From 0c76928ae3612899e26fbc6b32ad56eae0c54243 Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Tue, 24 Sep 2024 14:32:39 +0300 Subject: [PATCH 01/17] REKDAT-164: Add scan workflow --- .github/workflows/scan.yml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/scan.yml diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml new file mode 100644 index 00000000..1275ea34 --- /dev/null +++ b/.github/workflows/scan.yml @@ -0,0 +1,29 @@ +name: Run security scans + +on: + workflow_dispatch: + +jobs: + sast-scanner: + runs-on: ubuntu-latest + steps: + - name: checkout + uses: actions/checkout@v4 + + - name: configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.AWS_SCAN_ROLE }} + role-session-name: github-actions + aws-region: eu-north-1 + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + + - name: Pull sast scanner + run: | + docker pull ${REGISTRY}/${REPOSITORY}/sast-scanner-meta:latest + env: + REGISTRY: ${{ secrets.TOOLS_REGISTRY }} + REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} From 01cb8697f3c122d0ac86411f89d4a4dc0e6cf105 Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Tue, 24 Sep 2024 14:35:53 +0300 Subject: [PATCH 02/17] run workflow on push --- .github/workflows/scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 1275ea34..556e18d0 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -2,6 +2,7 @@ name: Run security scans on: workflow_dispatch: + push: jobs: sast-scanner: From dd336e439a905f66904bd5325914303bf0f3c82c Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Tue, 24 Sep 2024 14:39:22 +0300 Subject: [PATCH 03/17] add permissions --- .github/workflows/scan.yml | 3 +++ 1 file changed, 3 insertions(+) 
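Review bot: The `Pull sast scanner` step pulls the scanner by the mutable `latest` tag (`docker pull ${REGISTRY}/${REPOSITORY}/sast-scanner-meta:latest`), so the code that runs against the checked-out repository can change without any change to this workflow; pin it to an immutable reference such as `sast-scanner-meta@sha256:<digest>` (placeholder), and consider pinning `actions/checkout`, `configure-aws-credentials` and `amazon-ecr-login` to commit SHAs instead of the floating `@v4`/`@v2` major tags. The AWS side is done the right way: a short-lived OIDC role assumption (`role-to-assume` plus `role-session-name`) rather than long-lived access keys in secrets.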
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 556e18d0..486307e2 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -7,6 +7,9 @@ on: jobs: sast-scanner: runs-on: ubuntu-latest + permissions: + id-token: write + contents: read steps: - name: checkout uses: actions/checkout@v4 From adf9b86c12e8452a9b7967a68d1515b6f0f7b501 Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Tue, 24 Sep 2024 15:16:09 +0300 Subject: [PATCH 04/17] login to specific registry --- .github/workflows/scan.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 486307e2..e1c9ce72 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -24,6 +24,9 @@ jobs: - name: Login to Amazon ECR id: login-ecr uses: aws-actions/amazon-ecr-login@v2 + with: + registries: ${{ secrets.TOOLS_REGISTRY }} + - name: Pull sast scanner run: | From 8be8634713f06a910063a2efe7e1b7775f7b3029 Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Tue, 24 Sep 2024 15:23:44 +0300 Subject: [PATCH 05/17] use output from login --- .github/workflows/scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index e1c9ce72..268170bf 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -19,7 +19,7 @@ jobs: with: role-to-assume: ${{ secrets.AWS_SCAN_ROLE }} role-session-name: github-actions - aws-region: eu-north-1 + aws-region: eu-west-1 - name: Login to Amazon ECR id: login-ecr @@ -30,7 +30,7 @@ jobs: - name: Pull sast scanner run: | - docker pull ${REGISTRY}/${REPOSITORY}/sast-scanner-meta:latest + docker pull $REGISTRY/$REPOSITORY/sast-scanner-meta:latest env: - REGISTRY: ${{ secrets.TOOLS_REGISTRY }} + REGISTRY: ${{ steps.login-ecr.outputs.registry }} REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} From f9128c71f78949be206b75476f4b370794b29e07 Mon Sep 17 00:00:00 2001 
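Review bot: The `registries:` input of `aws-actions/amazon-ecr-login` takes a comma-separated list of AWS account IDs, not a registry hostname; if `TOOLS_REGISTRY` holds the `<account>.dkr.ecr.<region>.amazonaws.com` value that the earlier `docker pull ${REGISTRY}/...` step implies, the login will not target the intended registry. Confirm what the secret contains and, if it is the hostname, store the bare account ID instead and derive the hostname from `steps.login-ecr.outputs.registry` for the image reference.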
From: Jari Voutilainen Date: Wed, 25 Sep 2024 13:01:09 +0300 Subject: [PATCH 06/17] REKDAT-164: add scan role for github actions --- cloudformation/github-actions-stack.yml | 47 +++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/cloudformation/github-actions-stack.yml b/cloudformation/github-actions-stack.yml index d3ffd004..804c2e20 100644 --- a/cloudformation/github-actions-stack.yml +++ b/cloudformation/github-actions-stack.yml @@ -29,12 +29,23 @@ Parameters: Type: String Default: false AllowedValues: [true, false] + CreateScanRole: + Description: Is the scan role required for this aws account + Type: String + Default: false + AllowedValues: [ true, false ] + ToolsRepositoryArn: + Description: Arn for tools repository (Optional) + Type: String + Conditions: CreateOIDCProvider: !Equals - !Ref OIDCProviderArn - "" ShouldCreateBuildRole: !Equals ['true', !Ref CreateBuildRole] + ShouldCreateScanRole: !Equals [ 'true', !Ref CreateScanRole ] + Resources: Role: @@ -126,6 +137,42 @@ Resources: - "ecr:UploadLayerPart" Resource: !Ref ECRRepositoryArn + ScanRole: + Type: AWS::IAM::Role + Condition: ShouldCreateScanRole + Properties: + AssumeRolePolicyDocument: + Statement: + - Effect: Allow + Action: sts:AssumeRoleWithWebIdentity + Principal: + Federated: !If + - CreateOIDCProvider + - !Ref GithubOidc + - !Ref OIDCProviderArn + Condition: + StringEquals: + token.actions.githubusercontent.com:aud: !Ref OIDCAudience + StringLike: + token.actions.githubusercontent.com:sub: !Sub repo:${GitHubOrg}/${RepositoryName}:* + Policies: + - PolicyName: ecr-tools-login + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: "ecr:GetAuthorizationToken" + Resource: "*" + - PolicyName: ecr-tools-pull + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - "ecr:BatchGetImage" + - "ecr:GetDownloadUrlForLayer" + Resource: !Ref ToolsRepositoryArn + GithubOidc: Type: AWS::IAM::OIDCProvider 
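Review bot: `ToolsRepositoryArn` is described as "(Optional)" but has no `Default`, so every stack operation — including accounts where `CreateScanRole` stays `false` — fails validation unless a value is supplied; add `Default: ""` under the parameter. Its only use, `Resource: !Ref ToolsRepositoryArn`, sits in a resource guarded by `ShouldCreateScanRole`, so an empty default is safe, and an `AllowedPattern` for the ECR repository ARN form would catch a wrong value before IAM does. Minor style: `AllowedValues: [ true, false ]` and `!Equals [ 'true', !Ref CreateScanRole ]` use padded flow style while the existing lines two and five above use `[true, false]` / `['true', !Ref CreateBuildRole]`.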
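Review bot: The `ScanRole` trust policy matches `token.actions.githubusercontent.com:sub` against `repo:${GitHubOrg}/${RepositoryName}:*`, which lets any workflow run in the repository — every branch, tag, pull request and environment — assume the role; since it only serves the scan workflow, narrow the subject to the contexts that workflow actually runs in, for example a `StringLike` list of `repo:${GitHubOrg}/${RepositoryName}:pull_request` and `repo:${GitHubOrg}/${RepositoryName}:ref:refs/heads/main`, or bind it to a GitHub environment. The permission set itself is the minimum a pull needs (`ecr:GetAuthorizationToken` on `*`, `ecr:BatchGetImage` and `ecr:GetDownloadUrlForLayer` on the tools repository), which is good. The enclosing `Resources` section continues outside the hunk.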
From 8ef7201b65870f305bb1d00417662b261921d9ee Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Wed, 25 Sep 2024 13:43:11 +0300 Subject: [PATCH 07/17] REKDAT-164: Run scanner --- .github/workflows/scan.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 268170bf..66e9d2ee 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -34,3 +34,10 @@ jobs: env: REGISTRY: ${{ steps.login-ecr.outputs.registry }} REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} + + - name: Run sast scanner + run: | + docker run --rm -v ".:/src" -e LEVEL=HIGH -e TARGET=app -e FORMAT=html $REGISTRY/$REPOSITORY/sast-scanner-meta:latest + env: + REGISTRY: ${{ steps.login-ecr.outputs.registry }} + REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} From 09f684208f1b48209e88f5000c6699ceb990894b Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Wed, 25 Sep 2024 14:16:04 +0300 Subject: [PATCH 08/17] REKDAT-164: Upload scan results --- .github/workflows/scan.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 66e9d2ee..e497aef3 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -37,7 +37,14 @@ jobs: - name: Run sast scanner run: | - docker run --rm -v ".:/src" -e LEVEL=HIGH -e TARGET=app -e FORMAT=html $REGISTRY/$REPOSITORY/sast-scanner-meta:latest + docker run --rm -v ".:/src" -e LEVEL=HIGH -e TARGET=app -e FORMAT=html -e OUTDIR='/src/scan-results' $REGISTRY/$REPOSITORY/sast-scanner-meta:latest env: REGISTRY: ${{ steps.login-ecr.outputs.registry }} REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} + + + - name: upload results + uses: actions/upload-artifact@v4 + with: + name: sast-scanner-results + path: scan-results/* From 3ec0444d918b11a6e9cd18084049ae6cf5824dec Mon Sep 17 00:00:00 2001 
From: Jari Voutilainen Date: Wed, 25 Sep 2024 14:29:05 +0300 Subject: [PATCH 09/17] Use v1.0.0 tag and upload sarif file to security --- .github/workflows/scan.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index e497aef3..ff56c940 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -37,14 +37,13 @@ jobs: - name: Run sast scanner run: | - docker run --rm -v ".:/src" -e LEVEL=HIGH -e TARGET=app -e FORMAT=html -e OUTDIR='/src/scan-results' $REGISTRY/$REPOSITORY/sast-scanner-meta:latest + docker run --rm -v ".:/src" -e LEVEL=HIGH -e TARGET=app -e FORMAT=sarif $REGISTRY/$REPOSITORY/sast-scanner-meta:v1.0.0 env: REGISTRY: ${{ steps.login-ecr.outputs.registry }} REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} - - name: upload results - uses: actions/upload-artifact@v4 + - name: upload results to advanced security + uses: github/codeql-action/upload-sarif@v2 with: - name: sast-scanner-results - path: scan-results/* + sarif-file: semgrep-app-report.sarif From 0a6d0906cea0c91a763a7fcda7d5b3307dc7ef6c Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Wed, 25 Sep 2024 14:31:37 +0300 Subject: [PATCH 10/17] fix syntax and use v3 version --- .github/workflows/scan.yml | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index ff56c940..70a2ca3d 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -27,14 +27,6 @@ jobs: with: registries: ${{ secrets.TOOLS_REGISTRY }} - - - name: Pull sast scanner - run: | - docker pull $REGISTRY/$REPOSITORY/sast-scanner-meta:latest - env: - REGISTRY: ${{ steps.login-ecr.outputs.registry }} - REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} - - name: Run sast scanner run: | docker run --rm -v ".:/src" -e LEVEL=HIGH -e TARGET=app -e FORMAT=sarif $REGISTRY/$REPOSITORY/sast-scanner-meta:v1.0.0 
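Review bot: `sarif_file: semgrep-app-report.sarif` assumes the scanner writes its report to the root of the mounted workspace, but this revision drops the `-e OUTDIR='/src/scan-results'` it previously passed and sets nothing in its place, so the upload now depends on the image's built-in default output directory — confirm where `sast-scanner-meta:v1.0.0` writes when `OUTDIR` is unset, or pass `-e OUTDIR=/src` so the location is stated in the workflow. Moving from `latest` to `v1.0.0` is an improvement, but a version tag is still mutable unless tag immutability is enabled on the ECR repository; a digest reference `sast-scanner-meta@sha256:<digest>` (placeholder) is the only pin that cannot drift.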
@@ -44,6 +36,6 @@ jobs: - name: upload results to advanced security - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: - sarif-file: semgrep-app-report.sarif + sarif_file: semgrep-app-report.sarif From c1c4988e069fb34fc0bf091fd9b6342f55571a55 Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Wed, 25 Sep 2024 14:34:15 +0300 Subject: [PATCH 11/17] add permissions to write security events --- .github/workflows/scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 70a2ca3d..4c46e5b7 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -10,6 +10,7 @@ jobs: permissions: id-token: write contents: read + security-events: write steps: - name: checkout uses: actions/checkout@v4 From c748c781fe81d44d02ac647525c85b6522e971a6 Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Wed, 25 Sep 2024 14:53:09 +0300 Subject: [PATCH 12/17] Tell sarif upload that the files has relative path in it --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 4c46e5b7..6daae0e1 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -30,7 +30,7 @@ jobs: - name: Run sast scanner run: | - docker run --rm -v ".:/src" -e LEVEL=HIGH -e TARGET=app -e FORMAT=sarif $REGISTRY/$REPOSITORY/sast-scanner-meta:v1.0.0 + docker run --rm -v "${{ github.workspace }}:${{ github.workspace }}" -e LEVEL=HIGH -e TARGET=app -e FORMAT=sarif -e SRCDIR=${{ github.workspace }} $REGISTRY/$REPOSITORY/sast-scanner-meta:v1.0.0 env: REGISTRY: ${{ steps.login-ecr.outputs.registry }} REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} From ea646003bc60e214e1a6cbc5046d6ac48bcfccb4 Mon Sep 17 00:00:00 2001 
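Review bot: The `run:` script of `Run sast scanner` now interpolates `${{ github.workspace }}` three times directly into the shell command line; `github.workspace` is not attacker-controlled, so this is not an injection risk, but the runner already exports the same value and using it keeps expression interpolation out of shell code (where a later copy-paste of a user-controlled context would be dangerous): `docker run --rm -v "$GITHUB_WORKSPACE:$GITHUB_WORKSPACE" -e LEVEL=HIGH -e TARGET=app -e FORMAT=sarif -e SRCDIR="$GITHUB_WORKSPACE" $REGISTRY/$REPOSITORY/sast-scanner-meta:v1.0.0`. The same pattern recurs in the later `Run dependency check` step (`-v "${{ github.workspace }}:${{ github.workspace }}" -e SCAN_DIR=... -e OUTDIR=...`).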
From: Jari Voutilainen Date: Mon, 30 Sep 2024 12:25:58 +0300 Subject: [PATCH 13/17] Modify entrypoint and build sast scanner container Remove path from semgrep command to output relative paths --- .github/workflows/scan.yml | 21 +++- docker/sast-scanner-meta/Dockerfile | 8 ++ docker/sast-scanner-meta/entrypoint.sh | 138 +++++++++++++++++++++++++ 3 files changed, 165 insertions(+), 2 deletions(-) create mode 100644 docker/sast-scanner-meta/Dockerfile create mode 100644 docker/sast-scanner-meta/entrypoint.sh diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 6daae0e1..898f7721 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -28,11 +28,28 @@ jobs: with: registries: ${{ secrets.TOOLS_REGISTRY }} + - name: setup docker buildx + uses: docker/setup-buildx-action@v3 + + - name: Build sast scanner + uses: docker/build-push-action@v6 + with: + context: ./docker/sast-scanner-meta + file: ./docker/sast-scanner-meta/Dockerfile + push: false + cache-from: type=gha + cache-to: type=gha,mode=max + tags: ${{ env.REPOSITORY }}/sast-scanner-meta:latest + load: true + env: + DOCKER_BUILD_RECORD_UPLOAD: false + REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} + + - name: Run sast scanner run: | - docker run --rm -v "${{ github.workspace }}:${{ github.workspace }}" -e LEVEL=HIGH -e TARGET=app -e FORMAT=sarif -e SRCDIR=${{ github.workspace }} $REGISTRY/$REPOSITORY/sast-scanner-meta:v1.0.0 + docker run --rm -v "${{ github.workspace }}:/src" -e LEVEL=HIGH -e TARGET=APP -e FORMAT=sarif $REPOSITORY/sast-scanner-meta:latest env: - REGISTRY: ${{ steps.login-ecr.outputs.registry }} REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} diff --git a/docker/sast-scanner-meta/Dockerfile b/docker/sast-scanner-meta/Dockerfile new file mode 100644 index 00000000..964f52aa --- /dev/null +++ b/docker/sast-scanner-meta/Dockerfile 
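Review bot: `cache-to: type=gha,mode=max` exports every layer of the built image — including the layers inherited from the private ECR base image — into the GitHub Actions cache, and caches written on the default branch are restorable by pull-request runs, including ones from forks on a public repository; confirm that the scanner image is not considered sensitive, or drop `cache-from`/`cache-to` (the build is one `COPY` on top of the base image and gains little from caching). Separately, `tags: ${{ env.REPOSITORY }}/sast-scanner-meta:latest` names a never-pushed local image after a secret for no functional reason; a fixed local tag such as `sast-scanner-meta:local` in both the build step and the `docker run` line would remove the secret from the build input and the `REPOSITORY` env from both steps.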
@@ -0,0 +1,8 @@
+FROM 373155601093.dkr.ecr.eu-west-1.amazonaws.com/dvv/sast-scanner-meta:v1.0.0
+
+COPY ./entrypoint.sh /app/
+RUN ["chmod", "+x", "/app/entrypoint.sh"]
+
+WORKDIR /src
+
+ENTRYPOINT ["sh", "-c", "/app/entrypoint.sh ${LEVEL} ${TARGET} ${SRCDIR} ${IACDIR} ${OUTDIR} ${FORMAT} ${EXCLUDE_RULES}"]
diff --git a/docker/sast-scanner-meta/entrypoint.sh b/docker/sast-scanner-meta/entrypoint.sh
new file mode 100644
index 00000000..41de5491
--- /dev/null
+++ b/docker/sast-scanner-meta/entrypoint.sh
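Review bot: `FROM 373155601093.dkr.ecr.eu-west-1.amazonaws.com/dvv/sast-scanner-meta:v1.0.0` commits the registry account, region and repository path that the workflow keeps in `secrets.TOOLS_REGISTRY`/`secrets.TOOLS_REPOSITORY`; either those values are not sensitive and the secrets are unnecessary, or they are and this file discloses them — take them as `ARG REGISTRY` / `ARG REPOSITORY` before `FROM ${REGISTRY}/${REPOSITORY}/sast-scanner-meta:v1.0.0` and feed them from `build-args:` in the workflow. The base is pinned to a tag rather than a digest, so the same drift concern as for the `docker run` reference applies (`@sha256:<digest>`, placeholder). The `ENTRYPOINT` expands `${LEVEL} ${TARGET} ${SRCDIR} …` unquoted through `sh -c`, so any unset variable simply disappears and the arguments the script reads as `$1`/`$2` shift left; quote them in the `sh -c` string (`\"${LEVEL}\" \"${TARGET}\" …`) so an empty value stays positional, or have the script read the environment variables directly.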
@@ -0,0 +1,138 @@ +#!/bin/bash + +EXCLUSIONS="*.md,web/coverage,web/node,web/node_properties,application.properties" +EXCLUDES="" +IFS=',' read -ra ADDR <<< "$EXCLUSIONS" +for i in "${ADDR[@]}"; do + EXCLUDES+="--exclude $i " +done + +echo "[*] using exclude for files ${EXCLUSIONS}" + +RULE_EXCLUSIONS="--exclude-rule python.lang.compatibility.python37.python37-compatibility-importlib2 " +IFS=',' read -ra ADDR <<< "$EXCLUDE_RULES" +for i in "${ADDR[@]}"; do + RULE_EXCLUSIONS+="--exclude-rule $i " +done + +echo "[*] using exclude for rules ${RULE_EXCLUSIONS}" + +APP_RULES="--config /app/custom-rules --config "p/default" --config "p/ci" --config "p/java" --config "p/python" --config "p/docker" --config "p/typescript" --config "p/javascript" --config "p/kotlin" --config "p/r2c-security-audit" --config "p/eslint" --config "p/csharp"" + +IAC_RULES="--config /app/custom-rules --config "p/terraform" --config "p/kubernetes"" + +function summary { + function join_by { local IFS="$1"; shift; echo "$*"; } + sarif summary $2 | grep -v '^\s' | grep . + SUMMARIES=($(sarif summary $2 | grep -v '^\s' | grep . 
| tr -d " ")) + SEVERITIES=() + SEVERITY_COUNTS=() + for summary in "${SUMMARIES[@]}" + do + SEVERITIES+=("$(echo $summary | cut -d':' -f1)") + SEVERITY_COUNTS+=("$(echo $summary | cut -d':' -f2)") + done + summary_file=$1 + join_by , "${SEVERITIES[@]}" > $summary_file + join_by , "${SEVERITY_COUNTS[@]}" >> $summary_file + + echo "[*] Summary report written to $1" +} + +handle_output() { + if [ -f $OUTDIR/semgrep-app-report.sarif ]; then + sarif html $OUTDIR/semgrep-app-report.sarif --output $OUTDIR/semgrep-app-report-from-sarif.html + summary "$OUTDIR/semgrep-app-summary.csv" "$OUTDIR/semgrep-app-report.sarif" + echo "[*] HTML scan app results written" + fi + + if [ -f $OUTDIR/semgrep-iac-report.sarif ]; then + sarif html $OUTDIR/semgrep-iac-report.sarif --output $OUTDIR/semgrep-app-report-from-sarif.html + summary "$OUTDIR/semgrep-iac-summary.csv" "$OUTDIR/semgrep-iac-report.sarif" + + echo "[*] HTML scan iac results written" + fi + + if [ -f $OUTDIR/semgrep-app-report.xml ]; then + mv $OUTDIR/semgrep-app-report.xml $OUTDIR/semgrep-app-junit-report.xml + echo "[*] XML scan app results written" + + junit2html $OUTDIR/semgrep-app-junit-report.xml $OUTDIR/semgrep-app-report.html + echo "[*] HTML scan app results written" + fi + + if [ -f $OUTDIR/semgrep-iac-report.xml ]; then + mv $OUTDIR/semgrep-iac-report.xml $OUTDIR/semgrep-iac-junit-report.xml + echo "[*] XML scan iac results written" + + junit2html $OUTDIR/semgrep-iac-junit-report.xml $OUTDIR/semgrep-iac-report.html + echo "[*] HTML scan iac results written" + fi +} + +# Handling severity levels +if [ $# -eq 0 ] + then + echo "[*] Default severity levels will be used." + SEMGREP_SEVERITY="--severity ERROR" +elif [ $1 = "LOW" ] + then + echo "[*] Custom LOW severity levels will be used." + SEMGREP_SEVERITY="--severity INFO" +elif [ $1 = "MEDIUM" ] + then + echo "[*] Custom MEDIUM severity levels will be used." 
+ SEMGREP_SEVERITY="--severity WARNING" +elif [ $1 = "HIGH" ] + then + echo "[*] Custom HIGH severity levels will be used." + SEMGREP_SEVERITY="--severity ERROR" +elif [ $1 = "CRITICAL" ] + then + echo "[*] Custom CRITICAL severity levels will be used." + SEMGREP_SEVERITY="--severity ERROR" +elif [ $1 = "ALL" ] + then + echo "[*] Custom ALL severity levels will be used." + SEMGREP_SEVERITY="" +else + echo "[x] Invalid severity level. Default severity levels will be used." + SEMGREP_SEVERITY="--severity ERROR" +fi + + +run_semgrep() { + echo "[*] Running semgrep on $1 source in $2" + if [ $FORMAT = "sarif" ] + then + echo "[*] SARIF format will be used." + OUTPUT_ARGS="--sarif --sarif-output $OUTDIR/semgrep-$1-report.sarif" + else + echo "[*] JUNIT-XML format will be used." + OUTPUT_ARGS="--junit-xml --output $OUTDIR/semgrep-$1-report.xml" + fi + semgrep scan $3 --metrics=off $EXCLUDES $RULE_EXCLUSIONS $OUTPUT_ARGS $SEMGREP_SEVERITY --no-error $ARGS +} + +if [ $2 = "APP" ] + then + run_semgrep "app" $SRCDIR "$APP_RULES" + + handle_output +elif [ $2 = "IAC" ] + then + run_semgrep "iac" $IACDIR "$IAC_RULES" + handle_output +else + run_semgrep "app" $SRCDIR "$APP_RULES" + run_semgrep "iac" $IACDIR "$IAC_RULES" + + handle_output +fi + +if [[ "${BUCKET}" ]]; then + /copy_to_s3.sh +fi + +echo "[*] All done!" +exit 0 From ee2e7c0a35643a096e327f3ca1e4f2acd39f0a10 Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Wed, 2 Oct 2024 10:21:00 +0300 Subject: [PATCH 14/17] REKDAT-164: Add dependency check to scan workflow --- .github/workflows/scan.yml | 55 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 898f7721..85b9dead 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
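Review bot: In `handle_output` the IAC branch runs `sarif html $OUTDIR/semgrep-iac-report.sarif --output $OUTDIR/semgrep-app-report-from-sarif.html`, overwriting the app HTML report produced a few lines earlier; the output should be `$OUTDIR/semgrep-iac-report-from-sarif.html`. The positional parameters are tested unquoted (`[ $1 = "LOW" ]`, `[ $2 = "APP" ]`), so an empty argument makes `[` error out and the script falls through to the `else` branches (default severity, scanning both APP and IAC) instead of rejecting the input — quote them (`[ "$1" = "LOW" ]`, `[ "$2" = "APP" ]`) and `"$OUTDIR"`/`"$FORMAT"` in the helpers, or add `set -u` near the shebang. `$ARGS` at the end of the `semgrep scan` line is never assigned in this script, so whatever the container environment holds under that name is appended to the command verbatim; document it as an input alongside `EXCLUDE_RULES` at the top, or drop it. The `Dockerfile` passes `SRCDIR`, `IACDIR`, `OUTDIR` and `FORMAT` positionally while the script reads them from the environment, so a header comment stating which inputs are positional (`$1` severity, `$2` target) and which are environment variables would stop the two files drifting further.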
@@ -57,3 +57,58 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: semgrep-app-report.sarif + + dependency-check: + runs-on: ubuntu-latest + permissions: + id-token: write + contents: read + security-events: write + steps: + - name: checkout + uses: actions/checkout@v4 + + - name: configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.AWS_SCAN_ROLE }} + role-session-name: github-actions + aws-region: eu-west-1 + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + with: + registries: ${{ secrets.TOOLS_REGISTRY }} + + #- name: setup docker buildx + # uses: docker/setup-buildx-action@v3 + + #- name: Build sast scanner + # uses: docker/build-push-action@v6 + # with: + # context: ./docker/sast-scanner-meta + # file: ./docker/sast-scanner-meta/Dockerfile + # push: false + # cache-from: type=gha + # cache-to: type=gha,mode=max + # tags: ${{ env.REPOSITORY }}/sast-scanner-meta:latest + # load: true + # env: + # DOCKER_BUILD_RECORD_UPLOAD: false + # REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} + + - name: Run dependency check + run: | + docker run --rm -v "${{ github.workspace }}:${{ github.workspace }}" -e SCAN_DIR=${{ github.workspace }} -e FORMAT=SARIF -e OUTDIR=${{ github.workspace }} $REGISTRY/$REPOSITORY/dependency-check:v1.0.0 + env: + REGISTRY: ${{ steps.login-ecr.outputs.registry }} + REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} + + + - name: upload results to advanced security + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: dependency-check-report.sarif + + From ee4c5f46c73fb7a541de84c1d38c69b0ae7105b5 Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Wed, 2 Oct 2024 12:59:05 +0300 Subject: [PATCH 15/17] REKDAT-164: Run scan workflow only on pull request --- .github/workflows/scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
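Review bot: The new `dependency-check` job repeats the checkout, `configure-aws-credentials` and `amazon-ecr-login` steps of `sast-scanner` verbatim, including the hard-coded `aws-region: eu-west-1`; a composite action (or a reusable workflow) for "assume the scan role and log in to the tools registry" would keep the two jobs from drifting, and the commented-out build block left in this hunk is a sign of the copy-paste. `Run dependency check` mounts the workspace read-write and points `OUTDIR` at it, so the report lands among the sources before `upload-sarif` reads `dependency-check-report.sarif`; that works, but writing to a dedicated directory such as `${{ runner.temp }}` (and pointing `sarif_file` there) keeps tool output out of the checkout and makes the expected filename explicit. The image is referenced by the `v1.0.0` tag, which carries the same mutability caveat as the scanner image unless tag immutability is enabled on the repository.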
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 85b9dead..6a606415 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -2,7 +2,7 @@ name: Run security scans on: workflow_dispatch: - push: + pull_request: jobs: sast-scanner: From 56e50108bae18dd584175f59e9c1e999745b8628 Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Wed, 2 Oct 2024 13:09:22 +0300 Subject: [PATCH 16/17] clean up comments --- .github/workflows/scan.yml | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 6a606415..175ed790 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml @@ -2,7 +2,7 @@ name: Run security scans on: workflow_dispatch: - pull_request: + pull_request: jobs: sast-scanner: @@ -81,22 +81,6 @@ jobs: with: registries: ${{ secrets.TOOLS_REGISTRY }} - #- name: setup docker buildx - # uses: docker/setup-buildx-action@v3 - - #- name: Build sast scanner - # uses: docker/build-push-action@v6 - # with: - # context: ./docker/sast-scanner-meta - # file: ./docker/sast-scanner-meta/Dockerfile - # push: false - # cache-from: type=gha - # cache-to: type=gha,mode=max - # tags: ${{ env.REPOSITORY }}/sast-scanner-meta:latest - # load: true - # env: - # DOCKER_BUILD_RECORD_UPLOAD: false - # REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }} - name: Run dependency check run: | From 05cccbcb8d266df4209ce34a1071592d29a8238a Mon Sep 17 00:00:00 2001 From: Jari Voutilainen Date: Wed, 2 Oct 2024 13:09:57 +0300 Subject: [PATCH 17/17] add categories for sarif uploads --- .github/workflows/scan.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml index 175ed790..aa7c336f 100644 --- a/.github/workflows/scan.yml +++ b/.github/workflows/scan.yml 
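Review bot: Replacing `push:` with `pull_request:` means the default branch is never scanned after a merge, so Code Scanning has no baseline for `main` and results only exist on PR refs; keep a filtered push trigger alongside it, e.g. `push: {branches: [main]}`, and consider a `schedule:` so new rules and dependency advisories are picked up between code changes. If the repository accepts pull requests from forks, note that those runs get a read-only token and no OIDC token, so both jobs would fail at `configure-aws-credentials` (and `upload-sarif` could not write security events); gating the jobs with `if: github.event.pull_request.head.repo.full_name == github.repository` avoids the noisy failures without widening any permission.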
@@ -57,6 +57,7 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: semgrep-app-report.sarif + category: semgrep dependency-check: runs-on: ubuntu-latest @@ -94,5 +95,6 @@ jobs: uses: github/codeql-action/upload-sarif@v3 with: sarif_file: dependency-check-report.sarif + category: dependency-check