Merge pull request #4440 from GSA-TTS/main
Showing 62 changed files with 2,036 additions and 19 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true and TRIVY_SKIP_JAVA_DB_UPDATE=true. | ||
name: Update Trivy Cache | ||
|
||
on: | ||
schedule: | ||
- cron: '0 0 * * *' # Run daily at midnight UTC | ||
workflow_dispatch: # Allow manual triggering | ||
|
||
jobs: | ||
update-trivy-db: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Setup oras | ||
uses: oras-project/setup-oras@v1 | ||
|
||
- name: Get current date | ||
id: date | ||
run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT | ||
|
||
- name: Download and extract the vulnerability DB | ||
run: | | ||
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db | ||
oras pull ghcr.io/aquasecurity/trivy-db:2 | ||
tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db | ||
rm db.tar.gz | ||
- name: Download and extract the Java DB | ||
run: | | ||
mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db | ||
oras pull ghcr.io/aquasecurity/trivy-java-db:1 | ||
tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db | ||
rm javadb.tar.gz | ||
- name: Cache DBs | ||
uses: actions/cache/save@v4 | ||
with: | ||
path: ${{ github.workspace }}/.cache/trivy | ||
key: cache-trivy-${{ steps.date.outputs.date }} |
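Review bot: the cache is saved only under the exact key `cache-trivy-<date>`, and nothing here handles a day boundary or a delayed scheduled run: a scan workflow that computes its own `date` output will miss whenever the two workflows land on different dates, and with the skip flags from the header comment set, Trivy then has no DB at all. Suggest the consumer restores with a prefix fallback (`restore-keys: cache-trivy-`) and reverts to a live update when `cache-hit` is false. Separately, `oras pull ghcr.io/aquasecurity/trivy-db:2` pulls a mutable tag with no digest check, and the job declares no `permissions:` block, so it inherits the repository default token scope; an explicit minimal block keeps this least-privilege.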
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -20,6 +20,7 @@ jobs: | |
security-events: write | ||
actions: read | ||
env: | ||
repo_name: gsa-tts/fac | ||
DOCKER_NAME: fac | ||
WORKING_DIRECTORY: ./backend | ||
name: Trivy Scan FAC Web Container | ||
|
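Review bot: `repo_name: gsa-tts/fac` is a hard-coded lowercase slug that nothing in this hunk reads; if it is meant to select a cache key or image, deriving it from `${{ github.repository }}` (lowercased where it is consumed) avoids a silent mismatch on forks.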
@@ -40,6 +41,11 @@ jobs: | |
|
||
- name: Run Trivy vulnerability scanner | ||
uses: aquasecurity/[email protected] | ||
env: | ||
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db | ||
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db | ||
TRIVY_SKIP_DB_UPDATE: true | ||
TRIVY_SKIP_JAVA_DB_UPDATE: true | ||
with: | ||
image-ref: '${{ env.DOCKER_NAME }}:${{ steps.date.outputs.date }}' | ||
scan-type: 'image' | ||
|
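Review bot: `TRIVY_SKIP_DB_UPDATE: true` and `TRIVY_SKIP_JAVA_DB_UPDATE: true` are set unconditionally, but no cache restore step appears in this hunk; if the DB is absent from the action's cache directory (cache miss, or the cache workflow not yet having run), Trivy fails rather than scanning. The `TRIVY_DB_REPOSITORY` fallback list added here is also moot while updates are skipped. Suggest gating the skip flags on the restore step's `cache-hit` output, e.g. `TRIVY_SKIP_DB_UPDATE: ${{ steps.cache.outputs.cache-hit == 'true' }}` with a hypothetical `cache` step id.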
@@ -63,6 +69,8 @@ jobs: | |
actions: read | ||
name: Trivy Scan Third Party Images | ||
runs-on: ubuntu-latest | ||
env: | ||
repo_name: gsa-tts/fac | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
|
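Review bot: same hard-coded `repo_name: gsa-tts/fac` as in the web-container job; if both jobs need it, define it once at workflow level rather than per job so the two cannot drift.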
@@ -75,6 +83,11 @@ jobs: | |
|
||
- name: Run Trivy vulnerability scanner on Third Party Images | ||
uses: aquasecurity/[email protected] | ||
env: | ||
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db | ||
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db | ||
TRIVY_SKIP_DB_UPDATE: true | ||
TRIVY_SKIP_JAVA_DB_UPDATE: true | ||
with: | ||
image-ref: '${{ matrix.image.name }}' | ||
scan-type: 'image' | ||
|
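Review bot: this job scans the third-party images from the matrix with the same unconditional skip flags; a stale cached DB here silently under-reports findings in images the team does not build, which is the case where fresh data matters most. Gate the flags on the restore step's cache-hit as for the web-container job, or verify the restored DB's age before trusting the skip (the DB's `UpdatedAt` is printed by `trivy --version`).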
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -227,8 +227,7 @@ | |
|
||
# Environment specific configurations | ||
DEBUG = False | ||
|
||
if ENVIRONMENT not in ["DEVELOPMENT", "PREVIEW", "STAGING", "PRODUCTION"]: | ||
if ENVIRONMENT not in ["SANDBOX", "DEVELOPMENT", "PREVIEW", "STAGING", "PRODUCTION"]: | ||
DATABASES = { | ||
"default": env.dj_db_url( | ||
"DATABASE_URL", default="postgres://postgres:[email protected]/backend" | ||
|
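Review bot: adding `"SANDBOX"` to the list moves that environment out of the local-default branch, whose `DATABASE_URL` default embeds a local postgres credential; make sure the opposite branch (not shown) actually supplies `DATABASE_URL` or a service binding for SANDBOX, otherwise the app starts with `DATABASES` undefined. A fail-fast check after the block that `DATABASES["default"]` exists would surface that at import time instead of on first query.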
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
source tools/util_startup.sh | ||
|
||
function materialized_views { | ||
startup_log "RUN_MATERIALIZEDVIEWS" "BEGIN" | ||
python manage.py materialized_views --create && | ||
local result=$? | ||
startup_log "RUN_MATERIALIZEDVIEWS" "END" | ||
return $result | ||
} |
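Review bot: the `&&` after `python manage.py materialized_views --create` chains into `local result=$?`, so on failure `result` is never assigned; `startup_log ... "END"` then runs, and `return $result` expands to a bare `return`, which reports `startup_log`'s status (normally 0), so a failed view build is swallowed. Put the status capture on its own line:
    python manage.py materialized_views --create
    local result=$?
and keep the `END` log after it so the real exit code is returned.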
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -70,4 +70,4 @@ cat << EOF | |
cf_user = $username | ||
cf_password = $password | ||
EOF | ||
EOF |
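Review bot: the only visible difference is the terminator line itself (trailing whitespace or indentation on `EOF`), which is exactly the kind of change that makes an unquoted heredoc run to end of file; it deserves a commit-message note, and `shellcheck` flags it. Since `<< EOF` is unquoted, `$username` and `$password` are expanded into the emitted tfvars text, which is the intent here, so the output must only ever go to a file that is excluded from version control.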
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,70 @@ | ||
#!/usr/bin/env bash | ||
|
||
org="gsa-tts-oros-fac" | ||
|
||
usage=" | ||
$0: Create a Service User Account for a given space | ||
Usage: | ||
$0 -h | ||
$0 -s <SPACE NAME> -u <USER NAME> [-r <ROLE NAME>] [-o <ORG NAME>] | ||
Options: | ||
-h: show help and exit | ||
-s <SPACE NAME>: configure the space to act on. Required | ||
-u <USER NAME>: set the service user name. Required | ||
-r <ROLE NAME>: set the service user's role to either space-deployer or space-auditor. Default: space-deployer | ||
-o <ORG NAME>: configure the organization to act on. Default: $org | ||
" | ||
|
||
set -e | ||
set -o pipefail | ||
|
||
space="" | ||
service="" | ||
role="space-deployer" | ||
|
||
while getopts ":hs:u:r:o:" opt; do | ||
case "$opt" in | ||
s) | ||
space=${OPTARG} | ||
;; | ||
u) | ||
service=${OPTARG} | ||
;; | ||
r) | ||
role=${OPTARG} | ||
;; | ||
o) | ||
org=${OPTARG} | ||
;; | ||
h) | ||
echo "$usage" | ||
exit 0 | ||
;; | ||
esac | ||
done | ||
|
||
if [[ $space = "" || $service = "" ]]; then | ||
echo "$usage" | ||
exit 1 | ||
fi | ||
|
||
>&2 echo "Targeting org $org and space $space" | ||
cf target -o $org -s $space > /dev/null 2>&1 | ||
|
||
# get service key | ||
cf service-key $service ${service}-key > /dev/null 2>&1 | ||
|
||
# output service key to stdout in secrets.auto.tfvars format | ||
creds=`cf service-key $service ${service}-key | tail -n 7` | ||
username=`echo $creds | jq '.credentials.username'` | ||
password=`echo $creds | jq '.credentials.password'` | ||
|
||
cat <<EOM | ||
# generated with $0 -s $space -u $service -r $role -o $org | ||
# revoke with $(dirname $0)/destroy_service_account.sh -s $space -u $service -o $org | ||
cf_user = $username | ||
cf_password = $password | ||
EOM |
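Review bot: the usage text says the script creates a Service User Account and accepts `-r <ROLE NAME>`, but the body only runs `cf target` and `cf service-key`; `$role` is never applied, only echoed into the generated comment, so either the creation step is missing or the usage text overstates what runs. The `getopts` case has no `\?)` or `:)` arms, so a misspelled option or a missing argument is silently ignored and the script proceeds with defaults. Parsing `cf service-key ... | tail -n 7` scrapes CLI output and breaks when the header length changes; at minimum check with `jq -e` that `.credentials.username` and `.credentials.password` are non-null before printing, since an empty `cf_user = null` line would otherwise be written into tfvars. The `> /dev/null 2>&1` on `cf target` and the first `cf service-key` also hides the reason for a failure that `set -e` then turns into a silent exit.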
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,7 @@ | ||
*/backend.tfvars | ||
*/.terraform | ||
*/terraform.tfstate | ||
*/terraform.tfstate.backup | ||
*/deployer-creds.auto.tfvars | ||
shared/config/backend.tfvars | ||
*/backend.tfvars | ||
*/.terraform | ||
*/terraform.tfstate | ||
*/terraform.tfstate.backup | ||
*/deployer-creds.auto.tfvars | ||
shared/config/backend.tfvars | ||
*/*.tfplan |
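Review bot: ignoring plan files is the right call, since a `.tfplan` embeds the resolved variable values, credentials included, but `*/*.tfplan` only matches one directory level below the root, matching the depth of the other entries; `**/*.tfplan` (or a bare `*.tfplan`) also covers plans written in nested module directories.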