
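# Security scanning workflow: CodeQL SAST (Java through the CodeQL CLI with the build tracer,
# then Python / Go / JavaScript) followed by Trivy (filesystem SBOM submission, per-service image
# scans, installed-package inventory, IaC config scan). SARIF output is uploaded to code scanning
# under one category per scan so results do not overwrite each other.
#
# Third-party actions below are referenced by tag. Pinning each `uses:` to a full commit SHA
# (keeping the tag in a trailing comment) protects the workflow from tag retargeting.
name: Security Scanning

on:
  push:
    branches:
      - "feature/modify-helm-charts"
  workflow_dispatch:

# Workflow default is least privilege; each job widens only what it needs.
permissions:
  contents: read

defaults:
  run:
    # Explicit bash enables `-o pipefail` on top of the runner's default `-e`.
    shell: bash

env:
  # CodeQL CLI release used by codeql_sast; bump it here only.
  CODEQL_CLI_VERSION: "v2.20.1"

jobs:
  codeql_sast:
    name: Run CodeQL SAST Analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # needed by upload-sarif
      actions: read           # needed by upload-sarif on private repositories
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      # Java Analysis
      # NOTE(review): init is invoked once per language below, but every database is created and
      # analyzed with the CLI directly, so these init steps look unused — confirm whether one init
      # listing all languages (or none) is intended before removing them.
      - name: Initialize CodeQL for Java
        uses: github/codeql-action/init@v3
        with:
          languages: 'java'
          build-mode: none

      # Debug current directory and verify paths
      - name: Debug Paths
        run: |
          echo "Current directory: $(pwd)"
          echo "Contents of ./shipping:"
          ls -la ./shipping

      # Step 3: Install Full CodeQL CLI
      - name: Install Full CodeQL CLI
        run: |
          wget "https://github.com/github/codeql-cli-binaries/releases/download/${CODEQL_CLI_VERSION}/codeql-linux64.zip"
          # TODO(review): verify the archive against the digest published for this release before
          # unpacking (e.g. `sha256sum -c` with the expected value); the digest is not recorded here.
          unzip codeql-linux64.zip -d codeql-cli
          # Each `run:` step gets a fresh shell, so a plain `export` would not reach later steps.
          # Persist the CLI location through the runner's env and PATH files instead; the Python,
          # Go and JavaScript steps below rely on CODEQL_DIST.
          echo "CODEQL_DIST=$(pwd)/codeql-cli/codeql" >> "$GITHUB_ENV"
          echo "$(pwd)/codeql-cli/codeql" >> "$GITHUB_PATH"

      # Step 4: Run CodeQL Analysis with Tracer
      - name: Run CodeQL Analysis for Java
        env:
          CODEQL_EXTRACTOR_JAVA_LOG_LEVEL: DEBUG
        run: |
          mkdir -p results/java
          "${CODEQL_DIST}/codeql" database create java-db \
            --language=java \
            --source-root="$(pwd)/shipping"
          echo "Checking contents of CodeQL database..."
          if [ -d "$(pwd)/java-db/src" ]; then
            ls -R "$(pwd)/java-db/src"
          else
            echo "No source files found in the database. Please verify the source root path!"
            exit 1
          fi
          echo "Running Maven build with preload_tracer..."
          echo "Setting up CodeQL environment variables for tracer..."
          # Tracer settings are only needed inside this step's shell.
          export CODEQL_TRACER_HOME="${CODEQL_DIST}/tools"
          export LD_PRELOAD="${CODEQL_TRACER_HOME}/linux64/preload_tracer"
          export CODEQL_TRACER_LOG="$(pwd)/codeql-tracer.log"
          "${CODEQL_TRACER_HOME}/linux64/preload_tracer" mvn clean package -f ./shipping/pom.xml -B -DskipTests -Dspring-boot.repackage.skip=true
          # NOTE(review): `database create` without a build command may already finalize the
          # database; confirm this separate finalize is reached and succeeds.
          "${CODEQL_DIST}/codeql" database finalize java-db
          "${CODEQL_DIST}/codeql" database analyze java-db \
            --format=sarif-latest \
            --output=results/java/java-results.sarif

      - name: Upload SARIF Results for Java
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'results/java/java-results.sarif'
          category: 'sast-java'

      # Python Analysis
      - name: Initialize CodeQL for Python
        uses: github/codeql-action/init@v3
        with:
          languages: 'python'

      - name: Run CodeQL Analysis for Python
        run: |
          mkdir -p results/python
          "${CODEQL_DIST}/codeql" database create python-db --language=python --source-root=.
          "${CODEQL_DIST}/codeql" database analyze python-db --format=sarif-latest --output=results/python/python-results.sarif

      - name: Upload SARIF Results for Python
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'results/python/python-results.sarif'
          category: 'sast-python'

      # Go Analysis
      - name: Initialize CodeQL for Go
        uses: github/codeql-action/init@v3
        with:
          languages: 'go'

      - name: Autobuild Go
        run: |
          # Custom build steps for Go if needed
          # NOTE(review): this assumes a go.mod at the repository root; if the Go code lives in a
          # service subdirectory, run the build from there.
          go build ./...

      - name: Run CodeQL Analysis for Go
        run: |
          mkdir -p results/go
          "${CODEQL_DIST}/codeql" database create go-db --language=go --source-root=.
          "${CODEQL_DIST}/codeql" database analyze go-db --format=sarif-latest --output=results/go/go-results.sarif

      - name: Upload SARIF Results for Go
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'results/go/go-results.sarif'
          category: 'sast-go'

      # JavaScript/TypeScript Analysis
      - name: Initialize CodeQL for JavaScript
        uses: github/codeql-action/init@v3
        with:
          languages: 'javascript'

      - name: Autobuild JavaScript
        run: |
          # JavaScript projects do not usually need a build step, but this can vary
          echo "No build needed for JavaScript."

      - name: Run CodeQL Analysis for JavaScript
        run: |
          mkdir -p results/javascript
          "${CODEQL_DIST}/codeql" database create javascript-db --language=javascript --source-root=.
          "${CODEQL_DIST}/codeql" database analyze javascript-db --format=sarif-latest --output=results/javascript/javascript-results.sarif

      - name: Upload SARIF Results for JavaScript
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'results/javascript/javascript-results.sarif'
          category: 'sast-javascript'

  trivy_scan:
    name: Run Trivy Security Scans
    runs-on: ubuntu-latest
    permissions:
      contents: write         # Trivy's `github` output format submits the SBOM to the dependency graph
      security-events: write  # needed by upload-sarif
      actions: read           # needed by upload-sarif on private repositories
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4

      # File System scan and generate SBOM
      # NOTE(review): the action reference on this page is garbled ("[email protected]"); it should
      # read aquasecurity/trivy-action@<pinned version or commit SHA>. The same applies to the IaC step.
      - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'fs'
          format: 'github'
          output: 'dependency-results.sbom.json'
          image-ref: '.'
          github-pat: ${{ secrets.GITHUB_TOKEN }}

      # Container image scan
      - name: Build Docker Images
        run: |
          services=(cart catalogue dispatch payment ratings shipping user web)
          for service in "${services[@]}"; do
            docker build -t "robot-shop/${service}:latest" "./${service}"
          done

      # Run Trivy Image Scans for Each Service
      # NOTE(review): the `trivy` binary is assumed to be on PATH after the trivy-action step above;
      # confirm, or add an explicit install step.
      - name: Run Trivy Image Scans
        run: |
          mkdir -p sarif-output
          services=(cart catalogue dispatch payment ratings shipping user web)
          for service in "${services[@]}"; do
            echo "Scanning image robot-shop/${service}:latest"
            trivy image --severity CRITICAL,HIGH --ignore-unfixed --format sarif \
              -o "sarif-output/trivy-image-results-${service}.sarif" "robot-shop/${service}:latest"
          done

      # Debug: List SARIF Files
      - name: Debug SARIF Files
        run: |
          echo "Listing SARIF files in the sarif-output directory:"
          ls -lah sarif-output || echo "No SARIF files found."

      # Upload All SARIF Files in the Folder
      - name: Upload Image Scan Results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif-output/
          category: "image-scan-results"

      # List All Installed Packages with Trivy
      - name: List All Installed Packages
        run: |
          services=(cart catalogue dispatch payment ratings shipping user web)
          mkdir -p trivy-package-reports
          for service in "${services[@]}"; do
            echo "Listing all installed packages for robot-shop/${service}:latest"
            trivy image --list-all-pkgs --format table -o "trivy-package-reports/${service}-packages.txt" "robot-shop/${service}:latest"
          done

      # Upload Installed Package Reports
      # upload-artifact v3 is deprecated and no longer served; v4 is a drop-in for a single upload.
      - name: Upload Trivy Package Reports
        uses: actions/upload-artifact@v4
        with:
          name: trivy-package-reports
          path: trivy-package-reports/

      - name: Run Trivy vulnerability scanner in IaC mode
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'config'
          hide-progress: true
          format: 'sarif'
          output: 'trivy-config-results.sarif'
          severity: 'CRITICAL,HIGH'

      # Upload Config Scan Results
      - name: Upload Config Scan Results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-config-results.sarif'
          category: "config-scan-results"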