From 15f520add2c999dd39ac7552edc4a8af7e331474 Mon Sep 17 00:00:00 2001 From: "kedar.jamkhindikar@spectrocloud.com" <79581321+kedar-calsoftinc@users.noreply.github.com> Date: Mon, 16 Oct 2023 18:03:31 +0530 Subject: [PATCH 1/6] PCP-2008 : CICD changes w.r.t. PCP-1844 --- .../bulwark-gitleaks-pr-validation.yaml | 38 +++++++++++++++++ .github/workflows/bulwark-gosec-pr-scan.yaml | 41 +++++++++++++++++++ .../workflows/golicense-pr-validation.yaml | 32 +++++++++++++++ .../workflows/govulncheck-pr-validation.yaml | 33 +++++++++++++++ 4 files changed, 144 insertions(+) create mode 100644 .github/workflows/bulwark-gitleaks-pr-validation.yaml create mode 100644 .github/workflows/bulwark-gosec-pr-scan.yaml create mode 100644 .github/workflows/golicense-pr-validation.yaml create mode 100644 .github/workflows/govulncheck-pr-validation.yaml diff --git a/.github/workflows/bulwark-gitleaks-pr-validation.yaml b/.github/workflows/bulwark-gitleaks-pr-validation.yaml new file mode 100644 index 0000000000..fae8a5ca1d --- /dev/null +++ b/.github/workflows/bulwark-gitleaks-pr-validation.yaml 
@@ -0,0 +1,38 @@ +name: BulwarkGitLeaks +on: [pull_request] + +concurrency: + group: gitleaks-${{ github.ref }} + cancel-in-progress: true + +jobs: + gitleaks-pr-scan: + runs-on: ubuntu-latest + container: + image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest + env: + REPO: ${{ github.event.repository.name }} + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_CONFIG: /workspace/config.toml + steps: + + - name: run-bulwark-gitleaks-scan + shell: sh + env: + BRANCH: ${{ github.head_ref || github.ref_name }} + run: /workspace/bulwark -name CodeSASTGitLeaks -target $REPO -tags "branch:$BRANCH,options:--log-opts origin..HEAD" + + - name: check-result + shell: sh + run: | + resultPath=./$REPO/gitleaks.json + cat $resultPath | grep -v \"Match\"\: | grep -v \"Secret\"\: + total_failed_tests=`cat $resultPath | grep \"Fingerprint\"\: | wc -l` + if [ "$total_failed_tests" -gt 0 ]; then + echo "GitLeaks validation check failed with above findings..." + exit 1 + else + echo "GitLeaks validation check passed" + fi \ No newline at end of file diff --git a/.github/workflows/bulwark-gosec-pr-scan.yaml b/.github/workflows/bulwark-gosec-pr-scan.yaml new file mode 100644 index 0000000000..b7a0aaedc2 --- /dev/null +++ b/.github/workflows/bulwark-gosec-pr-scan.yaml 
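Review bot: The workflow sets no `permissions:` block, so the token handed to the scanner container at `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` carries whatever default the repository grants, which may include write scopes; the scan only needs to read the repository, so add `permissions:` / `  contents: read` at the top level. The gosec, golicense and govulncheck workflows in this series have the same omission. `image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest` is a floating tag on a security-critical tool; pinning it by digest, `image: gcr.io/spectro-dev-public/bulwark/gitleaks@sha256:<digest>`, makes the scan reproducible and stops a tampered or regressed image from being pulled silently. The gosec (`:latest`) and govulncheck (`:alpine`) workflows pull floating tags the same way.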
@@ -0,0 +1,41 @@ +name: BulwarkGoSec +on: [pull_request] + +concurrency: + group: gosec-${{ github.ref }} + cancel-in-progress: true + +jobs: + gosec-pr-scan: + runs-on: ubuntu-latest + container: + image: gcr.io/spectro-dev-public/bulwark/gosec:latest + env: + REPO: ${{ github.event.repository.name }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + credentials: + username: _json_key + password: ${{ secrets.GCR_SPCD_JSON_KEY }} + steps: + + - name: run-gosec-scan + shell: sh + env: + BRANCH: ${{ github.head_ref || github.ref_name }} + GO111MODULE: on + run: | + /workspace/bulwark -name CodeSASTGoSec -verbose -target $REPO -tags "branch:$BRANCH,rules:all" + + - name: check-result + shell: sh + run: | + resultPath=$REPO-result.json + issues=$(cat $resultPath | jq -r '.Stats.found') + echo "Found ${issues} issues" + if [ "$issues" -gt 0 ]; then + echo "GoSec SAST scan failed with below findings..." + cat $resultPath + exit 1 + else + echo "GoSec SAST scan passed" + fi diff --git a/.github/workflows/golicense-pr-validation.yaml b/.github/workflows/golicense-pr-validation.yaml new file mode 100644 index 0000000000..8a83e58ab2 --- /dev/null +++ b/.github/workflows/golicense-pr-validation.yaml 
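Review bot: `GO111MODULE: on` in the `run-gosec-scan` step env is an unquoted scalar that YAML 1.1 loaders read as the boolean `true`, so depending on how the runner stringifies it the Go toolchain may receive `true` rather than `on`; write `GO111MODULE: "on"`. Separately, the container `credentials` block reads `secrets.GCR_SPCD_JSON_KEY`, and secrets are not exposed to `pull_request` runs triggered from forks, so for an external contributor the image pull fails before any scan runs. If fork PRs are meant to be scanned the image has to be pullable without a secret; if they are not, a comment above `credentials:` should say so, otherwise the failure reads as a scan finding.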
@@ -0,0 +1,32 @@ +name: GoLicenses +on: [pull_request] + +concurrency: + group: golicenses-${{ github.ref }} + cancel-in-progress: true + +jobs: + golicense-pr-scan: + runs-on: ubuntu-latest + steps: + - name: install-git + run: sudo apt-get install -y git + + - name: install-golicenses + run: GOBIN=/usr/local/bin go install github.com/google/go-licenses@latest + + - name: checkout + uses: actions/checkout@v3 + + - name: set-github-access + run: | + /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf ssh://git@github + /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf https://github + /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf git@github + + - name: golicense-scan + run: | + go-licenses check --ignore github.com/spectrocloud ./bulwark + go-licenses check --ignore github.com/spectrocloud ./dynamo + go-licenses check --ignore github.com/spectrocloud ./spate/genco +# go-licenses check --ignore github.com/spectrocloud ./spate/xk6-spate \ No newline at end of file diff --git a/.github/workflows/govulncheck-pr-validation.yaml b/.github/workflows/govulncheck-pr-validation.yaml new file mode 100644 index 0000000000..24eef805ff --- /dev/null +++ b/.github/workflows/govulncheck-pr-validation.yaml 
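Review bot: `go install github.com/google/go-licenses@latest` in `install-golicenses` resolves a new version on every run, so the tool that gates the PR changes without review and a past result cannot be reproduced; pin it, e.g. `GOBIN=/usr/local/bin go install github.com/google/go-licenses@<pinned-version>`, and likewise pin `actions/checkout@v3` to a commit SHA rather than a movable tag. The govulncheck workflow in this series installs `golang.org/x/vuln/cmd/govulncheck@latest` the same way. The `set-github-access` step writes `secrets.GH_TOKEN` into the global git config through three `insteadOf` rewrites but sets no `GOPRIVATE`, so if the `github.com/spectrocloud` modules are private, `go` will first ask proxy.golang.org and sum.golang.org for them; adding `GOPRIVATE: github.com/spectrocloud` to the step `env` keeps those fetches on the authenticated path. `install-git` runs `apt-get install` without a preceding `apt-get update`, which can fail on a stale package index, and ubuntu-latest already ships git, so the step can likely be dropped.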
@@ -0,0 +1,33 @@ +name: GoVulnCheck +on: [pull_request] + +concurrency: + group: govulncheck-${{ github.ref }} + cancel-in-progress: true + +jobs: + govulncheck-pr-scan: + runs-on: ubuntu-latest + container: + image: gcr.io/spectro-images-public/golang:alpine + steps: + - name: install-govulncheck + run: GOBIN=/usr/local/bin go install golang.org/x/vuln/cmd/govulncheck@latest + + - name: checkout + uses: actions/checkout@v3 + + - name: set-github-access + run: | + /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf ssh://git@github + /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf https://github + /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf git@github + + - name: govulncheck-scan + run: | + go version + govulncheck -mode source ./bulwark + govulncheck -mode source ./dynamo + govulncheck -mode source ./spate/genco + govulncheck -mode source ./spate/xk6-spate + From c90852e1dcea6d548fe1af5bccd11188cc893363 Mon Sep 17 00:00:00 2001 From: "kedar.jamkhindikar@spectrocloud.com" <79581321+kedar-calsoftinc@users.noreply.github.com> Date: Mon, 16 Oct 2023 19:20:05 +0530 Subject: [PATCH 2/6] PCP-2008 : folder paths updated considering main.go location --- .github/workflows/bulwark-gosec-pr-scan.yaml | 6 ------ .github/workflows/golicense-pr-validation.yaml | 6 +++--- .github/workflows/govulncheck-pr-validation.yaml | 8 ++++---- 3 files changed, 7 insertions(+), 13 deletions(-) diff --git a/.github/workflows/bulwark-gosec-pr-scan.yaml b/.github/workflows/bulwark-gosec-pr-scan.yaml index b7a0aaedc2..bbc50ca193 100644 --- a/.github/workflows/bulwark-gosec-pr-scan.yaml +++ b/.github/workflows/bulwark-gosec-pr-scan.yaml 
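Review bot: `set-github-access` hard-codes `/usr/bin/git` inside the `gcr.io/spectro-images-public/golang:alpine` container; if that image follows the upstream golang:alpine layout, git is not installed at all, so the step fails even though `actions/checkout@v3` can fall back to a tarball download without it — confirm git is present in the image or install it in a preceding step. `alpine` is also a floating tag for the toolchain that runs the vulnerability check, so pin the image by digest. `install-govulncheck` pulls `golang.org/x/vuln/cmd/govulncheck@latest`, which should be pinned to a release so the check is reproducible.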
@@ -10,12 +10,6 @@ jobs: runs-on: ubuntu-latest container: image: gcr.io/spectro-dev-public/bulwark/gosec:latest - env: - REPO: ${{ github.event.repository.name }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - credentials: - username: _json_key - password: ${{ secrets.GCR_SPCD_JSON_KEY }} steps: - name: run-gosec-scan diff --git a/.github/workflows/golicense-pr-validation.yaml b/.github/workflows/golicense-pr-validation.yaml index 8a83e58ab2..aec90ce03b 100644 --- a/.github/workflows/golicense-pr-validation.yaml +++ b/.github/workflows/golicense-pr-validation.yaml @@ -26,7 +26,7 @@ jobs: - name: golicense-scan run: | - go-licenses check --ignore github.com/spectrocloud ./bulwark - go-licenses check --ignore github.com/spectrocloud ./dynamo - go-licenses check --ignore github.com/spectrocloud ./spate/genco + go-licenses check --ignore github.com/spectrocloud ./../bulwark + go-licenses check --ignore github.com/spectrocloud ./../dynamo + go-licenses check --ignore github.com/spectrocloud ./../spate/genco # go-licenses check --ignore github.com/spectrocloud ./spate/xk6-spate \ No newline at end of file diff --git a/.github/workflows/govulncheck-pr-validation.yaml b/.github/workflows/govulncheck-pr-validation.yaml index 24eef805ff..6fcc4b822e 100644 --- a/.github/workflows/govulncheck-pr-validation.yaml +++ b/.github/workflows/govulncheck-pr-validation.yaml @@ -26,8 +26,8 @@ jobs: - name: govulncheck-scan run: | go version - govulncheck -mode source ./bulwark - govulncheck -mode source ./dynamo - govulncheck -mode source ./spate/genco - govulncheck -mode source ./spate/xk6-spate + govulncheck -mode source ./../bulwark + govulncheck -mode source ./../dynamo + govulncheck -mode source ./../spate/genco + govulncheck -mode source ./../spate/xk6-spate From 1da6901e2e1865e1d7c3583becebb9fd23d747b4 Mon Sep 17 00:00:00 2001 
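Review bot: Removing the job-level `env` drops `REPO`, but the `run-gosec-scan` step that follows still passes `-target $REPO` and `check-result` still sets `resultPath=$REPO-result.json`; both now expand to an empty string, so the scan targets nothing and the result step looks for `-result.json`. If the intent was only to drop the registry `credentials` and the token, keep `REPO: ${{ github.event.repository.name }}`, for example in the step-level `env` next to `BRANCH`. The steps that use `$REPO` are outside this hunk.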
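Review bot: `run` steps execute in `GITHUB_WORKSPACE`, the root of the checkout, not in `.github/workflows/`, so `./../bulwark`, `./../dynamo` and `./../spate/genco` now point outside the repository and `go-licenses check` has nothing to scan there; the previous `./bulwark` form was already root-relative. The govulncheck hunk in this commit makes the same change, and the later `./../` and `./../../` edits in patches 3 and 4 move further in the same wrong direction. If the packages live at the repository root, `./...` covers every package in the module in a single invocation.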
From: "kedar.jamkhindikar@spectrocloud.com" <79581321+kedar-calsoftinc@users.noreply.github.com> Date: Tue, 17 Oct 2023 11:52:51 +0530 Subject: [PATCH 3/6] some changes related to path --- .github/workflows/bulwark-gitleaks-pr-validation.yaml | 2 -- .github/workflows/golicense-pr-validation.yaml | 4 +--- .github/workflows/govulncheck-pr-validation.yaml | 6 ++---- 3 files changed, 3 insertions(+), 9 deletions(-) diff --git a/.github/workflows/bulwark-gitleaks-pr-validation.yaml b/.github/workflows/bulwark-gitleaks-pr-validation.yaml index fae8a5ca1d..6e50bc2a1e 100644 --- a/.github/workflows/bulwark-gitleaks-pr-validation.yaml +++ b/.github/workflows/bulwark-gitleaks-pr-validation.yaml @@ -12,8 +12,6 @@ jobs: image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest env: REPO: ${{ github.event.repository.name }} - ref: ${{ github.event.pull_request.head.ref }} - repository: ${{ github.event.pull_request.head.repo.full_name }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITLEAKS_CONFIG: /workspace/config.toml steps: diff --git a/.github/workflows/golicense-pr-validation.yaml b/.github/workflows/golicense-pr-validation.yaml index aec90ce03b..a4bc25e94d 100644 --- a/.github/workflows/golicense-pr-validation.yaml +++ b/.github/workflows/golicense-pr-validation.yaml @@ -26,7 +26,5 @@ jobs: - name: golicense-scan run: | - go-licenses check --ignore github.com/spectrocloud ./../bulwark - go-licenses check --ignore github.com/spectrocloud ./../dynamo - go-licenses check --ignore github.com/spectrocloud ./../spate/genco + go-licenses check --ignore github.com/spectrocloud ./../ # go-licenses check --ignore github.com/spectrocloud ./spate/xk6-spate \ No newline at end of file diff --git a/.github/workflows/govulncheck-pr-validation.yaml b/.github/workflows/govulncheck-pr-validation.yaml index 6fcc4b822e..b94e47ae74 100644 --- a/.github/workflows/govulncheck-pr-validation.yaml +++ b/.github/workflows/govulncheck-pr-validation.yaml 
@@ -26,8 +26,6 @@ jobs: - name: govulncheck-scan run: | go version - govulncheck -mode source ./../bulwark - govulncheck -mode source ./../dynamo - govulncheck -mode source ./../spate/genco - govulncheck -mode source ./../spate/xk6-spate + govulncheck -mode source ./../ + From d250d1d248c3247a5a9baf2645a16411b7c52bd3 Mon Sep 17 00:00:00 2001 From: "kedar.jamkhindikar@spectrocloud.com" <79581321+kedar-calsoftinc@users.noreply.github.com> Date: Tue, 17 Oct 2023 14:28:28 +0530 Subject: [PATCH 4/6] some path changes for golicense and govulncheck yaml --- .github/workflows/golicense-pr-validation.yaml | 2 +- .github/workflows/govulncheck-pr-validation.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/golicense-pr-validation.yaml b/.github/workflows/golicense-pr-validation.yaml index a4bc25e94d..31ead2dac1 100644 --- a/.github/workflows/golicense-pr-validation.yaml +++ b/.github/workflows/golicense-pr-validation.yaml @@ -26,5 +26,5 @@ jobs: - name: golicense-scan run: | - go-licenses check --ignore github.com/spectrocloud ./../ + go-licenses check --ignore github.com/spectrocloud ./../../ # go-licenses check --ignore github.com/spectrocloud ./spate/xk6-spate \ No newline at end of file diff --git a/.github/workflows/govulncheck-pr-validation.yaml b/.github/workflows/govulncheck-pr-validation.yaml index b94e47ae74..5680f875bd 100644 --- a/.github/workflows/govulncheck-pr-validation.yaml +++ b/.github/workflows/govulncheck-pr-validation.yaml @@ -26,6 +26,6 @@ jobs: - name: govulncheck-scan run: | go version - govulncheck -mode source ./../ + govulncheck -mode source ./../../ From b12fbf786c1e0f628e26af4c21311616f4a5cba7 Mon Sep 17 00:00:00 2001 
From: "kedar.jamkhindikar@spectrocloud.com" <79581321+kedar-calsoftinc@users.noreply.github.com> Date: Wed, 18 Oct 2023 12:31:45 +0530 Subject: [PATCH 5/6] PCP-2008 : some changes related to path and security scan yaml removed --- .github/workflows/bulwark-gosec-pr-scan.yaml | 35 ------------------- .../workflows/golicense-pr-validation.yaml | 4 ++- .../workflows/govulncheck-pr-validation.yaml | 5 ++- 3 files changed, 7 insertions(+), 37 deletions(-) delete mode 100644 .github/workflows/bulwark-gosec-pr-scan.yaml diff --git a/.github/workflows/bulwark-gosec-pr-scan.yaml b/.github/workflows/bulwark-gosec-pr-scan.yaml deleted file mode 100644 index bbc50ca193..0000000000 --- a/.github/workflows/bulwark-gosec-pr-scan.yaml +++ /dev/null @@ -1,35 +0,0 @@ -name: BulwarkGoSec -on: [pull_request] - -concurrency: - group: gosec-${{ github.ref }} - cancel-in-progress: true - -jobs: - gosec-pr-scan: - runs-on: ubuntu-latest - container: - image: gcr.io/spectro-dev-public/bulwark/gosec:latest - steps: - - - name: run-gosec-scan - shell: sh - env: - BRANCH: ${{ github.head_ref || github.ref_name }} - GO111MODULE: on - run: | - /workspace/bulwark -name CodeSASTGoSec -verbose -target $REPO -tags "branch:$BRANCH,rules:all" - - - name: check-result - shell: sh - run: | - resultPath=$REPO-result.json - issues=$(cat $resultPath | jq -r '.Stats.found') - echo "Found ${issues} issues" - if [ "$issues" -gt 0 ]; then - echo "GoSec SAST scan failed with below findings..." - cat $resultPath - exit 1 - else - echo "GoSec SAST scan passed" - fi diff --git a/.github/workflows/golicense-pr-validation.yaml b/.github/workflows/golicense-pr-validation.yaml index 31ead2dac1..16a95d4dae 100644 --- a/.github/workflows/golicense-pr-validation.yaml +++ b/.github/workflows/golicense-pr-validation.yaml 
@@ -26,5 +26,7 @@ jobs: - name: golicense-scan run: | - go-licenses check --ignore github.com/spectrocloud ./../../ + go-licenses check --ignore github.com/spectrocloud go.mod + go-licenses check --ignore github.com/spectrocloud ./docs/triage-party + go-licenses check --ignore github.com/spectrocloud ./hack/tools # go-licenses check --ignore github.com/spectrocloud ./spate/xk6-spate \ No newline at end of file diff --git a/.github/workflows/govulncheck-pr-validation.yaml b/.github/workflows/govulncheck-pr-validation.yaml index 5680f875bd..f49b3b9b01 100644 --- a/.github/workflows/govulncheck-pr-validation.yaml +++ b/.github/workflows/govulncheck-pr-validation.yaml @@ -26,6 +26,9 @@ jobs: - name: govulncheck-scan run: | go version - govulncheck -mode source ./../../ + govulncheck -mode source go.mod + govulncheck -mode source ./docs/triage-party + govulncheck -mode source ./hack/tools + From 06ed32adf08d14b0ddc5a5cfa9bed1af59196d68 Mon Sep 17 00:00:00 2001 From: "kedar.jamkhindikar@spectrocloud.com" <79581321+kedar-calsoftinc@users.noreply.github.com> Date: Wed, 18 Oct 2023 12:43:01 +0530 Subject: [PATCH 6/6] some path changes --- .github/workflows/golicense-pr-validation.yaml | 2 +- .github/workflows/govulncheck-pr-validation.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/golicense-pr-validation.yaml b/.github/workflows/golicense-pr-validation.yaml index 16a95d4dae..decd9f8aef 100644 --- a/.github/workflows/golicense-pr-validation.yaml +++ b/.github/workflows/golicense-pr-validation.yaml @@ -26,7 +26,7 @@ jobs: - name: golicense-scan run: | - go-licenses check --ignore github.com/spectrocloud go.mod + go-licenses check --ignore github.com/spectrocloud ./ go-licenses check --ignore github.com/spectrocloud ./docs/triage-party go-licenses check --ignore github.com/spectrocloud ./hack/tools # go-licenses check --ignore github.com/spectrocloud ./spate/xk6-spate \ No newline at end of file 
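Review bot: `go-licenses check --ignore github.com/spectrocloud ./` only loads the package in the repository root and whatever it imports, so any package in a subdirectory the root does not import (a `cmd/` binary, for instance) is never checked and the license gate has a blind spot. Use the recursive pattern, `go-licenses check --ignore github.com/spectrocloud ./...`, which is also how the `./docs/triage-party` and `./hack/tools` lines should be written if those are directories inside the main module rather than separate modules — if they are separate modules the command has to run from inside each one. The govulncheck hunk that follows in this commit has the same gap with `govulncheck -mode source ./`, where `./...` is the form the tool documents; that hunk's last line may lie beyond the end of the excerpt.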
diff --git a/.github/workflows/govulncheck-pr-validation.yaml b/.github/workflows/govulncheck-pr-validation.yaml index f49b3b9b01..e35c07b16f 100644 --- a/.github/workflows/govulncheck-pr-validation.yaml +++ b/.github/workflows/govulncheck-pr-validation.yaml @@ -26,7 +26,7 @@ jobs: - name: govulncheck-scan run: | go version - govulncheck -mode source go.mod + govulncheck -mode source ./ govulncheck -mode source ./docs/triage-party govulncheck -mode source ./hack/tools