diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 2c5af57..deebd84 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -27,7 +27,8 @@ jobs: # - https://gh.io/supported-runners-and-hardware-resources # - https://gh.io/using-larger-runners (GitHub.com only) # Consider using larger runners or machines with greater resources for possible analysis time improvements. - runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} + runs-on: + group: ncats-onprem-internal-runners timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: # required for all workflows diff --git a/.github/workflows/snyk-zap-ramp-client.yaml b/.github/workflows/snyk-ramp-client.yaml similarity index 50% rename from .github/workflows/snyk-zap-ramp-client.yaml rename to .github/workflows/snyk-ramp-client.yaml index 0f1d798..8167f80 100644 --- a/.github/workflows/snyk-zap-ramp-client.yaml +++ b/.github/workflows/snyk-ramp-client.yaml @@ -1,5 +1,5 @@ # Define the name of the workflow -name: snyk-zap-client +name: snyk-client # Define variables env: @@ -16,7 +16,6 @@ on: # Define the jobs that will be executed as part of the workflow jobs: - # Job to build and push the ZAP Docker image to Docker Hub Snyk-Docker-Image: runs-on: group: ncats-onprem-internal-runners 
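Review bot: The new `runs-on` sends every matrix language to the self-hosted group `ncats-onprem-internal-runners`, yet the following context line `timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}` still special-cases Swift; if the matrix (outside this hunk) still lists `swift`, CodeQL's Swift analysis is macOS-only and that job will now fail on the group instead of running on `macos-latest`. Either remove the stale Swift branch from `timeout-minutes` or document the decision above it, e.g. `# Swift is not analysed on the on-prem group (macOS only); timeout kept for parity`. Separately, CodeQL checks out and, for compiled languages, builds the analysed code, so if this workflow's `on:` triggers (also outside the hunk) include `pull_request` from forks, untrusted code would run on internal runners — worth confirming the group is restricted to trusted events or repositories before merging.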
@@ -80,78 +79,6 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_CLI }} with: + command: monitor image: $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION args: --sarif-file-output=snyk.sarif --file=./apps/ramp-client/Dockerfile - - - name: Replace security-severity undefined for license-related findings - run: | - sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif - sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif - - # Step 6: Upload result to GitHub Code Scanning - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: snyk.sarif - - # Step 7: Generate Security Report - - name: Generate Security Report - continue-on-error: true - uses: rsdmike/github-security-report-action@v3.0.4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - sarifReportDir: . - - # Step 8: Uploads artifacts (PDF reports) generated during the workflow to download. - - name: Upload Artifacts - continue-on-error: true - uses: actions/upload-artifact@v4 - with: - name: reports - path: ./*.pdf - - ZAP-Docker-Scan: - needs: Snyk-Docker-Image - runs-on: ${{needs.Snyk-Docker-Image.outputs.RUNNER}} - permissions: - actions: read - contents: read - security-events: write - issues: write - - steps: - # Step 1: Get BUILD_VERSION from Snyk-Docker-Image job - - name: Get BUILD_VERSION from Snyk-Docker-Image job - id: get_runner_ip - run: | - echo "BUILD_VERSION=${{ needs.Snyk-Docker-Image.outputs.build_version }}" >> $GITHUB_ENV - echo "::set-output name=runner_ip::$(hostname -I | cut -d' ' -f1)" - - # Step 2: Add the command to start Docker image on port 8000 - - name: Start Docker image on port 8000 - continue-on-error: true - run: docker run -d -p 8000:8000 $DOCKER_REGISTRY/$IMAGE_NAME:${{ needs.Snyk-Docker-Image.outputs.build_version }} - - # Step 3: ZAP BASELINE SCAN - - name: ZAP base Scan - continue-on-error: true - uses: zaproxy/action-baseline@v0.12.0 - with: - target: 'http://${{ 
steps.get_runner_ip.outputs.runner_ip }}:8000' # ip address of the runner - docker_name: 'ghcr.io/zaproxy/zaproxy:stable' - token: ${{ secrets.GITHUB_TOKEN }} - fail_action: false - - # Step 4: Stop and remove the Docker container - - name: Stop and remove Docker container - run: docker stop $(docker ps -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) && docker rm $(docker ps -a -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) || true - - # Step 5: Create SARIF file from ZAP results - - name: Create SARIF file from ZAP results - uses: SvanBoxel/zaproxy-to-ghas@main - - # Step 6: Upload SARIF file to GitHub Code Scanning - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif diff --git a/.github/workflows/snyk-zap-ramp-server.yaml b/.github/workflows/snyk-ramp-server.yaml similarity index 51% rename from .github/workflows/snyk-zap-ramp-server.yaml rename to .github/workflows/snyk-ramp-server.yaml index 908d029..ea2c3b1 100644 --- a/.github/workflows/snyk-zap-ramp-server.yaml +++ b/.github/workflows/snyk-ramp-server.yaml @@ -1,5 +1,5 @@ # Define the name of the workflow -name: snyk-zap-server +name: snyk-server # Define variables env: 
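Review bot: With `command: monitor` added, the remaining `args: --sarif-file-output=snyk.sarif` appears to be dead: every consumer of `snyk.sarif` (the sed severity rewrite, the `upload-sarif` step and the PDF report steps) is deleted in this hunk, and as far as I recall `snyk container monitor` records a snapshot in the Snyk dashboard rather than failing the run, so vulnerability findings no longer reach GitHub Code Scanning or gate the build. If that is intended, drop the `--sarif-file-output` argument and state it in a comment such as `# monitor only: findings are tracked in the Snyk UI, not in GitHub Code Scanning`; otherwise keep the previous `test` behaviour (the action's default when `command` is omitted) together with the SARIF upload step. The same change and dead argument appear in the snyk-ramp-server.yaml hunk below. The step this `with:` block belongs to begins outside the hunk.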
@@ -80,78 +80,6 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_CLI }} with: + command: monitor image: $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION args: --sarif-file-output=snyk.sarif --file=./apps/ramp-client/Dockerfile - - - name: Replace security-severity undefined for license-related findings - run: | - sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif - sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif - - # Step 6: Upload result to GitHub Code Scanning - - name: Upload result to GitHub Code Scanning - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: snyk.sarif - - # Step 7: Generate Security Report - - name: Generate Security Report - continue-on-error: true - uses: rsdmike/github-security-report-action@v3.0.4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - sarifReportDir: . - - # Step 8: Uploads artifacts (PDF reports) generated during the workflow to download. - - name: Upload Artifacts - continue-on-error: true - uses: actions/upload-artifact@v4 - with: - name: reports - path: ./*.pdf - - ZAP-Docker-Scan: - needs: Snyk-Docker-Image - runs-on: ${{needs.Snyk-Docker-Image.outputs.RUNNER}} - permissions: - actions: read - contents: read - security-events: write - issues: write - - steps: - # Step 1: Get BUILD_VERSION from Snyk-Docker-Image job - - name: Get BUILD_VERSION from Snyk-Docker-Image job - id: get_runner_ip - run: | - echo "BUILD_VERSION=${{ needs.Snyk-Docker-Image.outputs.build_version }}" >> $GITHUB_ENV - echo "::set-output name=runner_ip::$(hostname -I | cut -d' ' -f1)" - - # Step 2: Add the command to start Docker image on port 8000 - - name: Start Docker image on port 8000 - continue-on-error: true - run: docker run -d -p 8000:8000 $DOCKER_REGISTRY/$IMAGE_NAME:${{ needs.Snyk-Docker-Image.outputs.build_version }} - - # Step 3: ZAP BASELINE SCAN - - name: ZAP base Scan - continue-on-error: true - uses: zaproxy/action-baseline@v0.12.0 - with: - target: 'http://${{ 
steps.get_runner_ip.outputs.runner_ip }}:8000' # ip address of the runner - docker_name: 'ghcr.io/zaproxy/zaproxy:stable' - token: ${{ secrets.GITHUB_TOKEN }} - fail_action: false - - # Step 4: Stop and remove the Docker container - - name: Stop and remove Docker container - run: docker stop $(docker ps -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) && docker rm $(docker ps -a -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) || true - - # Step 5: Create SARIF file from ZAP results - - name: Create SARIF file from ZAP results - uses: SvanBoxel/zaproxy-to-ghas@main - - # Step 6: Upload SARIF file to GitHub Code Scanning - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif
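Review bot: In snyk-ramp-server.yaml the context line `args: --sarif-file-output=snyk.sarif --file=./apps/ramp-client/Dockerfile` still points the server image's scan at the client Dockerfile, so Snyk attributes findings to the wrong build file (the `--file` argument drives base-image and layer attribution); this looks like a copy-paste from the client workflow and should presumably be `--file=<path to the ramp-server Dockerfile>` — verify the actual path in the repository. It is pre-existing, but this commit already touches the neighbouring lines, so it is the natural place to correct it. The step this `with:` block belongs to begins outside the hunk.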