix: 'SNYK' + secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + parse_json: true + - name: Run Snyk to check for code vulnerabilities - Devops + uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 + with: + args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=high + command: code test + - name: Run Snyk to check for code vulnerabilities - Network + uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 + with: + args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} 
--severity-threshold=high + command: code test + + snyk-sbom: + runs-on: ubuntu-latest + permissions: + id-token: write + pull-requests: read + contents: read + deployments: write + needs: + - snyk-scan-deps-licences + - snyk-scan-code + steps: + - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + app_name: 'babylon-nodecli' + step_name: 'snyk-sbom' + secret_prefix: 'SNYK' + secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + parse_json: true + - name: Generate SBOM # check SBOM can be generated but nothing is done with it + uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 + with: + args: --all-projects --format=cyclonedx1.4+json --json-file-output sbom.json + command: sbom + + package_ubuntu_cli: name: "Package cli for Ubuntu" runs-on: ubuntu-22.04 
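Review bot: The `radixdlt/public-iac-resuable-artifacts/fetch-secrets@main` step in each new job is pinned to a mutable branch while `actions/checkout` and `snyk/actions/python` in the same step lists are pinned to commit SHAs; judging by its inputs (`role_name`, `secret_name`, `id-token: write`) this is the step that assumes the AWS role and pulls the Snyk token, so it is the one most worth pinning, e.g. `uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@<commit-sha>  # <tag>`. The `permissions:` blocks also grant `deployments: write` to jobs that only scan; unless fetch-secrets needs it, `contents: read` plus `id-token: write` looks sufficient. Both points apply equally to the `snyk-monitor` job in the next hunk and to the consolidated `snyk-scan` job of patch 19.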
@@ -425,6 +506,35 @@ jobs: NGINX_METRICS_PASSWORD: ${{secrets.NGINX_METRICS_PASSWORD}} NGINX_SUPERADMIN_PASSWORD: ${{secrets.NGINX_SUPERADMIN_PASSWORD}} + snyk-monitor: + runs-on: ubuntu-latest + #needs: + # - upload-release-jammy + permissions: + id-token: write + pull-requests: read + contents: read + deployments: write + steps: + - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + app_name: 'babylon-nodecli' + step_name: 'snyk-monitor' + secret_prefix: 'SNYK' + secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + parse_json: true + - name: Enable Snyk online monitoring to check for vulnerabilities + uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 + with: + args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --target-reference=${{ github.ref_name }} + command: monitor + - name: Enable Snyk online monitoring to check for vulnerabilities + uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 + with: + args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --target-reference=${{ github.ref_name }} + command: monitor # These do not run on Babylon # test-core-api: From c051e0a66533b1f1155aca3a1f63a474c4b3b5d5 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 09:49:57 +0200 Subject: [PATCH 02/34] ci: snyk integration --- .github/workflows/ci.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d5831911..6e675ab9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
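Review bot: The two monitor steps carry the identical `name: Enable Snyk online monitoring to check for vulnerabilities`, so the run log cannot tell the Devops upload from the Network one; suffix them `- Devops` and `- Network` the way the scan steps are. With `needs:` commented out the job also publishes a monitor snapshot on every trigger of this workflow rather than only after the release upload it names; if that is intended, delete the commented `needs:` lines instead of leaving dead configuration, and if not, restore the dependency.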
@@ -32,11 +32,11 @@ jobs: - name: Run Snyk to check for deps vulnerabilities - Devops uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 with: - args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical + args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical -d - name: Run Snyk to check for deps vulnerabilities - Network uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 with: - args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical + args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical -d snyk-scan-code: runs-on: ubuntu-latest @@ -56,11 +56,6 @@ jobs: secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} parse_json: true - name: Run Snyk to check for code vulnerabilities - Devops - uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 - with: - args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=high - command: code test - - name: Run Snyk to check for code vulnerabilities - Network uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 with: args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high From 69a47684dbcd8bce6230526f5197ec288c84fba0 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 09:58:50 +0200 Subject: [PATCH 03/34] ci: snyk integration --- .github/workflows/ci.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6e675ab9..772a8d1c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
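Review bot: Adding `-d` switches on Snyk's debug logging for both `snyk test` steps and that output lands in the workflow log; I cannot tell from here what the debug stream includes, so confirm it does not echo the auth token or request headers before leaving it on permanently, and prefer removing it once the integration is working.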
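Review bot: After the deletion in the second hunk the surviving code-test step is still titled `Run Snyk to check for code vulnerabilities - Devops` but runs with `--org=${{ env.SNYK_NETWORK_ORG_ID }}`, so the step label now contradicts the org it reports to; rename it `- name: Run Snyk to check for code vulnerabilities - Network` or drop the suffix.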
@@ -29,14 +29,17 @@ jobs: secret_prefix: 'SNYK' secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} parse_json: true - - name: Run Snyk to check for deps vulnerabilities - Devops - uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 - with: - args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical -d +# - name: Run Snyk to check for deps vulnerabilities - Devops +# uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 +# with: +# args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical -d - name: Run Snyk to check for deps vulnerabilities - Network - uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 - with: - args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical -d + shell: bash + run: | + npm install snyk -g + snyk -v + snyk auth ${{ env.SNYK_TOKEN }} + snyk test --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical -d snyk-scan-code: runs-on: ubuntu-latest From 7318fbabf108520da1ed2cbb913d1ea492f4200d Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 10:05:23 +0200 Subject: [PATCH 04/34] ci: snyk integration --- .github/workflows/ci.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 772a8d1c..8a725a56 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -33,8 +33,11 @@ jobs: # uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 # with: # args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical -d + - name: Install pipenv + run: | + sudo apt-get update + sudo apt-get -y install pipenv - name: Run Snyk to check for deps vulnerabilities - Network - shell: bash run: | npm install snyk -g snyk -v From a07c11ddd5b7fe3ef1a0e5e6e0bcd67b5e4ece6a Mon Sep 17 00:00:00 2001 
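Review bot: `snyk auth ${{ env.SNYK_TOKEN }}` interpolates the token into the shell script text at template-expansion time; since the step already has it as the `SNYK_TOKEN` environment variable (that is what `env.SNYK_TOKEN` reads), the Snyk CLI picks it up from the environment on its own and the `snyk auth` line can simply be dropped. `npm install snyk -g` installs whatever version npm serves that day, whereas the action it replaces was SHA-pinned; pin it, e.g. `npm install -g snyk@<pinned-version>`. The same two lines are carried into the consolidated `Install Snyk cli` step of patch 19.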
From: Marek Karwacki Date: Wed, 2 Aug 2023 10:13:03 +0200 Subject: [PATCH 05/34] ci: snyk integration --- .github/workflows/ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8a725a56..0d38e2ab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -35,8 +35,7 @@ jobs: # args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical -d - name: Install pipenv run: | - sudo apt-get update - sudo apt-get -y install pipenv + python -m pip install --upgrade pipenv wheel - name: Run Snyk to check for deps vulnerabilities - Network run: | npm install snyk -g From d43fdbc5f06a25663f2ebff6a165de5fa4684838 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 10:16:26 +0200 Subject: [PATCH 06/34] ci: snyk integration --- .github/workflows/ci.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0d38e2ab..8aab41ec 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -33,15 +33,18 @@ jobs: # uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 # with: # args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical -d - - name: Install pipenv - run: | - python -m pip install --upgrade pipenv wheel + - name: setup python + uses: actions/setup-python@v4.5.0 + with: + python-version: 3.10.6 - name: Run Snyk to check for deps vulnerabilities - Network run: | npm install snyk -g snyk -v snyk auth ${{ env.SNYK_TOKEN }} snyk test --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical -d + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} snyk-scan-code: runs-on: ubuntu-latest From 563743aeb8901ab08252c9577878ab7abe3e4d0b Mon Sep 17 00:00:00 2001 
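Review bot: In the patch 06 hunk `actions/setup-python@v4.5.0` is pinned to a tag while `actions/checkout` a few lines above is pinned to a commit SHA; pin it the same way so a moved tag cannot change what runs, `uses: actions/setup-python@<commit-sha>  # v4.5.0`. The new `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` on the Snyk step has no comment saying why a dependency scan needs a GitHub token — presumably for the git-sourced dependency in the Pipfile, but that is an inference; a line such as `# needed to resolve the git-hosted core_client dependency` would settle it. `python-version: 3.10.6` is safe unquoted, but a two-component `3.10` would parse as a float, so quote it if the patch level is ever dropped.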
From: Marek Karwacki Date: Wed, 2 Aug 2023 10:18:05 +0200 Subject: [PATCH 07/34] ci: snyk integration --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8aab41ec..64173566 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -37,6 +37,9 @@ jobs: uses: actions/setup-python@v4.5.0 with: python-version: 3.10.6 + - name: Install pipenv + run: | + python -m pip install --upgrade pipenv wheel - name: Run Snyk to check for deps vulnerabilities - Network run: | npm install snyk -g From 25bad15508f609d16b93917494c52294faf045c0 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 11:02:12 +0200 Subject: [PATCH 08/34] ci: snyk integration --- .github/workflows/ci.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 64173566..4a15632c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,6 +42,8 @@ jobs: python -m pip install --upgrade pipenv wheel - name: Run Snyk to check for deps vulnerabilities - Network run: | + whereis pipenv + pipenv -v npm install snyk -g snyk -v snyk auth ${{ env.SNYK_TOKEN }} @@ -100,6 +102,7 @@ jobs: package_ubuntu_cli: + if: ${{ github.event_name == 'release' }} name: "Package cli for Ubuntu" runs-on: ubuntu-22.04 steps: From a2c107235373d0abf600720ad4991ffa5701e6da Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 11:03:15 +0200 Subject: [PATCH 09/34] ci: snyk integration --- .github/workflows/ci.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4a15632c..f7d37bf6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -102,7 +102,6 @@ jobs: package_ubuntu_cli: - if: ${{ github.event_name == 'release' }} name: "Package cli for Ubuntu" runs-on: ubuntu-22.04 steps: From 6f3d3277a38f88e9a19eadbfa5be546e837e9b8a Mon Sep 17 00:00:00 2001 
From: Marek Karwacki Date: Wed, 2 Aug 2023 11:09:17 +0200 Subject: [PATCH 10/34] ci: snyk integration --- .github/workflows/ci.yml | 2 -- node-runner-cli/Pipfile | 1 - 2 files changed, 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f7d37bf6..64173566 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -42,8 +42,6 @@ jobs: python -m pip install --upgrade pipenv wheel - name: Run Snyk to check for deps vulnerabilities - Network run: | - whereis pipenv - pipenv -v npm install snyk -g snyk -v snyk auth ${{ env.SNYK_TOKEN }} diff --git a/node-runner-cli/Pipfile b/node-runner-cli/Pipfile index ed6f8b1e..cfc98570 100644 --- a/node-runner-cli/Pipfile +++ b/node-runner-cli/Pipfile @@ -4,7 +4,6 @@ verify_ssl = true name = "pypi" [packages] -core_client = {git = "https://github.com/radixdlt/python-core-client", editable = true, ref = "v1.1.1"} requests = "==2.26.0" PyYAML = "==6.0.0" deepmerge = "==0.3.0" From 82b903e158e294016a71a92caf4ccc9c128a624f Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 11:11:30 +0200 Subject: [PATCH 11/34] ci: snyk integration --- .github/workflows/ci.yml | 5 +++-- node-runner-cli/Pipfile | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 64173566..586f887e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -38,8 +38,9 @@ jobs: with: python-version: 3.10.6 - name: Install pipenv - run: | - python -m pip install --upgrade pipenv wheel + run: python -m pip install --upgrade pipenv wheel + - name: Install dependencies + run: pipenv install - name: Run Snyk to check for deps vulnerabilities - Network run: | npm install snyk -g diff --git a/node-runner-cli/Pipfile b/node-runner-cli/Pipfile index cfc98570..ed6f8b1e 100644 --- a/node-runner-cli/Pipfile +++ b/node-runner-cli/Pipfile 
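Review bot: In the patch 11 workflow hunk `run: pipenv install` executes from the repository root, but the manifest this series touches is `node-runner-cli/Pipfile` (the second file in the same patch), so there is no Pipfile at that working directory; either `cd ./node-runner-cli` first or set `working-directory: ./node-runner-cli` on the step. If a Pipfile.lock is committed, `pipenv install --deploy` would additionally fail the job when the lock is stale instead of silently re-resolving, which is what a dependency scan wants.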
@@ -4,6 +4,7 @@ verify_ssl = true name = "pypi" [packages] +core_client = {git = "https://github.com/radixdlt/python-core-client", editable = true, ref = "v1.1.1"} requests = "==2.26.0" PyYAML = "==6.0.0" deepmerge = "==0.3.0" From ca59346731871648aacae148025469832f550b86 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 11:14:57 +0200 Subject: [PATCH 12/34] ci: snyk integration --- .github/workflows/ci.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 586f887e..1d41dde0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -40,7 +40,9 @@ jobs: - name: Install pipenv run: python -m pip install --upgrade pipenv wheel - name: Install dependencies - run: pipenv install + run: | + pipenv install + pipenv update - name: Run Snyk to check for deps vulnerabilities - Network run: | npm install snyk -g From d87d7dc25f6e5e7d4871c1042fe1e1eaf0500338 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 11:18:04 +0200 Subject: [PATCH 13/34] ci: snyk integration --- .github/workflows/ci.yml | 2 +- node-runner-cli/Pipfile | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1d41dde0..58644b68 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -48,7 +48,7 @@ jobs: npm install snyk -g snyk -v snyk auth ${{ env.SNYK_TOKEN }} - snyk test --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical -d + snyk test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical -d env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/node-runner-cli/Pipfile b/node-runner-cli/Pipfile index ed6f8b1e..cfc98570 100644 --- a/node-runner-cli/Pipfile +++ b/node-runner-cli/Pipfile 
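Review bot: `pipenv update` in the patch 12 hunk re-resolves every dependency and rewrites Pipfile.lock inside the runner, so the following `snyk test` reports on whatever versions resolved that day rather than on the versions the repository actually ships; a scan is only meaningful against the committed lock, so drop that line (and `--deploy` on the install would enforce that the lock is current).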
@@ -4,7 +4,6 @@ verify_ssl = true name = "pypi" [packages] -core_client = {git = "https://github.com/radixdlt/python-core-client", editable = true, ref = "v1.1.1"} requests = "==2.26.0" PyYAML = "==6.0.0" deepmerge = "==0.3.0" From 1900dc1cb2aa8fbabca7aae3622b16cdbb1b572a Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 11:21:03 +0200 Subject: [PATCH 14/34] ci: snyk integration --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 58644b68..1dbbd7df 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -41,8 +41,8 @@ jobs: run: python -m pip install --upgrade pipenv wheel - name: Install dependencies run: | + cd ./node-runner-cli pipenv install - pipenv update - name: Run Snyk to check for deps vulnerabilities - Network run: | npm install snyk -g From ff0b4c98af5ce6f5a8879577c108fde0ebe9ee94 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 11:24:11 +0200 Subject: [PATCH 15/34] ci: snyk integration --- .github/workflows/ci.yml | 4 +++- node-runner-cli/Pipfile | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1dbbd7df..3afcc618 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -33,7 +33,7 @@ jobs: # uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 # with: # args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical -d - - name: setup python + - name: Setup python uses: actions/setup-python@v4.5.0 with: python-version: 3.10.6 @@ -43,6 +43,8 @@ jobs: run: | cd ./node-runner-cli pipenv install + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Run Snyk to check for deps vulnerabilities - Network run: | npm install snyk -g diff --git a/node-runner-cli/Pipfile b/node-runner-cli/Pipfile index cfc98570..ed6f8b1e 100644 --- a/node-runner-cli/Pipfile 
+++ b/node-runner-cli/Pipfile @@ -4,6 +4,7 @@ verify_ssl = true name = "pypi" [packages] +core_client = {git = "https://github.com/radixdlt/python-core-client", editable = true, ref = "v1.1.1"} requests = "==2.26.0" PyYAML = "==6.0.0" deepmerge = "==0.3.0" From 06659365f57dfa4ddc00d76d1a0e6af921b0f9f3 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 11:34:47 +0200 Subject: [PATCH 16/34] ci: snyk integration --- .github/workflows/ci.yml | 46 ++++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3afcc618..d1637c58 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
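Review bot: The restored `core_client` entry points at a git tag (`ref = "v1.1.1"`), which is a mutable reference: whatever that tag resolves to on the day is what `pipenv install` builds, and with `editable = true` it is imported straight from that checkout. For a dependency pulled from a remote repository, pin `ref` to the commit SHA the tag currently resolves to and keep the tag as a comment, e.g. `ref = "<commit-sha>"  # v1.1.1`; a hashed release from an index would be stronger still if the package is published.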
@@ -29,30 +29,30 @@ jobs: secret_prefix: 'SNYK' secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} parse_json: true -# - name: Run Snyk to check for deps vulnerabilities - Devops -# uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 -# with: -# args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical -d - - name: Setup python - uses: actions/setup-python@v4.5.0 + - name: Run Snyk to check for deps vulnerabilities - Devops + uses: snyk/actions/python3.10@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 with: - python-version: 3.10.6 - - name: Install pipenv - run: python -m pip install --upgrade pipenv wheel - - name: Install dependencies - run: | - cd ./node-runner-cli - pipenv install - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Run Snyk to check for deps vulnerabilities - Network - run: | - npm install snyk -g - snyk -v - snyk auth ${{ env.SNYK_TOKEN }} - snyk test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical -d - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + args: --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical -d +# - name: Setup python +# uses: actions/setup-python@v4.5.0 +# with: +# python-version: 3.10.6 +# - name: Install pipenv +# run: python -m pip install --upgrade pipenv wheel +# - name: Install dependencies +# run: | +# cd ./node-runner-cli +# pipenv install +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +# - name: Run Snyk to check for deps vulnerabilities - Network +# run: | +# npm install snyk -g +# snyk -v +# snyk auth ${{ env.SNYK_TOKEN }} +# snyk test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical -d +# env: +# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} snyk-scan-code: runs-on: ubuntu-latest From cbded16fbb55eeaf1c7aaec849887c2b50f73877 Mon Sep 17 00:00:00 2001 
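Review bot: The hunk leaves about twenty commented-out workflow lines (the setup-python / pipenv / CLI path) under the new `snyk/actions/python3.10` step; the history is in git, so delete them rather than keep two implementations in the file. The `# v0.4.0` trailer was written for the `snyk/actions/python` path, so confirm the `python3.10` subdirectory actually exists at `b98d498629f1c368650224d6d212bf7dfa89e4bf` before relying on the pin.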
From: Marek Karwacki Date: Wed, 2 Aug 2023 11:35:56 +0200 Subject: [PATCH 17/34] ci: snyk integration --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d1637c58..ebc771fa 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -30,7 +30,7 @@ jobs: secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} parse_json: true - name: Run Snyk to check for deps vulnerabilities - Devops - uses: snyk/actions/python3.10@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 + uses: snyk/actions/python-3.10@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 with: args: --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical -d # - name: Setup python From 018db55180be285bfce53f31b6e620b6fcee5418 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 11:39:27 +0200 Subject: [PATCH 18/34] ci: snyk integration --- .github/workflows/ci.yml | 92 +++++++++++++++++++++++++--------------- 1 file changed, 57 insertions(+), 35 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index ebc771fa..4cfdcfc3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -29,30 +29,26 @@ jobs: secret_prefix: 'SNYK' secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} parse_json: true - - name: Run Snyk to check for deps vulnerabilities - Devops - uses: snyk/actions/python-3.10@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 + - name: Setup python + uses: actions/setup-python@v4.5.0 with: - args: --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_DEVOPS_ORG_ID }} --severity-threshold=critical -d -# - name: Setup python -# uses: actions/setup-python@v4.5.0 -# with: -# python-version: 3.10.6 -# - name: Install pipenv -# run: python -m pip install --upgrade pipenv wheel -# - name: Install dependencies -# run: | -# cd ./node-runner-cli -# pipenv install -# env: -# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -# - name: Run Snyk to check for deps vulnerabilities - Network -# run: | -# npm install snyk -g -# snyk -v -# snyk auth ${{ env.SNYK_TOKEN }} -# snyk test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical -d -# env: -# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + python-version: 3.10.6 + - name: Install pipenv + run: python -m pip install --upgrade pipenv wheel + - name: Install dependencies + run: | + cd ./node-runner-cli + pipenv install + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Run Snyk to check for deps vulnerabilities - Network + run: | + npm install snyk -g + snyk -v + snyk auth ${{ env.SNYK_TOKEN }} + snyk test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} snyk-scan-code: runs-on: ubuntu-latest 
@@ -71,11 +67,26 @@ jobs: secret_prefix: 'SNYK' secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} parse_json: true - - name: Run Snyk to check for code vulnerabilities - Devops - uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 + - name: Setup python + uses: actions/setup-python@v4.5.0 with: - args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high - command: code test + python-version: 3.10.6 + - name: Install pipenv + run: python -m pip install --upgrade pipenv wheel + - name: Install dependencies + run: | + cd ./node-runner-cli + pipenv install + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Run Snyk to check for deps vulnerabilities - Network + run: | + npm install snyk -g + snyk -v + snyk auth ${{ env.SNYK_TOKEN }} + snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} snyk-sbom: runs-on: ubuntu-latest @@ -84,9 +95,6 @@ jobs: pull-requests: read contents: read deployments: write - needs: - - snyk-scan-deps-licences - - snyk-scan-code steps: - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main 
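Review bot: The new step in `snyk-scan-code` runs `snyk code test --file=./node-runner-cli/Pipfile`, but as far as the CLI goes Snyk Code is a source scan that takes a directory path, not a manifest, and the step is still titled `Run Snyk to check for deps vulnerabilities - Network`; `snyk code test ./node-runner-cli --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high` under `- name: Run Snyk to check for code vulnerabilities - Network` matches what it is meant to do. The setup-python / pipenv / `npm install snyk -g` preamble is now copied verbatim into three jobs (this hunk, the one above and `snyk-sbom` below); a composite action or reusable workflow would keep the SHA pins and secret handling in one place. The `snyk auth ${{ env.SNYK_TOKEN }}` line repeats the token-in-script pattern raised on patch 03.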
@@ -97,12 +105,26 @@ jobs: secret_prefix: 'SNYK' secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} parse_json: true - - name: Generate SBOM # check SBOM can be generated but nothing is done with it - uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 + - name: Setup python + uses: actions/setup-python@v4.5.0 with: - args: --all-projects --format=cyclonedx1.4+json --json-file-output sbom.json - command: sbom - + python-version: 3.10.6 + - name: Install pipenv + run: python -m pip install --upgrade pipenv wheel + - name: Install dependencies + run: | + cd ./node-runner-cli + pipenv install + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Generate SBOM + run: | + npm install snyk -g + snyk -v + snyk auth ${{ env.SNYK_TOKEN }} + snyk sbom --file=./node-runner-cli/Pipfile ---format=cyclonedx1.4+json --json-file-output sbom.json + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} package_ubuntu_cli: name: "Package cli for Ubuntu" From 235cb549a0aaf0ea71de4328c436d386b3b136c5 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 11:42:39 +0200 Subject: [PATCH 19/34] ci: snyk integration --- .github/workflows/ci.yml | 85 ++++------------------------------------ 1 file changed, 8 insertions(+), 77 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4cfdcfc3..e0b62221 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -12,7 +12,7 @@ on: branches: - main jobs: - snyk-scan-deps-licences: + snyk-scan: runs-on: ubuntu-latest permissions: id-token: write 
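Review bot: The SBOM command is `snyk sbom --file=./node-runner-cli/Pipfile ---format=cyclonedx1.4+json ...` with three dashes on `---format`, so the option the action-based step spelled correctly (`--format=cyclonedx1.4+json`) is now malformed; the same line is carried into the `Test SBOM generation` step of patch 19. The `# check SBOM can be generated but nothing is done with it` comment was dropped in this rewrite but the situation is unchanged: `sbom.json` is written into the runner and discarded. If the SBOM is meant to be a build artefact, add an `actions/upload-artifact` step (SHA-pinned like the others) after it; if it is only a smoke test, put the comment back so the next reader knows.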
@@ -41,90 +41,21 @@ jobs: pipenv install env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Run Snyk to check for deps vulnerabilities - Network + - name: Install Snyk cli run: | npm install snyk -g snyk -v snyk auth ${{ env.SNYK_TOKEN }} - snyk test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical + - name: Run Snyk to check for deps vulnerabilities + run: snyk test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - snyk-scan-code: - runs-on: ubuntu-latest - permissions: - id-token: write - pull-requests: read - contents: read - deployments: write - steps: - - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} - app_name: 'babylon-nodecli' - step_name: 'snyk-scan-code' - secret_prefix: 'SNYK' - secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} - parse_json: true - - name: Setup python - uses: actions/setup-python@v4.5.0 - with: - python-version: 3.10.6 - - name: Install pipenv - run: python -m pip install --upgrade pipenv wheel - - name: Install dependencies - run: | - cd ./node-runner-cli - pipenv install - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Run Snyk to check for deps vulnerabilities - Network - run: | - npm install snyk -g - snyk -v - snyk auth ${{ env.SNYK_TOKEN }} - snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - snyk-sbom: - runs-on: ubuntu-latest - permissions: - id-token: write - pull-requests: read - contents: read - deployments: write - steps: - - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b - - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main - with: - role_name: ${{ 
secrets.AWS_ROLE_NAME_SNYK_SECRET }} - app_name: 'babylon-nodecli' - step_name: 'snyk-sbom' - secret_prefix: 'SNYK' - secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} - parse_json: true - - name: Setup python - uses: actions/setup-python@v4.5.0 - with: - python-version: 3.10.6 - - name: Install pipenv - run: python -m pip install --upgrade pipenv wheel - - name: Install dependencies - run: | - cd ./node-runner-cli - pipenv install - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Generate SBOM - run: | - npm install snyk -g - snyk -v - snyk auth ${{ env.SNYK_TOKEN }} - snyk sbom --file=./node-runner-cli/Pipfile ---format=cyclonedx1.4+json --json-file-output sbom.json + - name: Run Snyk to check for code vulnerabilities + run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Test SBOM generation + run: snyk sbom --file=./node-runner-cli/Pipfile ---format=cyclonedx1.4+json --json-file-output sbom.json package_ubuntu_cli: name: "Package cli for Ubuntu" From 9d9fda55d42b298cf4b58a3c70ccd5598193f9df Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 11:44:55 +0200 Subject: [PATCH 20/34] ci: snyk integration --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e0b62221..3c292c8e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,7 +51,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Run Snyk to check for code vulnerabilities - run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high + run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Test SBOM generation 
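Review bot: The consolidated `snyk-scan` job fails the dependency scan only at `--severity-threshold=critical` while the code scan fails at `--severity-threshold=high`, and nothing in the file records why a high-severity vulnerable dependency is acceptable when a high-severity code finding is not; either align the two or add a comment above the `snyk test` step stating the policy. The earlier points about `---format`, `snyk code test --file=`, the unpinned `npm install snyk -g` and `snyk auth ${{ env.SNYK_TOKEN }}` all persist in this hunk.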
From e6278422b5aa3ee99aba12153aefd87287425383 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Wed, 2 Aug 2023 11:49:35 +0200 Subject: [PATCH 21/34] ci: snyk integration --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3c292c8e..e0b62221 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,7 +51,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Run Snyk to check for code vulnerabilities - run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=critical + run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Test SBOM generation From 6d83c3cebda0c9cca2a567d7fbc65174e7bac940 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Thu, 3 Aug 2023 07:37:48 +0200 Subject: [PATCH 22/34] ci: snyk integration --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e0b62221..6963f948 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,7 +51,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Run Snyk to check for code vulnerabilities - run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high + run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high --report env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Test SBOM generation From 90682b0fa37459df18115f11cb3a406b0b6ef1ce Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Thu, 3 Aug 2023 07:40:49 +0200 Subject: [PATCH 23/34] ci: snyk integration --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6963f948..d7c8b6bc 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,7 +51,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Run Snyk to check for code vulnerabilities - run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high --report + run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high --report --project-name="babylon-nodecli" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Test SBOM generation From 11a2ee4740e11d5480e0ad353bf367d651417665 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Thu, 3 Aug 2023 07:44:11 +0200 Subject: [PATCH 24/34] ci: snyk integration --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d7c8b6bc..e0b62221 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,7 +51,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Run Snyk to check for code vulnerabilities - run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high --report --project-name="babylon-nodecli" + run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Test SBOM generation From 1f6b3fbcca97ebd704b1e401ec82c1194b77b8b5 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Thu, 3 Aug 2023 07:45:03 +0200 Subject: [PATCH 25/34] ci: snyk integration --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e0b62221..1b93b54e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -51,7 +51,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Run Snyk to check for code vulnerabilities - run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high + run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high --json env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Test SBOM generation From f8d836bbd8f17f842184ecdc8903fcd94364aa04 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Thu, 3 Aug 2023 07:50:27 +0200 Subject: [PATCH 26/34] ci: snyk integration --- .snyk | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .snyk diff --git a/.snyk b/.snyk new file mode 100644 index 00000000..beea245a --- /dev/null +++ b/.snyk @@ -0,0 +1,5 @@ +ignore: + python/SSLVerificationBypass: + - node-runner-cli > utils > utils.py + reason: None given + expires: '2050-06-19T20:36:54.553Z' From 02c02ccc10022cf454412da86576c94ab7eb3c2b Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Thu, 3 Aug 2023 07:52:48 +0200 Subject: [PATCH 27/34] ci: snyk integration --- node-runner-cli/.snyk | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 node-runner-cli/.snyk diff --git a/node-runner-cli/.snyk b/node-runner-cli/.snyk new file mode 100644 index 00000000..beea245a --- /dev/null +++ b/node-runner-cli/.snyk @@ -0,0 +1,5 @@ +ignore: + python/SSLVerificationBypass: + - node-runner-cli > utils > utils.py + reason: None given + expires: '2050-06-19T20:36:54.553Z' From 8b632a50d80ba69aa934fcd8b58a02f6be68d055 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Thu, 3 Aug 2023 07:55:52 +0200 Subject: [PATCH 28/34] ci: snyk integration --- .snyk | 5 ----- node-runner-cli/.snyk | 2 +- 2 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 .snyk diff --git a/.snyk b/.snyk deleted file mode 100644 index beea245a..00000000 --- a/.snyk +++ /dev/null 
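Review bot: Adding `--json` without a file target sends the complete JSON result to the step log, which is harder to read than the default output and is not kept anywhere; if the JSON is wanted for later processing, write it with `--json-file-output=snyk-code.json` (where the installed CLI version supports it) and upload that file as an artifact, otherwise the flag adds nothing. The enclosing job starts outside the hunk.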
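Review bot: The new `.snyk` ignore for `python/SSLVerificationBypass` carries `reason: None given` and an expiry in 2050, which silences a TLS-verification weakness for roughly 27 years with no recorded justification; an ignore for this class of finding should state who accepted the risk and why, and expire within a review cycle so it is re-examined, e.g. `reason: 'Accepted the risk: <owner/ticket placeholder>'` and `expires: '<date placeholder within the next review cycle>'`. The path form `node-runner-cli > utils > utils.py` is the dependency-path syntax used for open-source ignores; whether a `.snyk` `ignore` entry applies to Snyk Code findings at all should be checked against the policy-file documentation before the pipeline relies on it. Patch 27 adds the identical file under `node-runner-cli/.snyk`, so the same points apply there.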
@@ -1,5 +0,0 @@ -ignore: - python/SSLVerificationBypass: - - node-runner-cli > utils > utils.py - reason: None given - expires: '2050-06-19T20:36:54.553Z' diff --git a/node-runner-cli/.snyk b/node-runner-cli/.snyk index beea245a..7b816986 100644 --- a/node-runner-cli/.snyk +++ b/node-runner-cli/.snyk @@ -1,5 +1,5 @@ ignore: python/SSLVerificationBypass: - node-runner-cli > utils > utils.py - reason: None given + reason: 'Accepted the risk' expires: '2050-06-19T20:36:54.553Z' From df6afc13b626feef81a51e1101b19873171c60e9 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Thu, 3 Aug 2023 07:58:26 +0200 Subject: [PATCH 29/34] ci: snyk integration --- node-runner-cli/.snyk | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/node-runner-cli/.snyk b/node-runner-cli/.snyk index 7b816986..0cef2fb6 100644 --- a/node-runner-cli/.snyk +++ b/node-runner-cli/.snyk @@ -1,5 +1,5 @@ ignore: - python/SSLVerificationBypass: - - node-runner-cli > utils > utils.py - reason: 'Accepted the risk' - expires: '2050-06-19T20:36:54.553Z' + 'python/SSLVerificationBypass': + - node-runner-cli > utils > utils.py : + reason: 'Accepted the risk' + expires: '2050-06-19T20:36:54.553Z' \ No newline at end of file From 0840f6a6f43c0afd7edea2477fcf55c7c803dbf4 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Thu, 3 Aug 2023 08:03:54 +0200 Subject: [PATCH 30/34] ci: snyk integration --- .github/workflows/ci.yml | 6 +++++- node-runner-cli/.snyk | 5 ----- 2 files changed, 5 insertions(+), 6 deletions(-) delete mode 100644 node-runner-cli/.snyk diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1b93b54e..31f23111 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -51,7 +51,11 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Run Snyk to check for code vulnerabilities - run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high --json + run: | + snyk ignore --file-path=./node-runner-cli/utils/utils.py + ls -al + cat .snyk + snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high --json env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Test SBOM generation diff --git a/node-runner-cli/.snyk b/node-runner-cli/.snyk deleted file mode 100644 index 0cef2fb6..00000000 --- a/node-runner-cli/.snyk +++ /dev/null @@ -1,5 +0,0 @@ -ignore: - 'python/SSLVerificationBypass': - - node-runner-cli > utils > utils.py : - reason: 'Accepted the risk' - expires: '2050-06-19T20:36:54.553Z' \ No newline at end of file From b36714b9585163b2f58170c21b003d5b4c5102aa Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Thu, 3 Aug 2023 08:09:21 +0200 Subject: [PATCH 31/34] ci: snyk integration --- .github/workflows/ci.yml | 35 +++++++++++++++++++++-------------- .snyk | 7 +++++++ 2 files changed, 28 insertions(+), 14 deletions(-) create mode 100644 .snyk diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 31f23111..14aaa530 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -51,11 +51,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Run Snyk to check for code vulnerabilities - run: | - snyk ignore --file-path=./node-runner-cli/utils/utils.py - ls -al - cat .snyk - snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high --json + run: snyk code test --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --severity-threshold=high env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Test SBOM generation 
@@ -493,16 +489,27 @@ jobs: secret_prefix: 'SNYK' secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} parse_json: true - - name: Enable Snyk online monitoring to check for vulnerabilities - uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 - with: - args: --all-projects --org=${{ env.SNYK_DEVOPS_ORG_ID }} --target-reference=${{ github.ref_name }} - command: monitor - - name: Enable Snyk online monitoring to check for vulnerabilities - uses: snyk/actions/python@b98d498629f1c368650224d6d212bf7dfa89e4bf # v0.4.0 + - name: Setup python + uses: actions/setup-python@v4.5.0 with: - args: --all-projects --org=${{ env.SNYK_NETWORK_ORG_ID }} --target-reference=${{ github.ref_name }} - command: monitor + python-version: 3.10.6 + - name: Install pipenv + run: python -m pip install --upgrade pipenv wheel + - name: Install dependencies + run: | + cd ./node-runner-cli + pipenv install + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Install Snyk cli + run: | + npm install snyk -g + snyk -v + snyk auth ${{ env.SNYK_TOKEN }} + - name: Enable Snyk online monitoring - Devops + run: snyk monitor --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_DEVOPS_ORG_ID }} --target-reference=${{ github.ref_name }} + - name: Enable Snyk online monitoring - Network + run: snyk monitor --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --target-reference=${{ github.ref_name }} # These do not run on Babylon # test-core-api: diff --git a/.snyk b/.snyk new file mode 100644 index 00000000..c26e264c --- /dev/null +++ b/.snyk @@ -0,0 +1,7 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.25.0 +ignore: {} +patch: {} +exclude: + global: + - ./node-runner-cli/utils/utils.py From 062586172b148c82fcf4472c06e566de92e7f0c8 Mon Sep 17 00:00:00 2001 
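Review bot: `snyk auth ${{ env.SNYK_TOKEN }}` in the new "Install Snyk cli" step places the API token on a command line, where it is visible to anything reading the process table and would reach the step log if the shell ever ran with tracing; the CLI reads a `SNYK_TOKEN` environment variable by itself, so if fetch-secrets already exports that variable the `snyk auth` line can be dropped, and otherwise the token belongs in the step's `env:` rather than in an argument. The rewrite also trades the SHA-pinned `snyk/actions/python` for `npm install snyk -g`, which installs whatever version is current at run time, and `actions/setup-python@v4.5.0` is a mutable tag while the other actions in this workflow are pinned to commit SHAs; `npm install -g snyk@<version placeholder>` and a SHA pin keep the toolchain reproducible. The `snyk-monitor` job header is outside this hunk.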
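Review bot: `exclude: global: - ./node-runner-cli/utils/utils.py` in the new `.snyk` removes the whole file from Snyk Code analysis, so every current and future finding in it — not only the `python/SSLVerificationBypass` this series has been trying to suppress — vanishes from the scan, and unlike an `ignore` entry an exclude has no reason or expiry to force a revisit. A narrower option is to address the TLS verification in the code itself, or (as far as I know Snyk Code ignores are managed per issue in the Snyk UI) to ignore that single finding with an expiry; if the exclude has to stay, record the justification in the file, e.g. `# utils.py excluded to suppress python/SSLVerificationBypass; risk accepted by <owner placeholder>, revisit by <date placeholder>`.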
From: Marek Karwacki Date: Thu, 3 Aug 2023 08:19:31 +0200 Subject: [PATCH 32/34] ci: snyk integration --- .github/workflows/ci.yml | 43 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 14aaa530..a39b5903 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -55,7 +55,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Test SBOM generation - run: snyk sbom --file=./node-runner-cli/Pipfile ---format=cyclonedx1.4+json --json-file-output sbom.json + run: snyk sbom --file=./node-runner-cli/Pipfile --format=cyclonedx1.4+json --json-file-output sbom.json package_ubuntu_cli: name: "Package cli for Ubuntu" 
@@ -196,6 +196,47 @@ jobs: asset_content_type: application/octet-stream if: ${{ github.event_name == 'release' }} + upload-sbom: + runs-on: ubuntu-latest + if: ${{ github.event_name == 'release' }} + permissions: write-all + needs: + - upload-release-jammy + steps: + - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b + - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main + with: + role_name: ${{ secrets.AWS_ROLE_NAME_SNYK_SECRET }} + app_name: 'babylon-nodecli' + step_name: 'upload-sbom' + secret_prefix: 'SNYK' + secret_name: ${{ secrets.AWS_SECRET_NAME_SNYK }} + parse_json: true + - name: Setup python + uses: actions/setup-python@v4.5.0 + with: + python-version: 3.10.6 + - name: Install pipenv + run: python -m pip install --upgrade pipenv wheel + - name: Install dependencies + run: | + cd ./node-runner-cli + pipenv install + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Install Snyk cli + run: | + npm install snyk -g + snyk -v + snyk auth ${{ env.SNYK_TOKEN }} + - name: Generate SBOM + run: snyk sbom --file=./node-runner-cli/Pipfile --format=cyclonedx1.4+json --json-file-output sbom.json + - name: Upload SBOM + uses: AButler/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a # v2.0.2 + with: + files: sbom.json + repo-token: ${{ secrets.GITHUB_TOKEN }} + upload-release-focal: runs-on: ubuntu-20.04 if: ${{ github.event_name == 'release' }} From ef0338c1497f33f25194c42e8b52e99ee1d3a362 Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Thu, 3 Aug 2023 08:24:06 +0200 Subject: [PATCH 33/34] ci: snyk integration --- .github/workflows/ci.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a39b5903..efc9e0d0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
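Review bot: `permissions: write-all` on the new `upload-sbom` job grants its GITHUB_TOKEN every write scope, while the visible steps need only `contents: write` to attach `sbom.json` to the release and `id-token: write` for the fetch-secrets OIDC role; a token with that reach in a job that also runs an unpinned `npm install snyk -g` is an unnecessary exposure. Replace it with the minimal block `permissions:` / `id-token: write` / `contents: write`, matching the explicit scope lists the sibling Snyk jobs already declare. As in the `snyk-monitor` rewrite, `actions/setup-python@v4.5.0` is a mutable tag and the Snyk CLI version is unpinned, whereas `actions/checkout` and `AButler/upload-release-assets` here are SHA-pinned.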
@@ -55,7 +55,7 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Test SBOM generation - run: snyk sbom --file=./node-runner-cli/Pipfile --format=cyclonedx1.4+json --json-file-output sbom.json + run: snyk sbom --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json package_ubuntu_cli: name: "Package cli for Ubuntu" @@ -201,7 +201,7 @@ jobs: if: ${{ github.event_name == 'release' }} permissions: write-all needs: - - upload-release-jammy + - package_ubuntu_cli steps: - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main @@ -230,7 +230,7 @@ jobs: snyk -v snyk auth ${{ env.SNYK_TOKEN }} - name: Generate SBOM - run: snyk sbom --file=./node-runner-cli/Pipfile --format=cyclonedx1.4+json --json-file-output sbom.json + run: snyk sbom --file=./node-runner-cli/Pipfile --org=${{ env.SNYK_NETWORK_ORG_ID }} --format=cyclonedx1.4+json --json-file-output sbom.json - name: Upload SBOM uses: AButler/upload-release-assets@c94805dc72e4b20745f543da0f62eaee7722df7a # v2.0.2 with: @@ -513,8 +513,9 @@ jobs: snyk-monitor: runs-on: ubuntu-latest - #needs: - # - upload-release-jammy + if: ${{ github.event_name == 'release' }} + needs: + - package_ubuntu_cli permissions: id-token: write pull-requests: read From 055f1bb8ca83620040d7791f124675becd76e78a Mon Sep 17 00:00:00 2001 From: Marek Karwacki Date: Thu, 3 Aug 2023 08:26:12 +0200 Subject: [PATCH 34/34] ci: snyk integration --- .github/workflows/ci.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index efc9e0d0..c2527592 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -141,6 +141,7 @@ jobs: if: ${{ github.event_name == 'push' }} needs: - package_ubuntu_cli + - snyk-scan permissions: id-token: write contents: read 
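Review bot: Every `needs:` list in this patch gains `- snyk-scan`, but no job of that name is defined in any hunk visible in this series (the scan jobs introduced at its start were `snyk-scan-deps-licences` and `snyk-scan-code`); if a rename happened in a patch not shown here this is fine, otherwise the workflow fails validation on an unknown job reference. Gating release and deployment jobs on the scan is a sound policy, but if `snyk-scan` is skipped by an `if:` condition its dependents are skipped too unless their own `if:` uses `always()` or `!cancelled()`. The same addition appears in the seven following hunks of this patch (@@ -180, -202, -242, -262, -338, -426, -516).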
@@ -180,6 +181,7 @@ jobs: if: ${{ github.event_name == 'release' }} needs: - package_ubuntu_cli + - snyk-scan steps: - name: Download packaged cli uses: actions/download-artifact@v3 @@ -202,6 +204,7 @@ jobs: permissions: write-all needs: - package_ubuntu_cli + - snyk-scan steps: - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b - uses: radixdlt/public-iac-resuable-artifacts/fetch-secrets@main @@ -242,6 +245,7 @@ jobs: if: ${{ github.event_name == 'release' }} needs: - package_ubuntu_cli + - snyk-scan steps: - name: Download packaged cli uses: actions/download-artifact@v3 @@ -262,6 +266,7 @@ jobs: runs-on: [node-only] needs: - package_ubuntu_cli + - snyk-scan steps: - name: Checkout uses: actions/checkout@v3.4.0 @@ -338,6 +343,7 @@ jobs: runs-on: ubuntu-22.04 needs: - package_ubuntu_cli + - snyk-scan steps: - name: Checkout uses: actions/checkout@v3.4.0 @@ -426,6 +432,7 @@ jobs: contents: read needs: - package_ubuntu_cli + - snyk-scan steps: - name: Checkout uses: actions/checkout@v3.4.0 @@ -516,6 +523,7 @@ jobs: if: ${{ github.event_name == 'release' }} needs: - package_ubuntu_cli + - snyk-scan permissions: id-token: write pull-requests: read