
Commit 01a7f7d

committed
chore(actions): add static analysis (#32)
1 parent 57bf161 commit 01a7f7d


4 files changed

+178
-32
lines changed


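--- a/.github/workflows/merge-main.yml
+++ b/.github/workflows/merge-main.yml
@@ -35,13 +35,13 @@ jobs:
 
 - name: Git Short sha
 id: short_sha
-run: echo "::set-output name=value::$(git rev-parse --short HEAD)"
+run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
 
-dev-release:
+releases:
 if: needs.prepare.outputs.new_release == 'true'
 
-name: Dev Release
+name: Dev and Draft Releases
 runs-on: ubuntu-20.04
 
 needs:
@@ -60,17 +60,6 @@ jobs:
 body: ${{ github.event.head_commit.message }}
 prerelease: true
 
-
-draft-release:
-if: needs.prepare.outputs.new_release == 'true'
-
-name: Draft Release
-runs-on: ubuntu-20.04
-
-needs:
-- prepare
-
-steps:
 - name: Delete Previous drafts
 uses: hugo19941994/delete-draft-releases@v1.0.0
 env: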

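--- a/.github/workflows/prereleased.yml
+++ b/.github/workflows/prereleased.yml
@@ -14,6 +14,10 @@ env:
 DOCKER_REPOSITORY_COMMAND: aws-asg-tags-command
 DOCKER_REPOSITORY_LAMBDA: aws-asg-tags-lambda
 
+AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
+SBOM_FILENAME: docker-sbom
+NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}
+
 
 
 permissions:
@@ -49,7 +53,7 @@ jobs:
 steps:
 - name: Version
 id: version
-run: echo ::set-output name=value::${GITHUB_REF#refs/*/}
+run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
 
 
 build-command:
@@ -69,21 +73,66 @@ jobs:
 restore-keys: |
 ${{ runner.os }}-spm-
 
+- name: Build Docker Image
+id: docker_build
+uses: docker/build-push-action@v3
+env:
+DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY_COMMAND }}:${{ needs.prepare.outputs.version }}
+with:
+context: .
+file: command.Dockerfile
+push: false
+load: true
+tags: ${{ env.DOCKER_IMAGE_TAG }}
+
+- name: Create Docker SBOM
+uses: anchore/sbom-action@v0
+with:
+image: ${{ steps.docker_build.outputs.imageId }}
+format: spdx-json
+upload-release-assets: false
+output-file: ${{ env.SBOM_FILENAME }}.spdx.json
+
+- name: Scan SBOM
+id: scan_sbom
+uses: anchore/scan-action@v3
+with:
+sbom: ${{ env.SBOM_FILENAME }}.spdx.json
+output-format: sarif
+fail-build: false
+
+- name: Determine number of noticiable vulnerabilities
+id: count_vulnerabilities
+run: echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
+
+- name: Copy SBOM to S3
+run: |
+aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/command-${{ env.SBOM_FILENAME }}.spdx.json
+aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/command-${{ env.SBOM_FILENAME }}-scan.sarif
+
+- name: Update Notion Page
+uses: ydataai/update-notion-page@v1
+env:
+STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
+STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-{3}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, 'manager', env.SBOM_FILENAME) }}
+with:
+notion_secret: ${{ secrets.NOTION_SECRET }}
+notion_database_id: ${{ env.NOTION_DATABASE_ID }}
+notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
+notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
+
 - name: Login to Dockerhub Registry
 uses: docker/login-action@v2
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
-- name: Build and push docker image
-id: docker_build
-uses: docker/build-push-action@v3
+- name: Push Docker Image
 env:
 DOCKER_IMAGE_TAG: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_COMMAND }}:${{ needs.prepare.outputs.version }}
-with:
-file: command.Dockerfile
-push: true
-tags: ${{ env.DOCKER_IMAGE_TAG }}
+run: |
+docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
+docker push ${{ env.DOCKER_IMAGE_TAG }}
 
 
 build-lambda:
@@ -103,21 +152,66 @@ jobs:
 restore-keys: |
 ${{ runner.os }}-spm-
 
+- name: Build Docker Image
+id: docker_build
+uses: docker/build-push-action@v3
+env:
+DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY_LAMBDA }}:${{ needs.prepare.outputs.version }}
+with:
+context: .
+file: lambda.Dockerfile
+push: false
+load: true
+tags: ${{ env.DOCKER_IMAGE_TAG }}
+
+- name: Create Docker SBOM
+uses: anchore/sbom-action@v0
+with:
+image: ${{ steps.docker_build.outputs.imageId }}
+format: spdx-json
+upload-release-assets: false
+output-file: ${{ env.SBOM_FILENAME }}.spdx.json
+
+- name: Scan SBOM
+id: scan_sbom
+uses: anchore/scan-action@v3
+with:
+sbom: ${{ env.SBOM_FILENAME }}.spdx.json
+output-format: sarif
+fail-build: false
+
+- name: Determine number of noticiable vulnerabilities
+id: count_vulnerabilities
+run: echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
+
+- name: Copy SBOM to S3
+run: |
+aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/lambda-${{ env.SBOM_FILENAME }}.spdx.json
+aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/lambda-${{ env.SBOM_FILENAME }}-scan.sarif
+
+- name: Update Notion Page
+uses: ydataai/update-notion-page@v1
+env:
+STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
+STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-{3}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, 'lambda', env.SBOM_FILENAME) }}
+with:
+notion_secret: ${{ secrets.NOTION_SECRET }}
+notion_database_id: ${{ env.NOTION_DATABASE_ID }}
+notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
+notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
+
 - name: Login to Dockerhub Registry
 uses: docker/login-action@v2
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
-- name: Build and push docker image
-id: docker_build
-uses: docker/build-push-action@v3
+- name: Push Docker Image
 env:
 DOCKER_IMAGE_TAG: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_LAMBDA }}:${{ needs.prepare.outputs.version }}
-with:
-file: lambda.Dockerfile
-push: true
-tags: ${{ env.DOCKER_IMAGE_TAG }}
+run: |
+docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
+docker push ${{ env.DOCKER_IMAGE_TAG }}
 
 
 update-manifests: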
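Review bot: The Notion link built on new line 117 of the build-command job passes `'manager'` as the `{2}` format argument, so it points at `manager-docker-sbom-scan.sarif`, while the `Copy SBOM to S3` step two steps earlier uploads `command-${{ env.SBOM_FILENAME }}-scan.sarif`; the dashboard link for the command image will therefore point at an object that was never written (the lambda job on new line 196 uses `'lambda'` consistently). Change the argument to `'command'`. Neither job shows a `Configure AWS credentials` step before its `aws s3 cp` lines in these hunks, unlike the pull-request workflow, so unless credentials are set up earlier in the job outside the hunk, both uploads will fail. The vulnerability count on new lines 106 and 185 is a line-count text match over the SARIF file rather than a parse of its results, so any description that happens to contain the phrase is counted and a format change silently yields 0; parsing the SARIF (for example with `jq` over `runs[].results`) would be more robust, and since `fail-build: false` means findings never gate the release, a comment on the `Scan SBOM` step saying the result is informational only would make that intent explicit.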

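--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -12,6 +12,20 @@ on:
 
 
 
+env:
+AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
+SBOM_FILENAME: package-sbom
+NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}
+
+
+
+permissions:
+id-token: write
+contents: read
+packages: read
+
+
+
 jobs:
 cancel_previous:
 name: 'Cancel Previous Runs'
@@ -53,3 +67,52 @@ jobs:
 
 - name: Build Command for test
 run: swift build --product Command
+
+
+static-analysis:
+name: Static Analysis
+runs-on: ubuntu-20.04
+
+steps:
+- uses: actions/checkout@v3
+
+- name: Create SBOM
+uses: anchore/sbom-action@v0
+with:
+format: spdx-json
+output-file: ${{ env.SBOM_FILENAME }}.spdx.json
+
+- name: Scan SBOM
+id: scan_sbom
+uses: anchore/scan-action@v3
+with:
+sbom: ${{ env.SBOM_FILENAME }}.spdx.json
+output-format: sarif
+fail-build: false
+
+- name: Determine number of noticiable vulnerabilities
+id: count_vulnerabilities
+run: |
+echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
+
+- name: Configure AWS credentials
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }}
+aws-region: ${{ env.AWS_S3_REGION }}
+
+- name: Copy SBOM to S3
+run: |
+aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
+aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
+
+- name: Update Notion Page
+uses: ydataai/update-notion-page@v1
+env:
+STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
+STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
+with:
+notion_secret: ${{ secrets.NOTION_SECRET }}
+notion_database_id: ${{ env.NOTION_DATABASE_ID }}
+notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
+notion_page_update_properties: '{ "Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'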
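Review bot: The new static-analysis job hands `secrets.NOTION_SECRET` and an OIDC-assumed AWS role to third-party actions that are pinned only to mutable tags (`anchore/sbom-action@v0`, `anchore/scan-action@v3`, `aws-actions/configure-aws-credentials@v1`, `ydataai/update-notion-page@v1` on new lines 80, 87, 99 and 110), so a moved tag changes what runs with those credentials; pin each to a full commit SHA with the tag in a trailing comment. The `id-token: write` grant on new line 23 is workflow-wide although only this job needs it, so it should move into a job-level `permissions:` block. The workflow's `on:` block is outside the hunk, so it is only inferred whether this runs on `pull_request` (secrets are empty for fork PRs and the AWS step will fail) or `pull_request_target` (secrets are available to PR-controlled code after checkout); the trigger should be confirmed against that job before merging. `fail-build: false` on new line 91 means the check passes regardless of findings, which deserves a comment on the `Scan SBOM` step stating that the job is informational only.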

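--- a/.github/workflows/released.yml
+++ b/.github/workflows/released.yml
@@ -51,19 +51,19 @@ jobs:
 steps:
 - name: Version
 id: new_version
-run: echo ::set-output name=value::${GITHUB_REF#refs/*/}
+run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
 
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
 
 - name: Git Short sha
 id: short_sha
-run: echo ::set-output name=value::$(git rev-parse --short HEAD)
+run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 
 - name: Extract original version
 id: old_version
-run: echo ::set-output name=value::$(git tag | grep ${{ steps.short_sha.outputs.value }} | sed -r 's|([0-9].[0-9].[0-9]).*|\1|g')
+run: echo "value=$(git tag | grep ${{ steps.short_sha.outputs.value }} | sed -r 's|([0-9].[0-9].[0-9]).*|\1|g')" >> $GITHUB_OUTPUT
 
 
 docker-tag-command: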
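Review bot: The rewritten `sed` on new line 66 keeps the pattern `([0-9].[0-9].[0-9])`, where the dots are unescaped (they match any character) and each component is limited to a single digit, so a tag such as `1.10.0-rc1` is not matched at all and its suffix is not stripped, while `1x2y3` would be; use `sed -r 's|([0-9]+\.[0-9]+\.[0-9]+).*|\1|g'`. `$GITHUB_OUTPUT` is unquoted in all three migrated `run:` lines here and in the equivalent lines of merge-main.yml and prereleased.yml; the runner path has no spaces today, but `>> "$GITHUB_OUTPUT"` is the documented form and is safe under `set -u`-style shells.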
