From c25cb79846da23d41e00d2aed8e3d1aeec10b104 Mon Sep 17 00:00:00 2001
From: Max Thomson
Date: Mon, 17 Jun 2024 10:39:15 -0700
Subject: [PATCH 1/8] [CI] Add supply chain security job for each service
---
.github/workflows/algorithm.yml | 22 ++++++++++++++++++++--
.github/workflows/backend.yml | 22 ++++++++++++++++++++--
.github/workflows/frontend.yml | 18 ++++++++++++++++--
3 files changed, 56 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/algorithm.yml b/.github/workflows/algorithm.yml
index 4f3adbf6..4310e304 100644
--- a/.github/workflows/algorithm.yml
+++ b/.github/workflows/algorithm.yml
@@ -58,8 +58,8 @@ jobs:
- name: Test
run: docker compose exec ${{ matrix.service }} pytest
- security:
- name: Security
+ sast:
+ name: Static Code Anaylysis Security
runs-on: ubuntu-latest
strategy:
matrix:
@@ -78,3 +78,21 @@ jobs:
- name: Test
run: bandit -c .bandit -ll -ii -n 3 -a file -r src/
+
+ guarddog:
+ name: Supply Chain Security
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ service: [search, recommend]
+ fail-fast: false
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.10"
+
+ - run: pip install guarddog
+
+ - run: guarddog verify "apps/algorithm/${{ matrix.service }}/requirements.txt" --exclude-rules repository_integrity_mismatch
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index fb9e043b..0ade38f0 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -78,8 +78,8 @@ jobs:
- name: Test
run: docker compose exec ${{ matrix.service == 'lib' && 'user' || matrix.service }} npm run ${{ matrix.service == 'lib' && '--prefix ../lib' || '' }} test:ci
- security:
- name: Security
+ sast:
+ name: Static Code Anaylysis Security
runs-on: ubuntu-latest
strategy:
matrix:
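Review bot: The `security` → `sast` rename at @@ -58,8 also changes the job's reported check name from `Security` to `Static Code Anaylysis Security`, so a branch-protection rule or repository ruleset that lists `Security` as a required status check would silently stop matching and pull requests could merge without the scan having run. The same rename appears in backend.yml (@@ -78,8) and frontend.yml (@@ -77,8), and patch 8 renames datalayer.yml's `security` job to `supply`. The new `guarddog` jobs added in this patch are likewise only enforced if their check name is added to that list; whether such a rule exists is not visible from the diff, so confirm the required-check configuration alongside the series.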
@@ -92,3 +92,21 @@ jobs:
uses: ajinabraham/njsscan-action@master
with:
args: './apps/backend/${{ matrix.service }}'
+
+ guarddog:
+ name: Supply Chain Security
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ service: [user, listing, review, message, lib]
+ fail-fast: false
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.10"
+
+ - run: pip install guarddog
+
+ - run: guarddog verify "apps/backend/${{ matrix.service }}/package.json" --exclude-rules repository_integrity_mismatch
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index 5020c987..b1ddc350 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -77,8 +77,8 @@ jobs:
- name: Test
run: npm run build
- security:
- name: Security
+ sast:
+ name: Static Code Anaylysis Security
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
@@ -87,3 +87,17 @@ jobs:
uses: ajinabraham/njsscan-action@master
with:
args: './apps/frontend'
+
+ guarddog:
+ name: Supply Chain Security
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.10"
+
+ - run: pip install guarddog
+
+ - run: guarddog verify "apps/backend/frontend/package.json" --exclude-rules repository_integrity_mismatch
From 3aea46dd0e0a1391a398a5314fe840ce55d44059 Mon Sep 17 00:00:00 2001
From: Max Thomson
Date: Mon, 17 Jun 2024 10:45:06 -0700
Subject: [PATCH 2/8] Add repository details
---
.github/workflows/algorithm.yml | 2 +-
.github/workflows/backend.yml | 2 +-
.github/workflows/frontend.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/algorithm.yml b/.github/workflows/algorithm.yml
index 4310e304..3d6006c8 100644
--- a/.github/workflows/algorithm.yml
+++ b/.github/workflows/algorithm.yml
@@ -95,4 +95,4 @@ jobs:
- run: pip install guarddog
- - run: guarddog verify "apps/algorithm/${{ matrix.service }}/requirements.txt" --exclude-rules repository_integrity_mismatch
+ - run: guarddog pypi verify "apps/algorithm/${{ matrix.service }}/requirements.txt" --exclude-rules repository_integrity_mismatch
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index 0ade38f0..8c439e4f 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -109,4 +109,4 @@ jobs:
- run: pip install guarddog
- - run: guarddog verify "apps/backend/${{ matrix.service }}/package.json" --exclude-rules repository_integrity_mismatch
+ - run: guarddog npm verify "apps/backend/${{ matrix.service }}/package.json" --exclude-rules repository_integrity_mismatch
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index b1ddc350..4ca7d76e 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -100,4 +100,4 @@ jobs:
- run: pip install guarddog
- - run: guarddog verify "apps/backend/frontend/package.json" --exclude-rules repository_integrity_mismatch
+ - run: guarddog npm verify "apps/frontend/package.json" --exclude-rules repository_integrity_mismatch
From 3f4223caba582282b2e7da5016dabb12a97ac5b4 Mon Sep 17 00:00:00 2001
From: Max Thomson
Date: Mon, 17 Jun 2024 10:47:00 -0700
Subject: [PATCH 3/8] Remove old ruleset ignore
---
.github/workflows/algorithm.yml | 2 +-
.github/workflows/backend.yml | 2 +-
.github/workflows/frontend.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/algorithm.yml b/.github/workflows/algorithm.yml
index 3d6006c8..64692e2a 100644
--- a/.github/workflows/algorithm.yml
+++ b/.github/workflows/algorithm.yml
@@ -95,4 +95,4 @@ jobs:
- run: pip install guarddog
- - run: guarddog pypi verify "apps/algorithm/${{ matrix.service }}/requirements.txt" --exclude-rules repository_integrity_mismatch
+ - run: guarddog pypi verify "apps/algorithm/${{ matrix.service }}/requirements.txt"
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index 8c439e4f..4014bc8b 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -109,4 +109,4 @@ jobs:
- run: pip install guarddog
- - run: guarddog npm verify "apps/backend/${{ matrix.service }}/package.json" --exclude-rules repository_integrity_mismatch
+ - run: guarddog npm verify "apps/backend/${{ matrix.service }}/package.json"
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index 4ca7d76e..2270883d 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -100,4 +100,4 @@ jobs:
- run: pip install guarddog
- - run: guarddog npm verify "apps/frontend/package.json" --exclude-rules repository_integrity_mismatch
+ - run: guarddog npm verify "apps/frontend/package.json"
From 3d91224b076e91a902aeee6027476285e1d5c80d Mon Sep 17 00:00:00 2001
From: Max Thomson
Date: Tue, 18 Jun 2024 15:57:39 -0700
Subject: [PATCH 4/8] Update .github/workflows/frontend.yml
---
.github/workflows/frontend.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index 2270883d..4dbc0510 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -100,4 +100,4 @@ jobs:
- run: pip install guarddog
- - run: guarddog npm verify "apps/frontend/package.json"
+ - run: guarddog npm verify "package.json"
From 890ebfdeb2d171276cd9d502c795b361a83a0037 Mon Sep 17 00:00:00 2001
From: Max Thomson
Date: Thu, 20 Jun 2024 22:04:18 -0400
Subject: [PATCH 5/8] Remove frontend due to taking ~1hr
---
.github/workflows/algorithm.yml | 2 +-
.github/workflows/backend.yml | 2 +-
.github/workflows/frontend.yml | 16 +---------------
3 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/algorithm.yml b/.github/workflows/algorithm.yml
index 64692e2a..ccf0179c 100644
--- a/.github/workflows/algorithm.yml
+++ b/.github/workflows/algorithm.yml
@@ -59,7 +59,7 @@ jobs:
run: docker compose exec ${{ matrix.service }} pytest
sast:
- name: Static Code Anaylysis Security
+ name: Static Application Security Testing
runs-on: ubuntu-latest
strategy:
matrix:
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index 4014bc8b..906fa4b5 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -79,7 +79,7 @@ jobs:
run: docker compose exec ${{ matrix.service == 'lib' && 'user' || matrix.service }} npm run ${{ matrix.service == 'lib' && '--prefix ../lib' || '' }} test:ci
sast:
- name: Static Code Anaylysis Security
+ name: Static Application Security Testing
runs-on: ubuntu-latest
strategy:
matrix:
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index 4dbc0510..272c0330 100644
--- a/.github/workflows/frontend.yml
+++ b/.github/workflows/frontend.yml
@@ -78,7 +78,7 @@ jobs:
run: npm run build
sast:
- name: Static Code Anaylysis Security
+ name: Static Application Security Testing
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
@@ -87,17 +87,3 @@ jobs:
uses: ajinabraham/njsscan-action@master
with:
args: './apps/frontend'
-
- guarddog:
- name: Supply Chain Security
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
-
- - uses: actions/setup-python@v5
- with:
- python-version: "3.10"
-
- - run: pip install guarddog
-
- - run: guarddog npm verify "package.json"
From d2ea00fdaad1f37bf88a397d342f10b456e4f150 Mon Sep 17 00:00:00 2001
From: Max Thomson
Date: Thu, 20 Jun 2024 22:19:37 -0400
Subject: [PATCH 6/8] Replace guarddog with `npm|pip audit`
---
.github/workflows/algorithm.yml | 10 +++-------
.github/workflows/backend.yml | 13 +++++++------
.github/workflows/frontend.yml | 15 +++++++++++++++
3 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/algorithm.yml b/.github/workflows/algorithm.yml
index ccf0179c..999f06a2 100644
--- a/.github/workflows/algorithm.yml
+++ b/.github/workflows/algorithm.yml
@@ -79,7 +79,7 @@ jobs:
- name: Test
run: bandit -c .bandit -ll -ii -n 3 -a file -r src/
- guarddog:
+ supply:
name: Supply Chain Security
runs-on: ubuntu-latest
strategy:
@@ -89,10 +89,6 @@ jobs:
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-python@v5
+ - uses: pypa/gh-action-pip-audit@v1
with:
- python-version: "3.10"
-
- - run: pip install guarddog
-
- - run: guarddog pypi verify "apps/algorithm/${{ matrix.service }}/requirements.txt"
+ inputs: apps/algorithm/${{ matrix.service }}/requirements.txt
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
index 906fa4b5..9b2ad3b3 100644
--- a/.github/workflows/backend.yml
+++ b/.github/workflows/backend.yml
@@ -93,20 +93,21 @@ jobs:
with:
args: './apps/backend/${{ matrix.service }}'
- guarddog:
+ supply:
name: Supply Chain Security
runs-on: ubuntu-latest
strategy:
matrix:
service: [user, listing, review, message, lib]
fail-fast: false
+ defaults:
+ run:
+ working-directory: apps/backend/${{ matrix.service }}
steps:
- uses: actions/checkout@v4
- - uses: actions/setup-python@v5
+ - uses: actions/setup-node@v4
with:
- python-version: "3.10"
-
- - run: pip install guarddog
+ node-version: ${{ env.NODE_VERSION }}
- - run: guarddog npm verify "apps/backend/${{ matrix.service }}/package.json"
+ - run: npm audit --audit-level high
diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
index 272c0330..db008765 100644
--- a/.github/workflows/frontend.yml
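Review bot: Swapping `guarddog pypi verify` for `pypa/gh-action-pip-audit` at @@ -89,10 changes what the `supply` job actually checks: pip-audit looks up published advisories for the resolved dependency set, whereas guarddog's `verify` ran heuristics for malicious or typosquatted packages, so the job keeps the name `Supply Chain Security` but no longer covers that class of risk. pip-audit also resolves the given requirements file in a scratch environment, so unless `apps/algorithm/<service>/requirements.txt` is fully pinned the audited versions are whatever resolves on the day the job runs rather than what the service ships — the diff does not show those files. A comment on the step would keep this explicit, e.g. `# pip-audit reports known advisories only (no malicious-package heuristics); it audits the resolved set, so keep requirements.txt pinned`. The same scope caveat applies to `npm audit` in backend.yml (@@ -93,20) and frontend.yml (@@ -87,3); the job's `strategy`/`matrix` block lies between this hunk and the previous one.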
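Review bot: `npm audit --audit-level high` at @@ -93,20 runs without an install step and relies on a lockfile being present in `apps/backend/${{ matrix.service }}`; if any of the five service directories (including `lib`) has no `package-lock.json` or `npm-shrinkwrap.json`, npm refuses to audit (ENOLOCK) and that matrix leg fails for a reason unrelated to vulnerabilities — the diff does not show whether those lockfiles exist. `--audit-level high` also means moderate and low advisories never fail the job, which is a policy choice worth stating next to the flag, e.g. `# fail only on high/critical; moderate and low findings are reported but not blocking`. `node-version: ${{ env.NODE_VERSION }}` assumes a workflow-level `env.NODE_VERSION`, which is outside this hunk. The frontend job in frontend.yml (@@ -87,3) has the same three points.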
+++ b/.github/workflows/frontend.yml
@@ -87,3 +87,18 @@ jobs:
uses: ajinabraham/njsscan-action@master
with:
args: './apps/frontend'
+
+ supply:
+ name: Supply Chain Security
+ runs-on: ubuntu-latest
+ defaults:
+ run:
+ working-directory: apps/frontend
+ steps:
+ - uses: actions/checkout@v4
+
+ - uses: actions/setup-node@v4
+ with:
+ node-version: ${{ env.NODE_VERSION }}
+
+ - run: npm audit --audit-level high
From ca8834f79f15fcb02674a4605f9e0446092b9558 Mon Sep 17 00:00:00 2001
From: Max Thomson
Date: Thu, 20 Jun 2024 22:20:52 -0400
Subject: [PATCH 7/8] Fix version for pypa audit
---
.github/workflows/algorithm.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/algorithm.yml b/.github/workflows/algorithm.yml
index 999f06a2..d1dd337e 100644
--- a/.github/workflows/algorithm.yml
+++ b/.github/workflows/algorithm.yml
@@ -89,6 +89,6 @@ jobs:
steps:
- uses: actions/checkout@v4
- - uses: pypa/gh-action-pip-audit@v1
+ - uses: pypa/gh-action-pip-audit@v1.0.8
with:
inputs: apps/algorithm/${{ matrix.service }}/requirements.txt
From 8ce245e5c54fb6cd8bd575423eb2a2e5e3a641b9 Mon Sep 17 00:00:00 2001
From: Max Thomson
Date: Thu, 20 Jun 2024 22:22:27 -0400
Subject: [PATCH 8/8] Change job name of datalayer also
---
.github/workflows/datalayer.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/datalayer.yml b/.github/workflows/datalayer.yml
index e50f5dc3..613e83a5 100644
--- a/.github/workflows/datalayer.yml
+++ b/.github/workflows/datalayer.yml
@@ -58,8 +58,8 @@ jobs:
- name: Build
run: cargo build
- security:
- name: Security
+ supply:
+ name: Supply Chain Security
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
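Review bot: Every action in the new `supply` job at @@ -87,3 is referenced by a mutable tag (`actions/checkout@v4`, `actions/setup-node@v4`), and the ref that patch 7 changes to `pypa/gh-action-pip-audit@v1.0.8` is also a tag rather than a commit; for a job whose purpose is supply-chain assurance, pinning to the full commit SHA with the version in a trailing comment is the usual hardening, so that a moved or force-pushed tag cannot change what runs in CI. The change is one line per `uses:`, e.g. `- uses: pypa/gh-action-pip-audit@<full-commit-sha>  # v1.0.8`. The same applies to the `uses:` lines of the backend supply job in patch 6; `ajinabraham/njsscan-action@master` in the context lines is the loosest ref of all, though it predates this series.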