ci: tweak the security workflows (#147)
* ci: tweak the security workflows

* ci: trigger CI

* ci: always run security jobs

* ci: add Docker scanning

* ci: drop `x86` support

* ci: tweak `image-ref`

* ci: list all docker images

* ci: use image id directly for scan

* ci: limit sarif severities

* ci: remove list images

* ci: toggle `TRIVY_TF_EXCLUDE_DOWNLOADED_MODULES` to `false`

* ci: limit Terraform to critical issues

For now, until the 42 other issues are ignored or resolved.

* chore: remove trigger CI comments

* ci: bump `aquasecurity/trivy-action`
JoshuaLicense authored Jun 21, 2024
1 parent 72591c9 commit fad089f
Showing 5 changed files with 74 additions and 110 deletions.
51 changes: 22 additions & 29 deletions .github/workflows/ci.yaml
Expand Up @@ -7,6 +7,28 @@ permissions:
contents: read

jobs:
security-app:
name: Security
uses: ./.github/workflows/security-app.yaml
permissions:
contents: read
security-events: write
secrets: inherit

security-docker:
name: Security
uses: ./.github/workflows/security-docker.yaml
permissions:
contents: read
security-events: write

security-terraform:
name: Security
uses: ./.github/workflows/security-terraform.yaml
permissions:
contents: read
security-events: write

orchestrator:
name: Orchestrator
runs-on: ubuntu-latest
Expand Down Expand Up @@ -324,32 +346,3 @@ jobs:
id-token: write
pull-requests: write
secrets: inherit

security-app:
name: Security App
needs:
- orchestrator
strategy:
matrix:
project:
- api
- selfserve
- internal
exclude:
- project: ${{ (needs.orchestrator.outputs.should-build-api || needs.orchestrator.outputs.should-build-api-docker) && 'ignored' || 'api' }}
- project: ${{ (needs.orchestrator.outputs.should-build-selfserve || needs.orchestrator.outputs.should-build-selfserve-docker) && 'ignored' || 'selfserve' }}
- project: ${{ (needs.orchestrator.outputs.should-build-internal || needs.orchestrator.outputs.should-build-internal-docker) && 'ignored' || 'internal' }}
uses: ./.github/workflows/security-app.yaml
with:
project: ${{ matrix.project }}
permissions:
contents: read
security-events: write
secrets: inherit

security-terraform:
name: Security Terraform
uses: ./.github/workflows/security-terraform.yaml
permissions:
contents: read
security-events: write
8 changes: 7 additions & 1 deletion .github/workflows/docker.yaml
Expand Up @@ -108,13 +108,19 @@ jobs:
with:
context: ${{ env.WORKING_DIR }}
target: production
platforms: linux/amd64,linux/arm64
platforms: linux/arm64
push: ${{ inputs.push }}
load: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Scan
uses: aquasecurity/[email protected]
with:
image-ref: ${{ steps.build-and-push.outputs.imageid }}

- name: Setup Notation CLI
if: ${{ inputs.push }}
uses: notaryproject/notation-action/setup@v1
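Review bot: The Trivy step added after the build (`image-ref: ${{ steps.build-and-push.outputs.imageid }}`) sets neither `exit-code` nor `severity` nor a SARIF `output`, so with the action's defaults it only prints findings to the job log: it cannot fail the job and nothing reaches Code Scanning, unlike the `exit-code: 1` / `format: "sarif"` / upload-step pattern this same commit uses in security-docker.yaml and security-terraform.yaml. It also runs after a build step that has already pushed when `inputs.push` is true, so even a blocking scan would not keep a flagged image out of the registry; scanning the loaded image before a separate push step, or at least gating the Notation signing step on the scan result, would close that gap. A minimal start is `exit-code: 1` and `severity: "HIGH,CRITICAL"` under `with:`, plus a `format: "sarif"`/`output:` pair and an `upload-sarif` step mirroring the other two workflows. The step id `build-and-push` and the rest of the job's steps lie outside the hunk, so the id is assumed here.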
80 changes: 10 additions & 70 deletions .github/workflows/security-app.yaml
@@ -1,99 +1,39 @@
name: Security App
name: Security

on:
workflow_call:
inputs:
ref:
type: string
required: false
project:
type: string
required: true
schedule:
# Weekly on Monday at 00:00 UTC
- cron: 0 0 * * 1

jobs:
dependency-scan-api:
if: github.event_name == 'schedule' || inputs.project == 'api'
name: API
app-scan:
name: App
runs-on: ubuntu-latest
defaults:
run:
working-directory: app/api
env:
# Temporary until this repository becomes a mono-repository: https://dvsa.atlassian.net/browse/VOL-4961.
REMOTE_REPOSITORY: dvsa/olcs-backend
working-directory: app
steps:
- uses: actions/checkout@v4
with:
repository: ${{ env.REMOTE_REPOSITORY }}
repository: dvsa/olcs-backend
path: app/api
- name: Setup Snyk
uses: snyk/actions/setup@master
- name: Scan api repository
run: snyk test --sarif-file-output=snyk-results.sarif
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

- name: Upload Results to GitHub Code Scanning
if: ${{ always() }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: app/api/snyk-results.sarif

dependency-scan-selfserve:
if: github.event_name == 'schedule' || inputs.project == 'selfserve'
name: Selfserve
runs-on: ubuntu-latest
defaults:
run:
working-directory: app/selfserve
env:
# Temporary until this repository becomes a mono-repository: https://dvsa.atlassian.net/browse/VOL-4961.
REMOTE_REPOSITORY: dvsa/olcs-selfserve
steps:
- uses: actions/checkout@v4
with:
repository: ${{ env.REMOTE_REPOSITORY }}
repository: dvsa/olcs-selfserve
path: app/selfserve
- name: Setup Snyk
uses: snyk/actions/setup@master
- name: Scan selfserve repository
run: snyk test --sarif-file-output=snyk-results.sarif
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

- name: Upload Results to GitHub Code Scanning
if: ${{ always() }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: app/selfserve/snyk-results.sarif

dependency-scan-internal:
if: github.event_name == 'schedule' || inputs.project == 'internal'
name: Internal
runs-on: ubuntu-latest
defaults:
run:
working-directory: app/internal
env:
# Temporary until this repository becomes a mono-repository: https://dvsa.atlassian.net/browse/VOL-4961.
REMOTE_REPOSITORY: dvsa/olcs-internal
steps:
- uses: actions/checkout@v4
with:
repository: ${{ env.REMOTE_REPOSITORY }}
repository: dvsa/olcs-internal
path: app/internal
- name: Setup Snyk
uses: snyk/actions/setup@master
- name: Scan internal repository
run: snyk test --sarif-file-output=snyk-results.sarif
- name: Scan
run: snyk test --sarif-file-output=snyk-results.sarif --all-projects
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

- name: Upload Results to GitHub Code Scanning
if: ${{ always() }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: app/internal/snyk-results.sarif
sarif_file: app/snyk-results.sarif
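Review bot: The consolidated job still resolves the scanner from a mutable branch, `uses: snyk/actions/setup@master`, while handing it `SNYK_TOKEN`; this is carried over from the old per-project jobs, but now a change pushed to that branch is picked up by the single run that covers all three repositories. Pinning it to a release tag or, better, a full commit SHA (`uses: snyk/actions/setup@<PINNED-TAG-OR-SHA>`, placeholder) would match what this commit already does for `aquasecurity/[email protected]` in the sibling workflows. With `--all-projects` one `snyk test` exit code now covers all three checkouts, so the job fails as a whole and the `if: ${{ always() }}` upload is what preserves per-project visibility; a comment above `- name: Scan` such as `# Non-zero exit if any of the three projects has findings; the SARIF upload still runs via always()` would make that dependency explicit. The hunk covers the whole file, so nothing is cut off.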
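--- /dev/null
+++ b/.github/workflows/security-docker.yaml
@@ -0,0 +1,29 @@
+name: Security
+
+on:
+  workflow_call:
+  schedule:
+    # Weekly on Monday at 00:00 UTC
+    - cron: 0 0 * * 1
+
+jobs:
+  docker-scan:
+    name: Docker
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Scan
+        uses: aquasecurity/[email protected]
+        with:
+          exit-code: 1
+          scan-ref: "infra/docker"
+          scan-type: "config"
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "MEDIUM,HIGH,CRITICAL"
+          limit-severities-for-sarif: true
+      - name: Upload Results to GitHub Code Scanning
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"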
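Review bot: The new workflow declares no `permissions:` block, so on the `schedule` trigger, where there is no caller to pass `security-events: write` through, the `upload-sarif` step runs with the repository's default `GITHUB_TOKEN` permissions and will be rejected if those defaults are read-only. Adding a top-level `permissions:` with `contents: read` and `security-events: write` makes the weekly run self-sufficient and documents what the job needs; the same gap applies to security-app.yaml and security-terraform.yaml in this commit, whose headers are shown in full without a `permissions:` block. Note also that `scan-type: "config"` on `infra/docker` is a Dockerfile misconfiguration check rather than an image CVE scan; a comment above the step such as `# Misconfiguration scan of the Dockerfiles; image vulnerability scanning happens in docker.yaml` would keep the job name `Docker` from suggesting otherwise.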
16 changes: 6 additions & 10 deletions .github/workflows/security-terraform.yaml
@@ -1,31 +1,27 @@
name: Security Terraform
name: Security

on:
workflow_call:
schedule:
# Weekly on Monday at 00:00 UTC
- cron: 0 0 * * 1

env:
TRIVY_TF_EXCLUDE_DOWNLOADED_MODULES: true

jobs:
terraform-scan:
name: Terraform Scan
name: Terraform
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4

- name: Scan Terraform
uses: aquasecurity/trivy-action@master
- name: Scan
uses: aquasecurity/[email protected]
with:
exit-code: 1
scan-ref: "infra/terraform"
scan-type: "config"
format: "sarif"
output: "trivy-results.sarif"

severity: "CRITICAL"
limit-severities-for-sarif: true
- name: Upload Results to GitHub Code Scanning
if: ${{ always() }}
uses: github/codeql-action/upload-sarif@v3
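Review bot: Pairing `severity: "CRITICAL"` with `limit-severities-for-sarif: true` filters the lower severities out of the uploaded SARIF as well as out of the exit-code decision, so the 42 issues the description says are being deferred will disappear from Code Scanning rather than remain visible as non-blocking alerts. Leaving `limit-severities-for-sarif` at its default (or setting it to `false`) keeps `exit-code: 1` gated on CRITICAL while still uploading everything, which is what "until ... ignored or resolved" seems to want; if hiding them is deliberate, a comment such as `# Temporarily fail and report only CRITICAL findings; lower severities tracked in <ISSUE-REF>` (placeholder) would record that. Removing `TRIVY_TF_EXCLUDE_DOWNLOADED_MODULES: true` presumably means downloaded modules are now included in the scan, which may be part of where those findings come from and is worth a one-line comment next to the step. The upload step's `sarif_file` lies below the hunk.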
