chore(actions): add static analysis (#32)

ydataai · Jan 17, 2023 · 01a7f7d · 01a7f7d
1 parent 57bf161
commit 01a7f7d
Show file tree

Hide file tree

Showing 4 changed files with 178 additions and 32 deletions.
diff --git a/.github/workflows/merge-main.yml b/.github/workflows/merge-main.yml
@@ -35,13 +35,13 @@ jobs:
 
  - name: Git Short sha
  id: short_sha
- run: echo "::set-output name=value::$(git rev-parse --short HEAD)"
+ run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
 
- dev-release:
+ releases:
  if: needs.prepare.outputs.new_release == 'true'
 
- name: Dev Release
+ name: Dev and Draft Releases
  runs-on: ubuntu-20.04
 
  needs:
@@ -60,17 +60,6 @@ jobs:
  body: ${{ github.event.head_commit.message }}
  prerelease: true
 
-
- draft-release:
- if: needs.prepare.outputs.new_release == 'true'
-
- name: Draft Release
- runs-on: ubuntu-20.04
-
- needs:
- - prepare
-
- steps:
  - name: Delete Previous drafts
  uses: hugo19941994/[email protected]
  env:

diff --git a/.github/workflows/prereleased.yml b/.github/workflows/prereleased.yml
@@ -14,6 +14,10 @@ env:
  DOCKER_REPOSITORY_COMMAND: aws-asg-tags-command
  DOCKER_REPOSITORY_LAMBDA: aws-asg-tags-lambda
 
+ AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
+ SBOM_FILENAME: docker-sbom
+ NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}
+
 
 
 permissions:
@@ -49,7 +53,7 @@ jobs:
  steps:
  - name: Version
  id: version
- run: echo ::set-output name=value::${GITHUB_REF#refs/*/}
+ run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
 
 
  build-command:
@@ -69,21 +73,66 @@ jobs:
  restore-keys: |
  ${{ runner.os }}-spm-
 
+ - name: Build Docker Image
+ id: docker_build
+ uses: docker/build-push-action@v3
+ env:
+ DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY_COMMAND }}:${{ needs.prepare.outputs.version }}
+ with:
+ context: .
+ file: command.Dockerfile
+ push: false
+ load: true
+ tags: ${{ env.DOCKER_IMAGE_TAG }}
+
+ - name: Create Docker SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ image: ${{ steps.docker_build.outputs.imageId }}
+ format: spdx-json
+ upload-release-assets: false
+ output-file: ${{ env.SBOM_FILENAME }}.spdx.json
+
+ - name: Scan SBOM
+ id: scan_sbom
+ uses: anchore/scan-action@v3
+ with:
+ sbom: ${{ env.SBOM_FILENAME }}.spdx.json
+ output-format: sarif
+ fail-build: false
+
+ - name: Determine number of noticiable vulnerabilities
+ id: count_vulnerabilities
+ run: echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
+
+ - name: Copy SBOM to S3
+ run: |
+ aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/command-${{ env.SBOM_FILENAME }}.spdx.json
+ aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/command-${{ env.SBOM_FILENAME }}-scan.sarif
+
+ - name: Update Notion Page
+ uses: ydataai/update-notion-page@v1
+ env:
+ STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
+ STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-{3}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, 'manager', env.SBOM_FILENAME) }}
+ with:
+ notion_secret: ${{ secrets.NOTION_SECRET }}
+ notion_database_id: ${{ env.NOTION_DATABASE_ID }}
+ notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
+ notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
+
  - name: Login to Dockerhub Registry
  uses: docker/login-action@v2
  with:
  username: ${{ secrets.DOCKERHUB_USERNAME }}
  password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
- - name: Build and push docker image
- id: docker_build
- uses: docker/build-push-action@v3
+ - name: Push Docker Image
  env:
  DOCKER_IMAGE_TAG: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_COMMAND }}:${{ needs.prepare.outputs.version }}
- with:
- file: command.Dockerfile
- push: true
- tags: ${{ env.DOCKER_IMAGE_TAG }}
+ run: |
+ docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
+ docker push ${{ env.DOCKER_IMAGE_TAG }}
 
 
  build-lambda:
@@ -103,21 +152,66 @@ jobs:
  restore-keys: |
  ${{ runner.os }}-spm-
 
+ - name: Build Docker Image
+ id: docker_build
+ uses: docker/build-push-action@v3
+ env:
+ DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY_LAMBDA }}:${{ needs.prepare.outputs.version }}
+ with:
+ context: .
+ file: lambda.Dockerfile
+ push: false
+ load: true
+ tags: ${{ env.DOCKER_IMAGE_TAG }}
+
+ - name: Create Docker SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ image: ${{ steps.docker_build.outputs.imageId }}
+ format: spdx-json
+ upload-release-assets: false
+ output-file: ${{ env.SBOM_FILENAME }}.spdx.json
+
+ - name: Scan SBOM
+ id: scan_sbom
+ uses: anchore/scan-action@v3
+ with:
+ sbom: ${{ env.SBOM_FILENAME }}.spdx.json
+ output-format: sarif
+ fail-build: false
+
+ - name: Determine number of noticiable vulnerabilities
+ id: count_vulnerabilities
+ run: echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
+
+ - name: Copy SBOM to S3
+ run: |
+ aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/lambda-${{ env.SBOM_FILENAME }}.spdx.json
+ aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/lambda-${{ env.SBOM_FILENAME }}-scan.sarif
+
+ - name: Update Notion Page
+ uses: ydataai/update-notion-page@v1
+ env:
+ STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
+ STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-{3}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, 'lambda', env.SBOM_FILENAME) }}
+ with:
+ notion_secret: ${{ secrets.NOTION_SECRET }}
+ notion_database_id: ${{ env.NOTION_DATABASE_ID }}
+ notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
+ notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
+
  - name: Login to Dockerhub Registry
  uses: docker/login-action@v2
  with:
  username: ${{ secrets.DOCKERHUB_USERNAME }}
  password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
- - name: Build and push docker image
- id: docker_build
- uses: docker/build-push-action@v3
+ - name: Push Docker Image
  env:
  DOCKER_IMAGE_TAG: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_LAMBDA }}:${{ needs.prepare.outputs.version }}
- with:
- file: lambda.Dockerfile
- push: true
- tags: ${{ env.DOCKER_IMAGE_TAG }}
+ run: |
+ docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
+ docker push ${{ env.DOCKER_IMAGE_TAG }}
 
 
  update-manifests:

diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -12,6 +12,20 @@ on:
 
 
 
+env:
+ AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
+ SBOM_FILENAME: package-sbom
+ NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}
+
+
+
+permissions:
+ id-token: write
+ contents: read
+ packages: read
+
+
+
 jobs:
  cancel_previous:
  name: 'Cancel Previous Runs'
@@ -53,3 +67,52 @@ jobs:
 
  - name: Build Command for test
  run: swift build --product Command
+
+
+ static-analysis:
+ name: Static Analysis
+ runs-on: ubuntu-20.04
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Create SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ format: spdx-json
+ output-file: ${{ env.SBOM_FILENAME }}.spdx.json
+
+ - name: Scan SBOM
+ id: scan_sbom
+ uses: anchore/scan-action@v3
+ with:
+ sbom: ${{ env.SBOM_FILENAME }}.spdx.json
+ output-format: sarif
+ fail-build: false
+
+ - name: Determine number of noticiable vulnerabilities
+ id: count_vulnerabilities
+ run: |
+ echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }}
+ aws-region: ${{ env.AWS_S3_REGION }}
+
+ - name: Copy SBOM to S3
+ run: |
+ aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
+ aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
+
+ - name: Update Notion Page
+ uses: ydataai/update-notion-page@v1
+ env:
+ STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
+ STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
+ with:
+ notion_secret: ${{ secrets.NOTION_SECRET }}
+ notion_database_id: ${{ env.NOTION_DATABASE_ID }}
+ notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
+ notion_page_update_properties: '{ "Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
diff --git a/.github/workflows/released.yml b/.github/workflows/released.yml
@@ -51,19 +51,19 @@ jobs:
  steps:
  - name: Version
  id: new_version
- run: echo ::set-output name=value::${GITHUB_REF#refs/*/}
+ run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
 
  - uses: actions/checkout@v3
  with:
  fetch-depth: 0
 
  - name: Git Short sha
  id: short_sha
- run: echo ::set-output name=value::$(git rev-parse --short HEAD)
+ run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
  - name: Extract original version
  id: old_version
- run: echo ::set-output name=value::$(git tag | grep ${{ steps.short_sha.outputs.value }} | sed -r 's|([0-9].[0-9].[0-9]).*|\1|g')
+ run: echo "value=$(git tag | grep ${{ steps.short_sha.outputs.value }} | sed -r 's|([0-9].[0-9].[0-9]).*|\1|g')" >> $GITHUB_OUTPUT
 
 
  docker-tag-command: