
Commit 0d85fcd

fix(actions): add static analysis (#32)
1 parent 57bf161 commit 0d85fcd

4 files changed

+184
-32
lines changed


.github/workflows/merge-main.yml

Lines changed: 3 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -35,13 +35,13 @@ jobs:
3535

3636
- name: Git Short sha
3737
id: short_sha
38-
run: echo "::set-output name=value::$(git rev-parse --short HEAD)"
38+
run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
3939

4040

41-
dev-release:
41+
releases:
4242
if: needs.prepare.outputs.new_release == 'true'
4343

44-
name: Dev Release
44+
name: Dev and Draft Releases
4545
runs-on: ubuntu-20.04
4646

4747
needs:
@@ -60,17 +60,6 @@ jobs:
6060
body: ${{ github.event.head_commit.message }}
6161
prerelease: true
6262

63-
64-
draft-release:
65-
if: needs.prepare.outputs.new_release == 'true'
66-
67-
name: Draft Release
68-
runs-on: ubuntu-20.04
69-
70-
needs:
71-
- prepare
72-
73-
steps:
7463
- name: Delete Previous drafts
7564
uses: hugo19941994/delete-draft-releases@v1.0.0
7665
env:

.github/workflows/prereleased.yml

Lines changed: 115 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,10 @@ env:
1414
DOCKER_REPOSITORY_COMMAND: aws-asg-tags-command
1515
DOCKER_REPOSITORY_LAMBDA: aws-asg-tags-lambda
1616

17+
AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
18+
SBOM_FILENAME: docker-sbom
19+
NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}
20+
1721

1822

1923
permissions:
@@ -49,7 +53,7 @@ jobs:
4953
steps:
5054
- name: Version
5155
id: version
52-
run: echo ::set-output name=value::${GITHUB_REF#refs/*/}
56+
run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
5357

5458

5559
build-command:
@@ -69,21 +73,72 @@ jobs:
6973
restore-keys: |
7074
${{ runner.os }}-spm-
7175
76+
- name: Build Docker Image
77+
id: docker_build
78+
uses: docker/build-push-action@v3
79+
env:
80+
DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY_COMMAND }}:${{ needs.prepare.outputs.version }}
81+
with:
82+
context: .
83+
file: command.Dockerfile
84+
push: false
85+
load: true
86+
tags: ${{ env.DOCKER_IMAGE_TAG }}
87+
88+
- name: Create Docker SBOM
89+
uses: anchore/sbom-action@v0
90+
with:
91+
image: ${{ steps.docker_build.outputs.imageId }}
92+
format: spdx-json
93+
upload-release-assets: false
94+
output-file: ${{ env.SBOM_FILENAME }}.spdx.json
95+
96+
- name: Scan SBOM
97+
id: scan_sbom
98+
uses: anchore/scan-action@v3
99+
with:
100+
sbom: ${{ env.SBOM_FILENAME }}.spdx.json
101+
output-format: sarif
102+
fail-build: false
103+
104+
- name: Determine number of noticiable vulnerabilities
105+
id: count_vulnerabilities
106+
run: echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
107+
108+
- name: Configure AWS credentials
109+
uses: aws-actions/configure-aws-credentials@v1
110+
with:
111+
role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }}
112+
aws-region: ${{ env.AWS_S3_REGION }}
113+
114+
- name: Copy SBOM to S3
115+
run: |
116+
aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/command-${{ env.SBOM_FILENAME }}.spdx.json
117+
aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/command-${{ env.SBOM_FILENAME }}-scan.sarif
118+
119+
- name: Update Notion Page
120+
uses: ydataai/update-notion-page@v1
121+
env:
122+
STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
123+
STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-{3}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, 'manager', env.SBOM_FILENAME) }}
124+
with:
125+
notion_secret: ${{ secrets.NOTION_SECRET }}
126+
notion_database_id: ${{ env.NOTION_DATABASE_ID }}
127+
notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
128+
notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
129+
72130
- name: Login to Dockerhub Registry
73131
uses: docker/login-action@v2
74132
with:
75133
username: ${{ secrets.DOCKERHUB_USERNAME }}
76134
password: ${{ secrets.DOCKERHUB_PASSWORD }}
77135

78-
- name: Build and push docker image
79-
id: docker_build
80-
uses: docker/build-push-action@v3
136+
- name: Push Docker Image
81137
env:
82138
DOCKER_IMAGE_TAG: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_COMMAND }}:${{ needs.prepare.outputs.version }}
83-
with:
84-
file: command.Dockerfile
85-
push: true
86-
tags: ${{ env.DOCKER_IMAGE_TAG }}
139+
run: |
140+
docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
141+
docker push ${{ env.DOCKER_IMAGE_TAG }}
87142
88143
89144
build-lambda:
@@ -103,21 +158,66 @@ jobs:
103158
restore-keys: |
104159
${{ runner.os }}-spm-
105160
161+
- name: Build Docker Image
162+
id: docker_build
163+
uses: docker/build-push-action@v3
164+
env:
165+
DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY_LAMBDA }}:${{ needs.prepare.outputs.version }}
166+
with:
167+
context: .
168+
file: lambda.Dockerfile
169+
push: false
170+
load: true
171+
tags: ${{ env.DOCKER_IMAGE_TAG }}
172+
173+
- name: Create Docker SBOM
174+
uses: anchore/sbom-action@v0
175+
with:
176+
image: ${{ steps.docker_build.outputs.imageId }}
177+
format: spdx-json
178+
upload-release-assets: false
179+
output-file: ${{ env.SBOM_FILENAME }}.spdx.json
180+
181+
- name: Scan SBOM
182+
id: scan_sbom
183+
uses: anchore/scan-action@v3
184+
with:
185+
sbom: ${{ env.SBOM_FILENAME }}.spdx.json
186+
output-format: sarif
187+
fail-build: false
188+
189+
- name: Determine number of noticiable vulnerabilities
190+
id: count_vulnerabilities
191+
run: echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
192+
193+
- name: Copy SBOM to S3
194+
run: |
195+
aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/lambda-${{ env.SBOM_FILENAME }}.spdx.json
196+
aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/lambda-${{ env.SBOM_FILENAME }}-scan.sarif
197+
198+
- name: Update Notion Page
199+
uses: ydataai/update-notion-page@v1
200+
env:
201+
STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
202+
STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-{3}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, 'lambda', env.SBOM_FILENAME) }}
203+
with:
204+
notion_secret: ${{ secrets.NOTION_SECRET }}
205+
notion_database_id: ${{ env.NOTION_DATABASE_ID }}
206+
notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
207+
notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
208+
106209
- name: Login to Dockerhub Registry
107210
uses: docker/login-action@v2
108211
with:
109212
username: ${{ secrets.DOCKERHUB_USERNAME }}
110213
password: ${{ secrets.DOCKERHUB_PASSWORD }}
111214

112-
- name: Build and push docker image
113-
id: docker_build
114-
uses: docker/build-push-action@v3
215+
- name: Push Docker Image
115216
env:
116217
DOCKER_IMAGE_TAG: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.DOCKER_REPOSITORY_LAMBDA }}:${{ needs.prepare.outputs.version }}
117-
with:
118-
file: lambda.Dockerfile
119-
push: true
120-
tags: ${{ env.DOCKER_IMAGE_TAG }}
218+
run: |
219+
docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }}
220+
docker push ${{ env.DOCKER_IMAGE_TAG }}
121221
122222
123223
update-manifests:
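Review bot: The build-lambda job copies the SBOM and SARIF to S3 without a preceding `Configure AWS credentials` step, while build-command adds `aws-actions/configure-aws-credentials` with `role-to-assume` right before its own `aws s3 cp`; since each job runs on its own runner, the lambda upload will fail with no credentials unless the steps above line 158 (outside this hunk) already assume the role. In build-command the Notion `STATUS_URL` is formatted with `'manager'` as the file prefix, but the SARIF is uploaded as `command-${{ env.SBOM_FILENAME }}-scan.sarif`, so the link points at an object that is never written; change that argument to `'command'`. Both `Push Docker Image` steps splice `${{ env.DOCKER_IMAGE_TAG }}` and `${{ steps.docker_build.outputs.imageId }}` into the shell script, and the tag is derived from `GITHUB_REF` in `prepare`, so a crafted release tag can inject into the script; read them as shell variables instead, e.g. `docker tag "$IMAGE_ID" "$DOCKER_IMAGE_TAG"` with `IMAGE_ID: ${{ steps.docker_build.outputs.imageId }}` added under `env:`. The new third-party actions (`anchore/sbom-action@v0`, `anchore/scan-action@v3`, `aws-actions/configure-aws-credentials@v1`, `ydataai/update-notion-page@v1`) are pinned to mutable tags while handling the OIDC role and `NOTION_SECRET`; pin them to full commit SHAs so a moved tag cannot change what runs with those credentials.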

.github/workflows/pull-request.yml

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,20 @@ on:
1212

1313

1414

15+
env:
16+
AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }}
17+
SBOM_FILENAME: package-sbom
18+
NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }}
19+
20+
21+
22+
permissions:
23+
id-token: write
24+
contents: read
25+
packages: read
26+
27+
28+
1529
jobs:
1630
cancel_previous:
1731
name: 'Cancel Previous Runs'
@@ -53,3 +67,52 @@ jobs:
5367

5468
- name: Build Command for test
5569
run: swift build --product Command
70+
71+
72+
static-analysis:
73+
name: Static Analysis
74+
runs-on: ubuntu-20.04
75+
76+
steps:
77+
- uses: actions/checkout@v3
78+
79+
- name: Create SBOM
80+
uses: anchore/sbom-action@v0
81+
with:
82+
format: spdx-json
83+
output-file: ${{ env.SBOM_FILENAME }}.spdx.json
84+
85+
- name: Scan SBOM
86+
id: scan_sbom
87+
uses: anchore/scan-action@v3
88+
with:
89+
sbom: ${{ env.SBOM_FILENAME }}.spdx.json
90+
output-format: sarif
91+
fail-build: false
92+
93+
- name: Determine number of noticiable vulnerabilities
94+
id: count_vulnerabilities
95+
run: |
96+
echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT
97+
98+
- name: Configure AWS credentials
99+
uses: aws-actions/configure-aws-credentials@v1
100+
with:
101+
role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }}
102+
aws-region: ${{ env.AWS_S3_REGION }}
103+
104+
- name: Copy SBOM to S3
105+
run: |
106+
aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json
107+
aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif
108+
109+
- name: Update Notion Page
110+
uses: ydataai/update-notion-page@v1
111+
env:
112+
STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }}
113+
STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }}
114+
with:
115+
notion_secret: ${{ secrets.NOTION_SECRET }}
116+
notion_database_id: ${{ env.NOTION_DATABASE_ID }}
117+
notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }'
118+
notion_page_update_properties: '{ "Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }'
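Review bot: The static-analysis job assumes the S3 write role via OIDC on every `pull_request` run, but for pull requests from forks `secrets.*` are empty and no id-token is issued, so `Configure AWS credentials` will fail there and turn the check red for outside contributors; gate the upload and Notion steps with `if: github.event.pull_request.head.repo.full_name == github.repository` (or move them to a push-triggered workflow) and make sure the role's trust policy restricts the `sub` claim to this repository and branch pattern. The vulnerability count comes from `grep -cE "(medium|high|critical) vulnerability"` over the SARIF, which counts matching lines rather than findings and presumably depends on grype's message wording; with `severity-cutoff: medium` on the scan step the same number is available robustly as `jq '[.runs[].results[]] | length' "$SARIF"` with the path passed through `env:` rather than interpolated into the script. With `fail-build: false` and no `github/codeql-action/upload-sarif` step the scan never gates the PR and findings are only visible in S3 and Notion; if this is meant to be a PR check, set `fail-build: true` with a cutoff or upload the SARIF to code scanning (which needs `security-events: write` in the new `permissions:` block). The actions are pinned to floating tags (`@v0`, `@v3`, `@v1`) while receiving `NOTION_SECRET` and the cloud role; pin them to commit SHAs.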

.github/workflows/released.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -51,19 +51,19 @@ jobs:
5151
steps:
5252
- name: Version
5353
id: new_version
54-
run: echo ::set-output name=value::${GITHUB_REF#refs/*/}
54+
run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
5555

5656
- uses: actions/checkout@v3
5757
with:
5858
fetch-depth: 0
5959

6060
- name: Git Short sha
6161
id: short_sha
62-
run: echo ::set-output name=value::$(git rev-parse --short HEAD)
62+
run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
6363

6464
- name: Extract original version
6565
id: old_version
66-
run: echo ::set-output name=value::$(git tag | grep ${{ steps.short_sha.outputs.value }} | sed -r 's|([0-9].[0-9].[0-9]).*|\1|g')
66+
run: echo "value=$(git tag | grep ${{ steps.short_sha.outputs.value }} | sed -r 's|([0-9].[0-9].[0-9]).*|\1|g')" >> $GITHUB_OUTPUT
6767

6868

6969
docker-tag-command:
