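---
# Workflow: build the opendata image, scan it with Snyk, then run it on the
# same self-hosted runner and scan it dynamically with ZAP. Both scanners
# publish SARIF to GitHub Code Scanning.
name: snyk-zap

# Workflow-level variables. They reach every `run:` step as shell variables and
# every `with:` input through the `env` context (shell `$VAR` syntax is NOT
# expanded inside `with:`).
env:
  DOCKER_REGISTRY: registry.ncats.nih.gov:5000
  IMAGE_NAME: opendata

# Trigger on pushes and pull requests to master, and on manual dispatch.
on:  # yamllint disable-line rule:truthy
  push:
    branches: ["master"]
  pull_request:
    branches: ["master"]
  workflow_dispatch:

jobs:
  # Job 1: build the Docker image and scan it with Snyk.
  Snyk-Docker-Image:
    runs-on:
      group: ncats-onprem-internal-runners
    # Token scope for this job. Code Scanning uploads need security-events:write.
    # NOTE(review): no step visible here obviously needs `issues: write`;
    # confirm the report action requires it, otherwise drop it.
    permissions:
      actions: read
      contents: read
      security-events: write
      issues: write
    # Handed to the ZAP job: the tag that was built, and the runner it was built
    # on. No step pushes the image, so it only exists in that runner's local
    # Docker daemon and the second job must run on the same machine.
    outputs:
      build_version: ${{ steps.get_build_version.outputs.build_version }}
      RUNNER: ${{ runner.name }}
    steps:
      # Step 1: check out the repository
      - name: Checkout code
        uses: actions/checkout@v4

      # Step 2: derive an image tag of the form vYYYY.MMDD.N
      - name: Generate Build Version Number
        id: get_build_version
        run: |
          # NOTE(review): LAST_BUILD_DATE is never set by this workflow and
          # $GITHUB_ENV does not persist between runs, so which branch below is
          # taken depends on how the runner's `date -d ""` behaves.
          LAST_DATE=$(date -d "$LAST_BUILD_DATE" +'%Y-%m-%d' 2>/dev/null || echo "")
          CURRENT_DATE=$(date +'%Y-%m-%d')
          echo "Last recorded date: $LAST_DATE"
          echo "Current date: $CURRENT_DATE"
          if [ "$LAST_DATE" != "$CURRENT_DATE" ]; then
            # First build recorded for this day
            BUILDS_TODAY=0
            echo "Resetting BUILDS_TODAY to 0 for the new day"
          else
            # Same value the previous `seq ... | wc -l` produced: RUN_NUMBER - 1
            BUILDS_TODAY=$((GITHUB_RUN_NUMBER - 1))
            echo "Incrementing BUILDS_TODAY"
          fi
          echo "LAST_BUILD_DATE=$CURRENT_DATE" >> "$GITHUB_ENV"
          BUILD_VERSION_GENERATED=$(date +v%Y.%m%d.$BUILDS_TODAY)
          echo "Generated Build Version: $BUILD_VERSION_GENERATED"
          # Exported to later steps of this job (env) and to other jobs (output).
          echo "BUILD_VERSION=$BUILD_VERSION_GENERATED" >> "$GITHUB_ENV"
          echo "BUILD=true" >> "$GITHUB_ENV"
          # `::set-output` is deprecated; $GITHUB_OUTPUT is the supported path.
          echo "build_version=$BUILD_VERSION_GENERATED" >> "$GITHUB_OUTPUT"

      # Step 3: build the image both scanners will examine
      - name: Build a Docker image
        run: docker build --no-cache -f ./Dockerfile-opendata --build-arg BUILD_VERSION=$BUILD_VERSION -t $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION .

      # Step 4: Snyk container scan. continue-on-error keeps the job alive so
      # the findings are still uploaded to Code Scanning below.
      # NOTE(review): `@master` is a mutable ref. Pin to a release tag or a full
      # commit SHA (e.g. `snyk/actions/docker@<commit-sha>`) so an upstream
      # change cannot silently alter the code that runs with SNYK_TOKEN.
      - name: Run Snyk to check Docker image for vulnerabilities
        continue-on-error: true
        uses: snyk/actions/docker@master
        id: docker-image-scan
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_CLI }}
        with:
          # `with:` inputs are not shell-expanded; build the reference from the
          # `env` context (BUILD_VERSION was written to $GITHUB_ENV above).
          image: ${{ env.DOCKER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.BUILD_VERSION }}
          # --file names the Dockerfile the scanned image was actually built
          # from (the build step uses Dockerfile-opendata).
          args: --sarif-file-output=snyk.sarif --file=Dockerfile-opendata

      # Step 5: normalize non-numeric security-severity values that Snyk emits
      # for license findings, presumably so the SARIF upload accepts them.
      - name: Replace security-severity undefined for license-related findings
        run: |
          sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
          sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif

      # Step 6: upload Snyk results to GitHub Code Scanning
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk.sarif

      # Step 7: generate PDF report(s) from the SARIF in the workspace
      # NOTE(review): this action reference appears garbled in this copy of the
      # file; confirm the action name and pin it to a tag or commit SHA.
      - name: Generate Security Report
        continue-on-error: true
        uses: rsdmike/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          sarifReportDir: .

      # Step 8: publish the generated PDF reports as a downloadable artifact
      - name: Upload Artifacts
        continue-on-error: true
        uses: actions/upload-artifact@v4
        with:
          name: reports
          path: ./*.pdf

  # Job 2: run the freshly built image and scan it dynamically with ZAP.
  ZAP-Docker-Scan:
    needs: Snyk-Docker-Image
    # Must land on the exact runner that built the image (see job 1 outputs).
    runs-on: ${{ needs.Snyk-Docker-Image.outputs.RUNNER }}
    permissions:
      actions: read
      contents: read
      security-events: write
      issues: write
    steps:
      # Step 1: import the build tag and record this runner's IP for ZAP
      - name: Get BUILD_VERSION from Snyk-Docker-Image job
        id: get_runner_ip
        run: |
          echo "BUILD_VERSION=${{ needs.Snyk-Docker-Image.outputs.build_version }}" >> "$GITHUB_ENV"
          # ZAP runs in its own container, so it cannot reach the app via
          # localhost; it is pointed at the runner host's address instead.
          echo "runner_ip=$(hostname -I | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"

      # Step 2: start the application container on port 8000
      # NOTE(review): -p 8000:8000 binds on all runner interfaces for the
      # duration of the scan, and ZAP starts immediately; a readiness wait
      # here would avoid scanning an app that has not finished booting.
      - name: Start Docker image on port 8000
        continue-on-error: true
        run: docker run -d -p 8000:8000 $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION

      # Step 3: ZAP baseline scan against the running container
      # NOTE(review): this action reference appears garbled in this copy of the
      # file; confirm the action name and pin it to a tag or commit SHA.
      - name: ZAP base Scan
        continue-on-error: true
        uses: zaproxy/[email protected]
        with:
          target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:8000' # ip address of the runner
          docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
          token: ${{ secrets.GITHUB_TOKEN }}
          fail_action: false

      # Step 4: tear the container down even if an earlier step failed, so a
      # scan that aborts does not leave the app listening on the shared runner.
      - name: Stop and remove Docker container
        if: always()
        run: docker stop $(docker ps -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) && docker rm $(docker ps -a -q --filter ancestor=$DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION) || true

      # Step 5: convert the ZAP report into results.sarif
      # NOTE(review): `@main` is a mutable ref; pin to a tag or commit SHA.
      - name: Create SARIF file from ZAP results
        uses: SvanBoxel/zaproxy-to-ghas@main

      # Step 6: upload ZAP results to GitHub Code Scanning
      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif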