From 156bcabd11d291924d5cce17d21f41d9079f7d20 Mon Sep 17 00:00:00 2001
From: chevvak2
Date: Thu, 31 Oct 2024 11:35:26 -0400
Subject: [PATCH 1/4] fix: remove zap and update snyk

---
 .../{snyk-zap-ramp-client.yaml => snyk-ramp-client.yaml} | 0
 .../{snyk-zap-ramp-server.yaml => snyk-ramp-server.yaml} | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename .github/workflows/{snyk-zap-ramp-client.yaml => snyk-ramp-client.yaml} (100%)
 rename .github/workflows/{snyk-zap-ramp-server.yaml => snyk-ramp-server.yaml} (100%)

diff --git a/.github/workflows/snyk-zap-ramp-client.yaml b/.github/workflows/snyk-ramp-client.yaml
similarity index 100%
rename from .github/workflows/snyk-zap-ramp-client.yaml
rename to .github/workflows/snyk-ramp-client.yaml
diff --git a/.github/workflows/snyk-zap-ramp-server.yaml b/.github/workflows/snyk-ramp-server.yaml
similarity index 100%
rename from .github/workflows/snyk-zap-ramp-server.yaml
rename to .github/workflows/snyk-ramp-server.yaml

From e1a455b4b798e34955cbfd0629e77fe3b200a907 Mon Sep 17 00:00:00 2001
From: chevvak2 <114002880+chevvak2@users.noreply.github.com>
Date: Thu, 31 Oct 2024 11:37:45 -0400
Subject: [PATCH 2/4] Update codeql.yml

---
 .github/workflows/codeql.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 2c5af57..deebd84 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,7 +27,8 @@ jobs:
 # - https://gh.io/supported-runners-and-hardware-resources
 # - https://gh.io/using-larger-runners (GitHub.com only)
 # Consider using larger runners or machines with greater resources for possible analysis time improvements.
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ runs-on:
+ group: ncats-onprem-internal-runners
 timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
 permissions:
 # required for all workflows
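Review bot: The `timeout-minutes` context line directly below the new `runs-on:` block still branches on `matrix.language == 'swift'`, while the runner selection above it no longer does, so the two lines now disagree about whether a swift analysis can run on this job; if swift has left the matrix (the matrix is outside this hunk) simplify it to `timeout-minutes: 360`, otherwise state how the on-prem Linux group is expected to analyze it. Moving CodeQL onto a self-hosted runner group also means every revision the job checks out runs on on-prem infrastructure, which is only appropriate if the workflow's triggers (outside this hunk) exclude untrusted pull requests or the group is restricted to this repository, so that is worth confirming in the PR description. The three comment lines kept above the change still recommend GitHub-hosted larger runners and should be revised or dropped alongside this edit. The enclosing job definition starts before this hunk.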
From dbf8db63d5feb83ed4ee73962670e5a5e758e859 Mon Sep 17 00:00:00 2001
From: chevvak2 <114002880+chevvak2@users.noreply.github.com>
Date: Thu, 31 Oct 2024 11:41:04 -0400
Subject: [PATCH 3/4] Update snyk-ramp-client.yaml

---
 .github/workflows/snyk-ramp-client.yaml | 77 +------------------------
 1 file changed, 2 insertions(+), 75 deletions(-)

diff --git a/.github/workflows/snyk-ramp-client.yaml b/.github/workflows/snyk-ramp-client.yaml
index 0f1d798..8167f80 100644
--- a/.github/workflows/snyk-ramp-client.yaml
+++ b/.github/workflows/snyk-ramp-client.yaml
@@ -1,5 +1,5 @@
 # Define the name of the workflow
-name: snyk-zap-client
+name: snyk-client
 
 # Define variables
 env:
@@ -16,7 +16,6 @@ on:
 
 # Define the jobs that will be executed as part of the workflow
 jobs:
- # Job to build and push the ZAP Docker image to Docker Hub
 Snyk-Docker-Image:
 runs-on:
 group: ncats-onprem-internal-runners
@@ -80,78 +79,6 @@ jobs:
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_CLI }}
 with:
+ command: monitor
 image: $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION
 args: --sarif-file-output=snyk.sarif --file=./apps/ramp-client/Dockerfile
-
- - name: Replace security-severity undefined for license-related findings
- run: |
- sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
- sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
-
- # Step 6: Upload result to GitHub Code Scanning
- - name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: snyk.sarif
-
- # Step 7: Generate Security Report
- - name: Generate Security Report
- continue-on-error: true
- uses: rsdmike/github-security-report-action@v3.0.4
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- sarifReportDir: .
-
- # Step 8: Uploads artifacts (PDF reports) generated during the workflow to download.
- - name: Upload Artifacts
- continue-on-error: true
- uses: actions/upload-artifact@v4
- with:
- name: reports
- path: ./*.pdf
-
- ZAP-Docker-Scan:
- needs: Snyk-Docker-Image
- runs-on: ${{needs.Snyk-Docker-Image.outputs.RUNNER}}
- permissions:
- actions: read
- contents: read
- security-events: write
- issues: write
-
- steps:
- # Step 1: Get BUILD_VERSION from Snyk-Docker-Image job
- - name: Get BUILD_VERSION from Snyk-Docker-Image job
- id: get_runner_ip
- run: |
- echo "BUILD_VERSION=${{ needs.Snyk-Docker-Image.outputs.build_version }}" >> $GITHUB_ENV
- echo "::set-output name=runner_ip::$(hostname -I | cut -d' ' -f1)"
-
- # Step 2: Add the command to start Docker image on port 8000
- - name: Start Docker image on port 8000
- continue-on-error: true
- run: docker run -d -p 8000:8000 $DOCKER_REGISTRY/$IMAGE_NAME:${{ needs.Snyk-Docker-Image.outputs.build_version }}
-
- # Step 3: ZAP BASELINE SCAN
- - name: ZAP base Scan
- continue-on-error: true
- uses: zaproxy/action-baseline@v0.12.0
- with:
- target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:8000' # ip address of the runner
- docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
- token: ${{ secrets.GITHUB_TOKEN }}
- fail_action: false
-
- # Step 4: Stop and remove the Docker container
- - name: Stop and remove Docker container
- run: docker stop $(docker ps -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) && docker rm $(docker ps -a -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) || true
-
- # Step 5: Create SARIF file from ZAP results
- - name: Create SARIF file from ZAP results
- uses: SvanBoxel/zaproxy-to-ghas@main
-
- # Step 6: Upload SARIF file to GitHub Code Scanning
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: results.sarif

From 5258f2a63796e2f47b839980f533a39c53213538 Mon Sep 17 00:00:00 2001
From: chevvak2 <114002880+chevvak2@users.noreply.github.com>
Date: Thu, 31 Oct 2024 11:42:11 -0400
Subject: [PATCH 4/4] Update snyk-ramp-server.yaml

---
 .github/workflows/snyk-ramp-server.yaml | 76 +------------------------
 1 file changed, 2 insertions(+), 74 deletions(-)

diff --git a/.github/workflows/snyk-ramp-server.yaml b/.github/workflows/snyk-ramp-server.yaml
index 908d029..ea2c3b1 100644
--- a/.github/workflows/snyk-ramp-server.yaml
+++ b/.github/workflows/snyk-ramp-server.yaml
@@ -1,5 +1,5 @@
 # Define the name of the workflow
-name: snyk-zap-server
+name: snyk-server
 
 # Define variables
 env:
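Review bot: The added `command: monitor` in the snyk-ramp-client.yaml hunk sits above an unchanged `args:` line that still passes `--sarif-file-output=snyk.sarif`, yet the `upload-sarif` step that read that file is deleted in the same hunk, so the SARIF output is now produced for nobody; as far as I know that flag belongs to the `test` command, so `monitor` may ignore or reject it. If findings should still reach GitHub Code Scanning, keep `command: test` together with the upload step and add a second step with `command: monitor` for the Snyk dashboard; if the dashboard alone is intended, trim the line to `args: --file=./apps/ramp-client/Dockerfile`. Either way the PR description should say that after this change the job no longer fails on a vulnerable image and nothing is written to Code Scanning, which is a loss of detection coverage rather than a cleanup. The same mismatch is present in the `snyk-ramp-server.yaml` hunk of patch 4/4. The `uses:` line of this step and the rest of the `Snyk-Docker-Image` job are above the hunk.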
@@ -80,78 +80,6 @@ jobs:
 env:
 SNYK_TOKEN: ${{ secrets.SNYK_CLI }}
 with:
+ command: monitor
 image: $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION
 args: --sarif-file-output=snyk.sarif --file=./apps/ramp-client/Dockerfile
-
- - name: Replace security-severity undefined for license-related findings
- run: |
- sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
- sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
-
- # Step 6: Upload result to GitHub Code Scanning
- - name: Upload result to GitHub Code Scanning
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: snyk.sarif
-
- # Step 7: Generate Security Report
- - name: Generate Security Report
- continue-on-error: true
- uses: rsdmike/github-security-report-action@v3.0.4
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- sarifReportDir: .
-
- # Step 8: Uploads artifacts (PDF reports) generated during the workflow to download.
- - name: Upload Artifacts
- continue-on-error: true
- uses: actions/upload-artifact@v4
- with:
- name: reports
- path: ./*.pdf
-
- ZAP-Docker-Scan:
- needs: Snyk-Docker-Image
- runs-on: ${{needs.Snyk-Docker-Image.outputs.RUNNER}}
- permissions:
- actions: read
- contents: read
- security-events: write
- issues: write
-
- steps:
- # Step 1: Get BUILD_VERSION from Snyk-Docker-Image job
- - name: Get BUILD_VERSION from Snyk-Docker-Image job
- id: get_runner_ip
- run: |
- echo "BUILD_VERSION=${{ needs.Snyk-Docker-Image.outputs.build_version }}" >> $GITHUB_ENV
- echo "::set-output name=runner_ip::$(hostname -I | cut -d' ' -f1)"
-
- # Step 2: Add the command to start Docker image on port 8000
- - name: Start Docker image on port 8000
- continue-on-error: true
- run: docker run -d -p 8000:8000 $DOCKER_REGISTRY/$IMAGE_NAME:${{ needs.Snyk-Docker-Image.outputs.build_version }}
-
- # Step 3: ZAP BASELINE SCAN
- - name: ZAP base Scan
- continue-on-error: true
- uses: zaproxy/action-baseline@v0.12.0
- with:
- target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:8000' # ip address of the runner
- docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
- token: ${{ secrets.GITHUB_TOKEN }}
- fail_action: false
-
- # Step 4: Stop and remove the Docker container
- - name: Stop and remove Docker container
- run: docker stop $(docker ps -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) && docker rm $(docker ps -a -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) || true
-
- # Step 5: Create SARIF file from ZAP results
- - name: Create SARIF file from ZAP results
- uses: SvanBoxel/zaproxy-to-ghas@main
-
- # Step 6: Upload SARIF file to GitHub Code Scanning
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: results.sarif
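Review bot: The context line `args: --sarif-file-output=snyk.sarif --file=./apps/ramp-client/Dockerfile` in `snyk-ramp-server.yaml` names the client Dockerfile, so the server image is scanned but its findings are mapped back to the wrong Dockerfile; presumably this should read `--file=<path to the server Dockerfile>` — confirm against the repository layout before changing it. The `command: monitor` versus `--sarif-file-output` mismatch raised on the client hunk in patch 3/4 applies here unchanged, including the loss of Code Scanning visibility. The `uses:` line of this step is above the hunk.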