-
Notifications
You must be signed in to change notification settings - Fork 2
195 lines (166 loc) · 5.85 KB
/
scan.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
# vars.PCC_CONSOLE_URL
# vars.PRISMA_API_URL
# secrets.PC_ACCESS_KEY
# secrets.PC_SECRET_KEY
name: Prisma Cloud Checks
on:
pull_request:
push:
branches:
- main
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
env:
IMAGE_NAME: demo:latest
jobs:
build-and-scan-image:
name: Build & scan image
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write # For SARIF
steps:
- name: Check out the repository
uses: actions/checkout@v2
- name: Build the image
run: docker build -t $IMAGE_NAME .
- name: Container Image Scan
id: scan
uses: PaloAltoNetworks/prisma-cloud-scan@v1
with:
pcc_console_url: ${{ vars.PCC_CONSOLE_URL }}
pcc_user: ${{ secrets.PC_ACCESS_KEY }}
pcc_pass: ${{ secrets.PC_SECRET_KEY }}
image_name: ${{ env.IMAGE_NAME }}
- name: Upload SARIF report
uses: actions/upload-artifact@v2
if: ${{ always() }}
with:
name: SARIF results twistcli
path: ${{ steps.scan.outputs.sarif_file }}
# # Only for public repos or enterprise accounts
# # (Optional) for compatibility with GitHub's code scanning alerts
# - name: Upload SARIF file
# if: ${{ always() }} # necessary if using failure thresholds in the image scan
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: ${{ steps.scan.outputs.sarif_file }}
build-and-scan-image-checkov:
name: Checkov Build & scan image
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write # For SARIF
steps:
- name: Check out the repository
uses: actions/checkout@v2
- name: Build the image
run: docker build -t $IMAGE_NAME .
- name: Run Checkov action
id: checkov
uses: bridgecrewio/checkov-action@master
with:
quiet: true # optional: display only failed checks
soft_fail: true # optional: do not return an error code if there are failed checks
docker_image: ${{ env.IMAGE_NAME }} # define the name of the image to scan
dockerfile_path: "Dockerfile" # path to the Dockerfile
container_user: 1000 # optional: Define what UID and / or what GID to run the container under to prevent permission issues
api-key: ${{ secrets.PC_ACCESS_KEY }}::${{ secrets.PC_SECRET_KEY }} # Bridgecrew API key stored as a GitHub secret
prisma-api-url: ${{ vars.PRISMA_API_URL }}
use_enforcement_rules: true
- name: Upload SARIF report
uses: actions/upload-artifact@v2
if: ${{ always() }}
with:
name: SARIF results twistcli
path: ${{ steps.scan.outputs.sarif_file }}
sandbox-image:
name: Sandbox image
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
steps:
- name: Check out the repository
uses: actions/checkout@v2
- name: Build the image
run: docker build -t $IMAGE_NAME .
- name: Download Twistcli
if: ${{ always() }}
run: |
chmod +x twistcli_download.sh
./twistcli_download.sh
env:
PCC_URL: ${{ vars.PCC_CONSOLE_URL }}
PC_ACCESS_KEY: ${{ secrets.PC_ACCESS_KEY }}
PC_SECRET_KEY: ${{ secrets.PC_SECRET_KEY }}
- name: Run Image Sandbox
if: ${{ always() }}
run: sudo -E ./twistcli sandbox --address "${PCC_CONSOLE_URL}" ${{ env.IMAGE_NAME }}
env:
PCC_CONSOLE_URL: ${{ vars.PCC_CONSOLE_URL }}
TWISTLOCK_USER: ${{ secrets.PC_ACCESS_KEY }}
TWISTLOCK_PASSWORD: ${{ secrets.PC_SECRET_KEY }}
openapi-scan:
name: Scan OpenAPI Spec
runs-on: ubuntu-latest
steps:
- name: Check out the repository
uses: actions/checkout@v2
- name: Download Twistcli
run: |
chmod +x twistcli_download.sh
./twistcli_download.sh
env:
PCC_URL: ${{ vars.PCC_CONSOLE_URL }}
PC_ACCESS_KEY: ${{ secrets.PC_ACCESS_KEY }}
PC_SECRET_KEY: ${{ secrets.PC_SECRET_KEY }}
- name: Run Scan
run: ./twistcli waas openapi-scan springboot_spec.yaml --address "${PCC_CONSOLE_URL}"
env:
PCC_CONSOLE_URL: ${{ vars.PCC_CONSOLE_URL }}
TWISTLOCK_USER: ${{ secrets.PC_ACCESS_KEY }}
TWISTLOCK_PASSWORD: ${{ secrets.PC_SECRET_KEY }}
checkov-scan:
name: Scan Repo with checkov
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write # For SARIF
steps:
- name: Check out the repository
uses: actions/checkout@v2
- name: Run Bridgecrew Action
id: Bridgecrew
uses: bridgecrewio/bridgecrew-action@master
env:
PRISMA_API_URL: ${{ vars.PRISMA_API_URL }}
with:
api-key: ${{ secrets.PC_ACCESS_KEY }}::${{ secrets.PC_SECRET_KEY }}
quiet: true # only show failed
- name: Upload SARIF report
uses: actions/upload-artifact@v2
if: ${{ always() }}
with:
name: SARIF results Checkov
path: results.sarif
# Only for public repos or enterprise accounts
# Uploads results.sarif to GitHub repository using the upload-sarif action
- uses: github/codeql-action/upload-sarif@v2
with:
# Path to SARIF file relative to the root of the repository
sarif_file: results.sarif
pipeline-exploit:
name: Pull Request annotation
runs-on: ubuntu-latest
if: ${{ github.event_name == 'pull_request' }}
permissions: write-all
steps:
- name: Check out the repository
uses: actions/checkout@v2
- name: Show Pull Request Data
run: |
echo ${{ github.event.pull_request.title }}