This repository has been archived by the owner on Nov 29, 2024. It is now read-only.
chore: Run Full CI/CD on release tag and release branch creation #60
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy & Prisma Scan | |
| on: | |
| pull_request: | |
| branches: | |
| - 'main' | |
| - 'release/[0-9]+.[0-9]+' | |
| push: | |
| branches: | |
| - 'main' | |
| - 'release/[0-9]+.[0-9]+' | |
| schedule: | |
| - cron: '30 2 * * 1-5' | |
| env: | |
| CODE_OWNERS: '<@U047W9ULVQ9>' | |
| jobs: | |
| setup_env: | |
| uses: ./.github/workflows/setup-environment.yml | |
| build: | |
| name: Build | |
| needs: setup_env | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '17' | |
| distribution: 'temurin' | |
| - name: Setup Gradle | |
| uses: gradle/actions/setup-gradle@v4 | |
| - name: Build images with Gradle Wrapper | |
| run: | | |
| ./gradlew -Pversion=${{ needs.setup_env.outputs.component_version }} --init-script init.gradle jibBuildTar -Djib.to.image=image:latest -Djib.outputPaths.tar=/tmp/image.tar | |
| - name: Save artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: image | |
| path: /tmp/image.tar | |
| compression-level: 0 | |
| trivy_scan: | |
| name: Trivy Scan | |
| needs: build | |
| runs-on: ubuntu-latest | |
| outputs: | |
| job: ${{ steps.publish.outputs.job }} | |
| steps: | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: image | |
| path: /tmp | |
| - name: Load image | |
| run: docker load -i /tmp/image.tar | |
| - name: Scan all the vulnerabilities and generate JSON report | |
| if: always() | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: image:latest | |
| format: 'json' | |
| vuln-type: 'os,library' | |
| output: 'trivy-results.json' | |
| - name: Save vulnerabilities report in tabular format | |
| if: always() | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: trivy-results.json | |
| scan-type: convert | |
| vuln-type: '' | |
| format: 'table' | |
| output: 'trivy-results.txt' | |
| - name: Display vulnerabilities report | |
| if: always() | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: trivy-results.json | |
| scan-type: convert | |
| vuln-type: '' | |
| - name: Fail on high and critical vulnerabilities | |
| if: always() | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: trivy-results.json | |
| scan-type: convert | |
| exit-code: '1' | |
| vuln-type: '' | |
| severity: 'HIGH,CRITICAL' | |
| - name: Publish scan report | |
| if: always() | |
| id: publish | |
| run: | | |
| api_url="https://api.github.com/repos/h2oai/${{ github.event.repository.name }}/actions/runs/${{ github.run_id }}/jobs" | |
| job_id=$(curl -s -H "Authorization: token ${{ github.token }}" "$api_url" | jq -r '.jobs[] | select(.name == "Trivy Scan") | .id') | |
| job_url_suffix="/actions/runs/${{ github.run_id }}/job/$job_id#step:7:17" | |
| echo "job=${job_url_suffix}" >> $GITHUB_OUTPUT | |
| - name: Upload report for notifications | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: trivy-results | |
| path: trivy-results.txt | |
| prisma_scan: | |
| name: Prisma Scan | |
| needs: build | |
| runs-on: ubuntu-latest | |
| outputs: | |
| job: ${{ steps.publish.outputs.job }} | |
| steps: | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: image | |
| path: /tmp | |
| - name: Load image | |
| run: docker load -i /tmp/image.tar | |
| - name: VPN Connection | |
| uses: Twingate/[email protected] | |
| with: | |
| service-key: ${{ secrets.TWINGATE_SERVICE_KEY }} | |
| - name: Prisma Cloud image scan | |
| uses: PaloAltoNetworks/[email protected] | |
| with: | |
| pcc_console_url: http://mr-0xz1.h2o.local:8081/ | |
| pcc_user: ${{ secrets.PCC_USER }} | |
| pcc_pass: ${{ secrets.PCC_PASS }} | |
| image_name: image:latest | |
| results_file: pcc_scan_results.json | |
| - name: Upload report for notifications | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: prisma-results | |
| path: pcc_scan_results.json | |
| - name: Verify report results | |
| run: | | |
| high=$(jq '.results[0].vulnerabilityDistribution.high' pcc_scan_results.json) | |
| critical=$(jq '.results[0].vulnerabilityDistribution.critical' pcc_scan_results.json) | |
| if [[ $high -gt 0 || $critical -gt 0 ]]; then | |
| exit 1 | |
| fi | |
| echo "No high or critical vulnerabilities found." | |
| - name: Publish scan report | |
