Nightly Code Security Scan #77
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Nightly Code Security Scan | |
| on: | |
| schedule: | |
| - cron: '0 20 * * *' | |
| workflow_dispatch: | |
| jobs: | |
| client-dependencies: | |
| name: Client Dependency Check | |
| runs-on: ubuntu-latest | |
| if: >- # only run for develop branch | |
| github.ref == 'refs/heads/develop' | |
| outputs: | |
| js: ${{ steps.set-matrix.outputs.js_result }} | |
| steps: | |
| - name: checkout repository | |
| uses: actions/checkout@master | |
| - name: scan vulnerabilities by Snyk | |
| uses: snyk/actions/node@master | |
| continue-on-error: true # To make sure that artifact upload gets called | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| json: true | |
| - name: upload scan result as develop artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: js-security-scan-develop-result | |
| path: snyk.json | |
| - name: develop scan report export to html | |
| run: | | |
| $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/js-result") | |
| - name: upload html file as artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: html-js-result-${{github.run_id}} | |
| path: js-result.html | |
| - name: analyse vulnerabilities | |
| id: set-matrix | |
| run: | | |
| result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix) | |
| echo "js_result=${result}" >> $GITHUB_OUTPUT | |
| server-dependencies: | |
| name: Server Dependency Check | |
| runs-on: ubuntu-latest | |
| if: >- # only run for develop branch | |
| github.ref == 'refs/heads/develop' | |
| outputs: | |
| go: ${{ steps.set-matrix.outputs.go_result }} | |
| steps: | |
| - name: checkout repository | |
| uses: actions/checkout@master | |
| - name: install Go | |
| uses: actions/setup-go@v3 | |
| with: | |
| go-version: '1.19.5' | |
| - name: download Go modules | |
| run: cd ./api && go get -t -v -d ./... | |
| - name: scan vulnerabilities by Snyk | |
| continue-on-error: true # To make sure that artifact upload gets called | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| run: | | |
| yarn global add snyk | |
| snyk test --file=./api/go.mod --json-file-output=snyk.json 2>/dev/null || : | |
| - name: upload scan result as develop artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: go-security-scan-develop-result | |
| path: snyk.json | |
| - name: develop scan report export to html | |
| run: | | |
| $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/go-result") | |
| - name: upload html file as artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: html-go-result-${{github.run_id}} | |
| path: go-result.html | |
| - name: analyse vulnerabilities | |
| id: set-matrix | |
| run: | | |
| result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix) | |
| echo "go_result=${result}" >> $GITHUB_OUTPUT | |
| image-vulnerability: | |
| name: Image Vulnerability Check | |
| runs-on: ubuntu-latest | |
| if: >- | |
| github.ref == 'refs/heads/develop' | |
| outputs: | |
| image: ${{ steps.set-matrix.outputs.image_result }} | |
| steps: | |
| - name: scan vulnerabilities by Trivy | |
| uses: docker://docker.io/aquasec/trivy:latest | |
| continue-on-error: true | |
| with: | |
| args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainerci/portainer:develop | |
| - name: upload image security scan result as artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: image-security-scan-develop-result | |
| path: image-trivy.json | |
| - name: develop scan report export to html | |
| run: | | |
| $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-result") | |
| - name: upload html file as artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: html-image-result-${{github.run_id}} | |
| path: image-result.html | |
| - name: analyse vulnerabilities | |
| id: set-matrix | |
| run: | | |
| result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix) | |
| echo "image_result=${result}" >> $GITHUB_OUTPUT | |
| result-analysis: | |
| name: Analyse Scan Results | |
| needs: [client-dependencies, server-dependencies, image-vulnerability] | |
| runs-on: ubuntu-latest | |
| if: >- | |
| github.ref == 'refs/heads/develop' | |
| strategy: | |
| matrix: | |
| js: ${{fromJson(needs.client-dependencies.outputs.js)}} | |
| go: ${{fromJson(needs.server-dependencies.outputs.go)}} | |
| image: ${{fromJson(needs.image-vulnerability.outputs.image)}} | |
| steps: | |
| - name: display the results of js, Go, and image scan | |
| run: | | |
| echo "${{ matrix.js.status }}" | |
| echo "${{ matrix.go.status }}" | |
| echo "${{ matrix.image.status }}" | |
| echo "${{ matrix.js.summary }}" | |
| echo "${{ matrix.go.summary }}" | |
| echo "${{ matrix.image.summary }}" | |
| - name: send message to Slack | |
| if: >- | |
| matrix.js.status == 'failure' || | |
| matrix.go.status == 'failure' || | |
| matrix.image.status == 'failure' | |
| uses: slackapi/slack-github-action@v1.23.0 | |
| with: | |
| payload: | | |
| { | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "Code Scanning Result (*${{ github.repository }}*)\n*<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub Actions Workflow URL>*" | |
| } | |
| } | |
| ], | |
| "attachments": [ | |
| { | |
| "color": "#FF0000", | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "*JS dependency check*: *${{ matrix.js.status }}*\n${{ matrix.js.summary }}" | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "*Go dependency check*: *${{ matrix.go.status }}*\n${{ matrix.go.summary }}" | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "*Image vulnerability check*: *${{ matrix.image.status }}*\n${{ matrix.image.summary }}\n" | |
| } | |
| } | |
| ] | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }} | |
| SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK |