3.1.288 #321
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: daily-build-and-scan | |
| #on: | |
| # schedule: | |
| # - cron: "0 0 * * *" | |
| #- cron: "*/10 * * * *" | |
| on: | |
| release: | |
| types: [published] | |
| env: | |
| CURRENT_VERSION_TAG: "7.4.8" | |
| #github.event.repository.name is a special environment variable that gives us the repo name. There isn't great documentation on it. | |
| IMAGE_NAME: ${{ vars.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:latest | |
| MITRE_SAF_VERSION: "1.4.16" | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - | |
| name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| name: Build image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| push: true | |
| tags: ${{ vars.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:${{ env.CURRENT_VERSION_TAG }}, ${{ vars.DOCKERHUB_USERNAME }}/${{ github.event.repository.name }}:latest | |
| labels: ${{ steps.meta.outputs.labels }} | |
| scap: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| container: | |
| image: alpine:3.20.3@sha256:1e42bbe2508154c9126d48c2b8a75420c3544343bf86fd041fb7527e017a4b4a | |
| env: | |
| SCAP_SECURITY_GUIDE_VERSION: "0.1.75" | |
| WOLFI_STIG_VERSION: "0.1.2" | |
| SSG_DIR: "ssg" | |
| TOOL: "openscap" | |
| OUTPUT_NAME: "openscap-results" | |
| steps: | |
| - | |
| name: Install prerequisites | |
| run: | | |
| set -eu | |
| apk add curl docker jq openscap-docker npm gcompat unzip git | |
| npm install -g "@mitre/saf@${{ env.MITRE_SAF_VERSION }}" | |
| mkdir -p "${{ env.SSG_DIR}}" | |
| curl "https://github.com/ComplianceAsCode/content/releases/download/v${SCAP_SECURITY_GUIDE_VERSION}/scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}.zip" -Lso "${SSG_DIR}/ssg.zip" | |
| curl "https://github.com/chainguard-dev/stigs/archive/refs/tags/v${WOLFI_STIG_VERSION}.zip" -Lso "${SSG_DIR}/wolfi.zip" | |
| unzip "${SSG_DIR}/ssg.zip" -d "${SSG_DIR}" | |
| unzip "${SSG_DIR}/wolfi.zip" -d "${SSG_DIR}" | |
| - | |
| name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # - | |
| # name: Login to Docker Hub | |
| # uses: docker/login-action@v3 | |
| # with: | |
| # registry: ${{ secrets.REPO_FQDN }} | |
| # username: ${{ secrets.REPO_USERNAME }} | |
| # password: ${{ secrets.REPO_TOKEN }} | |
| # oscap-docker requires the image to have been pulled | |
| # docker pull "${IMAGE_NAME}" | |
| - | |
| name: Pull the docker image to scan | |
| run: | | |
| set -eu | |
| docker pull "${IMAGE_NAME}" | |
| - | |
| name: Run openscap | |
| run: | | |
| set -eu | |
| container_id=$(docker create "${IMAGE_NAME}") | |
| if ! docker export "${container_id}" | tar -tvf - | grep -E '\setc/os-release( ->.*)?$' > /dev/null 2>&1 ; then | |
| >&2 echo "The operating system used by ${IMAGE_NAME} could not be detected." | |
| >&2 echo "Images that are not based on an operating system (such as distroless images) cannot be scanned by SCAP." | |
| exit 1 | |
| fi | |
| docker cp -L "$container_id:/etc/os-release" . | |
| docker rm "$container_id" | |
