From 1c00cc44165dc13834c28a5c167a95edfadaa99d Mon Sep 17 00:00:00 2001 From: Vasco Ramos Date: Tue, 17 Jan 2023 16:53:05 +0000 Subject: [PATCH] fix(actions): add static analysis (#66) --- .github/workflows/merge-master.yaml | 22 ++------- .github/workflows/prereleased.yaml | 77 ++++++++++++++++++++++++++--- .github/workflows/pull-request.yaml | 65 ++++++++++++++++++++++++ .github/workflows/released.yaml | 4 +- 4 files changed, 140 insertions(+), 28 deletions(-) diff --git a/.github/workflows/merge-master.yaml b/.github/workflows/merge-master.yaml index f8eff5d..32c3cf3 100644 --- a/.github/workflows/merge-master.yaml +++ b/.github/workflows/merge-master.yaml @@ -37,11 +37,11 @@ jobs: - name: Git Short sha id: short_sha - run: echo "::set-output name=value::$(git rev-parse --short HEAD)" + run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - name: Remove prefix 'v' from version id: version - run: echo "::set-output name=value::`echo ${{ steps.semantic.outputs.new_release_version }} | sed -r 's|v()|\1|'`" + run: echo "value=`echo ${{ steps.semantic.outputs.new_release_version }} | sed -r 's|v()|\1|'`" >> $GITHUB_OUTPUT build: @@ -77,10 +77,10 @@ jobs: run: make build - dev-release: + releases: if: needs.prepare.outputs.new_release == 'true' - name: Dev Release + name: Dev and Draft Releases runs-on: - self-hosted - micro @@ -102,20 +102,6 @@ jobs: body: ${{ github.event.head_commit.message }} prerelease: true - - draft-release: - if: needs.prepare.outputs.new_release == 'true' - - name: Draft Release - runs-on: - - self-hosted - - micro - - needs: - - prepare - - build - - steps: - name: Delete Previous drafts uses: hugo19941994/delete-draft-releases@v1.0.0 env: diff --git a/.github/workflows/prereleased.yaml b/.github/workflows/prereleased.yaml index 984f80e..304cba8 100644 --- a/.github/workflows/prereleased.yaml +++ b/.github/workflows/prereleased.yaml 
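Review bot: The rewritten "Remove prefix 'v'" step still splices `${{ steps.semantic.outputs.new_release_version }}` straight into the shell command, and the sed pattern `s|v()|\1|` deletes the first `v` wherever it appears, not only a leading one; the value is computed by semantic-release so the injection risk is low, but it is exactly the expression-in-`run:` pattern GitHub's hardening guide tells you to avoid. Pass the value through the step's environment and strip the prefix in bash: `env: { NEW_VERSION: ${{ steps.semantic.outputs.new_release_version }} }` then `run: echo "value=${NEW_VERSION#v}" >> "$GITHUB_OUTPUT"`. While touching these lines, quote `"$GITHUB_OUTPUT"` in the `short_sha` step as well.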
@@ -20,6 +20,17 @@ env: DOCKER_REPOSITORY: azure-adapter CONTAINER: azure-adapter-container-image + AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} + SBOM_FILENAME: docker-sbom + NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }} + + + +permissions: + id-token: write + contents: read + packages: read + jobs: @@ -52,7 +63,7 @@ jobs: steps: - name: Version id: version - run: echo ::set-output name=value::${GITHUB_REF#refs/*/} + run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT build: 
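Review bot: The new workflow-level `permissions` block hands `id-token: write` to every job in prereleased.yaml, although only the `build` job needs it to assume `AWS_S3_SBOMS_ROLE_ARN` and the ECR role; an OIDC grant should be as narrow as the long-lived secret it replaces. Keep `contents: read` / `packages: read` at the top and declare the grant on the build job instead: `permissions:` / `  id-token: write` / `  contents: read`. Also check that `update-manifests` (outside this hunk) does not depend on the previous default token, because a workflow-level `permissions` block replaces the default for every job that does not declare its own. `AWS_S3_REGION` does not need to be a secret; storing it as one only causes the region string to be masked in every log line.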
@@ -67,6 +78,59 @@ jobs: steps: - uses: actions/checkout@v3 + - name: Build Docker Image + id: docker_build + uses: docker/build-push-action@v3 + env: + DOCKER_IMAGE_TAG: ${{ env.DOCKER_REPOSITORY }}:${{ needs.prepare.outputs.version }} + with: + context: . + push: false + load: true + tags: ${{ env.DOCKER_IMAGE_TAG }} + + - name: Create Docker SBOM + uses: anchore/sbom-action@v0 + with: + image: ${{ steps.docker_build.outputs.imageId }} + format: spdx-json + upload-release-assets: false + output-file: ${{ env.SBOM_FILENAME }}.spdx.json + + - name: Scan SBOM + id: scan_sbom + uses: anchore/scan-action@v3 + with: + sbom: ${{ env.SBOM_FILENAME }}.spdx.json + output-format: sarif + fail-build: false + + - name: Determine number of noticiable vulnerabilities + id: count_vulnerabilities + run: echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }} + aws-region: ${{ env.AWS_S3_REGION }} + + - name: Copy SBOM to S3 + run: | + aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json + aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif + + - name: Update Notion Page + uses: ydataai/update-notion-page@v1 + env: + STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }} + STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }} + with: + notion_secret: ${{ secrets.NOTION_SECRET }} + notion_database_id: ${{ env.NOTION_DATABASE_ID }} + notion_database_query_filter: '{ 
"property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }' + notion_page_update_properties: '{ "Docker Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, "SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }' + - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1 with: @@ -78,15 +142,12 @@ jobs: id: ecr_password uses: aws-actions/amazon-ecr-login@v1 - - name: Build and push - id: docker_build - uses: docker/build-push-action@v3 + - name: Push Docker Image env: DOCKER_IMAGE_TAG: ${{ steps.ecr_password.outputs.registry }}/${{ env.DOCKER_REPOSITORY }}:${{ needs.prepare.outputs.version }} - with: - context: . - push: true - tags: ${{ env.DOCKER_IMAGE_TAG }} + run: | + docker tag ${{ steps.docker_build.outputs.imageId }} ${{ env.DOCKER_IMAGE_TAG }} + docker push ${{ env.DOCKER_IMAGE_TAG }} update-manifests: diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index 4df6d90..b40623b 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -9,6 +9,20 @@ on: +env: + AWS_S3_REGION: ${{ secrets.AWS_S3_REGION }} + SBOM_FILENAME: package-sbom + NOTION_DATABASE_ID: ${{ secrets.NOTION_REPOS_DATABASE_ID }} + + + +permissions: + id-token: write + contents: read + packages: read + + + jobs: validate: name: Validate 
@@ -42,3 +56,54 @@ jobs: - name: Run tests run: make test + + + static-analysis: + name: Static Analysis + runs-on: + - self-hosted + - large + + steps: + - uses: actions/checkout@v3 + + - name: Create SBOM + uses: anchore/sbom-action@v0 + with: + format: spdx-json + output-file: ${{ env.SBOM_FILENAME }}.spdx.json + + - name: Scan SBOM + id: scan_sbom + uses: anchore/scan-action@v3 + with: + sbom: ${{ env.SBOM_FILENAME }}.spdx.json + output-format: sarif + fail-build: false + + - name: Determine number of noticiable vulnerabilities + id: count_vulnerabilities + run: | + echo "value=$(grep -cE "(medium|high|critical) vulnerability" ${{ steps.scan_sbom.outputs.sarif }})" >> $GITHUB_OUTPUT + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ secrets.AWS_S3_SBOMS_ROLE_ARN }} + aws-region: ${{ env.AWS_S3_REGION }} + + - name: Copy SBOM to S3 + run: | + aws s3 cp ${{ env.SBOM_FILENAME }}.spdx.json s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}.spdx.json + aws s3 cp ${{ steps.scan_sbom.outputs.sarif }} s3://repos-sboms/${{ github.event.repository.name }}/${{ env.SBOM_FILENAME }}-scan.sarif + + - name: Update Notion Page + uses: ydataai/update-notion-page@v1 + env: + STATUS_ICON: ${{ steps.count_vulnerabilities.outputs.value == '0' && '"✅"' || '"⚠️"' }} + STATUS_URL: ${{ steps.count_vulnerabilities.outputs.value == '0' && 'null' || format('{{"url":"https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region={0}&prefix={1}/{2}-scan.sarif"}}', env.AWS_S3_REGION, github.event.repository.name, env.SBOM_FILENAME) }} + with: + notion_secret: ${{ secrets.NOTION_SECRET }} + notion_database_id: ${{ env.NOTION_DATABASE_ID }} + notion_database_query_filter: '{ "property": "Repo", "title": { "equals": "${{ github.event.repository.name }}" } }' + notion_page_update_properties: '{ "Scan": { "rich_text": [ { "text": { "content": ${{ env.STATUS_ICON }}, "link": ${{ env.STATUS_URL }} } } ] }, 
"SBOMS": { "url": "https://s3.console.aws.amazon.com/s3/buckets/repos-sboms?region=${{ env.AWS_S3_REGION }}&prefix=${{ github.event.repository.name }}/" } }' diff --git a/.github/workflows/released.yaml b/.github/workflows/released.yaml index 649104f..dcf61ea 100644 --- a/.github/workflows/released.yaml +++ b/.github/workflows/released.yaml @@ -53,13 +53,13 @@ jobs: steps: - name: Version id: version - run: echo ::set-output name=value::${GITHUB_REF#refs/*/} + run: echo "value=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT - uses: actions/checkout@v3 - name: Git Short sha id: short_sha - run: echo "::set-output name=value::$(git rev-parse --short HEAD)" + run: echo "value=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT docker: