SAST try again 7 #20
name: Security Scanning | |
on: | |
push: | |
branches: | |
- "feature/modify-helm-charts" | |
workflow_dispatch: | |
permissions: | |
contents: write | |
security-events: write | |
jobs: | |
codeql_sast: | |
name: Run CodeQL SAST Analysis | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@v4 | |
# Java Analysis | |
- name: Initialize CodeQL for Java | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: 'java' | |
build-mode: none | |
# Debug current directory and verify paths | |
- name: Debug Paths | |
run: | | |
echo "Current directory: $(pwd)" | |
echo "Contents of ./shipping:" | |
ls -la ./shipping | |
# Step 3: Install Full CodeQL CLI | |
- name: Install Full CodeQL CLI | |
run: | | |
wget https://github.com/github/codeql-cli-binaries/releases/download/v2.20.1/codeql-linux64.zip | |
unzip codeql-linux64.zip -d codeql-cli | |
export PATH=$PATH:$(pwd)/codeql-cli/codeql | |
# Step 4: Run CodeQL Analysis with Tracer | |
- name: Run CodeQL Analysis for Java | |
env: | |
CODEQL_EXTRACTOR_JAVA_LOG_LEVEL: DEBUG | |
run: | | |
mkdir -p results/java | |
./codeql-cli/codeql/codeql database create java-db \ | |
--language=java \ | |
--source-root=$(pwd)/shipping | |
echo "Checking contents of CodeQL database..." | |
if [ -d "$(pwd)/java-db/src" ]; then | |
ls -R $(pwd)/java-db/src | |
else | |
echo "No source files found in the database. Please verify the source root path!" | |
exit 1 | |
fi | |
echo "Running Maven build with preload_tracer..." | |
echo "Setting up CodeQL environment variables for tracer..." | |
export CODEQL_DIST=$(pwd)/codeql-cli/codeql | |
export CODEQL_TRACER_HOME=$(pwd)/codeql-cli/codeql/tools | |
export LD_PRELOAD=$CODEQL_TRACER_HOME/linux64/preload_tracer | |
export CODEQL_TRACER_LOG=$(pwd)/codeql-tracer.log | |
./codeql-cli/codeql/tools/linux64/preload_tracer mvn clean package -f ./shipping/pom.xml -B -DskipTests -Dspring-boot.repackage.skip=true | |
./codeql-cli/codeql/codeql database finalize java-db | |
./codeql-cli/codeql/codeql database analyze java-db \ | |
--format=sarif-latest \ | |
--output=results/java/java-results.sarif | |
- name: Upload SARIF Results for Java | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'results/java/java-results.sarif' | |
category: 'sast-java' | |
# Python Analysis | |
- name: Initialize CodeQL for Python | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: 'python' | |
- name: Run CodeQL Analysis for Python | |
run: | | |
mkdir -p results/python | |
"${CODEQL_DIST}/codeql" database create python-db --language=python --source-root=. | |
"${CODEQL_DIST}/codeql" database analyze python-db --format=sarif-latest --output=results/python/python-results.sarif | |
- name: Upload SARIF Results for Python | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'results/python/python-results.sarif' | |
category: 'sast-python' | |
# Go Analysis | |
- name: Initialize CodeQL for Go | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: 'go' | |
- name: Autobuild Go | |
run: | | |
# Custom build steps for Go if needed | |
go build ./... | |
- name: Run CodeQL Analysis for Go | |
run: | | |
mkdir -p results/go | |
"${CODEQL_DIST}/codeql" database create go-db --language=go --source-root=. | |
"${CODEQL_DIST}/codeql" database analyze go-db --format=sarif-latest --output=results/go/go-results.sarif | |
- name: Upload SARIF Results for Go | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'results/go/go-results.sarif' | |
category: 'sast-go' | |
# JavaScript/TypeScript Analysis | |
- name: Initialize CodeQL for JavaScript | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: 'javascript' | |
- name: Autobuild JavaScript | |
run: | | |
# JavaScript projects do not usually need a build step, but this can vary | |
echo "No build needed for JavaScript." | |
- name: Run CodeQL Analysis for JavaScript | |
run: | | |
mkdir -p results/javascript | |
"${CODEQL_DIST}/codeql" database create javascript-db --language=javascript --source-root=. | |
"${CODEQL_DIST}/codeql" database analyze javascript-db --format=sarif-latest --output=results/javascript/javascript-results.sarif | |
- name: Upload SARIF Results for JavaScript | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'results/javascript/javascript-results.sarif' | |
category: 'sast-javascript' | |
trivy_scan: | |
name: Run Trivy Security Scans | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Repository | |
uses: actions/checkout@v4 | |
# File System scan and generate SBOM | |
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph | |
uses: aquasecurity/[email protected] | |
with: | |
scan-type: 'fs' | |
format: 'github' | |
output: 'dependency-results.sbom.json' | |
image-ref: '.' | |
github-pat: ${{ secrets.GITHUB_TOKEN }} | |
# Container image scan | |
- name: Build Docker Images | |
run: | | |
services=(cart catalogue dispatch payment ratings shipping user web) | |
for service in "${services[@]}"; do | |
docker build -t robot-shop/$service:latest ./$service | |
done | |
# Run Trivy Image Scans for Each Service | |
- name: Run Trivy Image Scans | |
run: | | |
mkdir -p sarif-output | |
services=(cart catalogue dispatch payment ratings shipping user web) | |
for service in "${services[@]}"; do | |
echo "Scanning image robot-shop/$service:latest" | |
trivy image --severity CRITICAL,HIGH --ignore-unfixed --format sarif \ | |
-o sarif-output/trivy-image-results-$service.sarif robot-shop/$service:latest | |
done | |
# Debug: List SARIF Files | |
- name: Debug SARIF Files | |
run: | | |
echo "Listing SARIF files in the sarif-output directory:" | |
ls -lah sarif-output || echo "No SARIF files found." | |
# Upload All SARIF Files in the Folder | |
- name: Upload Image Scan Results | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: sarif-output/ | |
category: "image-scan-results" | |
# List All Installed Packages with Trivy | |
- name: List All Installed Packages | |
run: | | |
services=(cart catalogue dispatch payment ratings shipping user web) | |
mkdir -p trivy-package-reports | |
for service in "${services[@]}"; do | |
echo "Listing all installed packages for robot-shop/$service:latest" | |
trivy image --list-all-pkgs --format table -o trivy-package-reports/$service-packages.txt robot-shop/$service:latest | |
done | |
# Upload Installed Package Reports | |
- name: Upload Trivy Package Reports | |
uses: actions/upload-artifact@v3 | |
with: | |
name: trivy-package-reports | |
path: trivy-package-reports/ | |
- name: Run Trivy vulnerability scanner in IaC mode | |
uses: aquasecurity/[email protected] | |
with: | |
scan-type: 'config' | |
hide-progress: true | |
format: 'sarif' | |
output: 'trivy-config-results.sarif' | |
severity: 'CRITICAL,HIGH' | |
# Upload Config Scan Results | |
- name: Upload Config Scan Results | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'trivy-config-results.sarif' | |
category: "config-scan-results" |
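Review bot: The `export PATH=...` at the end of the "Install Full CodeQL CLI" step and the `export CODEQL_DIST=...` / `CODEQL_TRACER_HOME=...` lines inside the Java analysis step only live for that step's shell, so the later Python, Go and JavaScript steps that call `"${CODEQL_DIST}/codeql"` run with an empty `CODEQL_DIST` (unless one of the init actions happens to set it, which is worth confirming in a run log) and would fail with a not-found error. Persist the value for following steps instead, e.g. `echo "CODEQL_DIST=$(pwd)/codeql-cli/codeql" >> "$GITHUB_ENV"` in the install step, or drop the manual download entirely and point the `run` steps at the bundle the init action already provides via `${{ steps.<init-step-id>.outputs.codeql-path }}`. Separately, the `wget` of `codeql-linux64.zip` has no checksum or signature check, so the job executes an unverified archive under a token that carries `contents: write`; pinning the expected SHA-256 next to the version string and running `sha256sum -c` before `unzip` would close that gap. The same `${CODEQL_DIST}` issue applies to the Python, Go and JavaScript analysis steps, so the fix belongs in the install step rather than in each of them.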