-
Notifications
You must be signed in to change notification settings - Fork 2.4k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat(ci/security): add separated code security scanning workflows
- Loading branch information
1 parent
83fd6aa
commit 67f30b3
Showing
2 changed files
with
287 additions
and
163 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,230 @@ | ||
name: Nightly Code Security Scan | ||
|
||
on: | ||
schedule: | ||
- cron: '0 8 * * *' | ||
workflow_dispatch: | ||
|
||
jobs: | ||
client-dependencies: | ||
name: Client dependency check | ||
runs-on: ubuntu-latest | ||
if: >- # only run for develop branch | ||
github.ref == 'refs/heads/develop' | ||
outputs: | ||
js: ${{ steps.set-matrix.outputs.js_result }} | ||
steps: | ||
- uses: actions/checkout@master | ||
|
||
- name: Run Snyk to check for vulnerabilities | ||
uses: snyk/actions/node@master | ||
continue-on-error: true # To make sure that artifact upload gets called | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
with: | ||
json: true | ||
|
||
- name: Upload js security scan result as artifact | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: js-security-scan-develop-result | ||
path: snyk.json | ||
|
||
- name: Export scan result to html file | ||
run: | | ||
$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=snyk -path="/data/snyk.json" -output-type=table -export -export-filename="/data/js-result") | ||
- name: Upload js result html file | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: html-js-result-${{github.run_id}} | ||
path: js-result.html | ||
|
||
- name: Analyse the js result | ||
id: set-matrix | ||
run: | | ||
result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=snyk -path="/data/snyk.json" -output-type=matrix) | ||
echo "::set-output name=js_result::${result}" | ||
server-dependencies: | ||
name: Server dependency check | ||
runs-on: ubuntu-latest | ||
if: >- # only run for develop branch | ||
github.ref == 'refs/heads/develop' | ||
outputs: | ||
go: ${{ steps.set-matrix.outputs.go_result }} | ||
steps: | ||
- uses: actions/checkout@master | ||
|
||
- name: Download go modules | ||
run: cd ./api && go get -t -v -d ./... | ||
|
||
- name: Run Snyk to check for vulnerabilities | ||
uses: snyk/actions/golang@master | ||
continue-on-error: true # To make sure that artifact upload gets called | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
with: | ||
args: --file=./api/go.mod | ||
json: true | ||
|
||
- name: Upload go security scan result as artifact | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: go-security-scan-develop-result | ||
path: snyk.json | ||
|
||
- name: Export scan result to html file | ||
run: | | ||
$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=snyk -path="/data/snyk.json" -output-type=table -export -export-filename="/data/go-result") | ||
- name: Upload go result html file | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: html-go-result-${{github.run_id}} | ||
path: go-result.html | ||
|
||
- name: Analyse the go result | ||
id: set-matrix | ||
run: | | ||
result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=snyk -path="/data/snyk.json" -output-type=matrix) | ||
echo "::set-output name=go_result::${result}" | ||
image-vulnerability: | ||
name: Build docker image and Image vulnerability check | ||
runs-on: ubuntu-latest | ||
if: >- | ||
github.ref == 'refs/heads/develop' | ||
outputs: | ||
image: ${{ steps.set-matrix.outputs.image_result }} | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@master | ||
|
||
- name: Use golang 1.17.x | ||
uses: actions/setup-go@v3 | ||
with: | ||
go-version: '>=1.17.0' | ||
|
||
- name: Use Node.js 12.x | ||
uses: actions/setup-node@v1 | ||
with: | ||
node-version: 12.x | ||
|
||
- name: Install packages and build | ||
run: yarn install && yarn build | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v1 | ||
|
||
- name: Build and push | ||
uses: docker/build-push-action@v2 | ||
with: | ||
context: . | ||
file: build/linux/Dockerfile | ||
tags: trivy-portainer:${{ github.sha }} | ||
outputs: type=docker,dest=/tmp/trivy-portainer-image.tar | ||
|
||
- name: Load docker image | ||
run: | | ||
docker load --input /tmp/trivy-portainer-image.tar | ||
- name: Run Trivy vulnerability scanner | ||
uses: docker://docker.io/aquasec/trivy:latest | ||
continue-on-error: true | ||
with: | ||
args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress trivy-portainer:${{ github.sha }} | ||
|
||
- name: Upload image security scan result as artifact | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: image-security-scan-develop-result | ||
path: image-trivy.json | ||
|
||
- name: Export scan result to html file | ||
run: | | ||
$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=trivy -path="/data/image-trivy.json" -output-type=table -export -export-filename="/data/image-result") | ||
- name: Upload go result html file | ||
uses: actions/upload-artifact@v3 | ||
with: | ||
name: html-image-result-${{github.run_id}} | ||
path: image-result.html | ||
|
||
- name: Analyse the trivy result | ||
id: set-matrix | ||
run: | | ||
result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=trivy -path="/data/image-trivy.json" -output-type=matrix) | ||
echo "::set-output name=image_result::${result}" | ||
result-analysis: | ||
name: Analyse scan result | ||
needs: [client-dependencies, server-dependencies, image-vulnerability] | ||
runs-on: ubuntu-latest | ||
if: >- | ||
github.ref == 'refs/heads/develop' | ||
strategy: | ||
matrix: | ||
js: ${{fromJson(needs.client-dependencies.outputs.js)}} | ||
go: ${{fromJson(needs.server-dependencies.outputs.go)}} | ||
image: ${{fromJson(needs.image-vulnerability.outputs.image)}} | ||
steps: | ||
- name: Display the results of js, go and image | ||
run: | | ||
echo ${{ matrix.js.status }} | ||
echo ${{ matrix.go.status }} | ||
echo ${{ matrix.image.status }} | ||
echo ${{ matrix.js.summary }} | ||
echo ${{ matrix.go.summary }} | ||
echo ${{ matrix.image.summary }} | ||
- name: Send Slack message | ||
if: >- | ||
matrix.js.status == 'failure' || | ||
matrix.go.status == 'failure' || | ||
matrix.image.status == 'failure' | ||
uses: slackapi/slack-github-action@v1.18.0 | ||
with: | ||
payload: | | ||
{ | ||
"attachments": [ | ||
{ | ||
"color": "#FF0000", | ||
"blocks": [ | ||
{ | ||
"type": "section", | ||
"text": { | ||
"type": "mrkdwn", | ||
"text": "Code Scanning Result (*${{ github.event.repository.name}}*)\n*<${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}|GitHub Actions Workflow URL>*" | ||
} | ||
}, | ||
{ | ||
"type": "divider" | ||
}, | ||
{ | ||
"type": "section", | ||
"text": { | ||
"type": "mrkdwn", | ||
"text": "*JS dependency check*: *${{ matrix.js.status }}*\n${{ matrix.js.summary }}" | ||
} | ||
}, | ||
{ | ||
"type": "section", | ||
"text": { | ||
"type": "mrkdwn", | ||
"text": "*Go dependency check*: *${{ matrix.go.status }}*\n${{ matrix.go.summary }}" | ||
} | ||
}, | ||
{ | ||
"type": "section", | ||
"text": { | ||
"type": "mrkdwn", | ||
"text": "*Image vulnerability check*: *${{ matrix.image.status }}*\n${{ matrix.image.summary }}\n" | ||
} | ||
} | ||
] | ||
} | ||
] | ||
} | ||
env: | ||
SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }} |
Oops, something went wrong.