From 5c168e3559c50b5c5e80b3d14825f2e989fcc913 Mon Sep 17 00:00:00 2001 From: ValeryG Date: Wed, 21 Jun 2023 10:32:05 -0600 Subject: [PATCH 01/18] fix: action path in examples in readme for pr-preview actions (#41) --- pr-previews/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pr-previews/README.md b/pr-previews/README.md index 400a04a2..578fe4df 100644 --- a/pr-previews/README.md +++ b/pr-previews/README.md @@ -21,7 +21,7 @@ If PR preview of dependant package is found - action will throw an error ```yaml - name: Validate No PR preview references - uses: Kong/shared-actions/pr-previews/validate@main + uses: Kong/public-shared-actions/pr-previews/validate@main ``` To be used `on pullrequest` to prevent merging PRs that references PR previews of depended packages @@ -45,7 +45,7 @@ If action returns `true` this means that the code in PR was `up-to-date` wih mai - name: Check if PR Up to Date id: 'up-to-date' - uses: Kong/shared-actions/pr-previews/up-to-date@main + uses: Kong/public-shared-actions/pr-previews/up-to-date@main with: github_token: ${{ secrets.GITHUB_TOKEN }} ``` @@ -62,7 +62,7 @@ Deprecates and Unpublishes PR preview packages for closed PRs. To be executed fr uses: actions/checkout@v3 - name: Cleanup - uses: Kong/shared-actions/pr-previews/cleanup@main + uses: Kong/public-shared-actions/pr-previews/cleanup@main with: # package to cleanup PR preview versions for package: "@kong-ui/core" From 94e210069c77a26bcea31f2542c4fdedace48bd3 Mon Sep 17 00:00:00 2001 
From: saisatishkarra Date: Mon, 26 Jun 2023 09:19:21 -0500 Subject: [PATCH 02/18] Enhance UX for SAST and SCA - lua and rust (#45) * add semgrep sast scanning non blocking lua and rust linting * Fix test workflow for lua and rust * disable console log for code quality checks * filename workflow luacheck results * readme update sast and sca --- .github/workflows/luacheck.yml | 10 +- .github/workflows/rustcheck.yml | 30 ++-- .github/workflows/semgrep.yml | 36 ++++ code-check-actions/luacheck/README.md | 73 ++++---- code-check-actions/luacheck/action.yml | 44 ++++- code-check-actions/rustcheck/README.md | 96 ++++++----- code-check-actions/rustcheck/action.yml | 160 ++++++------------ .../rustcheck/scripts/scan-metadata.sh | 12 +- code-check-actions/semgrep/README.md | 41 +++++ code-check-actions/semgrep/action.yml | 42 +++++ 10 files changed, 329 insertions(+), 215 deletions(-) create mode 100644 .github/workflows/semgrep.yml create mode 100644 code-check-actions/semgrep/README.md create mode 100644 code-check-actions/semgrep/action.yml diff --git a/.github/workflows/luacheck.yml b/.github/workflows/luacheck.yml index 5f82407e..a7a78080 100644 --- a/.github/workflows/luacheck.yml +++ b/.github/workflows/luacheck.yml @@ -14,15 +14,15 @@ on: jobs: test-luacheck: env: - LUA_TEST_REPOSITORY: "Kong/lua-resty-lmdb" + TEST_REPOSITORY: "${{github.repository_owner}}/atc-router" runs-on: ubuntu-latest - name: Test Lua code analysis check + name: Luacheck code analysis steps: - uses: actions/checkout@v3 - uses: actions/checkout@v3 with: - repository: ${{env.LUA_TEST_REPOSITORY}} - path: ${{env.LUA_TEST_REPOSITORY}} + repository: ${{env.TEST_REPOSITORY}} + path: ${{env.TEST_REPOSITORY}} - uses: ./code-check-actions/luacheck with: - args: '--no-default-config --config ${{env.LUA_TEST_REPOSITORY}}/.luacheckrc ${{env.LUA_TEST_REPOSITORY}}' + additional_args: '--no-default-config --config ${{env.TEST_REPOSITORY}}/.luacheckrc ${{env.TEST_REPOSITORY}}' 
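Review bot: The test workflow passes the target directory inside `additional_args` (`... --config ${{env.TEST_REPOSITORY}}/.luacheckrc ${{env.TEST_REPOSITORY}}`) while leaving the action's new `files` input at its default of `'.'`, so as far as this patch shows luacheck receives both the sub-repository path and the whole workspace (which contains that sub-repository again) and checks the same files twice. Move the path to the input that is meant for it: `files: ${{env.TEST_REPOSITORY}}` with `additional_args: '--no-default-config --config ${{env.TEST_REPOSITORY}}/.luacheckrc'`.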
diff --git a/.github/workflows/rustcheck.yml b/.github/workflows/rustcheck.yml index 186d9744..319c8c82 100644 --- a/.github/workflows/rustcheck.yml +++ b/.github/workflows/rustcheck.yml @@ -1,4 +1,4 @@ -name: Rust checks +name: Rust SCA and Lint Test on: pull_request: @@ -12,23 +12,27 @@ on: workflow_dispatch: {} jobs: - test-rust-checks: + test-rust-sca: + permissions: + # required for all workflows + security-events: write + checks: write + pull-requests: write + # only required for workflows in private repositories + actions: read + contents: read env: - RUST_TEST_REPOSITORY: "Kong/atc-router" - outputs: - grype-report: ${{ steps.rust_checks.outputs.grype-sarif-report }} - sbom-spdx-report: ${{ steps.rust_checks.outputs.sbom-spdx-report }} - sbom-cyclonedx-report: ${{ steps.rust_checks.outputs.sbom-cyclonedx-report }} + TEST_REPOSITORY: "${{github.repository_owner}}/atc-router" runs-on: ubuntu-latest - name: Rust scan and vulnerability SCA checks + name: Rust code analysis and SCA checks steps: - uses: actions/checkout@v3 - uses: actions/checkout@v3 with: - repository: ${{env.RUST_TEST_REPOSITORY}} - path: ${{env.RUST_TEST_REPOSITORY}} + repository: ${{env.TEST_REPOSITORY}} + path: ${{env.TEST_REPOSITORY}} - uses: ./code-check-actions/rustcheck with: - asset_prefix: ${{env.RUST_TEST_REPOSITORY}} - dir: ${{ github.workspace }}/${{env.RUST_TEST_REPOSITORY}} - token: ${{secrets.GITHUB_TOKEN}} \ No newline at end of file + asset_prefix: ${{env.TEST_REPOSITORY}} + token: ${{secrets.GITHUB_TOKEN}} + dir: ${{ github.workspace }}/${{env.TEST_REPOSITORY}} \ No newline at end of file diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml new file mode 100644 index 00000000..faaf7151 --- /dev/null +++ b/.github/workflows/semgrep.yml 
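Review bot: The comment `# only required for workflows in private repositories` above `actions: read` and `contents: read` in the new `permissions:` block is misleading, because once a `permissions:` map is declared every unlisted scope defaults to none, and the `actions/checkout` steps below need `contents: read` in any repository. The same comment is copied into semgrep.yml in this patch and into rust-lint.yml and the rustcheck and rust-lint READMEs later in the series. Suggest splitting it: `# contents: read is always needed for actions/checkout` on that line and keeping the private-repository remark for `actions: read` only.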
@@ -0,0 +1,36 @@ +name: Semgrep + +on: + pull_request: {} + push: + branches: + - master + - main + workflow_dispatch: {} + + +jobs: + semgrep: + name: SAST + runs-on: ubuntu-20.04 + permissions: + # required for all workflows + security-events: write + # only required for workflows in private repositories + actions: read + contents: read + env: + TEST_REPOSITORY: "${{github.repository_owner}}/atc-router" + if: (github.actor != 'dependabot[bot]') + + steps: + - uses: actions/checkout@v3 + - uses: actions/checkout@v3 + with: + repository: ${{env.TEST_REPOSITORY}} + token: ${{secrets.GITHUB_TOKEN}} + path: ${{env.TEST_REPOSITORY}} + - uses: Scimia/public-shared-actions/code-check-actions/semgrep@main + with: + additional_config: '--config p/rust' + diff --git a/code-check-actions/luacheck/README.md b/code-check-actions/luacheck/README.md index 34f996ec..07b516a8 100644 --- a/code-check-actions/luacheck/README.md +++ b/code-check-actions/luacheck/README.md 
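Review bot: `uses: Scimia/public-shared-actions/code-check-actions/semgrep@main` in the steps pulls the semgrep action from an owner other than this repository, on a mutable branch ref, inside a job granted `security-events: write`; the in-repo action this same patch adds should be exercised instead, `- uses: ./code-check-actions/semgrep`, which is what the next patch in the series does. The `token: ${{secrets.GITHUB_TOKEN}}` line on the second checkout is the value `actions/checkout` already uses by default and can be dropped.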
@@ -15,53 +15,62 @@ Currently, these repos are using this action: ## Inputs ```yaml -args: +additional_args: description: 'Arguments to luacheck' required: 'false' default: '.' # Default: Run luacheck on workspace dir ``` -## Action status -The status outcome of the action will depend based on the follwing: +## Outputs +- Depending on the event, refer [publishing](https://github.com/EnricoMi/publish-unit-test-result-action#publishing-test-results) -- Exit code is 0 if no warnings or errors occurred. -- Exit code is 1 if some warnings occurred but there were no syntax errors or invalid inline options. -- Exit code is 2 if there were some syntax errors or invalid inline options. -- Exit code is 3 if some files couldn’t be checked, typically due to an incorrect file name. -- Exit code is 4 if there was a critical error (invalid CLI arguments, config, or cache file). +## Action status +- Always exit with 0 even when there are warnings / errors and be non-blocking ## Example usage ```yaml -uses: Kong/public-shared-actions/code-check-actions/luacheck@main - -``` - -## Detailed example - -```yaml -name: Luacheck +name: Lua Code Quality on: + pull_request: {} + workflow_dispatch: {} push: branches: - main - pull_request: - branches: - - main + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: - luacheck: - runs-on: ubuntu-latest - name: Lua code analysis check + lua: + name: Lua Lint + runs-on: ubuntu-20.04 + permissions: + contents: read + issues: read + checks: write + pull-requests: write + if: (github.actor != 'dependabot[bot]') + steps: - - uses: actions/checkout@v3 - - name: Get changed files - id: changed-files - uses: tj-actions/changed-files@04124efe7560d15e11ea2ba96c0df2989f68f1f4 - with: - base_sha: ${{ github.event.workflow_run.head_sha }} - - uses: Kong/public-shared-actions/code-check-actions/luacheck@main - with: - args: "${{ steps.changed-files.outputs.all_changed_files }}" 
-``` \ No newline at end of file + - name: Checkout source code + uses: actions/checkout@v3 + + # Optional step to run on only changed files + - name: Get changed files + id: changed-files + uses: tj-actions/changed-files@v36 + with: + files: | + **.lua + + - name: Lua Check + if: steps.changed-files.outputs.any_changed == 'true' + uses: Kong/public-shared-actions/code-check-actions/luacheck@main + with: + additional_args: '--no-default-config --config .luacheckrc' + files: ${{ steps.changed-files.outputs.all_changed_files }} +``` + diff --git a/code-check-actions/luacheck/action.yml b/code-check-actions/luacheck/action.yml index 5409cbfc..bb445d27 100644 --- a/code-check-actions/luacheck/action.yml +++ b/code-check-actions/luacheck/action.yml @@ -1,9 +1,13 @@ -name: Luacheck satic analysis +name: Luacheck description: Static analysis of Lua author: 'Kong' inputs: - args: - description: 'arguments for Luacheck' + additional_args: + description: 'Arguments for Luacheck' + required: false + default: '' # Scans workspace dir + files: + description: 'List of files, directories and rockspecs to check' required: false default: '.' # Scans workspace dir 
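Review bot: `additional_args` now defaults to `''` while the README updated in this same patch still documents it as `default: '.' # Default: Run luacheck on workspace dir`; the path default has moved to the new `files` input, so the README's Inputs block should list both `additional_args` (default `''`) and `files` (default `'.'`). The trailing comment `# Scans workspace dir` on `additional_args` is also no longer true for an empty string; suggest `default: '' # No extra flags; the scan target comes from 'files'`.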
@@ -13,5 +17,37 @@ runs: - name: Run Luacheck for static analysis uses: lunarmodules/luacheck@fcbdeacad00e643e0d78c56b9ba6d8b3c7fa584f + continue-on-error: true + with: + args: "${{ inputs.additional_args }} -c --codes --ranges --formatter JUnit -q ${{ inputs.files }} > luacheck_${{github.sha}}.xml" + + - name: Upload results to workflow + if: always() + uses: actions/upload-artifact@v3 with: - args: "${{ inputs.args }}" + name: luacheck_results.zip + path: | + luacheck_${{github.sha}}.xml + if-no-files-found: warn + +# - name: Print Luacheck results +# shell: bash +# run: | +# cat luacheck_${{github.sha}}.xml + + # when using the regular GITHUB_TOKEN, the check-run created by this step will be assigned to a + # random workflow in the GH UI. to prevent this, we can force the check-run to be created in a separate + # check-suite, which is created automatically if we use the credentials of a GitHub App + # Ref: https://github.com/EnricoMi/publish-unit-test-result-action/issues/181 + # Publishing: https://github.com/EnricoMi/publish-unit-test-result-action#publishing-test-results + - name: Luacheck Report + uses: EnricoMi/publish-unit-test-result-action@v2 + if: always() + with: + files: | + luacheck_${{github.sha}}.xml + check_name: Luacheck Report + comment_mode: always + action_fail: false + + diff --git a/code-check-actions/rustcheck/README.md b/code-check-actions/rustcheck/README.md index e3d4cc5c..828aed8f 100644 --- a/code-check-actions/rustcheck/README.md +++ b/code-check-actions/rustcheck/README.md 
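Review bot: The `args` string splices `${{ inputs.additional_args }}` and `${{ inputs.files }}` into a command line that also relies on a shell redirect (`> luacheck_${{github.sha}}.xml`), so the value is evidently evaluated by a shell, and the README example in this patch feeds `files` from `steps.changed-files.outputs.all_changed_files`, i.e. path names taken from the pull-request branch; a file name containing shell metacharacters would therefore alter the command rather than be checked. Presumably the pinned luacheck action offers no other way to pass a file list; if so, validate the list in a preceding `shell: bash` step (reject entries that are not plain paths) before it reaches `args`, and say so on the `files` input. `continue-on-error: true` together with `action_fail: false` makes the action never block, which matches the README's "Action status" section but deserves a comment, e.g. `# Non-blocking by design: findings surface through the check-run below`.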
@@ -4,13 +4,10 @@ This action uses syft and grype for SCA. It will only support scanning source co The action runs the following: -- Installs rust and tools like clippy and fmt -- Runs `rust fmt` -- Runs `rust check` -- Runs `rust clippy` for all standard lint groups in Warn Mode -- SBOM in spdx and cyclonedx. -- CVE sarif and json - +- Installs rust and tools like clippy +- Runs `rust clippy` for linting in Warn Mode +- SCA and CVE analysis using Syft and Grype +- Uploads SCA results to Github Security for public repiositories ## User tracking Currently, these repos are using this action: 
@@ -20,54 +17,69 @@ Currently, these repos are using this action: ## Inputs ```yaml -args: - description: 'Arguments to luacheck' - required: 'false' - default: '.' # Default: Run luacheck on workspace dir +asset_prefix: + description: 'prefix for generated artifacts' + required: false + default: '' +dir: + description: 'Speicify a directory to be checked and scanned' + required: false + default: '.' +fail_build: + description: 'fail the build if the vulnerability is above the severity cutoff' + required: false + default: false + type: choice + options: + - 'true' + - 'false' ``` -## Action status -The status outcome of the action will depend based on the follwing: - -- Exit code is 0 if no warnings or errors occurred. -- Exit code is 1 if some warnings occurred but there were no syntax errors or invalid inline options. -- Exit code is 2 if there were some syntax errors or invalid inline options. -- Exit code is 3 if some files couldn’t be checked, typically due to an incorrect file name. -- Exit code is 4 if there was a critical error (invalid CLI arguments, config, or cache file). 
+## Outputs: +- Push: the report is available as Github CheckPR's +- PR: Github check and Inline PR annotations +- Code Scanning results: Grype SARIF for CVE for public results -## Example usage - -```yaml -uses: Kong/public-shared-actions/code-check-actions/rustcheck@main - -``` ## Detailed example ```yaml -name: Test Rust Lint and SCA Checks +name: Rust Code Quality on: + pull_request: {} + workflow_dispatch: {} push: branches: - main - pull_request: - branches: - - main + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} jobs: - test-rust-checks: - outputs: - grype-report: ${{ steps.rust_checks.outputs.grype-sarif-report }} - sbom-spdx-report: ${{ steps.rust_checks.outputs.sbom-spdx-report }} - sbom-cyclonedx-report: ${{ steps.rust_checks.outputs.sbom-cyclonedx-report }} - runs-on: ubuntu-latest - name: Rust scan and vulnerability SCA checks + rust: + name: Rust Clippy & SCA + runs-on: ubuntu-20.04 + + permissions: + # required for all workflows + security-events: write + checks: write + pull-requests: write + # only required for workflows in private repositories + actions: read + contents: read + + if: (github.actor != 'dependabot[bot]') + steps: - - uses: actions/checkout@v3 - - id: rust_checks - uses: Kong/public-shared-actions/code-check-actions/rustcheck@main - with: - asset_prefix: ${{ env.DOCKER_BASE_IMAGE_NAME }} - dir: ${{ github.workspace }} + - name: Checkout source code + uses: actions/checkout@v3 + + - name: Rust Check + uses: Kong/public-shared-actions/code-check-actions/rustcheck@main + with: + asset_prefix: 'atc-router' + token: ${{ secrets.GITHUB_TOKEN }} ``` \ No newline at end of file diff --git a/code-check-actions/rustcheck/action.yml b/code-check-actions/rustcheck/action.yml index ee58a267..625c4d81 100644 --- a/code-check-actions/rustcheck/action.yml +++ b/code-check-actions/rustcheck/action.yml 
@@ -7,7 +7,7 @@ inputs: required: false default: '' dir: - description: 'Speicify a directory to be checked and scanned' + description: 'Speicify a scan directory that must contain cargo.lock and cargo.toml' required: false default: '.' fail_build: @@ -18,8 +18,8 @@ inputs: options: - 'true' - 'false' - token: - description: 'A Github PAT' + token: + description: 'Github token to annotate files with findings' required: true outputs: @@ -29,12 +29,6 @@ outputs: grype-sarif-report: description: 'vulnerability sarif report' value: ${{ steps.grype_analysis.outputs.sarif }} - sbom-spdx-report: - description: 'SBOM spdx report' - value: ${{ steps.meta.outputs.sbom_spdx_file }} - sbom-cyclonedx-report: - description: 'SBOM cyclonedx report' - value: ${{ steps.meta.outputs.sbom_cyclonedx_file }} runs: using: composite 
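Review bot: The retained output `grype-sarif-report` still reads `${{ steps.grype_analysis.outputs.sarif }}`, but no step with id `grype_analysis` exists in the new action: the SARIF scan step in the following hunk is `id: scan`, so this output is always empty. Change it to `value: ${{ steps.scan.outputs.sarif }}`, or to `${{ steps.meta.outputs.grype_sarif_file }}` since the later `mv` step renames the report to that path. The `dir` description in the first hunk keeps the typo `Speicify`.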
@@ -42,153 +36,103 @@ runs: - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f with: - profile: default toolchain: stable - components: rustfmt, clippy + components: clippy - name: Set Scan Job Metadata shell: bash id: meta env: DIR: ${{ inputs.dir }} - FILE: ${{ inputs.file }} ASSET_PREFIX: ${{ inputs.asset_prefix }} run: $GITHUB_ACTION_PATH/scripts/scan-metadata.sh - # fails with an error code / succeeds - # - uses: actions-rs/cargo@v1 + - uses: Swatinem/rust-cache@v1 + + # - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # continue-on-error: true # with: - # command: "fmt" - # args: "--all --manifest-path ${{ steps.meta.outputs.lint_path }}" + # command: install + # args: "clippy-sarif sarif-fmt" - # fails with an error code / succeeds - # Run as part of clippy - # - uses: actions-rs/cargo@v1 + # - name: Run Cargo Clippy + # shell: bash # continue-on-error: true + # run: | + # cargo clippy --manifest-path ${{ steps.meta.outputs.manifest_path }} --message-format=json -- -W clippy::correctness -W clippy::cargo -W clippy::pedantic | clippy-sarif | tee rust_clippy_${{github.sha}}.sarif | sarif-fmt + + # - name: Upload Rust Linting SARIF file to CodeQL + # if: ${{ github.event.repository.visibility == 'public' }} + # uses: github/codeql-action/upload-sarif@v2 # with: - # command: check - # args: "--manifest-path ${{ steps.meta.outputs.lint_path }}" + # sarif_file: rust_clippy_${{github.sha}}.sarif + # category: clippy_rust - # fail on any correctness lint groups - # always warn other lint groups - - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b + - uses: actions-rs/clippy-check@v1 continue-on-error: true with: - command: clippy # Runs all default clippy::all lints for warn mode - args: "--manifest-path ${{ steps.meta.outputs.lint_path }} -- -D clippy::correctness -W clippy::all -W clippy::cargo -W clippy::pedantic" - - # - uses: auguwu/clippy-action@1.1.0 + token: ${{ inputs.token }} + args: --manifest-path ${{ 
steps.meta.outputs.manifest_path }} -- -W clippy::correctness -W clippy::cargo -W clippy::pedantic + name: Rust Clippy Report + + # - name: Upload Rust Linting results to workflow + # if: always() + # uses: actions/upload-artifact@v3 # with: - # token: ${{ inputs.token }} - # working-directory: ${{ steps.meta.outputs.lint_path }} - # warn: "all,cargo,pedantic" - # deny: "correctness" - # forbid: "restriction,nursery" - - # Must upload artifact for output file parameter to have effect - - name: Generate SPDX SBOM Using Syft - uses: anchore/sbom-action@v0.13.4 - id: sbom_spdx - with: - image: ${{ steps.meta.outputs.scan_image }} - registry-username: ${{ inputs.registry_username }} - registry-password: ${{ inputs.registry_password }} - path: ${{ steps.meta.outputs.scan_dir }} - file: ${{ steps.meta.outputs.scan_file }} - format: spdx-json - artifact-name: ${{ steps.meta.outputs.sbom_spdx_file }} - output-file: ${{ steps.meta.outputs.sbom_spdx_file }} - upload-artifact: true - upload-release-assets: false - dependency-snapshot: false - - - name: Generate CycloneDX SBOM Using Syft - uses: anchore/sbom-action@v0.13.4 - id: sbom_cyclonedx - with: - image: ${{ steps.meta.outputs.scan_image }} - registry-username: ${{ inputs.registry_username }} - registry-password: ${{ inputs.registry_password }} - path: ${{ steps.meta.outputs.scan_dir }} - file: ${{ steps.meta.outputs.scan_file }} - format: cyclonedx-json - artifact-name: ${{ steps.meta.outputs.sbom_cyclonedx_file }} - output-file: ${{ steps.meta.outputs.sbom_cyclonedx_file }} - upload-artifact: true - upload-release-assets: false - dependency-snapshot: false - - - name: Check SBOM files existence - uses: andstor/file-existence-action@v2 - id: sbom_report - with: - files: "${{ steps.meta.outputs.sbom_spdx_file }}, ${{ steps.meta.outputs.sbom_cyclonedx_file }}" - fail: true + # name: rust_clippy_results.sarif + # path: | + # rust_clippy_${{github.sha}}.sarif + # if-no-files-found: warn # Don't fail during report generation 
- name: Vulnerability analysis of SBOM uses: anchore/scan-action@v3.3.5 - id: grype_analysis_sarif - if: ${{ steps.sbom_report.outputs.files_exists == 'true' }} + continue-on-error: true + id: scan with: - sbom: ${{ steps.meta.outputs.sbom_spdx_file }} + path: ${{ steps.meta.outputs.scan_dir }} output-format: sarif fail-build: 'false' severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }} - - # Don't fail during report generation - # JSON format will report any ignored rules - - name: Vulnerability analysis of SBOM - uses: anchore/scan-action@v3.3.5 - id: grype_analysis_json - if: ${{ steps.sbom_report.outputs.files_exists == 'true' }} - with: - sbom: ${{ steps.meta.outputs.sbom_spdx_file }} - output-format: json - fail-build: 'false' - severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }} + add-cpes-if-none: true - - name: Check vulnerability analysis report existence - uses: andstor/file-existence-action@v2 - id: grype_report + - name: Upload SARIF CVE analysis file to CodeQL + if: ${{ always() && github.event.repository.visibility == 'public' }} + continue-on-error: true + uses: github/codeql-action/upload-sarif@v2 with: - files: "${{ steps.grype_analysis_sarif.outputs.sarif }}, ${{ steps.grype_analysis_json.outputs.json }}" - fail: true + sarif_file: ${{ steps.scan.outputs.sarif }} + category: sca_rust # Grype CVE Action generates an ./results.sarif or ./results.report and no way to customize output file name # Hack to increase readability of grype artifacts attached to workflows and releases - name: Rename grype analysis report shell: bash run: | - mv ${{ steps.grype_analysis_sarif.outputs.sarif }} ${{ steps.meta.outputs.grype_sarif_file }} - mv ${{ steps.grype_analysis_json.outputs.json }} ${{ steps.meta.outputs.grype_json_file }} - + mv ${{ steps.scan.outputs.sarif }} ${{ steps.meta.outputs.grype_sarif_file }} + - name: Upload grype analysis report + if: always() uses: actions/upload-artifact@v3 with: name: ${{ 
steps.meta.outputs.grype_sarif_file }} path: | ${{ steps.meta.outputs.grype_sarif_file }} - if-no-files-found: warn - - # Upload grype cve reports - - name: Upload grype analysis report - uses: actions/upload-artifact@v3 - with: - name: ${{ steps.meta.outputs.grype_json_file }} - path: | - ${{ steps.meta.outputs.grype_json_file }} if-no-files-found: warn # Fail based on severity and input parameters # Notify grype quick scan results in table format # Table format will supress any specified ignore rules - - name: Inspect Vulnerability analysis of SBOM + - name: Vulnerability Report uses: anchore/scan-action@v3.3.5 - if: ${{ steps.sbom_report.outputs.files_exists == 'true' }} with: - sbom: ${{ steps.meta.outputs.sbom_spdx_file }} + path: ${{ steps.meta.outputs.scan_dir }} output-format: table fail-build: ${{ steps.meta.outputs.global_enforce_build_failure == 'true' && steps.meta.outputs.global_enforce_build_failure || inputs.fail_build }} severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }} + + # # Rust Clippy - Linting report + # - name: Rust Linting Report - SARIF + # shell: bash + # run: | + # cat rust_clippy_${{github.sha}}.sarif diff --git a/code-check-actions/rustcheck/scripts/scan-metadata.sh b/code-check-actions/rustcheck/scripts/scan-metadata.sh index e96bf7a1..24eb18be 100755 --- a/code-check-actions/rustcheck/scripts/scan-metadata.sh +++ b/code-check-actions/rustcheck/scripts/scan-metadata.sh @@ -2,8 +2,6 @@ set -euo pipefail -readonly spdx_ext="sbom.spdx.json" -readonly cyclonedx_ext="sbom.cyclonedx.json" readonly cve_json_ext="cve-report.json" readonly cve_sarif_ext="cve-report.sarif" 
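Review bot: `actions-rs/clippy-check@v1` and `Swatinem/rust-cache@v1` are referenced by mutable major tags in the same hunk where `actions-rs/toolchain` is pinned to a commit SHA, and clippy-check receives `${{ inputs.token }}`; pin both to a full commit SHA so the supply-chain posture is consistent within one action. The `Rename grype analysis report` step runs `mv ${{ steps.scan.outputs.sarif }} ...` with no `if:` and no check that the output is set, so if the `continue-on-error` scan step fails the output may be empty and `mv` runs with a single operand, failing the action at this step; guard it with `if: ${{ always() && steps.scan.outputs.sarif != '' }}`. The roughly forty commented-out lines of the SARIF clippy variant belong in an issue or the README rather than in the shipped action.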
@@ -17,21 +15,13 @@ fi if [[ -n ${DIR} ]]; then echo "scan_dir=${DIR}" >> $GITHUB_OUTPUT - echo "lint_path=${DIR}/Cargo.toml" >> $GITHUB_OUTPUT -fi - -if [[ -n ${FILE} ]]; then - echo "scan_file=${FILE}" >> $GITHUB_OUTPUT + echo "manifest_path=${DIR}/Cargo.toml" >> $GITHUB_OUTPUT fi if [[ -n ${ASSET_PREFIX} ]]; then - echo "sbom_spdx_file=${ASSET_PREFIX##*/}-${spdx_ext}" >> $GITHUB_OUTPUT - echo "sbom_cyclonedx_file=${ASSET_PREFIX##*/}-${cyclonedx_ext}" >> $GITHUB_OUTPUT echo "grype_json_file=${ASSET_PREFIX##*/}-${cve_json_ext}" >> $GITHUB_OUTPUT echo "grype_sarif_file=${ASSET_PREFIX##*/}-${cve_sarif_ext}" >> $GITHUB_OUTPUT else - echo "sbom_spdx_file=${spdx_ext}" >> $GITHUB_OUTPUT - echo "sbom_cyclonedx_file=${cyclonedx_ext}" >> $GITHUB_OUTPUT echo "grype_json_file=${cve_json_ext}" >> $GITHUB_OUTPUT echo "grype_sarif_file=${cve_sarif_ext}" >> $GITHUB_OUTPUT fi diff --git a/code-check-actions/semgrep/README.md b/code-check-actions/semgrep/README.md new file mode 100644 index 00000000..aac98d75 --- /dev/null +++ b/code-check-actions/semgrep/README.md @@ -0,0 +1,41 @@ +# Semgrep SAST - Github Action + +This action uses Semgrep CI command to scan all supported platforms on a specified scan path + +The action runs the following: +- Self detects config rules from semgrep registry +## Detailed example + +```yaml +name: Semgrep + +on: + pull_request: {} + push: + branches: + - master + - main + workflow_dispatch: {} + + +jobs: + semgrep: + name: SAST + runs-on: ubuntu-20.04 + permissions: + # required for all workflows + security-events: write + # only required for workflows in private repositories + actions: read + contents: read + + if: (github.actor != 'dependabot[bot]') + + steps: + - uses: actions/checkout@v3 + - uses: Kong/public-shared-actions/code-check-actions/semgrep@main + with: + additional_config: '--config p/rust' + + +``` \ No newline at end of file 
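Review bot: `grype_json_file` is still written to `$GITHUB_OUTPUT` in both branches of the `ASSET_PREFIX` test, but the JSON scan and JSON upload steps that consumed `steps.meta.outputs.grype_json_file` are removed from action.yml in this same patch, so as far as this patch shows that output (and `cve_json_ext` in the first hunk) is dead. Either drop both `grype_json_file` lines and the constant, or keep a JSON report step. While here, quote the redirect target, `>> "$GITHUB_OUTPUT"`, to match the `set -euo pipefail` hygiene at the top of the script.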
diff --git a/code-check-actions/semgrep/action.yml b/code-check-actions/semgrep/action.yml new file mode 100644 index 00000000..d8ebac7f --- /dev/null +++ b/code-check-actions/semgrep/action.yml @@ -0,0 +1,42 @@ +name: Semgrep SAST +description: Semgrep SAST +author: 'Kong' +inputs: + additional_config: + description: 'Provide additional config to semgrep ci command using --config' + required: false + default: '' +runs: + using: 'composite' + steps: + + - name: SAST Scan + uses: docker://returntocorp/semgrep + continue-on-error: true + with: + args: "semgrep ci --config auto --sarif -o semgrep_${{github.sha}}.sarif --suppress-errors --no-autofix ${{ inputs.additional_config }}" + + # Upload grype cve reports + - name: Upload Semgrep SARIF to Workflow + if: always() + uses: actions/upload-artifact@v3 + with: + name: semgrep_sast.zip + path: | + semgrep_${{github.sha}}.sarif + if-no-files-found: warn + + - name: Upload SARIF to Github Code Scanning + if: ${{ always() && github.event.repository.visibility == 'public' }} + uses: github/codeql-action/upload-sarif@v2 + with: + # Path to SARIF file relative to the root of the repository + sarif_file: semgrep_${{github.sha}}.sarif + # Optional category for the results + # Used to differentiate multiple results for one commit + category: sast_semgrep + + # - name: Print SAST results - SARIF + # shell: bash + # run: | + # cat semgrep_${{github.sha}}.sarif From b037b9950d987b47b5caf3d418fa09ffc046e6ca Mon Sep 17 00:00:00 2001 
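Review bot: `uses: docker://returntocorp/semgrep` carries no tag or digest, so every run pulls whatever `latest` resolves to at that moment; a SAST step that reads the whole checkout should pin the image by digest, `uses: docker://returntocorp/semgrep@sha256:<IMAGE_DIGEST_PLACEHOLDER>` (placeholder, substitute the verified digest), or at minimum a version tag. The comment `# Upload grype cve reports` above the artifact step is copied from the rust action and should read `# Upload Semgrep SARIF as a workflow artifact`. `${{ inputs.additional_config }}` is appended verbatim to the container `args`; callers set it from their own workflow files so that is acceptable, but note it on the input, e.g. `# appended verbatim to the semgrep ci command line`.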
From: saisatishkarra Date: Mon, 26 Jun 2023 12:45:47 -0500 Subject: [PATCH 03/18] refactor(sca): Separate linters and sca for rust (#46) --- .../workflows/{luacheck.yml => lua-lint.yml} | 4 +- .github/workflows/rust-lint.yml | 37 ++++++++++ .../workflows/{rustcheck.yml => rust-sca.yml} | 8 +-- .github/workflows/semgrep.yml | 3 +- .../{luacheck => lua-lint}/README.md | 0 .../{luacheck => lua-lint}/action.yml | 0 code-check-actions/rust-lint/README.md | 64 +++++++++++++++++ code-check-actions/rust-lint/action.yml | 70 +++++++++++++++++++ .../rust-lint/scripts/set-env.sh | 7 ++ code-check-actions/semgrep/action.yml | 10 ++- .../scan-rust}/README.md | 28 +++----- .../scan-rust}/action.yml | 69 ++++-------------- .../scan-rust}/scripts/scan-metadata.sh | 1 - 13 files changed, 217 insertions(+), 84 deletions(-) rename .github/workflows/{luacheck.yml => lua-lint.yml} (90%) create mode 100644 .github/workflows/rust-lint.yml rename .github/workflows/{rustcheck.yml => rust-sca.yml} (80%) rename code-check-actions/{luacheck => lua-lint}/README.md (100%) rename code-check-actions/{luacheck => lua-lint}/action.yml (100%) create mode 100644 code-check-actions/rust-lint/README.md create mode 100644 code-check-actions/rust-lint/action.yml create mode 100755 code-check-actions/rust-lint/scripts/set-env.sh rename {code-check-actions/rustcheck => security-actions/scan-rust}/README.md (62%) rename {code-check-actions/rustcheck => security-actions/scan-rust}/action.yml (56%) rename {code-check-actions/rustcheck => security-actions/scan-rust}/scripts/scan-metadata.sh (94%) diff --git a/.github/workflows/luacheck.yml b/.github/workflows/lua-lint.yml similarity index 90% rename from .github/workflows/luacheck.yml rename to .github/workflows/lua-lint.yml index a7a78080..ae612487 100644 --- a/.github/workflows/luacheck.yml +++ b/.github/workflows/lua-lint.yml 
@@ -12,7 +12,7 @@ on: workflow_dispatch: {} jobs: - test-luacheck: + test-lua-lint: env: TEST_REPOSITORY: "${{github.repository_owner}}/atc-router" runs-on: ubuntu-latest @@ -23,6 +23,6 @@ jobs: with: repository: ${{env.TEST_REPOSITORY}} path: ${{env.TEST_REPOSITORY}} - - uses: ./code-check-actions/luacheck + - uses: ./code-check-actions/lua-lint with: additional_args: '--no-default-config --config ${{env.TEST_REPOSITORY}}/.luacheckrc ${{env.TEST_REPOSITORY}}' diff --git a/.github/workflows/rust-lint.yml b/.github/workflows/rust-lint.yml new file mode 100644 index 00000000..00755282 --- /dev/null +++ b/.github/workflows/rust-lint.yml @@ -0,0 +1,37 @@ +name: Rust Lint Test + +on: + pull_request: + branches: + - main + push: + branches: + - main + tags: + - '*' + workflow_dispatch: {} + +jobs: + test-rust-lint: + permissions: + # required for all workflows + security-events: write + checks: write + pull-requests: write + # only required for workflows in private repositories + actions: read + contents: read + env: + TEST_REPOSITORY: "${{github.repository_owner}}/atc-router" + runs-on: ubuntu-latest + name: Rust Code Linting checks + steps: + - uses: actions/checkout@v3 + - uses: actions/checkout@v3 + with: + repository: ${{env.TEST_REPOSITORY}} + path: ${{env.TEST_REPOSITORY}} + - uses: ./code-check-actions/rust-lint + with: + token: ${{secrets.GITHUB_TOKEN}} + manifest_dir: ${{ github.workspace }}/${{env.TEST_REPOSITORY}} \ No newline at end of file diff --git a/.github/workflows/rustcheck.yml b/.github/workflows/rust-sca.yml similarity index 80% rename from .github/workflows/rustcheck.yml rename to .github/workflows/rust-sca.yml index 319c8c82..ca66fb5f 100644 --- a/.github/workflows/rustcheck.yml +++ b/.github/workflows/rust-sca.yml @@ -1,4 +1,4 @@ -name: Rust SCA and Lint Test +name: Rust SCA Test on: pull_request: 
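Review bot: The new `test-rust-lint` job grants `security-events: write` and `pull-requests: write`, but `./code-check-actions/rust-lint` as added in this patch only runs clippy-check (its SARIF and CodeQL upload steps are commented out), so `security-events: write` has no consumer and should be removed for least privilege, leaving `checks: write` for the check-run clippy-check publishes. The `# only required for workflows in private repositories` comment over `contents: read` is misleading here as well, since the two checkout steps need that scope in any repository.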
@@ -31,8 +31,8 @@ jobs: with: repository: ${{env.TEST_REPOSITORY}} path: ${{env.TEST_REPOSITORY}} - - uses: ./code-check-actions/rustcheck + - uses: ./security-actions/scan-rust with: asset_prefix: ${{env.TEST_REPOSITORY}} - token: ${{secrets.GITHUB_TOKEN}} - dir: ${{ github.workspace }}/${{env.TEST_REPOSITORY}} \ No newline at end of file + dir: ${{ github.workspace }}/${{env.TEST_REPOSITORY}} + codeql_upload: false \ No newline at end of file diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index faaf7151..c56bf056 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -30,7 +30,8 @@ jobs: repository: ${{env.TEST_REPOSITORY}} token: ${{secrets.GITHUB_TOKEN}} path: ${{env.TEST_REPOSITORY}} - - uses: Scimia/public-shared-actions/code-check-actions/semgrep@main + - uses: ./code-check-actions/semgrep with: additional_config: '--config p/rust' + codeql_upload: false diff --git a/code-check-actions/luacheck/README.md b/code-check-actions/lua-lint/README.md similarity index 100% rename from code-check-actions/luacheck/README.md rename to code-check-actions/lua-lint/README.md diff --git a/code-check-actions/luacheck/action.yml b/code-check-actions/lua-lint/action.yml similarity index 100% rename from code-check-actions/luacheck/action.yml rename to code-check-actions/lua-lint/action.yml diff --git a/code-check-actions/rust-lint/README.md b/code-check-actions/rust-lint/README.md new file mode 100644 index 00000000..ba2bdab1 --- /dev/null +++ b/code-check-actions/rust-lint/README.md 
@@ -0,0 +1,64 @@ +# Rust clippy - Github Action + +This action uses Rust Clippy for code quality checks + + +The action runs the following: +- Installs rust +- Run `clippy` to identify linting and code quality checks + +## Inputs + +```yaml +manifest_dir: + description: 'Speicify a directory to be scanned' + required: false + default: '.' +``` + +## Outputs: +- Push: Commit check summary +- PR: Github check Summary and PR annotations + + +## Detailed example + +```yaml +name: Rust Code Quality + +on: + pull_request: {} + workflow_dispatch: {} + push: + branches: + - main + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +jobs: + rust: + name: Rust Clippy + runs-on: ubuntu-20.04 + + permissions: + # required for all workflows + security-events: write + checks: write + pull-requests: write + # only required for workflows in private repositories + actions: read + contents: read + + if: (github.actor != 'dependabot[bot]') + + steps: + - name: Checkout source code + uses: actions/checkout@v3 + + - name: Rust Check + uses: Kong/public-shared-actions/code-check-actions/rust-lint@main + with: + token: ${{ secrets.GITHUB_TOKEN }} +``` \ No newline at end of file diff --git a/code-check-actions/rust-lint/action.yml b/code-check-actions/rust-lint/action.yml new file mode 100644 index 00000000..6484b7e3 --- /dev/null +++ b/code-check-actions/rust-lint/action.yml 
@@ -0,0 +1,70 @@ +name: Rust Clippy +description: Rust Linting using Clippy +author: 'Kong' +inputs: + manifest_dir: + description: 'Rust Manifest Directory' + required: false + default: '.' + token: + description: 'Github token to annotate files with findings' + required: true + +runs: + using: composite + steps: + + - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f + with: + toolchain: stable + components: clippy + + - name: Set Job Metadata + shell: bash + id: meta + env: + manifest_dir: ${{ inputs.manifest_dir }} + run: $GITHUB_ACTION_PATH/scripts/set-env.sh + + - uses: Swatinem/rust-cache@v1 + + - uses: actions-rs/clippy-check@v1 + continue-on-error: true + with: + token: ${{ inputs.token }} + args: --manifest-path ${{ steps.meta.outputs.manifest_path }} -- -W clippy::correctness -W clippy::cargo -W clippy::pedantic + name: Rust Clippy Report + + # - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b + # continue-on-error: true + # with: + # command: install + # args: "clippy-sarif sarif-fmt" + + # - name: Run Cargo Clippy + # shell: bash + # continue-on-error: true + # run: | + # cargo clippy --manifest-path ${{ steps.meta.outputs.manifest_path }} --message-format=json -- -W clippy::correctness -W clippy::cargo -W clippy::pedantic | clippy-sarif | tee rust_clippy_${{github.sha}}.sarif | sarif-fmt + + # - name: Upload Rust Linting SARIF file to CodeQL + # if: ${{ github.event.repository.visibility == 'public' }} + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: rust_clippy_${{github.sha}}.sarif + # category: clippy_rust + + # - name: Upload Rust Linting results to workflow + # if: always() + # uses: actions/upload-artifact@v3 + # with: + # name: rust_clippy_results.sarif + # path: | + # rust_clippy_${{github.sha}}.sarif + # if-no-files-found: warn + + # # Rust Clippy - Linting report + # - name: Rust Linting Report - SARIF + # shell: bash + # run: | + # cat rust_clippy_${{github.sha}}.sarif 
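Review bot: The third-party actions in this new composite are pinned inconsistently: `actions-rs/toolchain` is pinned to a full commit SHA, while `Swatinem/rust-cache@v1` and `actions-rs/clippy-check@v1` float on a mutable major tag, and the latter is the step that receives the caller's `token` input. A retagged `v1` would run unreviewed code with that token, so pinning both the same way the toolchain step already is — `uses: Swatinem/rust-cache@<commit-sha>  # v1` and likewise for clippy-check — keeps the file's own convention. The large commented-out block after the clippy-check step (cargo install, SARIF conversion, code-scanning and artifact uploads, report cat) is dead configuration that will drift from the live steps; either gate it behind an input like scan-rust's `codeql_upload` or drop it and keep the history in git.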
diff --git a/code-check-actions/rust-lint/scripts/set-env.sh b/code-check-actions/rust-lint/scripts/set-env.sh new file mode 100755 index 00000000..05926c12 --- /dev/null +++ b/code-check-actions/rust-lint/scripts/set-env.sh @@ -0,0 +1,7 @@ +#!/usr/bin/env bash + +set -euo pipefail + +if [[ -n ${manifest_dir} ]]; then + echo "manifest_path=${manifest_dir}/Cargo.toml" >> $GITHUB_OUTPUT +fi \ No newline at end of file diff --git a/code-check-actions/semgrep/action.yml b/code-check-actions/semgrep/action.yml index d8ebac7f..7ff84844 100644 --- a/code-check-actions/semgrep/action.yml +++ b/code-check-actions/semgrep/action.yml @@ -6,6 +6,14 @@ inputs: description: 'Provide additional config to semgrep ci command using --config' required: false default: '' + codeql_upload: + description: 'Toggle to upload results to Github code scanning for public repositories' + required: false + default: true + type: choice + options: + - 'true' + - 'false' runs: using: 'composite' steps: @@ -27,7 +35,7 @@ runs: if-no-files-found: warn - name: Upload SARIF to Github Code Scanning - if: ${{ always() && github.event.repository.visibility == 'public' }} + if: ${{ always() && inputs.codeql_upload == 'true' && github.event.repository.visibility == 'public' }} uses: github/codeql-action/upload-sarif@v2 with: # Path to SARIF file relative to the root of the repository diff --git a/code-check-actions/rustcheck/README.md b/security-actions/scan-rust/README.md similarity index 62% rename from code-check-actions/rustcheck/README.md rename to security-actions/scan-rust/README.md index 828aed8f..26564789 100644 --- a/code-check-actions/rustcheck/README.md +++ b/security-actions/scan-rust/README.md 
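Review bot: When `manifest_dir` is empty the script writes nothing to `$GITHUB_OUTPUT`, so the later `--manifest-path ${{ steps.meta.outputs.manifest_path }}` in action.yml expands to a dangling flag with no value; the action default is `'.'`, but a caller passing an empty string hits this silently. Falling back to the default inside the script closes the gap: `manifest_path="${manifest_dir:-.}/Cargo.toml"` followed by `echo "manifest_path=${manifest_path}" >> "$GITHUB_OUTPUT"`. Quoting `$GITHUB_OUTPUT` also keeps word splitting from biting if the runner's path ever contains spaces.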
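Review bot: The new `codeql_upload` input declares `type: choice` and `options:`, which as far as I know are `workflow_dispatch` input keys rather than part of the action metadata schema for composite actions, so they document nothing the runner enforces; any string is accepted and the later `inputs.codeql_upload == 'true'` comparison is the only real validation. Dropping the two keys and stating the accepted values in the description (`'Set to "true" or "false"; results are uploaded to code scanning only for public repositories'`) avoids a misleading contract, and writing the default as `default: 'true'` keeps it visibly the string the condition compares against. The same declaration is repeated for `codeql_upload` in the scan-rust action.yml hunk of this patch and for `fail_on_findings` in the semgrep action.yml hunk of patch 13.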
@@ -1,18 +1,11 @@ -# Rust Directory Scan - Github Action +# Rust SCA -This action uses syft and grype for SCA. It will only support scanning source code directories / files and will not support the container images +This action uses grype for source code analysis. It will only support scanning source code directories / files and will not support the container images The action runs the following: -- Installs rust and tools like clippy -- Runs `rust clippy` for linting in Warn Mode -- SCA and CVE analysis using Syft and Grype +- SCA and CVE analysis using Grype - Uploads SCA results to Github Security for public repiositories -## User tracking - -Currently, these repos are using this action: - -[] ## Inputs @@ -36,15 +29,13 @@ fail_build: ``` ## Outputs: -- Push: the report is available as Github CheckPR's -- PR: Github check and Inline PR annotations -- Code Scanning results: Grype SARIF for CVE for public results - +- SARIF upload to github code scanning for public repositories +- Console log workflow output / Github check for reporting ## Detailed example ```yaml -name: Rust Code Quality +name: Rust SCA on: pull_request: {} @@ -59,7 +50,7 @@ concurrency: jobs: rust: - name: Rust Clippy & SCA + name: Rust SCA runs-on: ubuntu-20.04 permissions: @@ -77,9 +68,8 @@ jobs: - name: Checkout source code uses: actions/checkout@v3 - - name: Rust Check - uses: Kong/public-shared-actions/code-check-actions/rustcheck@main + - name: Source Code analysis + uses: Kong/public-shared-actions/security-actions/scan-rust@main with: asset_prefix: 'atc-router' - token: ${{ secrets.GITHUB_TOKEN }} ``` \ No newline at end of file diff --git a/code-check-actions/rustcheck/action.yml b/security-actions/scan-rust/action.yml similarity index 56% rename from code-check-actions/rustcheck/action.yml rename to security-actions/scan-rust/action.yml index 625c4d81..1c57a862 100644 --- a/code-check-actions/rustcheck/action.yml +++ b/security-actions/scan-rust/action.yml 
@@ -1,5 +1,5 @@ -name: Rust Source Code Lints -description: Rust linting and SCA using grype on specified rust source code +name: Rust SCA +description: Rust SCA using grype author: 'Kong' inputs: asset_prefix: @@ -18,9 +18,14 @@ inputs: options: - 'true' - 'false' - token: - description: 'Github token to annotate files with findings' - required: true + codeql_upload: + description: 'Toggle to upload results to Github code scanning for public repositories' + required: false + default: true + type: choice + options: + - 'true' + - 'false' outputs: grype-json-report: @@ -33,11 +38,6 @@ outputs: runs: using: composite steps: - - - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f - with: - toolchain: stable - components: clippy - name: Set Scan Job Metadata shell: bash 
@@ -47,43 +47,6 @@ runs: ASSET_PREFIX: ${{ inputs.asset_prefix }} run: $GITHUB_ACTION_PATH/scripts/scan-metadata.sh - - uses: Swatinem/rust-cache@v1 - - # - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b - # continue-on-error: true - # with: - # command: install - # args: "clippy-sarif sarif-fmt" - - # - name: Run Cargo Clippy - # shell: bash - # continue-on-error: true - # run: | - # cargo clippy --manifest-path ${{ steps.meta.outputs.manifest_path }} --message-format=json -- -W clippy::correctness -W clippy::cargo -W clippy::pedantic | clippy-sarif | tee rust_clippy_${{github.sha}}.sarif | sarif-fmt - - # - name: Upload Rust Linting SARIF file to CodeQL - # if: ${{ github.event.repository.visibility == 'public' }} - # uses: github/codeql-action/upload-sarif@v2 - # with: - # sarif_file: rust_clippy_${{github.sha}}.sarif - # category: clippy_rust - - - uses: actions-rs/clippy-check@v1 - continue-on-error: true - with: - token: ${{ inputs.token }} - args: --manifest-path ${{ steps.meta.outputs.manifest_path }} -- -W clippy::correctness -W clippy::cargo -W clippy::pedantic - name: Rust Clippy Report - - # - name: Upload Rust Linting results to workflow - # if: always() - # uses: actions/upload-artifact@v3 - # with: - # name: rust_clippy_results.sarif - # path: | - # rust_clippy_${{github.sha}}.sarif - # if-no-files-found: warn - # Don't fail during report generation - name: Vulnerability analysis of SBOM uses: anchore/scan-action@v3.3.5 @@ -96,8 +59,8 @@ runs: severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }} add-cpes-if-none: true - - name: Upload SARIF CVE analysis file to CodeQL - if: ${{ always() && github.event.repository.visibility == 'public' }} + - name: Publish SARIF to github code scanning + if: ${{ always() && inputs.codeql_upload == 'true' && github.event.repository.visibility == 'public' }} continue-on-error: true uses: github/codeql-action/upload-sarif@v2 with: 
@@ -111,7 +74,7 @@ runs: run: | mv ${{ steps.scan.outputs.sarif }} ${{ steps.meta.outputs.grype_sarif_file }} - - name: Upload grype analysis report + - name: Publish SARIF to github workflow artifact if: always() uses: actions/upload-artifact@v3 with: @@ -130,9 +93,3 @@ runs: output-format: table fail-build: ${{ steps.meta.outputs.global_enforce_build_failure == 'true' && steps.meta.outputs.global_enforce_build_failure || inputs.fail_build }} severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }} - - # # Rust Clippy - Linting report - # - name: Rust Linting Report - SARIF - # shell: bash - # run: | - # cat rust_clippy_${{github.sha}}.sarif diff --git a/code-check-actions/rustcheck/scripts/scan-metadata.sh b/security-actions/scan-rust/scripts/scan-metadata.sh similarity index 94% rename from code-check-actions/rustcheck/scripts/scan-metadata.sh rename to security-actions/scan-rust/scripts/scan-metadata.sh index 24eb18be..8338ecfa 100755 --- a/code-check-actions/rustcheck/scripts/scan-metadata.sh +++ b/security-actions/scan-rust/scripts/scan-metadata.sh @@ -15,7 +15,6 @@ fi if [[ -n ${DIR} ]]; then echo "scan_dir=${DIR}" >> $GITHUB_OUTPUT - echo "manifest_path=${DIR}/Cargo.toml" >> $GITHUB_OUTPUT fi if [[ -n ${ASSET_PREFIX} ]]; then From 290c6903ba9a62fa7144b80e62d6dddc561e2b8d Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Mon, 26 Jun 2023 13:04:32 -0500 Subject: [PATCH 04/18] move semgrep to security-actions (#47) --- .github/workflows/semgrep.yml | 2 +- {code-check-actions => security-actions}/semgrep/README.md | 2 +- {code-check-actions => security-actions}/semgrep/action.yml | 0 3 files changed, 2 insertions(+), 2 deletions(-) rename {code-check-actions => security-actions}/semgrep/README.md (91%) rename {code-check-actions => security-actions}/semgrep/action.yml (100%) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index c56bf056..0348af04 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml 
@@ -30,7 +30,7 @@ jobs: repository: ${{env.TEST_REPOSITORY}} token: ${{secrets.GITHUB_TOKEN}} path: ${{env.TEST_REPOSITORY}} - - uses: ./code-check-actions/semgrep + - uses: ./security-actions/semgrep with: additional_config: '--config p/rust' codeql_upload: false diff --git a/code-check-actions/semgrep/README.md b/security-actions/semgrep/README.md similarity index 91% rename from code-check-actions/semgrep/README.md rename to security-actions/semgrep/README.md index aac98d75..06d66db8 100644 --- a/code-check-actions/semgrep/README.md +++ b/security-actions/semgrep/README.md @@ -33,7 +33,7 @@ jobs: steps: - uses: actions/checkout@v3 - - uses: Kong/public-shared-actions/code-check-actions/semgrep@main + - uses: Kong/public-shared-actions/security-actions/semgrep@main with: additional_config: '--config p/rust' diff --git a/code-check-actions/semgrep/action.yml b/security-actions/semgrep/action.yml similarity index 100% rename from code-check-actions/semgrep/action.yml rename to security-actions/semgrep/action.yml From 33449c46c6766a3d3c8f167cc383381225862b36 Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Mon, 26 Jun 2023 13:58:14 -0500 Subject: [PATCH 05/18] reporting check result shouldn't be based on test results (#48) --- code-check-actions/lua-lint/action.yml | 1 + code-check-actions/rust-lint/action.yml | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/code-check-actions/lua-lint/action.yml b/code-check-actions/lua-lint/action.yml index bb445d27..f83d4353 100644 --- a/code-check-actions/lua-lint/action.yml +++ b/code-check-actions/lua-lint/action.yml @@ -49,5 +49,6 @@ runs: check_name: Luacheck Report comment_mode: always action_fail: false + fail_on: 'nothing' # Explicitly don't fail reporting check based on test results diff --git a/code-check-actions/rust-lint/action.yml b/code-check-actions/rust-lint/action.yml index 6484b7e3..bd1886a9 100644 --- a/code-check-actions/rust-lint/action.yml +++ b/code-check-actions/rust-lint/action.yml 
@@ -32,7 +32,8 @@ runs: continue-on-error: true with: token: ${{ inputs.token }} - args: --manifest-path ${{ steps.meta.outputs.manifest_path }} -- -W clippy::correctness -W clippy::cargo -W clippy::pedantic + # Explicitly report all findings as warnings to not fail the reporiting status check + args: --manifest-path ${{ steps.meta.outputs.manifest_path }} -- -W clippy::correctness -W clippy::cargo -W clippy::suspicious -W clippy::style name: Rust Clippy Report # - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b From 92fb10ede738f04f917230d01da70ec0c69ce4b3 Mon Sep 17 00:00:00 2001 From: ValeryG Date: Tue, 27 Jun 2023 11:01:51 -0600 Subject: [PATCH 06/18] fix: cleanup starting with newer PR versions [KHCP-7461] (#44) --- pr-previews/cleanup/action.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pr-previews/cleanup/action.yml b/pr-previews/cleanup/action.yml index 796695f5..5c6b6834 100644 --- a/pr-previews/cleanup/action.yml +++ b/pr-previews/cleanup/action.yml @@ -26,7 +26,11 @@ runs: # get the list of the "-pr." published version for the packages pkgDetails=$(npm view "${pkgName}" --json) - prVersions=($(echo ${pkgDetails}| jq -r '.versions' | grep '\-pr.'| sed 's/[,\"]//g')) + prVersions=($(echo ${pkgDetails}| jq -r '.versions' | grep '\-pr.'| tac | sed 's/[,\"]//g')) + if [[ -z "${prVersions}" ]]; then + echo "No preview versions found, exiting..." + exit 0 + fi distTags=$(echo ${pkgDetails}|jq -r '."dist-tags"') @@ -43,7 +47,7 @@ runs: echo "${pkgName}@${verToRemove}" prNumber=$(echo ${verToRemove} | sed 's/.*\-pr\.//g'| cut -d'.' -f 1) - if [[ ! -z $(echo ${openPRs} | grep "\"${prNumber}\"") ]]; then + if [[ ! -z $(echo ${openPRs} | sed 's/\"//g'| sed 's/\[/,/g' | sed 's/\]/,/g' | grep ",${prNumber},") ]]; then if [[ ! -z $(echo ${distTags}|grep "${verToRemove}") ]]; then echo "${pkgName}@${verToRemove}: belongs to open PR and tagged as PR preview, skip..." continue 
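Review bot: The new open-PR membership test rewrites `[`/`]` to commas and then greps for `,${prNumber},`, which correctly stops `12` from matching `123`, but it only works if the `openPRs` list has no whitespace between elements: on an input like `["12", "34"]` (constructed) the pipeline yields `,12, 34,` and `,34,` no longer matches, so a version belonging to an open PR would be treated as removable. Inferring the list is JSON produced upstream, deleting spaces in the same pass — `sed 's/[\" ]//g'` in place of `sed 's/\"//g'` — makes the match independent of formatting. The `run:` block this check sits in starts and ends outside the hunk.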
From 4517bad0f9414091f830ddc739cfc3df214d903a Mon Sep 17 00:00:00 2001 From: Mike Swierenga Date: Tue, 27 Jun 2023 14:13:13 -0400 Subject: [PATCH 07/18] fix(build-js-sdk): hardcode src as the output directory (#49) --- code-build-actions/build-js-sdk/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-build-actions/build-js-sdk/action.yaml b/code-build-actions/build-js-sdk/action.yaml index 994ec42f..09160baf 100644 --- a/code-build-actions/build-js-sdk/action.yaml +++ b/code-build-actions/build-js-sdk/action.yaml @@ -50,7 +50,7 @@ runs: shell: bash working-directory: ${{inputs.sdk_output_directory}} run: | - openapi-generator-cli generate --generator-key client + openapi-generator-cli generate --generator-key client -o src - name: "Clean up generator files" shell: bash working-directory: ${{inputs.sdk_output_directory}}/src From 3d93b96af46a4f38d62cb65ab0c221aa3531522c Mon Sep 17 00:00:00 2001 From: Andrew Wylde Date: Mon, 3 Jul 2023 11:04:29 -0700 Subject: [PATCH 08/18] fix: use input string instead of boolean (#50) Co-authored-by: Adam DeHaven <2229946+adamdehaven@users.noreply.github.com> --- .github/workflows/build-sdk-js.yml | 2 +- README.md | 14 ++++++++++++++ code-build-actions/build-js-sdk/README.md | 2 +- code-build-actions/build-js-sdk/action.yaml | 4 ++-- 4 files changed, 18 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-sdk-js.yml b/.github/workflows/build-sdk-js.yml index d0c8d0be..65360566 100644 --- a/.github/workflows/build-sdk-js.yml +++ b/.github/workflows/build-sdk-js.yml @@ -25,7 +25,7 @@ jobs: path: ${{github.workspace}}/sdk - uses: ./code-build-actions/build-js-sdk with: - dry-run: true + dry-run: 'true' app_directory: ${{ github.workspace }} sdk_output_directory: ${{github.workspace}}/sdk token: ${{secrets.GITHUB_TOKEN}} diff --git a/README.md b/README.md index 5e0684e0..8b8ddab3 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,16 @@ # public-shared-actions Shared actions available to both public and private repositories + +## Usage + + ```yaml + - uses: Kong/public-shared-actions/@ + ``` + + For example: + + ```yaml + - uses: Kong/public-shared-actions/code-build-actions/build-js-sdk@v1.6.0 + ``` + + \ No newline at end of file diff --git a/code-build-actions/build-js-sdk/README.md b/code-build-actions/build-js-sdk/README.md index 7a740d42..9a19e0c4 100644 --- a/code-build-actions/build-js-sdk/README.md +++ b/code-build-actions/build-js-sdk/README.md @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Build JS SDK - uses: Kong/public-shared-actions/build-js-sdk@main + uses: Kong/public-shared-actions/code-build-actions/build-js-sdk ``` diff --git a/code-build-actions/build-js-sdk/action.yaml b/code-build-actions/build-js-sdk/action.yaml index 09160baf..a2029711 100644 --- a/code-build-actions/build-js-sdk/action.yaml +++ b/code-build-actions/build-js-sdk/action.yaml @@ -5,7 +5,7 @@ inputs: dry-run: description: 'If true, the action will not push the changes to the PR' required: false - default: false + default: 'false' token: description: 'A Github Token' required: true @@ -58,7 +58,7 @@ runs: rm -rf openapitools.json templates-js .openapi-generator-ignore .openapi-generator git_push.sh - name: Commit SDK changes to the PR uses: EndBug/add-and-commit@v9 - if: ${{ !inputs.dry-run }} + if: ${{ inputs.dry-run != 'true' }} with: cwd: ${{inputs.sdk_output_directory}} add: src From 1c1db81d4bc99d8c87058fba34203419a0fd0604 Mon Sep 17 00:00:00 2001 From: Zachary Hu <6426329+outsinre@users.noreply.github.com> Date: Thu, 6 Jul 2023 22:30:46 +0800 Subject: [PATCH 09/18] feat: ingore unfixed for trivy image scan (#51) --- security-actions/scan-docker-image/action.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml index 63539764..93a2541d 100644 
--- a/security-actions/scan-docker-image/action.yml +++ b/security-actions/scan-docker-image/action.yml @@ -6,7 +6,7 @@ inputs: description: 'prefix for generated scan artifacts' required: false default: '' - dir: + dir: description: 'Speicify a directory to be scanned. This is mutually exclusive to file and image' required: false default: '' @@ -92,7 +92,7 @@ runs: with: image: ${{ steps.meta.outputs.scan_image }} registry-username: ${{ inputs.registry_username }} - registry-password: ${{ inputs.registry_password }} + registry-password: ${{ inputs.registry_password }} path: ${{ steps.meta.outputs.scan_dir }} file: ${{ steps.meta.outputs.scan_file }} format: cyclonedx-json @@ -101,14 +101,14 @@ runs: upload-artifact: true upload-release-assets: false dependency-snapshot: false - + - name: Check SBOM files existence uses: andstor/file-existence-action@v2 id: sbom_report with: files: "${{ steps.meta.outputs.sbom_spdx_file }}, ${{ steps.meta.outputs.sbom_cyclonedx_file }}" fail: true - + # Don't fail during report generation - name: Vulnerability analysis of SBOM uses: anchore/scan-action@v3.3.5 @@ -131,14 +131,14 @@ runs: output-format: json fail-build: 'false' severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }} - + - name: Check vulnerability analysis report existence uses: andstor/file-existence-action@v2 id: grype_report with: files: "${{ steps.grype_analysis_sarif.outputs.sarif }}, ${{ steps.grype_analysis_json.outputs.json }}" fail: true - + # Grype CVE Action generates an ./results.sarif or ./results.report and no way to customize output file name # Hack to increase readability of grype artifacts attached to workflows and releases - name: Rename grype analysis report 
@@ -146,15 +146,15 @@ runs: run: | mv ${{ steps.grype_analysis_sarif.outputs.sarif }} ${{ steps.meta.outputs.grype_sarif_file }} mv ${{ steps.grype_analysis_json.outputs.json }} ${{ steps.meta.outputs.grype_json_file }} - + - name: Upload grype analysis report uses: actions/upload-artifact@v3 with: name: ${{ steps.meta.outputs.grype_sarif_file }} path: | ${{ steps.meta.outputs.grype_sarif_file }} - if-no-files-found: warn - + if-no-files-found: warn + # Upload grype cve reports - name: Upload grype analysis report uses: actions/upload-artifact@v3 @@ -175,7 +175,7 @@ runs: id: cis_json with: entrypoint: trivy - args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f json --severity ${{ env.severity }} -o ${{ steps.meta.outputs.cis_json_file }}" + args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f json --severity ${{ env.severity }} --ignore-unfixed -o ${{ steps.meta.outputs.cis_json_file }}" env: compliance: docker-cis severity: ${{ steps.meta.outputs.global_severity_cutoff }} @@ -205,7 +205,7 @@ runs: uses: docker://ghcr.io/aquasecurity/trivy:0.37.2 with: entrypoint: trivy - args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f table --severity ${{ env.severity }} --exit-code ${{ env.exit-code }}" + args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f table --severity ${{ env.severity }} --ignore-unfixed --exit-code ${{ env.exit-code }}" env: exit-code: ${{ (steps.meta.outputs.global_enforce_build_failure == 'true' || inputs.fail_build == 'true') && '1' || '0' }} compliance: docker-cis From 052816facfea621ca1d555d69fb84cd9b4c446ec Mon Sep 17 00:00:00 2001 
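Review bot: `--ignore-unfixed` is added unconditionally to both trivy invocations, so CVEs that currently have no upstream fix disappear from the JSON compliance report as well as from the table run that gates the build via `--exit-code`; consumers lose visibility of them rather than just being spared the failure. If the intent is only to stop unfixable findings from breaking builds, keep the flag on the gating (table) run and leave the JSON report complete, or expose it as an input such as `ignore_unfixed` (default `'true'`) and interpolate `${{ inputs.ignore_unfixed == 'true' && '--ignore-unfixed' || '' }}` into `args`. A one-line comment above each `args:` stating that unfixed CVEs are excluded would at least make the report's scope explicit. Both steps' `with:`/`env:` blocks extend beyond the hunk.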
From: Adam DeHaven <2229946+adamdehaven@users.noreply.github.com> Date: Tue, 11 Jul 2023 11:38:46 -0400 Subject: [PATCH 10/18] fix(validate): check all pr formats (#52) * fix(validate): check all pr formats * chore: update codeowners --- CODEOWNERS | 3 ++- pr-previews/validate/action.yaml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 175cca76..6ebacd5d 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,3 +1,4 @@ * @Kong/team-shared-actions-reviewers -security-actions/ @Kong/team-security-engineering \ No newline at end of file +security-actions/ @Kong/team-security-engineering +pr-previews/ @adamdehaven @ValeryG @Drew-Kimberly diff --git a/pr-previews/validate/action.yaml b/pr-previews/validate/action.yaml index 00841ccc..f0f8d5e6 100644 --- a/pr-previews/validate/action.yaml +++ b/pr-previews/validate/action.yaml @@ -11,7 +11,7 @@ runs: for pkg in $(find ./ -name package.json ! -path '*/node_modules/*' ! -path '*/__template__/*') do - inPackage=$(jq -r '{dependencies: .dependencies, devDependencies: .devDependencies, peerDependencies: .peerDependencies}' ${pkg} | jq .[] | cut -d":" -f2|grep -E "\-pr\.[0-9]+\." || true) + inPackage=$(jq -r '{dependencies: .dependencies, devDependencies: .devDependencies, peerDependencies: .peerDependencies}' ${pkg} | jq '.[]' | cut -d":" -f2 | grep -E "(\-pr\.[0-9]+\.|@pr\-[0-9]+)" || true) if [[ "${inPackage}" != "" ]]; then if [[ "${previewPkgsDetected}" != "" ]]; then previewPkgsDetected="${previewPkgsDetected}\n" From f8a85a55e79832daf2f233afb5fe27c895cddd1f Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Tue, 11 Jul 2023 10:45:49 -0500 Subject: [PATCH 11/18] chore(ci): update codeowner (#53) --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) diff --git a/CODEOWNERS b/CODEOWNERS index 6ebacd5d..6ecdfa7a 100644 --- a/CODEOWNERS +++ b/CODEOWNERS 
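Review bot: `cut -d":" -f2` keeps only the second colon-separated field of each `"name": "spec"` line, so a dependency spec that itself contains a colon — an npm alias such as `"foo": "npm:bar@pr-12"` (constructed) — is truncated to ` "npm` before the new `@pr\-[0-9]+` alternative can see it, and that preview reference slips through the validation. `cut -d":" -f2-` (trailing dash) keeps the rest of the line so the regex is applied to the whole spec. The `for pkg` loop this line belongs to continues outside the hunk.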
@@ -2,3 +2,4 @@ security-actions/ @Kong/team-security-engineering pr-previews/ @adamdehaven @ValeryG @Drew-Kimberly +code-check-actions/ @Kong/team-security-engineering From 44c347d8ff724739eba33159fbd3cf69c7ac3993 Mon Sep 17 00:00:00 2001 From: Devon Langendoerfer Date: Thu, 13 Jul 2023 12:26:41 -0700 Subject: [PATCH 12/18] remove commit step from composite action (#54) --- code-build-actions/build-js-sdk/action.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/code-build-actions/build-js-sdk/action.yaml b/code-build-actions/build-js-sdk/action.yaml index a2029711..67efedb9 100644 --- a/code-build-actions/build-js-sdk/action.yaml +++ b/code-build-actions/build-js-sdk/action.yaml @@ -56,11 +56,3 @@ runs: working-directory: ${{inputs.sdk_output_directory}}/src run: | rm -rf openapitools.json templates-js .openapi-generator-ignore .openapi-generator git_push.sh - - name: Commit SDK changes to the PR - uses: EndBug/add-and-commit@v9 - if: ${{ inputs.dry-run != 'true' }} - with: - cwd: ${{inputs.sdk_output_directory}} - add: src - default_author: github_actions - message: Update SDK based on openapi.yaml changes From bc77fa65f43dfb6b3ef0b9d258c02faf5892aab1 Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Mon, 24 Jul 2023 13:18:34 -0500 Subject: [PATCH 13/18] chore(ci): configurable failure mode for semgrep (#55) * chore(ci): configurable failure mode for semgrep chore(ci): document action outcome for linters * Fix semgrep error msg text --- .github/workflows/semgrep.yml | 1 + code-check-actions/lua-lint/README.md | 9 ++------- code-check-actions/rust-lint/README.md | 10 ++++++++-- security-actions/semgrep/README.md | 9 +++++++++ security-actions/semgrep/action.yml | 21 ++++++++++++++++----- 5 files changed, 36 insertions(+), 14 deletions(-) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 0348af04..b16daf01 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml 
@@ -34,4 +34,5 @@ jobs: with: additional_config: '--config p/rust' codeql_upload: false + fail_on_findings: true diff --git a/code-check-actions/lua-lint/README.md b/code-check-actions/lua-lint/README.md index 07b516a8..eff376c7 100644 --- a/code-check-actions/lua-lint/README.md +++ b/code-check-actions/lua-lint/README.md @@ -6,12 +6,6 @@ This action analyzes all changed lua files using [lunarmodules/luacheck](https:/ This action looks for any `cli` arguments and a deafult `.luacheckrc` config to derive the final configuaration as mentioned in [docs](https://luacheck.readthedocs.io/en/stable/cli.html#command-line-options) -## User tracking - -Currently, these repos are using this action: - -[] - ## Inputs ```yaml @@ -24,8 +18,9 @@ additional_args: ## Outputs - Depending on the event, refer [publishing](https://github.com/EnricoMi/publish-unit-test-result-action#publishing-test-results) -## Action status +## Action Output - Always exit with 0 even when there are warnings / errors and be non-blocking +- The failure mode of build is not configurable based on shared action outcome ## Example usage diff --git a/code-check-actions/rust-lint/README.md b/code-check-actions/rust-lint/README.md index ba2bdab1..fa2fd4de 100644 --- a/code-check-actions/rust-lint/README.md +++ b/code-check-actions/rust-lint/README.md @@ -17,9 +17,15 @@ manifest_dir: ``` ## Outputs: -- Push: Commit check summary -- PR: Github check Summary and PR annotations +- All Clippy Findings are reported as `Warnings` on the github check `Rust Clippy Report` + +- On Push: Commit check summary +- On PR: Github check Summary and PR annotations + +## Action Output +- Report findings as warnings and be non-blocking +- The failure mode of build is not configurable based on shared action outcome ## Detailed example diff --git a/security-actions/semgrep/README.md b/security-actions/semgrep/README.md index 06d66db8..6c8dc4be 100644 --- a/security-actions/semgrep/README.md +++ b/security-actions/semgrep/README.md 
@@ -4,6 +4,15 @@ This action uses Semgrep CI command to scan all supported platforms on a specifi The action runs the following: - Self detects config rules from semgrep registry +- Applies any additional arguments / configuration rules passed to semgrep +- Provides a optional input to fail downstream builds based on semgrep findings + +## Action Output +- Report Semgrep Finding Summary as Console output +- Report Findings + - Private repositories: workflow artifact file + - Public repositories: Github Security tab +- The failure mode of build is configurable based on shared action outcome ## Detailed example ```yaml diff --git a/security-actions/semgrep/action.yml b/security-actions/semgrep/action.yml index 7ff84844..8494a402 100644 --- a/security-actions/semgrep/action.yml +++ b/security-actions/semgrep/action.yml @@ -14,15 +14,24 @@ inputs: options: - 'true' - 'false' + fail_on_findings: + description: 'Fail build / job on semgrep findings/errors' + required: false + default: false + type: choice + options: + - 'true' + - 'false' runs: using: 'composite' steps: - name: SAST Scan uses: docker://returntocorp/semgrep + id: semgrep continue-on-error: true with: - args: "semgrep ci --config auto --sarif -o semgrep_${{github.sha}}.sarif --suppress-errors --no-autofix ${{ inputs.additional_config }}" + args: "semgrep ci --config auto --sarif -o semgrep_${{github.sha}}.sarif --no-autofix ${{ inputs.additional_config }}" # Upload grype cve reports - name: Upload Semgrep SARIF to Workflow 
@@ -44,7 +53,9 @@ runs: # Used to differentiate multiple results for one commit category: sast_semgrep - # - name: Print SAST results - SARIF - # shell: bash - # run: | - # cat semgrep_${{github.sha}}.sarif + - name: Fail on findings + if: ${{ always() && inputs.fail_on_findings == 'true' && steps.semgrep.outcome == 'failure' }} + shell: bash + run: | + echo "::error::Semgrep has detected findings. For findings, check workflow artifact: semgrep_sast.zip / Github Security analysis" + exit 1 From c283a28ac0159a9d5960b3c22816e21fb8e4b777 Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Mon, 24 Jul 2023 13:23:59 -0500 Subject: [PATCH 14/18] non blocking semgrep workflow test (#56) --- .github/workflows/semgrep.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index b16daf01..38ba402b 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -34,5 +34,5 @@ jobs: with: additional_config: '--config p/rust' codeql_upload: false - fail_on_findings: true + fail_on_findings: false From 28046231055b99899d55d32eda2a5f4a6075db36 Mon Sep 17 00:00:00 2001 From: "Qirui(Keery) Nie" Date: Wed, 16 Aug 2023 02:05:40 +0800 Subject: [PATCH 15/18] fix(lint): does not specify global standard in luacheck command line arguments (#57) --- code-check-actions/lua-lint/action.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-check-actions/lua-lint/action.yml b/code-check-actions/lua-lint/action.yml index f83d4353..1f4b0b44 100644 --- a/code-check-actions/lua-lint/action.yml +++ b/code-check-actions/lua-lint/action.yml @@ -10,7 +10,7 @@ inputs: description: 'List of files, directories and rockspecs to check' required: false default: '.' # Scans workspace dir - + runs: using: composite steps: 
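Review bot: The new gate is conditioned on `always()`, which makes the step run — and fail the job with the findings error — even when the job was cancelled; GitHub's guidance for "run regardless of earlier step failure" is `!cancelled()`, i.e. `if: ${{ !cancelled() && inputs.fail_on_findings == 'true' && steps.semgrep.outcome == 'failure' }}`. The SARIF upload steps in the semgrep and scan-rust hunks of patch 3 use the same `always() && ...` shape and would benefit from the same change. The scan step runs `docker://returntocorp/semgrep` with no tag or digest, so once a consumer enables this gate a new image release can silently change which findings block the build; pinning the image makes the gate reproducible. The `fail_on_findings` input this step reads is declared in the previous hunk.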
@@ -19,8 +19,8 @@ runs: uses: lunarmodules/luacheck@fcbdeacad00e643e0d78c56b9ba6d8b3c7fa584f continue-on-error: true with: - args: "${{ inputs.additional_args }} -c --codes --ranges --formatter JUnit -q ${{ inputs.files }} > luacheck_${{github.sha}}.xml" - + args: "${{ inputs.additional_args }} --codes --ranges --formatter JUnit -q ${{ inputs.files }} > luacheck_${{github.sha}}.xml" + - name: Upload results to workflow if: always() uses: actions/upload-artifact@v3 @@ -32,7 +32,7 @@ runs: # - name: Print Luacheck results # shell: bash -# run: | +# run: | # cat luacheck_${{github.sha}}.xml # when using the regular GITHUB_TOKEN, the check-run created by this step will be assigned to a @@ -51,4 +51,4 @@ runs: action_fail: false fail_on: 'nothing' # Explicitly don't fail reporting check based on test results - + From 3c05dce1fddb81fa49b2eb6c57e613be238bb917 Mon Sep 17 00:00:00 2001 From: ValeryG Date: Wed, 16 Aug 2023 16:30:25 -0600 Subject: [PATCH 16/18] feat: limit cleanup to versions created in last X days [KHCP-7885] (#58) --- pr-previews/cleanup/action.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pr-previews/cleanup/action.yml b/pr-previews/cleanup/action.yml index 5c6b6834..6a3b989e 100644 --- a/pr-previews/cleanup/action.yml +++ b/pr-previews/cleanup/action.yml @@ -4,6 +4,9 @@ inputs: package: description: Package to cleanup PR versions required: true + days: + description: Only clean up the versions that are days-to-cleanup newer + default: 40 openPRs: description: List of open PRs in the repo 
@@ -21,12 +24,15 @@ runs: echo "package: ${pkgName}" echo "openPRs: ${openPRs}" + oldestDate=$(date -d '-${{ inputs.days }} day' +%s) + echo "oldestDate:${oldestDate}" + current=1 canDelete="true" # get the list of the "-pr." published version for the packages pkgDetails=$(npm view "${pkgName}" --json) - prVersions=($(echo ${pkgDetails}| jq -r '.versions' | grep '\-pr.'| tac | sed 's/[,\"]//g')) + prVersions=($(echo ${pkgDetails} | jq -r '.time' | jq -r 'to_entries' | jq --arg jq_oldestDate ${oldestDate} '[.[] | select(.value |.[0:19] +"Z" | fromdateiso8601 > ($jq_oldestDate|tonumber))]' | jq '[.[] | .key]'| grep "\-pr." | tac | sed 's/[,\"]//g')) if [[ -z "${prVersions}" ]]; then echo "No preview versions found, exiting..." exit 0 From 32dac54b94ba0e1c2d1ab7e9c78543dc8ad358d5 Mon Sep 17 00:00:00 2001 From: ValeryG Date: Thu, 17 Aug 2023 07:30:45 -0600 Subject: [PATCH 17/18] fix: do not attempt to proceed already removed version [KHCP-7885] (#59) --- pr-previews/cleanup/action.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/pr-previews/cleanup/action.yml b/pr-previews/cleanup/action.yml index 6a3b989e..f5c9fc6f 100644 --- a/pr-previews/cleanup/action.yml +++ b/pr-previews/cleanup/action.yml @@ -47,6 +47,11 @@ runs: echo " " echo "$((current++))/${total}" + if [[ -z "$(echo ${pkgDetails} | jq -r '.versions'|grep ${verToRemove})" ]]; then + echo "Version already removed, skip..." + continue + fi + verDetails=$(npm view "${pkgName}@${verToRemove}" --json) # validate that the version doesn't belong to open PR From 1c13057ab7d056e218693af49f19f01ecb209b50 Mon Sep 17 00:00:00 2001 
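Review bot: `oldestDate=$(date -d '-${{ inputs.days }} day' +%s)` expands the `days` input straight into the shell script, so a caller that sets `days` from untrusted data can inject commands, and a non-numeric or empty value makes `date` fail and leaves `oldestDate` empty, which then reaches `jq --arg jq_oldestDate ${oldestDate}` unquoted and most likely mis-parses the jq invocation instead of producing a clear error. Pass the value through the step's `env:` (`DAYS: ${{ inputs.days }}`, which sits outside this hunk) and validate it before use: `[[ "${DAYS}" =~ ^[0-9]+$ ]] || { echo "::error::days must be a non-negative integer"; exit 1; }` followed by `oldestDate=$(date -d "-${DAYS} day" +%s)`. The `run:` script this hunk belongs to starts before and continues after the hunk.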
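Review bot: The new guard `grep ${verToRemove}` runs an unquoted, unanchored regex over the JSON `.versions` array, so the dots in a version match any character and `1.2.3-pr.45.0` is also "found" in `1.2.3-pr.45.01` or `11.2.3-pr.45.0`; in that case the skip never fires and the loop falls through to `npm view` on a version that no longer exists, which is exactly what this commit set out to avoid. A fixed-string membership test avoids both problems, e.g. `if ! echo "${pkgDetails}" | jq -e --arg v "${verToRemove}" '.versions | index($v) != null' >/dev/null; then`. Note that `pkgDetails` is fetched once before the loop (above this hunk), so the check reflects the registry state at the start of the run; the "already removed" wording suggests the `.time` map used to build `prVersions` still lists versions that `.versions` no longer has, and a comment stating that would make the guard's purpose clear to the next maintainer.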
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 09:51:23 -0500 Subject: [PATCH 18/18] github-actions(deps): bump anchore/scan-action (#42) Bumps [anchore/scan-action](https://github.com/anchore/scan-action) from 3.3.5 to 3.3.6. - [Release notes](https://github.com/anchore/scan-action/releases) - [Changelog](https://github.com/anchore/scan-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/anchore/scan-action/compare/v3.3.5...v3.3.6) --- updated-dependencies: - dependency-name: anchore/scan-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: saisatishkarra --- security-actions/scan-docker-image/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml index 93a2541d..8c6c048c 100644 --- a/security-actions/scan-docker-image/action.yml +++ b/security-actions/scan-docker-image/action.yml @@ -111,7 +111,7 @@ runs: # Don't fail during report generation - name: Vulnerability analysis of SBOM - uses: anchore/scan-action@v3.3.5 + uses: anchore/scan-action@v3.3.6 id: grype_analysis_sarif if: ${{ steps.sbom_report.outputs.files_exists == 'true' }} with: @@ -123,7 +123,7 @@ runs: # Don't fail during report generation # JSON format will report any ignored rules - name: Vulnerability analysis of SBOM - uses: anchore/scan-action@v3.3.5 + uses: anchore/scan-action@v3.3.6 id: grype_analysis_json if: ${{ steps.sbom_report.outputs.files_exists == 'true' }} with: 
@@ -193,7 +193,7 @@ runs: # Notify grype quick scan results in table format # Table format will supress any specified ignore rules - name: Inspect Vulnerability analysis of SBOM - uses: anchore/scan-action@v3.3.5 + uses: anchore/scan-action@v3.3.6 if: ${{ steps.sbom_report.outputs.files_exists == 'true' }} with: sbom: ${{ steps.meta.outputs.sbom_spdx_file }}