From bf9dc8c2d0c40c66b89a315ef24cd0b17e954920 Mon Sep 17 00:00:00 2001 From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com> Date: Fri, 21 Apr 2023 10:57:38 +1200 Subject: [PATCH] feat(ci/security): remove deprecated github action command alert [EE-3059] (#8795) --- .github/workflows/nightly-security-scan.yml | 122 ++++++++------------ .github/workflows/pr-security.yml | 115 +++++++++--------- 2 files changed, 106 insertions(+), 131 deletions(-) diff --git a/.github/workflows/nightly-security-scan.yml b/.github/workflows/nightly-security-scan.yml index 917d5e495..a80de4370 100644 --- a/.github/workflows/nightly-security-scan.yml +++ b/.github/workflows/nightly-security-scan.yml @@ -2,21 +2,22 @@ name: Nightly Code Security Scan on: schedule: - - cron: '0 8 * * *' + - cron: '0 20 * * *' workflow_dispatch: jobs: client-dependencies: - name: Client dependency check + name: Client Dependency Check runs-on: ubuntu-latest if: >- # only run for develop branch github.ref == 'refs/heads/develop' outputs: js: ${{ steps.set-matrix.outputs.js_result }} steps: - - uses: actions/checkout@master + - name: checkout repository + uses: actions/checkout@master - - name: Run Snyk to check for vulnerabilities + - name: scan vulnerabilities by Snyk uses: snyk/actions/node@master continue-on-error: true # To make sure that artifact upload gets called env: 
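Review bot: The renamed checkout step still resolves `actions/checkout@master`, and the Snyk step below it `snyk/actions/node@master`, so both follow a mutable branch of a third-party repository rather than a release; the commit adds a `name:` to the step but leaves the reference unpinned. Pin each to a release tag or, better, a full commit SHA, e.g. `uses: actions/checkout@v3  # or a full commit SHA`. The same unpinned checkout is added in the pr-security.yml hunks at old lines 23 and 76 and kept in the image job hunk at old line 136. The Snyk step's `env:` block continues past the end of this hunk.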
@@ -24,46 +25,48 @@ jobs: with: json: true - - name: Upload js security scan result as artifact + - name: upload scan result as develop artifact uses: actions/upload-artifact@v3 with: name: js-security-scan-develop-result path: snyk.json - - name: Export scan result to html file - run: | - $(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=snyk -path="/data/snyk.json" -output-type=table -export -export-filename="/data/js-result") + - name: develop scan report export to html + run: | + $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/js-result") - - name: Upload js result html file + - name: upload html file as artifact uses: actions/upload-artifact@v3 with: name: html-js-result-${{github.run_id}} path: js-result.html - - name: Analyse the js result + - name: analyse vulnerabilities id: set-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=snyk -path="/data/snyk.json" -output-type=matrix) - echo "::set-output name=js_result::${result}" + run: | + result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix) + echo "js_result=${result}" >> $GITHUB_OUTPUT server-dependencies: - name: Server dependency check + name: Server Dependency Check runs-on: ubuntu-latest if: >- # only run for develop branch github.ref == 'refs/heads/develop' outputs: go: ${{ steps.set-matrix.outputs.go_result }} steps: - - uses: actions/checkout@master + - name: checkout repository + uses: actions/checkout@master - - uses: actions/setup-go@v3 + - name: install Go + uses: actions/setup-go@v3 with: - go-version: '1.19.4' + go-version: '1.19.5' - - name: Download go modules + - name: download Go modules run: cd ./api && go 
get -t -v -d ./... - - name: Run Snyk to check for vulnerabilities + - name: scan vulnerabilities by Snyk continue-on-error: true # To make sure that artifact upload gets called env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} 
@@ -71,97 +74,66 @@ jobs: yarn global add snyk snyk test --file=./api/go.mod --json-file-output=snyk.json 2>/dev/null || : - - name: Upload go security scan result as artifact + - name: upload scan result as develop artifact uses: actions/upload-artifact@v3 with: name: go-security-scan-develop-result path: snyk.json - - name: Export scan result to html file - run: | - $(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=snyk -path="/data/snyk.json" -output-type=table -export -export-filename="/data/go-result") + - name: develop scan report export to html + run: | + $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/go-result") - - name: Upload go result html file + - name: upload html file as artifact uses: actions/upload-artifact@v3 with: name: html-go-result-${{github.run_id}} path: go-result.html - - name: Analyse the go result + - name: analyse vulnerabilities id: set-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=snyk -path="/data/snyk.json" -output-type=matrix) - echo "::set-output name=go_result::${result}" + run: | + result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix) + echo "go_result=${result}" >> $GITHUB_OUTPUT image-vulnerability: - name: Build docker image and Image vulnerability check + name: Image Vulnerability Check runs-on: ubuntu-latest if: >- github.ref == 'refs/heads/develop' outputs: image: ${{ steps.set-matrix.outputs.image_result }} steps: - - name: Checkout code - uses: actions/checkout@master - - - name: Use golang 1.19.4 - uses: actions/setup-go@v3 - with: - go-version: '1.19.4' - - - name: Use Node.js 18.x - uses: actions/setup-node@v1 - with: - 
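Review bot: In the "develop scan report export to html" step the whole `docker run …` command is wrapped in `$( … )` at statement position, so the shell runs the container and then executes whatever the container printed to stdout as a command; the intended command is the `docker run` itself, so the wrapper should go: `run: docker run --rm -v "${{ github.workspace }}:/data" portainerci/code-security-report:<PINNED_TAG> summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/js-result"`. This matters more after the commit because the image moves from the pinned `oscarzhou/scan-report:0.1.8` to `portainerci/code-security-report:latest`, a mutable tag that is pulled fresh on every run and also drives the `$GITHUB_OUTPUT` matrix; pinning it to a tag or `@sha256:<digest>` keeps nightly results reproducible. The `echo "js_result=${result}" >> $GITHUB_OUTPUT` form presumably relies on the matrix JSON being a single line, since a multi-line value needs the heredoc delimiter syntax — worth confirming against the tool's output. The same `$( … )` wrapper and `:latest` tag appear in the go and image export steps of the next hunk and in the pr-security.yml hunks at old lines 51, 111 and 191.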
node-version: 18.x - - - name: Install packages and build - run: yarn install && yarn build - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 - - - name: Build and push - uses: docker/build-push-action@v2 - with: - context: . - file: build/linux/Dockerfile - tags: trivy-portainer:${{ github.sha }} - outputs: type=docker,dest=/tmp/trivy-portainer-image.tar - - - name: Load docker image - run: | - docker load --input /tmp/trivy-portainer-image.tar - - - name: Run Trivy vulnerability scanner + - name: scan vulnerabilities by Trivy uses: docker://docker.io/aquasec/trivy:latest continue-on-error: true with: - args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress trivy-portainer:${{ github.sha }} + args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainerci/portainer:develop - - name: Upload image security scan result as artifact + - name: upload image security scan result as artifact uses: actions/upload-artifact@v3 with: name: image-security-scan-develop-result path: image-trivy.json - - name: Export scan result to html file - run: | - $(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=trivy -path="/data/image-trivy.json" -output-type=table -export -export-filename="/data/image-result") + - name: develop scan report export to html + run: | + $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-result") - - name: Upload go result html file + - name: upload html file as artifact uses: actions/upload-artifact@v3 with: name: html-image-result-${{github.run_id}} path: image-result.html - - name: Analyse the trivy result + - name: analyse vulnerabilities id: set-matrix - run: | - 
result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=trivy -path="/data/image-trivy.json" -output-type=matrix) - echo "::set-output name=image_result::${result}" + run: | + result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix) + echo "image_result=${result}" >> $GITHUB_OUTPUT result-analysis: - name: Analyse scan result + name: Analyse Scan Results needs: [client-dependencies, server-dependencies, image-vulnerability] runs-on: ubuntu-latest if: >- @@ -172,7 +144,7 @@ jobs: go: ${{fromJson(needs.server-dependencies.outputs.go)}} image: ${{fromJson(needs.image-vulnerability.outputs.image)}} steps: - - name: Display the results of js, go and image + - name: display the results of js, Go, and image scan run: | echo ${{ matrix.js.status }} echo ${{ matrix.go.status }} @@ -181,12 +153,12 @@ jobs: echo ${{ matrix.go.summary }} echo ${{ matrix.image.summary }} - - name: Send Slack message + - name: send message to Slack if: >- matrix.js.status == 'failure' || matrix.go.status == 'failure' || matrix.image.status == 'failure' - uses: slackapi/slack-github-action@v1.18.0 + uses: slackapi/slack-github-action@v1.23.0 with: payload: | { diff --git a/.github/workflows/pr-security.yml b/.github/workflows/pr-security.yml index 6ab372387..51e41737e 100644 --- a/.github/workflows/pr-security.yml +++ b/.github/workflows/pr-security.yml @@ -12,10 +12,11 @@ on: - 'build/linux/Dockerfile' - 'build/linux/alpine.Dockerfile' - 'build/windows/Dockerfile' + - '.github/workflows/pr-security.yml' jobs: client-dependencies: - name: Client dependency check + name: Client Dependency Check runs-on: ubuntu-latest if: >- github.event.pull_request && 
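Review bot: With the build steps removed, the image job now scans `portainerci/portainer:develop` as pulled from the registry, so its findings, the `image-security-scan-develop-result` artifact that pr-security.yml downloads as its baseline, and the Slack alert describe whatever image currently carries that tag rather than the develop commit the js and go jobs scan; how far the two can drift depends on the publishing pipeline, which is not visible here. A comment above the `args:` line would make that explicit for the next reader: `# scans the last published develop image, which may lag develop HEAD; the js/go jobs scan the checked-out tree`. This hunk also keeps the `$( … )` wrapper around the export-step `docker run` and the `:latest` report image noted on the client-dependencies hunk.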
@@ -23,9 +24,10 @@ jobs: outputs: jsdiff: ${{ steps.set-diff-matrix.outputs.js_diff_result }} steps: - - uses: actions/checkout@master + - name: checkout repository + uses: actions/checkout@master - - name: Run Snyk to check for vulnerabilities + - name: scan vulnerabilities by Snyk uses: snyk/actions/node@master continue-on-error: true # To make sure that artifact upload gets called env: @@ -33,13 +35,13 @@ jobs: with: json: true - - name: Upload js security scan result as artifact + - name: upload scan result as pull-request artifact uses: actions/upload-artifact@v3 with: name: js-security-scan-feat-result path: snyk.json - - name: Download artifacts from develop branch + - name: download artifacts from develop branch built by nightly scan env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | 
@@ -51,24 +53,24 @@ jobs: echo "null" > ./js-snyk-develop.json fi - - name: Export scan result to html file - run: | - $(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 diff -report-type=snyk -path="/data/js-snyk-feature.json" -compare-to="/data/js-snyk-develop.json" -output-type=table -export -export-filename="/data/js-result") + - name: pr vs develop scan report comparison export to html + run: | + $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/js-snyk-feature.json" --compare-to="/data/js-snyk-develop.json" --output-type=table --export --export-filename="/data/js-result") - - name: Upload js result html file + - name: upload html file as artifact uses: actions/upload-artifact@v3 with: name: html-js-result-compare-to-develop-${{github.run_id}} path: js-result.html - - name: Analyse the js diff result + - name: analyse different vulnerabilities against develop branch id: set-diff-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 diff -report-type=snyk -path="/data/js-snyk-feature.json" -compare-to="./data/js-snyk-develop.json" -output-type=matrix) - echo "::set-output name=js_diff_result::${result}" + run: | + result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/js-snyk-feature.json" --compare-to="/data/js-snyk-develop.json" --output-type=matrix) + echo "js_diff_result=${result}" >> $GITHUB_OUTPUT server-dependencies: - name: Server dependency check + name: Server Dependency Check runs-on: ubuntu-latest if: >- github.event.pull_request && 
@@ -76,16 +78,18 @@ jobs: outputs: godiff: ${{ steps.set-diff-matrix.outputs.go_diff_result }} steps: - - uses: actions/checkout@master + - name: checkout repository + uses: actions/checkout@master - - uses: actions/setup-go@v3 + - name: install Go + uses: actions/setup-go@v3 with: - go-version: '1.19.4' + go-version: '1.19.5' - - name: Download go modules + - name: download Go modules run: cd ./api && go get -t -v -d ./... - - name: Run Snyk to check for vulnerabilities + - name: scan vulnerabilities by Snyk continue-on-error: true # To make sure that artifact upload gets called env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} @@ -93,13 +97,13 @@ jobs: yarn global add snyk snyk test --file=./api/go.mod --json-file-output=snyk.json 2>/dev/null || : - - name: Upload go security scan result as artifact + - name: upload scan result as pull-request artifact uses: actions/upload-artifact@v3 with: name: go-security-scan-feature-result path: snyk.json - - name: Download artifacts from develop branch + - name: download artifacts from develop branch built by nightly scan env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | 
@@ -111,24 +115,24 @@ jobs: echo "null" > ./go-snyk-develop.json fi - - name: Export scan result to html file - run: | - $(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 diff -report-type=snyk -path="/data/go-snyk-feature.json" -compare-to="/data/go-snyk-develop.json" -output-type=table -export -export-filename="/data/go-result") + - name: pr vs develop scan report comparison export to html + run: | + $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=table --export --export-filename="/data/go-result") - - name: Upload go result html file + - name: upload html file as artifact uses: actions/upload-artifact@v3 with: name: html-go-result-compare-to-develop-${{github.run_id}} path: go-result.html - - name: Analyse the go diff result + - name: analyse different vulnerabilities against develop branch id: set-diff-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 diff -report-type=snyk -path="/data/go-snyk-feature.json" -compare-to="/data/go-snyk-develop.json" -output-type=matrix) - echo "::set-output name=go_diff_result::${result}" + run: | + result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=matrix) + echo "go_diff_result=${result}" >> $GITHUB_OUTPUT image-vulnerability: - name: Build docker image and Image vulnerability check + name: Image Vulnerability Check runs-on: ubuntu-latest if: >- github.event.pull_request && 
@@ -136,50 +140,50 @@ jobs: outputs: imagediff: ${{ steps.set-diff-matrix.outputs.image_diff_result }} steps: - - name: Checkout code + - name: checkout code uses: actions/checkout@master - - name: Use golang 1.19.4 + - name: install Go 1.19.5 uses: actions/setup-go@v3 with: - go-version: '1.19.4' + go-version: '1.19.5' - - name: Use Node.js 18.x - uses: actions/setup-node@v1 + - name: install Node.js 18.x + uses: actions/setup-node@v3 with: node-version: 18.x - - name: Install packages and build + - name: install packages and build binary run: yarn install && yarn build - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + - name: set up docker buildx + uses: docker/setup-buildx-action@v2 - - name: Build and push - uses: docker/build-push-action@v2 + - name: build and compress image + uses: docker/build-push-action@v4 with: context: . file: build/linux/Dockerfile tags: trivy-portainer:${{ github.sha }} outputs: type=docker,dest=/tmp/trivy-portainer-image.tar - - name: Load docker image + - name: load docker image run: | docker load --input /tmp/trivy-portainer-image.tar - - name: Run Trivy vulnerability scanner + - name: scan vulnerabilities by Trivy uses: docker://docker.io/aquasec/trivy:latest continue-on-error: true with: - args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress trivy-portainer:${{ github.sha }} + args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress trivy-portainer:${{ github.sha }} - - name: Upload image security scan result as artifact + - name: upload image security scan result as artifact uses: actions/upload-artifact@v3 with: name: image-security-scan-feature-result path: image-trivy.json - - name: Download artifacts from develop branch + - name: download artifacts from develop branch built by nightly scan env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | 
@@ -191,24 +195,24 @@ jobs: echo "null" > ./image-trivy-develop.json fi - - name: Export scan result to html file - run: | - $(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 diff -report-type=trivy -path="/data/image-trivy-feature.json" -compare-to="/data/image-trivy-develop.json" -output-type=table -export -export-filename="/data/image-result") + - name: pr vs develop scan report comparison export to html + run: | + $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-result") - - name: Upload image result html file + - name: upload html file as artifact uses: actions/upload-artifact@v3 with: name: html-image-result-compare-to-develop-${{github.run_id}} path: image-result.html - - name: Analyse the image diff result + - name: analyse different vulnerabilities against develop branch id: set-diff-matrix - run: | - result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 diff -report-type=trivy -path="/data/image-trivy-feature.json" -compare-to="./data/image-trivy-develop.json" -output-type=matrix) - echo "::set-output name=image_diff_result::${result}" + run: | + result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix) + echo "image_diff_result=${result}" >> $GITHUB_OUTPUT result-analysis: - name: Analyse scan result compared to develop + name: Analyse Scan Result Against develop Branch needs: [client-dependencies, server-dependencies, image-vulnerability] runs-on: ubuntu-latest if: >- 
@@ -220,8 +224,7 @@ jobs: godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}} imagediff: ${{fromJson(needs.image-vulnerability.outputs.imagediff)}} steps: - - - name: Check job status of diff result + - name: check job status of diff result if: >- matrix.jsdiff.status == 'failure' || matrix.godiff.status == 'failure' ||