| if: always() | |
| id: publish | |
| run: | | |
| api_url="https://api.github.com/repos/h2oai/${{ github.event.repository.name }}/actions/runs/${{ github.run_id }}/jobs" | |
| job_id=$(curl -s -H "Authorization: token ${{ github.token }}" "$api_url" | jq -r '.jobs[] | select(.name == "Prisma Scan") | .id') | |
| job_url_suffix="/actions/runs/${{ github.run_id }}/job/$job_id#step:5:18" | |
| echo "job=${job_url_suffix}" >> $GITHUB_OUTPUT | |
| notify: | |
| name: Notify | |
| needs: | |
| - trivy_scan | |
| - prisma_scan | |
| if: failure() | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Download artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: '*-results' | |
| merge-multiple: true | |
| - name: Summarize the criticality count | |
| run: | | |
| trivy_total=0 | |
| trivy_low=0 | |
| trivy_medium=0 | |
| trivy_high=0 | |
| trivy_critical=0 | |
| while IFS= read -r line; do | |
| if [[ $line =~ Total:\ ([0-9]+)\ \(UNKNOWN:\ [0-9]+,\ LOW:\ ([0-9]+),\ MEDIUM:\ ([0-9]+),\ HIGH:\ ([0-9]+),\ CRITICAL:\ ([0-9]+)\) ]]; then | |
| trivy_total=$((trivy_total + ${BASH_REMATCH[1]})) | |
| trivy_low=$((trivy_low + ${BASH_REMATCH[2]})) | |
| trivy_medium=$((trivy_medium + ${BASH_REMATCH[3]})) | |
| trivy_high=$((trivy_high + ${BASH_REMATCH[4]})) | |
| trivy_critical=$((trivy_critical + ${BASH_REMATCH[5]})) | |
| fi | |
| done < "trivy-results.txt" | |
| echo "TRIVY_SUMMARY='Total: $trivy_total (LOW: $trivy_low, MEDIUM: $trivy_medium, HIGH: $trivy_high, CRITICAL: $trivy_critical)'" >> $GITHUB_ENV | |
| prisma_total=$(jq '.results[0].vulnerabilityDistribution.total' pcc_scan_results.json) | |
| prisma_low=$(jq '.results[0].vulnerabilityDistribution.low' pcc_scan_results.json) | |
| prisma_medium=$(jq '.results[0].vulnerabilityDistribution.medium' pcc_scan_results.json) | |
| prisma_high=$(jq '.results[0].vulnerabilityDistribution.high' pcc_scan_results.json) | |
| prisma_critical=$(jq '.results[0].vulnerabilityDistribution.critical' pcc_scan_results.json) | |
| echo "PRISMA_SUMMARY='Total: $prisma_total (LOW: $prisma_low, MEDIUM: $prisma_medium, HIGH: $prisma_high, CRITICAL: $prisma_critical)'" >> $GITHUB_ENV | |
| - name: Comment the results to the PR | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ github.token }} | |
| script: | | |
| const { data: comments } = await github.rest.issues.listComments({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: context.issue.number, | |
| }) | |
| const botComment = comments.find(comment => { | |
| return comment.user.type === 'Bot' && comment.body.includes('#### Vulnerabilities have been detected') | |
| }) | |
| const output = `#### Vulnerabilities have been detected. | |
| \`\`\` | |
| Trivy: ${process.env.TRIVY_SUMMARY} | |
| Prisma: ${process.env.PRISMA_SUMMARY} | |
| \`\`\` | |
| @${{ github.actor }}, please review the following reports: [**Trivy**](https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.trivy_scan.outputs.job }}), [**Prisma**](https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.prisma_scan.outputs.job }})`; | |
| if (botComment) { | |
| github.rest.issues.updateComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| comment_id: botComment.id, | |
| body: output | |
| }) | |
| } else { | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }) | |
| } | |
| - name: Send Notification to Slack | |
| if: ${{ startsWith(github.ref, 'refs/heads/main') || startsWith(github.ref, 'refs/heads/release/') }} | |
| uses: slackapi/[email protected] | |
| with: | |
| channel-id: ${{ secrets.SLACK_CHANNEL_ID }} | |
| payload: | | |
| { | |
| "text": "Trivy Vulnerability Report", | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "*DAI Runtimes* \n_Vulnerabilities have been detected on the `${{ github.ref_name }}` branch_" | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "> *Trivy :: `${{ env.TRIVY_SUMMARY }}`*\n> *Prisma :: `${{ env.PRISMA_SUMMARY }}`*" | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "${{ env.CODE_OWNERS }}, please review the following reports: <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.trivy_scan.outputs.job }}|_Trivy_>, <https://github.com/h2oai/${{ github.event.repository.name }}${{ needs.prisma_scan.outputs.job }}|_Prisma_>" | |
| } | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.H2O_OPS_SLACK_BOT_TOKEN }} |