diff --git a/.github/workflows/jira.yml b/.github/workflows/jira.yml
index c4f9d9f575..caa4bbdfea 100644
--- a/.github/workflows/jira.yml
+++ b/.github/workflows/jira.yml
@@ -3,11 +3,11 @@ on:
 pull_request:
 types: [opened]
 jobs:
- security:
+ security-jira:
 if: ${{ github.actor == 'dependabot[bot]' || github.actor == 'snyk-bot' || contains(github.event.pull_request.head.ref, 'snyk-fix-') || contains(github.event.pull_request.head.ref, 'snyk-upgrade-')}}
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3.5.3
+ - uses: actions/checkout@v2
 - name: Login into JIRA
 uses: atlassian/gajira-login@master
 env:
@@ -26,3 +26,8 @@ jobs: PR: ${{ github.event.pull_request.html_url }} fields: "${{ secrets.JIRA_FIELDS }}" + - name: Transition issue + uses: atlassian/gajira-transition@v3 + with: + issue: ${{ steps.create.outputs.issue }} + transition: ${{ secrets.JIRA_TRANSITION }}
diff --git a/.github/workflows/sast-scan.yml b/.github/workflows/sast-scan.yml
new file mode 100644
index 0000000000..3b9521a551
--- /dev/null
+++ b/.github/workflows/sast-scan.yml
@@ -0,0 +1,11 @@
+name: SAST Scan
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+jobs:
+ security-sast:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Semgrep Scan
+ run: docker run -v /var/run/docker.sock:/var/run/docker.sock -v "${PWD}:/src" returntocorp/semgrep semgrep scan --config auto
\ No newline at end of file
diff --git a/.github/workflows/sca-scan.yml b/.github/workflows/sca-scan.yml
index 21ac795a5b..f09161f538 100644
--- a/.github/workflows/sca-scan.yml
+++ b/.github/workflows/sca-scan.yml
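Review bot: In .github/workflows/jira.yml the checkout step moves from `actions/checkout@v3.5.3` back to `actions/checkout@v2`, an older major release built on a deprecated Node runtime, and the commit gives no reason for the downgrade. This job logs in to Jira, presumably with repository secrets (the `env:` block continues outside the hunk), and the neighbouring `atlassian/gajira-login@master` is a branch ref whose code can change between runs. I would keep the newer checkout and pin every action to a full commit SHA, e.g. `- uses: actions/checkout@<full-commit-sha> # v3.5.3` (placeholder, not a real hash). The same applies to `atlassian/gajira-transition@v3` in the second hunk of this file, to `actions/checkout@v2` in sast-scan.yml and secrets-scan.yml, and to the `@master` refs in sca-scan.yml.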
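Review bot: The Semgrep step in .github/workflows/sast-scan.yml bind-mounts `/var/run/docker.sock` into the scanner container, which hands that container control of the runner's Docker daemon; nothing in `semgrep scan` needs it. The image is also pulled by name with no tag or digest, and without `--error` Semgrep exits 0 when it has findings, so this check cannot fail a pull request. I would change the step to `run: docker run --rm -v "${PWD}:/src" returntocorp/semgrep@sha256:<image-digest> semgrep scan --config auto --error` (the digest is a placeholder). The workflow also has no `permissions:` key; a top-level `permissions: {contents: read}` would limit the job token to what a read-only scan needs.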
@@ -3,20 +3,10 @@ on:
 pull_request:
 types: [opened, synchronize, reopened]
 jobs:
- security:
+ security-sca:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@master
- - uses: pnpm/action-setup@v2
- with:
- version: 7
- - name: Use Node.js 18.x
- uses: actions/setup-node@v3.7.0
- with:
- node-version: '18.x'
- cache: 'pnpm'
- - name: Install dependencies
- run: pnpm install --no-frozen-lockfile
 - name: Run Snyk to check for vulnerabilities
 uses: snyk/actions/node@master
 env:
diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
new file mode 100644
index 0000000000..c0d8140ce5
--- /dev/null
+++ b/.github/workflows/secrets-scan.yml
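Review bot: With the pnpm setup and `pnpm install --no-frozen-lockfile` steps removed in .github/workflows/sca-scan.yml, the Snyk step now runs against a bare checkout, so it covers the full dependency tree only if a lockfile that Snyk can read is committed. The removed install used `--no-frozen-lockfile`, which suggests the lockfile may be missing or stale; if so, the step may fail or test fewer packages than before. I would either keep the install steps or add a comment above the Snyk step naming what it relies on, e.g. `# Snyk resolves dependencies from the committed lockfile; no install step needed`. The Snyk step's `env:` block continues outside the hunk.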
@@ -0,0 +1,54 @@
+name: Secrets Scan
+on:
+ pull_request:
+ types: [opened, synchronize, reopened]
+jobs:
+ security-secrets:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: Install Expect, jq and Python
+ run: sudo apt-get update --fix-missing && sudo apt-get install -y expect jq python3 python3-pip wkhtmltopdf
+
+ - name: Install Python packages
+ run: pip install pandas json2html tabulate
+
+ - name: Install Talisman
+ run: |
+ curl --silent https://raw.githubusercontent.com/thoughtworks/talisman/v1.32.0/install.sh > install.bash
+ chmod +x install.bash
+ ./install.bash
+
+ - name: Run Talisman
+ id: run_talisman
+ run: /usr/local/bin/talisman --scan
+ continue-on-error: true
+
+ - name: Convert JSON to HTML
+ run: |
+ python3 -c "
+ import json
+ import os
+ from json2html import *
+ with open('talisman_report/talisman_reports/data/report.json') as f:
+ data = json.load(f)
+ html = json2html.convert(json = data)
+ os.makedirs('talisman_html_report', exist_ok=True)
+ with open('talisman_html_report/report.html', 'w') as f:
+ f.write(html)
+ " && wkhtmltopdf talisman_html_report/report.html talisman_report.pdf
+
+ - name: Upload Report
+ id: upload_report
+ uses: actions/upload-artifact@v4
+ with:
+ name: talisman-report-pdf
+ path: talisman_report.pdf
+
+ - name: Check the status of talisman scan
+ run: |
+ # if [[ ${{ steps.run_talisman.outcome }} == "success" ]]; then exit 0; else echo "Download the Talisman scan report from Artifact: ${{ steps.upload_report.outputs.artifact-url }}" && exit 1; fi
+ echo "Download the Talisman scan report from Artifact: ${{ steps.upload_report.outputs.artifact-url }}";
\ No newline at end of file
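Review bot: In .github/workflows/secrets-scan.yml the Talisman step sets `continue-on-error: true` and the outcome check in the last step is commented out, so the job reports success even when Talisman flags a secret. Restoring the gate keeps the report upload and still blocks the pull request: `if [[ "${{ steps.run_talisman.outcome }}" != "success" ]]; then echo "Talisman reported findings; see the uploaded report"; exit 1; fi`. The install step downloads `install.sh` with `curl --silent` and executes it with no checksum and no `--fail`, and `pip install pandas json2html tabulate` is unpinned (only `json2html` is imported in the visible script). The uploaded PDF may contain the flagged strings themselves, so it is worth checking who can download artifacts before relying on it.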