From 5a51b2706f8283752a0cc0bc57547a9d5847bd26 Mon Sep 17 00:00:00 2001
From: Bonface Shisakha Asunga
Date: Fri, 4 Nov 2022 09:48:07 +0300
Subject: [PATCH] Integration to Trivy, Dependabot and CodeQL
Signed-off-by: Bonface Shisakha Asunga
---
.github/{workflows => }/dependabot.yml | 0
.github/workflows/codeql-analysis.yml | 79 +++++++++++++++
.github/workflows/trivy-repo-scan.yml | 129 +++++++++++++++++++++++++
3 files changed, 208 insertions(+)
rename .github/{workflows => }/dependabot.yml (100%)
create mode 100644 .github/workflows/codeql-analysis.yml
create mode 100644 .github/workflows/trivy-repo-scan.yml
diff --git a/.github/workflows/dependabot.yml b/.github/dependabot.yml
similarity index 100%
rename from .github/workflows/dependabot.yml
rename to .github/dependabot.yml
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 000000000..2b95cd04c
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,79 @@
+
+name: "CodeQL Repository scan"
+
+on:
+ push:
+ branches:
+ - master
+ - v2*
+ pull_request:
+ schedule:
+ - cron: '0 3 * * 1,3' # CodeQL Scan every Monday and Wednesday at 3 AM UTC
+ # wokflow_dispatch option enables for manual scanning
+ workflow_dispatch:
+
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'java' ]
+
+
+ steps:
+ - name: Cancel previous workflow runs
+ uses: styfle/cancel-workflow-action@0.9.1
+ with:
+ access_token: ${{ github.token }}
+
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ with:
+ submodules: recursive
+
+ - name: Set up JDK 11
+ uses: actions/setup-java@v1
+ with:
+ java-version: 11
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ queries: security-and-quality
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ - name: Autobuild Java Code
+ run: |
+ mvn clean install -DskipTests
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/trivy-repo-scan.yml b/.github/workflows/trivy-repo-scan.yml
new file mode 100644
index 000000000..08042c916
--- /dev/null
+++ b/.github/workflows/trivy-repo-scan.yml
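Review bot: The third-party actions in this job are pinned to mutable tags (`uses: styfle/cancel-workflow-action@0.9.1` and `uses: actions/setup-java@v1`), so whoever can move those tags changes what runs inside a job that holds `security-events: write`; pin each to a full commit SHA and keep the version in a trailing comment, e.g. `uses: actions/setup-java@<placeholder: full commit SHA> # <release tag>`. `actions/setup-java@v1` is also the first major; later majors require an explicit `distribution:` input, so bumping it is not a pure tag change and should be run once before merging. The build step is a hand-written `mvn clean install -DskipTests` under the name `Autobuild Java Code`, while the comment block after it still describes GitHub's Autobuild (`# If the Autobuild fails above, remove it and uncomment the following three lines.`); trim that template text so the comments match the step, and fix `wokflow_dispatch` in the trigger comment.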
@@ -0,0 +1,129 @@
+name: Trivy Security Scan on repository
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ schedule:
+ - cron: '0 3 * * 1,3' # CodeQL Scan every Monday and Wednesday at 3 AM UTC
+ # Below is for manual scanning
+ workflow_dispatch:
+
+env:
+ FULL_SUMMARY: ""
+ PATCH_SUMMARY: ""
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Cancel previous workflow runs
+ uses: styfle/cancel-workflow-action@0.9.1
+ with:
+ access_token: ${{ github.token }}
+
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner in repo mode - SARIF
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-repo-results.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-repo-results.sarif'
+
+ - name: Run Trivy vulnerability scanner in repo mode - JSON (Full)
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ format: 'json'
+ output: 'trivy-repo-full-results.json'
+
+ - name: Create summary of trivy issues on Repository Full scan
+ run: |
+ summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-full-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+ if [ -z $summary ]
+ then
+ summary="No vulnerabilities found"
+ fi
+ echo "FULL_SUMMARY=$summary" >> $GITHUB_ENV
+
+ - name: Run Trivy vulnerability scanner in repo mode - JSON (with Patches)
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'json'
+ output: 'trivy-repo-fixable-results.json'
+
+ - name: Create summary of trivy issues on Repository scan
+ run: |
+ summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-fixable-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+ if [ -z $summary ]
+ then
+ summary="No issues or vulnerability fixes available"
+ fi
+ echo "PATCH_SUMMARY=$summary" >> $GITHUB_ENV
+
+ - name: Generate trivy HTML report on Repository for download
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ format: 'template'
+ template: '@/contrib/html.tpl'
+ output: 'trivy-repo-report.html'
+
+ - name: Upload Trivy results as an artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: "trivy-repo-report.html"
+ path: './trivy-repo-report.html'
+ retention-days: 30
+
+ - name: Send Slack Notification
+ uses: slackapi/slack-github-action@v1.23.0
+ with:
+ payload: |
+ {
+ "text": "Trivy scan results for ${{ github.repository }} repository",
+ "blocks": [
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": "TRIVY REPO SCAN RESULTS FOR ${{ github.repository }} REPOSITORY"
+ }
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": " Total Vulnerabilities: ${{ env.FULL_SUMMARY }}"
+ }
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": " Vulnerabilities with fixes: ${{ env.PATCH_SUMMARY }}"
+ }
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": " View HTML result artifact: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}. Artifact is only valid for 30 days."
+ }
+ }
+ ]
+ }
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+ SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
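Review bot: All four `aquasecurity/trivy-action` steps reference `@master`, a mutable branch, so whatever that branch contains at run time executes against the checked-out repository with the job's token; pin them to a release tag or, better, a full commit SHA, `uses: aquasecurity/trivy-action@<placeholder: full commit SHA> # <release tag>`. The `build` job declares no `permissions:` block, so it runs with the repository's default token scope even though its only privileged need is `security-events: write` for `github/codeql-action/upload-sarif@v2` (plus `contents: read` for checkout); add the same job-level `permissions:` stanza the CodeQL job in this commit uses. In both summary steps `if [ -z $summary ]` leaves `$summary` unquoted, so a populated result expands to several words and its ` | ` separators become shell pipes, and the test no longer evaluates as intended; write `if [ -z "$summary" ]` and quote `"$GITHUB_ENV"` on the two `echo` lines. The cron comment was copied from the CodeQL workflow and still reads `# CodeQL Scan every Monday and Wednesday at 3 AM UTC`; reword it for the Trivy scan.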