From feaadb0a9a69afb5c2ef49e9dd224c9d9c7f5ccf Mon Sep 17 00:00:00 2001
From: carmith
Date: Tue, 21 May 2024 12:34:03 +0300
Subject: [PATCH] Adding workflows
---
 .github/workflows/build-publish.yml | 126 ++++++++++++++++++++
 .github/workflows/frogbot-scan-repo.yml | 142 ++++++++++++++++++++++
 .github/workflows/scan-pull-request.yml | 149 ++++++++++++++++++++++++
 .idea/.gitignore | 8 ++
 4 files changed, 425 insertions(+)
 create mode 100644 .github/workflows/build-publish.yml
 create mode 100644 .github/workflows/frogbot-scan-repo.yml
 create mode 100644 .github/workflows/scan-pull-request.yml
 create mode 100644 .idea/.gitignore
diff --git a/.github/workflows/build-publish.yml b/.github/workflows/build-publish.yml
new file mode 100644
index 0000000..7f05ca4
--- /dev/null
+++ b/.github/workflows/build-publish.yml
@@ -0,0 +1,126 @@ +name: Build-publish-scan +on: + push: + branches: + +permissions: + actions: read # for detecting the Github Actions environment. + id-token: write # for creating OIDC tokens for signing. + packages: write # for uploading attestations. + contents: read +jobs: + build-publish-python: + runs-on: ubuntu-latest + env: + DOCKER_REPO: 'testing-docker-local' + IMAGE_NAME: 'carmit-testing:6' + JF_PROJECT: carmit-prj-1 + JF_URL: https://${{ vars.JF_URL }}/ + outputs: + image: ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} + digest: ${{ steps.build.outputs.digest }} + steps: + # Setup Go + - name: Setup Go + uses: actions/setup-go@v5 + with: + go-version: 1.22.x + cache: false + + # Build the specific CLI branch + - name: Checkout code + uses: actions/checkout@v4 + with: + repository: "eyaldelarea/jfrog-cli" + ref: "job_summaries" + + - name: Build current CLI + run: go build . + + # Use the specific setup-cli branch + - uses: eyaldelarea/setup-jfrog-cli@cleanUpSummaries + name: Setup JFrog CLI + id: setup-cli + env: + JF_URL: https://${{ vars.JF_URL }}/ + with: + oidc-provider-name: github-carmit-project-1 + + - name: check filesystem 1 + run: | + mv ./jfrog-cli /tmp/ + + - name: Checkout the repository + uses: actions/checkout@v4 + + + - name: configure jfrog environment + run: | + /tmp/jfrog-cli pip-config --repo-resolve=python-virtual + + - name: configure environment + run: | + python3 -m pip install --upgrade pip setuptools wheel sigstore + wheel -h + pip show setuptools + echo $VIRTUAL_ENV + + - name: build project + run: | + /tmp/jfrog-cli pip install -r requirements.txt --module=jfrog-python-example + python setup.py sdist bdist_wheel + cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT + + - name: publish python package + run: | + /tmp/jfrog-cli rt u dist/ python-virtual/example-projects/ --module=jfrog-python-example + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: 
Authenticate Docker + uses: docker/login-action@v3 + with: + registry: ${{ vars.JF_URL }} + username: ${{ steps.setup-cli.outputs.oidc-user }} + password: ${{ steps.setup-cli.outputs.oidc-token }} + + + - name: Build Docker image + uses: docker/build-push-action@v5 + id: build + with: + push: true + platforms: linux/amd64 #, linux/arm64 + tags: ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} + + + - name: docker scan + run: | + /tmp/jfrog-cli docker pull ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} + /tmp/jfrog-cli docker scan ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} + + - name: add docker package to build + run: | + echo "${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}" > metadata.json + /tmp/jfrog-cli rt build-docker-create ${{ env.DOCKER_REPO }} --image-file metadata.json + + - name: publish build info + run: | + /tmp/jfrog-cli rt bce + /tmp/jfrog-cli rt bp + + - name: build scan + run: | + /tmp/jfrog-cli build-scan --fail=false + + provenance: + needs: [build-publish-python] + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0 + with: + image: ${{ needs.build-publish-python.outputs.image }} + digest: ${{ needs.build-publish-python.outputs.digest }} + private-repository: true + secrets: + registry-username: ${{ vars.JF_DOCKER_USER }} + registry-password: ${{ secrets.JF_DOCKER_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/frogbot-scan-repo.yml b/.github/workflows/frogbot-scan-repo.yml new file mode 100644 index 0000000..b2da953 --- /dev/null +++ b/.github/workflows/frogbot-scan-repo.yml 
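Review bot: The job holds `id-token: write` and `packages: write` yet builds its own tooling from mutable branch refs — `repository: "eyaldelarea/jfrog-cli"` at `ref: "job_summaries"` and `uses: eyaldelarea/setup-jfrog-cli@cleanUpSummaries` — so whoever can push to those fork branches controls code that receives the OIDC token and the registry credentials; pin both to a commit SHA (`ref: "<commit-sha>"`, `uses: eyaldelarea/setup-jfrog-cli@<commit-sha>`) and add a comment saying why a fork rather than the upstream action is used. The same pinning applies, with lower urgency, to `jfrog/frogbot@v2` in the two Frogbot workflows of this commit. Separately, `on.push.branches:` is left with no value, which YAML reads as null and GitHub will, I believe, either reject or treat as unfiltered — give it an explicit list. The `hashes=` value written to `$GITHUB_OUTPUT` in the `build project` step can never be read because that step has no `id`.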
@@ -0,0 +1,142 @@ +name: "Frogbot Scan Repository" +on: + workflow_dispatch: + schedule: + # The repository will be scanned once a day at 00:00 GMT. + - cron: "0 0 * * *" +permissions: + contents: write + pull-requests: write + security-events: write +jobs: + scan-repository: + runs-on: ubuntu-latest + strategy: + matrix: + # The repository scanning will be triggered periodically on the following branches. + branch: ["main"] + steps: + - uses: jfrog/frogbot@v2 + env: + # [Mandatory] + # JFrog platform URL + JF_URL: ${{ vars.JF_URL }} + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + # JF_USER: ${{ secrets.JF_USER }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token is automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Mandatory] + # The name of the branch on which Frogbot will perform the scan + JF_GIT_BASE_BRANCH: ${{ matrix.branch }} + + # [Optional, default: https://api.github.com] + # API endpoint to GitHub + # JF_GIT_API_ENDPOINT: https://github.example.com + + # [Optional] + # By default, the Frogbot workflows download the Frogbot executable as well as other tools + # needed from https://releases.jfrog.io + # If the machine that runs Frogbot has no access to the internet, follow these steps to allow the + # executable to be downloaded from an Artifactory instance, which the machine has access to: + # + # 1. Login to the Artifactory UI, with a user who has admin credentials. + # 2. Create a Remote Repository with the following properties set. 
+ # Under the 'Basic' tab: + # Package Type: Generic + # URL: https://releases.jfrog.io + # Under the 'Advanced' tab: + # Uncheck the 'Store Artifacts Locally' option + # 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created. + # JF_RELEASES_REPO: "" + + ########################################################################## + ## If your project uses a 'frogbot-config.yml' file, you can define ## + ## the following variables inside the file, instead of here. ## + ########################################################################## + + # [Optional, default: "."] + # Relative path to the root of the project in the Git repository. If left empty (without providing "." yourself as default), a recursive scan is triggered from the root directory of the project. + # JF_WORKING_DIR: path/to/project/dir + + # [Default: "*git*;*node_modules*;*target*;*venv*;*test*"] + # List of exclusion patterns (utilizing wildcards) for excluding paths in the source code of the Git repository during SCA scans. + # JF_PATH_EXCLUSIONS: "*git*;*node_modules*;*target*;*venv*;*test*" + + # [Optional] + # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches + # JF_WATCHES: ,... + + # [Optional] + # JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects + JF_PROJECT: carmit-prj-1 + + # [Optional, default: "TRUE"] + # Fails the Frogbot task if any security issue is found. + JF_FAIL: "FALSE" + + # [Optional] + # Frogbot will download the project dependencies, if they're not cached locally. To download the + # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no + # need to set this value, if it is set in the frogbot-config.yml file. + # JF_DEPS_REPO: "" + + # [Optional] + # Template for the branch name generated by Frogbot when creating pull requests with fixes. 
+ # The template must include {BRANCH_NAME_HASH}, to ensure that the generated branch name is unique. + # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables. + # JF_BRANCH_NAME_TEMPLATE: "frogbot-{IMPACTED_PACKAGE}-{BRANCH_NAME_HASH}" + + # [Optional] + # Template for the commit message generated by Frogbot when creating pull requests with fixes + # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables. + # JF_COMMIT_MESSAGE_TEMPLATE: "Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}" + + # [Optional] + # Template for the pull request title generated by Frogbot when creating pull requests with fixes. + # The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables. + # JF_PULL_REQUEST_TITLE_TEMPLATE: "[🐸 Frogbot] Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}" + + # [Optional, Default: "FALSE"] + # If TRUE, Frogbot creates a single pull request with all the fixes. + # If FALSE, Frogbot creates a separate pull request for each fix. + # JF_GIT_AGGREGATE_FIXES: "FALSE" + + # [Optional, Default: "FALSE"] + # Handle vulnerabilities with fix versions only + # JF_FIXABLE_ONLY: "TRUE" + + # [Optional] + # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests + # The following values are accepted: Low, Medium, High or Critical + # JF_MIN_SEVERITY: "" + + # [Optional, Default: eco-system+frogbot@jfrog.com] + # Set the email of the commit author + # JF_GIT_EMAIL_AUTHOR: "" + + # [Optional] + # Set the list of allowed licenses + # The full list of licenses can be found in: + # https://github.com/jfrog/frogbot/blob/master/docs/licenses.md + # JF_ALLOWED_LICENSES: "MIT, Apache-2.0" + + # [Optional] + # Avoid adding extra info to pull request comments. that isn't related to the scan findings. + # JF_AVOID_EXTRA_MESSAGES: "TRUE" + + # [Optional] + # Add a title to pull request comments generated by Frogbot. + # JF_PR_COMMENT_TITLE: "" 
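Review bot: Fix pull requests that Frogbot opens with `JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}` will not trigger the `pull_request_target` scan workflow added in this same commit, because events created with the built-in token do not start further workflow runs; if those fix PRs are meant to be scanned or to run CI, a GitHub App installation token or a narrowly scoped PAT is needed here, and the comment `# The GitHub token is automatically generated for the job` should mention that limitation. The `contents: write` and `pull-requests: write` grants are what the fix-PR flow needs, so the permission block is appropriate, but a one-line comment such as `# write scopes are needed because Frogbot pushes fix branches and opens PRs` would help readers who expect a scan workflow to be read-only.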
diff --git a/.github/workflows/scan-pull-request.yml b/.github/workflows/scan-pull-request.yml
new file mode 100644
index 0000000..9caceaf
--- /dev/null
+++ b/.github/workflows/scan-pull-request.yml
@@ -0,0 +1,149 @@ +name: "Frogbot Scan Pull Request" +on: + pull_request_target: + types: [opened, synchronize] +permissions: + pull-requests: write + contents: read +jobs: + scan-pull-request: + runs-on: ubuntu-latest + # A pull request needs to be approved before Frogbot scans it. Any GitHub user who is associated with the + # "frogbot" GitHub environment can approve the pull request to be scanned. + environment: frogbot + steps: + - uses: jfrog/frogbot@v2 + env: + JFROG_CLI_LOG_LEVEL: DEBUG + # [Mandatory] + # JFrog platform URL + JF_URL: ${{ vars.JF_URL }} + + # [Mandatory if JF_USER and JF_PASSWORD are not provided] + # JFrog access token with 'read' permissions on Xray service + JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD + # JF_USER: ${{ secrets.JF_USER }} + + # [Mandatory if JF_ACCESS_TOKEN is not provided] + # JFrog password. Must be provided with JF_USER + # JF_PASSWORD: ${{ secrets.JF_PASSWORD }} + + # [Mandatory] + # The GitHub token is automatically generated for the job + JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + # [Optional, default: https://api.github.com] + # API endpoint to GitHub + # JF_GIT_API_ENDPOINT: https://github.example.com + + # [Optional] + # By default, the Frogbot workflows download the Frogbot executable as well as other tools + # needed from https://releases.jfrog.io + # If the machine that runs Frogbot has no access to the internet, follow these steps to allow the + # executable to be downloaded from an Artifactory instance, which the machine has access to: + # + # 1. Login to the Artifactory UI, with a user who has admin credentials. + # 2. Create a Remote Repository with the following properties set. + # Under the 'Basic' tab: + # Package Type: Generic + # URL: https://releases.jfrog.io + # Under the 'Advanced' tab: + # Uncheck the 'Store Artifacts Locally' option + # 3. 
Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created. + # JF_RELEASES_REPO: "" + + # [Optional] + # Configure the SMTP server to enable Frogbot to send emails with detected secrets in pull request scans. + # SMTP server URL including should the relevant port: (Example: smtp.server.com:8080) + # JF_SMTP_SERVER: "" + + # [Mandatory if JF_SMTP_SERVER is set] + # The username required for authenticating with the SMTP server. + # JF_SMTP_USER: "" + + # [Mandatory if JF_SMTP_SERVER is set] + # The password associated with the username required for authentication with the SMTP server. + # JF_SMTP_PASSWORD: "" + + ########################################################################## + ## If your project uses a 'frogbot-config.yml' file, you can define ## + ## the following variables inside the file, instead of here. ## + ########################################################################## + + # [Mandatory if the two conditions below are met] + # 1. The project uses yarn 2, NuGet or .NET Core to download its dependencies + # 2. The `installCommand` variable isn't set in your frogbot-config.yml file. + # + # The command that installs the project dependencies (e.g "nuget restore") + # JF_INSTALL_DEPS_CMD: "" + + # [Optional, default: "."] + # Relative path to the root of the project in the Git repository. If left empty (without providing "." yourself as default), a recursive scan is triggered from the root directory of the project. + # JF_WORKING_DIR: path/to/project/dir + + # [Default: "*git*;*node_modules*;*target*;*venv*;*test*"] + # List of exclusion patterns (utilizing wildcards) for excluding paths in the source code of the Git repository during SCA scans. + # JF_PATH_EXCLUSIONS: "*git*;*node_modules*;*target*;*venv*;*test*" + + # [Optional] + # Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches + # JF_WATCHES: ,... + + # [Optional] + # JFrog project. 
Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects + JF_PROJECT: carmit-prj-1 + + # [Optional, default: "FALSE"] + # Displays all existing vulnerabilities, including the ones that were added by the pull request. + JF_INCLUDE_ALL_VULNERABILITIES: "TRUE" # to remove to see ALL XXX + + # [Optional, default: "FALSE"] + # When adding new comments on pull requests, keep old comments that were added by previous scans. + # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE" + + # [Optional, default: "TRUE"] + # Fails the Frogbot task if any security issue is found. + JF_FAIL: "FALSE" + + # [Optional] + # Frogbot will download the project dependencies if they're not cached locally. To download the + # dependencies from a virtual repository in Artifactory, set the name of the repository. There's no + # need to set this value, if it is set in the frogbot-config.yml file. + JF_DEPS_REPO: "python-virtual" + + # [Optional, Default: "FALSE"] + # If TRUE, Frogbot creates a single pull request with all the fixes. + # If false, Frogbot creates a separate pull request for each fix. + # JF_GIT_AGGREGATE_FIXES: "FALSE" + + # [Optional, Default: "FALSE"] + # Handle vulnerabilities with fix versions only + # JF_FIXABLE_ONLY: "TRUE" + + # [Optional] + # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests + # The following values are accepted: Low, Medium, High or Critical + # JF_MIN_SEVERITY: "" + + # [Optional] + # List of comma-separated(,) email addresses to receive email notifications about secrets + # detected during pull request scanning. The notification is also sent to the email set + # in the committer git profile regardless of whether this variable is set or not. 
+ # JF_EMAIL_RECEIVERS: "" + + # [Optional] + # Set the list of allowed licenses + # The full list of licenses can be found in: + # https://github.com/jfrog/frogbot/blob/master/docs/licenses.md + # JF_ALLOWED_LICENSES: "MIT, Apache-2.0" + + # [Optional] + # Avoid adding extra info to pull request comments. that isn't related to the scan findings. + # JF_AVOID_EXTRA_MESSAGES: "TRUE" + + # [Optional] + # Add a title to pull request comments generated by Frogbot. + # JF_PR_COMMENT_TITLE: "" diff --git a/.idea/.gitignore b/.idea/.gitignore new file mode 100644 index 0000000..13566b8 --- /dev/null +++ b/.idea/.gitignore @@ -0,0 +1,8 @@ +# Default ignored files +/shelf/ +/workspace.xml +# Editor-based HTTP Client requests +/httpRequests/ +# Datasource local storage ignored files +/dataSources/ +/dataSources.local.xml
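Review bot: `JFROG_CLI_LOG_LEVEL: DEBUG` and the trailing `# to remove to see ALL XXX` on `JF_INCLUDE_ALL_VULNERABILITIES` read as debugging residue; in a `pull_request_target` job that carries `JF_ACCESS_TOKEN` and resolves PR-controlled dependencies through `JF_DEPS_REPO: "python-virtual"`, debug-level CLI output is more than belongs in job logs, so drop the level override (or set it to `INFO`) and replace the stray comment with what the flag is actually for. The safety of this workflow rests on the `frogbot` environment having a required-reviewers protection rule configured in repository settings — nothing in the file enforces it — so the comment above `environment: frogbot` should state that dependency, e.g. `# Requires the "frogbot" environment to have a required-reviewers rule; without it, forked PRs run with the secrets below.`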