| unset container_id | |
| set +e | |
| oscap-docker image "${IMAGE_NAME}" xccdf eval --verbose ERROR --fetch-remote-resources --profile "xccdf_basic_profile_.check" --results "${{ env.OUTPUT_NAME }}.xml" --report "${{ env.OUTPUT_NAME }}.html" "${SSG_DIR}/stigs-${WOLFI_STIG_VERSION}/gpos/xml/scap/ssg/content/ssg-chainguard-gpos-ds.xml" | |
| OSCAP_EXIT_CODE=$? | |
| set -e | |
| case "${OSCAP_EXIT_CODE}" in | |
| 0) | |
| echo "All rules passed" | |
| ;; | |
| 1) | |
| >&2 echo "An error occurred during evaluation" | |
| exit 2 | |
| ;; | |
| 2) | |
| echo "There is at least one rule with either fail or unknown result" | |
| ;; | |
| *) | |
| >&2 echo "openscap returned an unexpected exit status of $OSCAP_EXIT_CODE" | |
| exit "$OSCAP_EXIT_CODE" | |
| ;; | |
| esac | |
| - | |
| name: Make the XCCDF into an HDF file | |
| run: | | |
| set -eu | |
| saf convert xccdf_results2hdf -i ${{ env.OUTPUT_NAME }}.xml -o ${{ env.OUTPUT_NAME }}.hdf.json | |
| - | |
| name: Make the HDF file into a CSV | |
| run: | | |
| set -eu | |
| saf convert hdf2csv -i ${{ env.OUTPUT_NAME }}.hdf.json -o ${{ env.OUTPUT_NAME }}.csv | |
| - | |
| name: Upload reports | |
| if: success() || failure() # always run even if the previous step fails | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
| with: | |
| name: openscap-results | |
| path: | | |
| ${{ env.OUTPUT_NAME }}.xml | |
| ${{ env.OUTPUT_NAME }}.hdf.json | |
| ${{ env.OUTPUT_NAME }}.csv | |
| - | |
| name: Clone Reporting Repo | |
| uses: GuillaumeFalourd/[email protected] | |
| with: | |
| depth: 1 | |
| branch: 'main' | |
| owner: ${{ secrets.GH_ACCT }} | |
| repository: ${{ secrets.GH_REPO }} | |
| access-token: ${{ secrets.INTERNAL_PAT }} | |
| - | |
| name: Access cloned repository content | |
| run: | | |
| cp "./${{ env.OUTPUT_NAME }}.csv" "./${{ secrets.GH_REPO }}/${{ github.event.repository.name }}/${{ env.OUTPUT_NAME }}.csv" | |
| cd ./${{ secrets.GH_REPO }}/${{ github.event.repository.name }} | |
| git config --global user.email ${{ secrets.GH_EMAIL }} | |
| git config --global user.name ${{ secrets.GH_NAME }} | |
| git add "${{ env.OUTPUT_NAME }}.csv" | |
| git commit -m "Update ${{ env.TOOL }} results in ${{ github.event.repository.name }}" | |
| - | |
| name: Push to Reporting Repo | |
| run: | | |
| cd ${{ secrets.GH_REPO }} | |
| git remote set-url origin https://x-access-token:${{ secrets.INTERNAL_PAT }}@github.com/${{ secrets.GH_ACCT }}/${{ secrets.GH_REPO }}.git | |
| git push | |
| trufflehog: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| env: | |
| EXPORT_NAME: "build.tar" | |
| DIR_NAME: "build" | |
| TOOL: "trufflehog" | |
| OUTPUT_NAME: "trufflehog-results" | |
| steps: | |
| - | |
| name: Install prerequisites | |
| run: | | |
| set -eu | |
| sudo apt-get install -y npm | |
| npm install -g "@mitre/saf@${{ env.MITRE_SAF_VERSION }}" | |
| sudo curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sudo sh -s -- -b /usr/local/bin | |
| - | |
| name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # - | |
| # name: Login to Docker Hub | |
| # uses: docker/login-action@v3 | |
| # with: | |
| # registry: ${{ secrets.REPO_FQDN }} | |
| # username: ${{ secrets.REPO_USERNAME }} | |
| # password: ${{ secrets.REPO_TOKEN }} | |
| #CONT_ID=$(docker create ${{ env.IMAGE_NAME }}) | |
| #CONT_ID=$(docker create node:8.11) | |
| - | |
| name: Create, export, then extract to the filesystem | |
| run: | | |
| set -eu | |
| mkdir -p ${{ env.DIR_NAME }} | |
| CONT_ID=$(docker create ${{ env.IMAGE_NAME }}) | |
| docker export ${CONT_ID} -o ${{ env.EXPORT_NAME }} | |
| tar --exclude='dev/null' --exclude='dev/random' --exclude='dev/urandom' --exclude='dev/zero' -xvf ${{ env.EXPORT_NAME }} -C ${{ github.workspace }}/${{ env.DIR_NAME }} | |
| - | |
| name: Trufflehog scan | |
| run: | | |
| trufflehog filesystem ${{ github.workspace }}/${{ env.DIR_NAME }} --no-update --only-verified --json --force-skip-archives | grep -wE "\{\"SourceMetadata\":" | jq --slurp . > ${{ env.OUTPUT_NAME }}.json | |
| - | |
| name: Make the Trufflehog JSON into an HDF file OR make a stub file | |
| run: | | |
| set -eu | |
| if grep -zoP '\[\]' trufflehog-results.json; then | |
| echo "NO RESULTS FOUND, CREATING STUB" | |
| echo 'Results Set,Status,ID,Title,Description,Descriptions,Impact,Severity,Code,Check,Fix,800-53 Controls,CCI IDs,Results,Waived,Waiver Data' > ${{ env.OUTPUT_NAME }}.csv | |
| echo "trufflehog-results.hdf.json,Passed,Trufflehog/0000-0000,No findings at this time,This is a stub file generated due to a lack of results from trufflehog because zero issues were found.,,0,N/A,,,\"No fixes needed, good work.\",,,,FALSE," >> ${{ env.OUTPUT_NAME }}.csv | |
| else | |
| echo "Converting found results to CSV" | |
| saf convert trufflehog2hdf -i ${{ env.OUTPUT_NAME }}.json -o ${{ env.OUTPUT_NAME }}.hdf.json | |
| saf convert hdf2csv -i ${{ env.OUTPUT_NAME }}.hdf.json -o ${{ env.OUTPUT_NAME }}.csv | |
| fi | |
| - | |
| name: Upload reports | |
| if: success() || failure() # always run even if the previous step fails | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
| with: | |
| name: trufflehog-results | |
| path: | | |
| ${{ env.OUTPUT_NAME }}.json | |
| ${{ env.OUTPUT_NAME }}.hdf.json | |
| ${{ env.OUTPUT_NAME }}.csv | |
| - | |
| name: Clone Reporting Repo | |
| uses: GuillaumeFalourd/[email protected] | |
| with: | |
| depth: 1 | |
| branch: 'main' | |
| owner: ${{ secrets.GH_ACCT }} | |
| repository: ${{ secrets.GH_REPO }} | |
| access-token: ${{ secrets.INTERNAL_PAT }} | |
| - | |
| name: Access cloned repository content | |
| run: | | |
| cp "./${{ env.OUTPUT_NAME }}.csv" "./${{ secrets.GH_REPO }}/${{ github.event.repository.name }}/${{ env.OUTPUT_NAME }}.csv" | |
| cd ./${{ secrets.GH_REPO }}/${{ github.event.repository.name }} | |
| git config --global user.email ${{ secrets.GH_EMAIL }} | |
| git config --global user.name ${{ secrets.GH_NAME }} | |
| git add "${{ env.OUTPUT_NAME }}.csv" | |
| git commit -m "Update ${{ env.TOOL }} results in ${{ github.event.repository.name }}" | |
| - | |
| name: Push to Reporting Repo | |
| run: | | |
| cd ${{ secrets.GH_REPO }} | |
| git remote set-url origin https://x-access-token:${{ secrets.INTERNAL_PAT }}@github.com/${{ secrets.GH_ACCT }}/${{ secrets.GH_REPO }}.git | |
| git push | |
| grype: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| env: | |
| TOOL: "grype" | |
| OUTPUT_NAME: "grype-results" | |
| steps: | |
| - | |
| name: Install prerequisites | |
| run: | | |
| set -eu | |
| sudo curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin | |
| sudo apt-get install -y npm | |
| npm install -g "@mitre/saf@${{ env.MITRE_SAF_VERSION }}" | |
| - | |
| name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # - | |
| # name: Login to Docker Hub | |
| # uses: docker/login-action@v3 | |
| # with: | |
| # registry: ${{ secrets.REPO_FQDN }} | |
| # username: ${{ secrets.REPO_USERNAME }} | |
| # password: ${{ secrets.REPO_TOKEN }} | |
| # grype chainguard/wolfi-base -o json --file grype-results.json | |
| # grype ${{ env.IMAGE_NAME }} -o json --file "${{ env.OUTPUT_NAME }}.json" | |
| # grype redhat/ubi9:9.4 -o json --file "${{ env.OUTPUT_NAME }}.json" | |
| #grype ${{ env.IMAGE_NAME }} -o json --file "${{ env.OUTPUT_NAME }}.json" | |
| - | |
| name: Grype scan | |
| run: | | |
| set -eu | |
| grype modusmundi/testingscap:latest -o json --file "${{ env.OUTPUT_NAME }}.json" | |
| grype modusmundi/testingscap:latest | |
| - | |
| name: Check for results and make a stub if no vulnerabilities, otherwise process and make CSV. | |
| run: | | |
| set -eu | |
| ls -latr | |
| if grep -zoP '"matches": \[\],' ${{ env.OUTPUT_NAME }}.json; then | |
| echo "NO FINDINGS, CREATING STUB" | |
| echo 'Results Set,Status,ID,Title,Description,Descriptions,Impact,Severity,Code,Check,Fix,800-53 Controls,CCI IDs,Results,Waived,Waiver Data' > ${{ env.OUTPUT_NAME }}.csv | |
| echo "grype-results.hdf.json,Passed,Grype/CVE-0000-0000,No findings at this time,This is a stub file generated due to a lack of results from grype because zero CVEs were found.,,0,N/A,,,\"No fixes needed, good work.\",,,,FALSE," >> ${{ env.OUTPUT_NAME }}.csv | |
| else | |
| echo "THERE ARE FINDINGS, GENERATING HDF AND CSV" | |
| saf convert anchoregrype2hdf -i ${{ env.OUTPUT_NAME }}.json -o ${{ env.OUTPUT_NAME }}.hdf.json | |
| saf convert hdf2csv -i ${{ env.OUTPUT_NAME }}.hdf.json -o ${{ env.OUTPUT_NAME }}.csv | |
| fi | |
| - | |
| name: Upload reports | |
| if: success() || failure() # always run even if the previous step fails | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
| with: | |
| name: ${{ env.OUTPUT_NAME }} | |
| path: | | |
| ${{ env.OUTPUT_NAME }}.json | |
| ${{ env.OUTPUT_NAME }}.hdf.json | |
| ${{ env.OUTPUT_NAME }}.csv | |
| - | |
| name: Clone Reporting Repo | |
| uses: GuillaumeFalourd/[email protected] | |
| with: | |
| depth: 1 | |
| branch: 'main' | |
| owner: ${{ secrets.GH_ACCT }} | |
| repository: ${{ secrets.GH_REPO }} | |
| access-token: ${{ secrets.INTERNAL_PAT }} | |
| - | |
| name: Access cloned repository content | |
| run: | | |
| cp "./${{ env.OUTPUT_NAME }}.csv" "./${{ secrets.GH_REPO }}/${{ github.event.repository.name }}/${{ env.OUTPUT_NAME }}.csv" | |
| cd ./${{ secrets.GH_REPO }}/${{ github.event.repository.name }} | |
| git config --global user.email ${{ secrets.GH_EMAIL }} | |
| git config --global user.name ${{ secrets.GH_NAME }} | |
| git add "${{ env.OUTPUT_NAME }}.csv" | |
| git commit -m "Update ${{ env.TOOL }} results in ${{ github.event.repository.name }}" | |
| - | |
| name: Push to Reporting Repo | |
| run: | | |
| cd ${{ secrets.GH_REPO }} | |
| git remote set-url origin https://x-access-token:${{ secrets.INTERNAL_PAT }}@github.com/${{ secrets.GH_ACCT }}/${{ secrets.GH_REPO }}.git | |
| git push | |
| trivy: | |
| needs: build | |
| permissions: | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
| runs-on: ubuntu-latest | |
| env: | |
| TOOL: "trivy" | |
| OUTPUT_NAME: "trivy-results" | |
| steps: | |
| - | |
| name: Set up apt repo for prerequisites | |
| run: | | |
| set -eu | |
| sudo apt-get install -y wget apt-transport-https gnupg lsb-release | |
| wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - | |
| echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list | |
| - | |
| name: Install prerequisites | |
| run: | | |
| set -eu | |
| sudo apt-get update | |
| sudo apt-get install -y npm trivy | |
| npm install -g "@mitre/saf@${{ env.MITRE_SAF_VERSION }}" | |
| - | |
| name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # - | |
| # name: Login to Docker Hub | |
| # uses: docker/login-action@v3 | |
| # with: | |
| # registry: ${{ secrets.REPO_FQDN }} | |
| # username: ${{ secrets.REPO_USERNAME }} | |
| # password: ${{ secrets.REPO_TOKEN }} | |
| #image-ref: ${{ env.IMAGE_NAME }} | |
| # image-ref: 'redhat/ubi9:9.4' | |
| #image-ref: radiantone/fid:7.4.9 | |
| - | |
| name: Scan image | |
| run: | | |
| n=0 | |
| until [ "$n" -ge 10 ] | |
| do | |
| trivy image ${{ env.IMAGE_NAME }} --format template --template '@/usr/local/share/trivy/templates/asff.tpl' -o '${{ env.OUTPUT_NAME }}.json' && break | |
| n=$((n+1)) | |
| sleep 15 | |
| done | |
| if [ "$n" -eq 10 ]; then | |
| echo "TRIVY FAILED" | |
| fi | |
| # OKAY SO WE NEED TO TEST FOR WHEN WE HAVE ZERO RESULTS IN THE TRIVY FILE BECAUSE THAT IS A THING THAT HAPPENS. | |
| # Because the response for zero results is extremely well defined, this means we can use if/else logic to determine our path forward. | |
| # We will first test for the case of zero vulnerabilities; if the file doesn't come back with zero vulns, we move forward with conversion. | |
| - name: Test results and either create a stub file or convert them. | |
| run: | | |
| set -eu | |
| cat ${{ env.OUTPUT_NAME }}.json | |
| if grep -zoP '...."Findings": \[\n*....\]\n' ${{ env.OUTPUT_NAME }}.json; then | |
| echo "NO FINDINGS, CREATING STUB" | |
| echo 'Results Set,Status,ID,Title,Description,Descriptions,Impact,Severity,Code,Check,Fix,800-53 Controls,CCI IDs,Results,Waived,Waiver Data' > ${{ env.OUTPUT_NAME }}.csv | |
| echo "trivy-results.hdf.json,Passed,Trivy/CVE-0000-0000,No findings at this time,This is a stub file generated due to a lack of results from trivy because zero CVEs were found.,,0,N/A,,,\"No fixes needed, good work.\",,,,FALSE," >> ${{ env.OUTPUT_NAME }}.csv | |
| else | |
| echo "THERE ARE FINDINGS, GENERATING HDF AND CSV" | |
| saf convert trivy2hdf -i ${{ env.OUTPUT_NAME }}.json -o ${{ env.OUTPUT_NAME }} | |
| ls -latr | |
| echo "OKAY WHAT" | |
| ls ${{ github.workspace }}/${{ env.OUTPUT_NAME }} -latr | |
| cp '${{ github.workspace }}/${{ env.OUTPUT_NAME }}/aquasecurity - aquasecurity.json' ${{ github.workspace }}/${{ env.OUTPUT_NAME }}.hdf.json | |
| saf convert hdf2csv -i ${{ env.OUTPUT_NAME }}.hdf.json -o ${{ env.OUTPUT_NAME }}.csv | |
| fi | |
| - | |
| name: Upload reports | |
| if: success() || failure() # always run even if the previous step fails | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
| with: | |
| name: trivy-results | |
| path: | | |
| ${{ env.OUTPUT_NAME }}.json | |
| ${{ env.OUTPUT_NAME }}.hdf.json | |
| ${{ env.OUTPUT_NAME }}.csv | |
| - | |
| name: Clone Reporting Repo | |
| uses: GuillaumeFalourd/[email protected] | |
| with: | |
| depth: 1 | |
| branch: 'main' | |
| owner: ${{ secrets.GH_ACCT }} | |
| repository: ${{ secrets.GH_REPO }} | |
| access-token: ${{ secrets.INTERNAL_PAT }} | |
| - | |
| name: Access cloned repository content | |
| run: | | |
| cp "./${{ env.OUTPUT_NAME }}.csv" "./${{ secrets.GH_REPO }}/${{ github.event.repository.name }}/${{ env.OUTPUT_NAME }}.csv" | |
| cd ./${{ secrets.GH_REPO }}/${{ github.event.repository.name }} | |
| git config --global user.email ${{ secrets.GH_EMAIL }} | |
| git config --global user.name ${{ secrets.GH_NAME }} | |
| git add "${{ env.OUTPUT_NAME }}.csv" | |
| git commit -m "Update ${{ env.TOOL }} results in ${{ github.event.repository.name }}" | |
| - | |
| name: Push to Reporting Repo | |
| run: | | |
| cd ${{ secrets.GH_REPO }} | |
| git remote set-url origin https://x-access-token:${{ secrets.INTERNAL_PAT }}@github.com/${{ secrets.GH_ACCT }}/${{ secrets.GH_REPO }}.git | |
| git push | |
| snyk: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| TOOL: "snyk" | |
| OUTPUT_NAME: "snyk-results" | |
| steps: | |
| - | |
| name: Install prerequisites | |
| run: | | |
| set -eu | |
| curl --compressed https://downloads.snyk.io/cli/stable/snyk-linux -o snyk | |
| sudo chmod +x ./snyk | |
| sudo mv ./snyk /usr/local/bin/ | |
| sudo apt-get install -y npm | |
| npm install -g "@mitre/saf@${{ env.MITRE_SAF_VERSION }}" | |
| - | |
| name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # - | |
| # name: Login to Docker Hub | |
| # uses: docker/login-action@v3 | |
| # with: | |
| # registry: ${{ secrets.REPO_FQDN }} | |
| # username: ${{ secrets.REPO_USERNAME }} | |
| # password: ${{ secrets.REPO_TOKEN }} | |
| - | |
| name: Scan using Snyk | |
| continue-on-error: true | |
| # 'redhat/ubi9:9.4' | |
| # ${{ env.IMAGE_NAME }} | |
| run: | | |
| snyk container test ${{ env.IMAGE_NAME }} --app-vulns --nested-jars-depth=5 --json --json-file-output=${{ env.OUTPUT_NAME }}.json || true | |
| - | |
| name: Check for results and make a stub if no vulnerabilities, otherwise process and make CSV. | |
| run: | | |
| set -eu | |
| ls -latr | |
| if grep -zoP '"vulnerabilities": \[\],' ${{ env.OUTPUT_NAME }}.json; then | |
| echo "NO FINDINGS, CREATING STUB" | |
| echo 'Results Set,Status,ID,Title,Description,Descriptions,Impact,Severity,Code,Check,Fix,800-53 Controls,CCI IDs,Results,Waived,Waiver Data' > ${{ env.OUTPUT_NAME }}.csv | |
| echo "snyk-results.hdf.json,Passed,Snyk/CVE-0000-0000,No findings at this time,This is a stub file generated due to a lack of results from snyk because zero CVEs were found.,,0,N/A,,,\"No fixes needed, good work.\",,,,FALSE," >> ${{ env.OUTPUT_NAME }}.csv | |
| else | |
| echo "THERE ARE FINDINGS, GENERATING HDF AND CSV" | |
| saf convert snyk2hdf -i ${{ env.OUTPUT_NAME }}.json -o ${{ env.OUTPUT_NAME }}.hdf.json | |
| saf convert hdf2csv -i ${{ env.OUTPUT_NAME }}.hdf.json -o ${{ env.OUTPUT_NAME }}.csv | |
| fi | |
| - | |
| name: Upload reports | |
| if: success() || failure() # always run even if the previous step fails | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
| with: | |
| name: snyk-results | |
| path: | | |
| ${{ env.OUTPUT_NAME }}.json | |
| ${{ env.OUTPUT_NAME }}.hdf.json | |
| ${{ env.OUTPUT_NAME }}.csv | |
| - | |
| name: Clone Reporting Repo | |
| uses: GuillaumeFalourd/[email protected] | |
| with: | |
| depth: 1 | |
| branch: 'main' | |
| owner: ${{ secrets.GH_ACCT }} | |
| repository: ${{ secrets.GH_REPO }} | |
| access-token: ${{ secrets.INTERNAL_PAT }} | |
| - | |
| name: Access cloned repository content | |
| run: | | |
| cp "./${{ env.OUTPUT_NAME }}.csv" "./${{ secrets.GH_REPO }}/${{ github.event.repository.name }}/${{ env.OUTPUT_NAME }}.csv" | |
| cd ./${{ secrets.GH_REPO }}/${{ github.event.repository.name }} | |
| git config --global user.email ${{ secrets.GH_EMAIL }} | |
| git config --global user.name ${{ secrets.GH_NAME }} | |
| git add "${{ env.OUTPUT_NAME }}.csv" | |
| git commit -m "Update ${{ env.TOOL }} results in ${{ github.event.repository.name }}" | |
| - | |
| name: Push to Reporting Repo | |
| run: | | |
| cd ${{ secrets.GH_REPO }} | |
| git remote set-url origin https://x-access-token:${{ secrets.INTERNAL_PAT }}@github.com/${{ secrets.GH_ACCT }}/${{ secrets.GH_REPO }}.git | |
| git push | |
| clam: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| env: | |
| EXPORT_NAME: "build.tar" | |
| DIR_NAME: "build" | |
| TOOL: "clamav" | |
| OUTPUT_NAME: "clamav-results" | |
| steps: | |
| - | |
| name: Start ClamAV daemon | |
| uses: toblux/[email protected] | |
| with: | |
| db_main: 'true' | |
| db_daily: 'true' | |
| - | |
| name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ vars.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # - | |
| # name: Login to Docker Hub | |
| # uses: docker/login-action@v3 | |
| # with: | |
| # registry: ${{ secrets.REPO_FQDN }} | |
| # username: ${{ secrets.REPO_USERNAME }} | |
| # password: ${{ secrets.REPO_TOKEN }} | |
| # CONT_ID=$(docker create ${{ env.IMAGE_NAME }}) | |
| # CONT_ID=$(docker create modusmundi/eicartest:1.0.0) | |
| - | |
| name: Create, export, then extract to the filesystem | |
| run: | | |
| set -eu | |
| mkdir -p ${{ env.DIR_NAME }} | |
| CONT_ID=$(docker create ${{ env.IMAGE_NAME }}) | |
| docker export ${CONT_ID} -o ${{ env.EXPORT_NAME }} | |
| tar --exclude='dev/null' --exclude='dev/random' --exclude='dev/urandom' --exclude='dev/zero' -xvf ${{ env.EXPORT_NAME }} -C ${{ github.workspace }}/${{ env.DIR_NAME }} | |
| - | |
| name: Scan using ClamAV to ensure no malware in static images | |
| run: | | |
| clamscan -ir ${{ github.workspace }}/${{ env.DIR_NAME }} | tail -n 11 > ${{ env.OUTPUT_NAME }}.txt | |
| - | |
| name: Create CSV from results | |
| run: | | |
| echo "Engine Version,Known Viruses,Scanned Directories,Scanned Files,Infected Files" > ${{ env.OUTPUT_NAME }}.csv | |
| { | |
| cat ${{ env.OUTPUT_NAME }}.txt | grep "Engine version:" | sed "s/[[:blank:]]//g" | cut -d: -f2 | tr -d "\n\r"; echo -n "," | |
| cat ${{ env.OUTPUT_NAME }}.txt | grep "Known viruses:" | sed "s/[[:blank:]]//g" | cut -d: -f2 | tr -d "\n\r"; echo -n ","; | |
| cat ${{ env.OUTPUT_NAME }}.txt | grep "Scanned directories:" | sed "s/[[:blank:]]//g" | cut -d: -f2 | tr -d "\n\r"; echo -n ","; | |
| cat ${{ env.OUTPUT_NAME }}.txt | grep "Scanned files:" | sed "s/[[:blank:]]//g" | cut -d: -f2 | tr -d "\n\r"; echo -n ","; | |
| cat ${{ env.OUTPUT_NAME }}.txt | grep "Infected files:" | sed "s/[[:blank:]]//g" | cut -d: -f2 | tr -d "\n\r" | |
| } >> ${{ env.OUTPUT_NAME }}.csv | |
| - | |
| name: Upload reports | |
| if: success() || failure() # always run even if the previous step fails | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
| with: | |
| name: clamd-results | |
| path: | | |
| ${{ env.OUTPUT_NAME }}.txt | |
| ${{ env.OUTPUT_NAME }}.csv | |
| - | |
| name: Clone Reporting Repo | |
| uses: GuillaumeFalourd/[email protected] | |
| with: | |
| depth: 1 | |
| branch: 'main' | |
| owner: ${{ secrets.GH_ACCT }} | |
| repository: ${{ secrets.GH_REPO }} | |
| access-token: ${{ secrets.INTERNAL_PAT }} | |
| - | |
| name: Access cloned repository content | |
| run: | | |
| cp "./${{ env.OUTPUT_NAME }}.csv" "./${{ secrets.GH_REPO }}/${{ github.event.repository.name }}/${{ env.OUTPUT_NAME }}.csv" | |
| cd ./${{ secrets.GH_REPO }}/${{ github.event.repository.name }} | |
| git config --global user.email ${{ secrets.GH_EMAIL }} | |
| git config --global user.name ${{ secrets.GH_NAME }} | |
| git add "${{ env.OUTPUT_NAME }}.csv" | |
| git commit -m "Update ${{ env.TOOL }} results in ${{ github.event.repository.name }}" | |
| - | |
| name: Push to Reporting Repo | |
| run: | | |
| cd ${{ secrets.GH_REPO }} | |
| git remote set-url origin https://x-access-token:${{ secrets.INTERNAL_PAT }}@github.com/${{ secrets.GH_ACCT }}/${{ secrets.GH_REPO }}.git | |
| git push |