Add GitHub Monitor action to all jobs #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: sast | ||
| permissions: {} | ||
| on: | ||
| workflow_call: | ||
| inputs: | ||
| skip: | ||
| description: "Want to skip running certain jobs 'none', 'non-required', 'all'?" | ||
| type: string | ||
| default: "none" | ||
| output: | ||
| description: 'Output either "sarif" (GITHUB_TOKEN with security-events:write) or print results as "table" and fail on error' | ||
| type: string | ||
| required: false | ||
| default: 'sarif' | ||
| jobs: | ||
| bandit: | ||
| runs-on: ubuntu-latest | ||
| if: | | ||
| (github.actor != 'dependabot[bot]') && | ||
| inputs.skip != 'all' | ||
| permissions: | ||
| security-events: write | ||
| steps: | ||
| - uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
| with: | ||
| config: ${{ vars.PERMISSIONS_CONFIG }} | ||
| - name: Checkout code | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: Install python | ||
| uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 | ||
| with: | ||
| python-version-file: '.python-version' | ||
| - name: Install poetry | ||
| uses: snok/install-poetry@93ada01c735cc8a383ce0ce2ae205a21c415379b # v1.3.4 | ||
| with: | ||
| version: 1.8.3 | ||
| virtualenvs-create: false | ||
| virtualenvs-in-project: false | ||
| installer-parallel: true | ||
| - name: Install dependencies | ||
| run: | | ||
| poetry install --only main,dev | ||
| - name: Run Bandit | ||
| if: inputs.output == 'table' | ||
| run: bandit -r -f screen semgr8s/ | ||
| - name: Run Bandit | ||
| if: inputs.output == 'sarif' | ||
| run: bandit -r -f sarif -o bandit-results.sarif semgr8s/ --exit-zero | ||
| - name: Upload | ||
| if: inputs.output == 'sarif' | ||
| uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 | ||
| with: | ||
| sarif_file: 'bandit-results.sarif' | ||
| black: | ||
| runs-on: ubuntu-latest | ||
| if: | | ||
| (github.actor != 'dependabot[bot]') && | ||
| inputs.skip != 'non-required' && | ||
| inputs.skip != 'all' | ||
| steps: | ||
| - uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
| with: | ||
| config: ${{ vars.PERMISSIONS_CONFIG }} | ||
| - name: Checkout code | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: Install python | ||
| uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 | ||
| with: | ||
| python-version-file: '.python-version' | ||
| - name: Install poetry | ||
| uses: snok/install-poetry@93ada01c735cc8a383ce0ce2ae205a21c415379b # v1.3.4 | ||
| with: | ||
| version: 1.8.3 | ||
| virtualenvs-create: false | ||
| virtualenvs-in-project: false | ||
| installer-parallel: true | ||
| - name: Install dependencies | ||
| run: | | ||
| poetry install --only main,dev | ||
| - name: Test formatting | ||
| run: | | ||
| python3 -m black . 2>&1 | grep -q "reformatted" && { echo 'Not properly formatted.'; exit 1; } || true | ||
| checkov: | ||
| runs-on: ubuntu-latest | ||
| if: | | ||
| (github.actor != 'dependabot[bot]') && | ||
| inputs.skip != 'non-required' && | ||
| inputs.skip != 'all' | ||
| permissions: | ||
| security-events: write | ||
| steps: | ||
| - uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
| with: | ||
| config: ${{ vars.PERMISSIONS_CONFIG }} | ||
| - name: Checkout code | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: Render Helm charts | ||
| run: | | ||
| rm -rf tests # remove 'tests' folder from scan | ||
| rm -rf rules/tests # remove 'rules/tests' folder from scan | ||
| mkdir deployment | ||
| helm template charts/semgr8s > deployment/deployment.yaml | ||
| shell: bash | ||
| - name: Scan | ||
| if: inputs.output == 'table' | ||
| uses: bridgecrewio/checkov-action@f34d0f0acd8974b1655797c684ecd907aa3ef929 # v12.2837.0 | ||
| with: | ||
| skip_check: CKV_DOCKER_2 | ||
| output_format: cli | ||
| soft_fail: false | ||
| - name: Scan | ||
| if: inputs.output == 'sarif' | ||
| uses: bridgecrewio/checkov-action@f34d0f0acd8974b1655797c684ecd907aa3ef929 # v12.2837.0 | ||
| with: | ||
| skip_check: CKV_DOCKER_2 | ||
| output_file_path: console,checkov-results.sarif | ||
| output_format: cli,sarif | ||
| soft_fail: true | ||
| - name: Upload | ||
| if: inputs.output == 'sarif' | ||
| uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 | ||
| with: | ||
| sarif_file: checkov-results.sarif | ||
| codeql: | ||
| runs-on: ubuntu-latest | ||
| if: | | ||
| (github.actor != 'dependabot[bot]') && | ||
| inputs.skip != 'non-required' && | ||
| inputs.skip != 'all' | ||
| permissions: | ||
| security-events: write | ||
| pull-requests: read | ||
| steps: | ||
| - uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
| with: | ||
| config: ${{ vars.PERMISSIONS_CONFIG }} | ||
| - name: Checkout repository | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 | ||
| with: | ||
| languages: 'python' | ||
| - name: Analyze | ||
| uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 | ||
| hadolint: | ||
| runs-on: ubuntu-latest | ||
| if: | | ||
| (github.actor != 'dependabot[bot]') && | ||
| inputs.skip != 'non-required' && | ||
| inputs.skip != 'all' | ||
| permissions: | ||
| security-events: write | ||
| steps: | ||
| - uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
| with: | ||
| config: ${{ vars.PERMISSIONS_CONFIG }} | ||
| - name: Checkout code | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: Scan | ||
| uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 | ||
| if: inputs.output == 'table' | ||
| with: | ||
| dockerfile: build/Dockerfile | ||
| format: tty | ||
| no-fail: false | ||
| - name: Scan | ||
| uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 | ||
| if: inputs.output == 'sarif' | ||
| with: | ||
| dockerfile: build/Dockerfile | ||
| format: sarif | ||
| no-fail: true | ||
| output-file: hadolint-results.sarif | ||
| - name: Upload | ||
| uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 | ||
| if: inputs.output == 'sarif' | ||
| with: | ||
| sarif_file: 'hadolint-results.sarif' | ||
| kubelinter: | ||
| runs-on: ubuntu-latest | ||
| if: | | ||
| (github.actor != 'dependabot[bot]') && | ||
| inputs.skip != 'non-required' && | ||
| inputs.skip != 'all' | ||
| permissions: | ||
| security-events: write | ||
| steps: | ||
| - uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
| with: | ||
| config: ${{ vars.PERMISSIONS_CONFIG }} | ||
| - name: Checkout code | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: Scan | ||
| uses: stackrox/kube-linter-action@5792edc6a03735d592b13c08201711327a935735 # v1.0.5 | ||
| if: inputs.output == 'table' | ||
| with: | ||
| config: .kube-linter/config.yaml | ||
| directory: charts/semgr8s | ||
| format: plain | ||
| - name: Scan | ||
| uses: stackrox/kube-linter-action@5792edc6a03735d592b13c08201711327a935735 # v1.0.5 | ||
| if: inputs.output == 'sarif' | ||
| continue-on-error: true | ||
| with: | ||
| config: .kube-linter/config.yaml | ||
| directory: charts/semgr8s | ||
| format: sarif | ||
| output-file: kubelinter-results.sarif | ||
| - name: Upload | ||
| uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 | ||
| if: inputs.output == 'sarif' | ||
| with: | ||
| sarif_file: 'kubelinter-results.sarif' | ||
| pylint: | ||
| runs-on: ubuntu-latest | ||
| if: | | ||
| (github.actor != 'dependabot[bot]') && | ||
| inputs.skip != 'all' | ||
| steps: | ||
| - uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
| with: | ||
| config: ${{ vars.PERMISSIONS_CONFIG }} | ||
| - name: Checkout code | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: Install python | ||
| uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1 | ||
| with: | ||
| python-version-file: '.python-version' | ||
| - name: Install poetry | ||
| uses: snok/install-poetry@93ada01c735cc8a383ce0ce2ae205a21c415379b # v1.3.4 | ||
| with: | ||
| version: 1.8.3 | ||
| virtualenvs-create: false | ||
| virtualenvs-in-project: false | ||
| installer-parallel: true | ||
| - name: Install dependencies | ||
| run: | | ||
| poetry install --only main,dev | ||
| - name: Lint | ||
| run: pylint --ignore-patterns=tests,coverage semgr8s | ||
| semgrep: | ||
| runs-on: ubuntu-latest | ||
| if: | | ||
| (github.actor != 'dependabot[bot]') && | ||
| inputs.skip != 'non-required' && | ||
| inputs.skip != 'all' | ||
| permissions: | ||
| security-events: write | ||
| container: | ||
| image: semgrep/semgrep | ||
| env: | ||
| SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} | ||
| steps: | ||
| - uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
| with: | ||
| config: ${{ vars.PERMISSIONS_CONFIG }} | ||
| - name: Checkout code | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: Scan | ||
| if: inputs.output == 'table' | ||
| run: semgrep ci --config=auto --suppress-errors --text | ||
| - name: Scan | ||
| if: inputs.output == 'sarif' | ||
| run: semgrep ci --config=auto --suppress-errors --sarif --output=semgrep-results.sarif || exit 0 | ||
| - name: Upload | ||
| uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 | ||
| if: inputs.output == 'sarif' | ||
| with: | ||
| sarif_file: semgrep-results.sarif | ||
| trivy-config-scan: | ||
| name: trivy config | ||
| runs-on: ubuntu-latest | ||
| if: | | ||
| (github.actor != 'dependabot[bot]') && | ||
| inputs.skip != 'non-required' && | ||
| inputs.skip != 'all' | ||
| permissions: | ||
| security-events: write | ||
| steps: | ||
| - uses: GitHubSecurityLab/actions-permissions/monitor@v1 | ||
| with: | ||
| config: ${{ vars.PERMISSIONS_CONFIG }} | ||
| - name: Checkout code | ||
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
| - name: Run Trivy | ||
| uses: ./.github/actions/trivy-config | ||
| with: | ||
| output: ${{ inputs.output }} | ||
