feat(ci/security): remove deprecated github action command alert [EE-3059] (#8795)

2023-04-21 10:57:38 +12:00 · 2023-04-21 10:57:38 +12:00 · bf9dc8c2d0
parent 67f8e8f3c2
commit bf9dc8c2d0
2 changed files with 106 additions and 131 deletions
--- a/.github/workflows/nightly-security-scan.yml
+++ b/.github/workflows/nightly-security-scan.yml
@ -2,21 +2,22 @@ name: Nightly Code Security Scan
 on: 
  schedule:
-    - cron: '0 8 * * *'
+    - cron: '0 20 * * *'
  workflow_dispatch:
 jobs:
  client-dependencies:
-    name: Client dependency check
+    name: Client Dependency Check
    runs-on: ubuntu-latest
    if: >- # only run for develop branch
      github.ref == 'refs/heads/develop' 
    outputs:
      js: ${{ steps.set-matrix.outputs.js_result }}
    steps:
-      - uses: actions/checkout@master
+      - name: checkout repository
        uses: actions/checkout@master
-      - name: Run Snyk to check for vulnerabilities
+      - name: scan vulnerabilities by Snyk
        uses: snyk/actions/node@master
        continue-on-error: true # To make sure that artifact upload gets called
        env:
@ -24,46 +25,48 @@ jobs:
        with:
          json: true
-      - name: Upload js security scan result as artifact 
+      - name: upload scan result as develop artifact 
        uses: actions/upload-artifact@v3
        with:
          name: js-security-scan-develop-result
          path: snyk.json
-      - name: Export scan result to html file 
+      - name: develop scan report export to html
        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=snyk -path="/data/snyk.json" -output-type=table -export -export-filename="/data/js-result")
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/js-result")
-      - name: Upload js result html file
+      - name: upload html file as artifact
        uses: actions/upload-artifact@v3
        with:
          name: html-js-result-${{github.run_id}}
          path: js-result.html
-      - name: Analyse the js result
+      - name: analyse vulnerabilities 
        id: set-matrix
        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=snyk -path="/data/snyk.json" -output-type=matrix)
+          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix)
-          echo "::set-output name=js_result::${result}"
+          echo "js_result=${result}" >> $GITHUB_OUTPUT
  server-dependencies:
-    name: Server dependency check
+    name: Server Dependency Check
    runs-on: ubuntu-latest
    if: >- # only run for develop branch
      github.ref == 'refs/heads/develop' 
    outputs:
      go: ${{ steps.set-matrix.outputs.go_result }}
    steps:
-      - uses: actions/checkout@master
+      - name: checkout repository
        uses: actions/checkout@master
-      - uses: actions/setup-go@v3
+      - name: install Go 
        uses: actions/setup-go@v3
        with:
-          go-version: '1.19.4'
+          go-version: '1.19.5'
-      - name: Download go modules
+      - name: download Go modules
        run: cd ./api && go get -t -v -d ./...
-      - name: Run Snyk to check for vulnerabilities
+      - name: scan vulnerabilities by Snyk
        continue-on-error: true # To make sure that artifact upload gets called
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@ -71,97 +74,66 @@ jobs:
          yarn global add snyk
          snyk test --file=./api/go.mod --json-file-output=snyk.json 2>/dev/null || :
-      - name: Upload go security scan result as artifact
+      - name: upload scan result as develop artifact 
        uses: actions/upload-artifact@v3
        with:
          name: go-security-scan-develop-result
          path: snyk.json
-      - name: Export scan result to html file 
+      - name: develop scan report export to html
        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=snyk -path="/data/snyk.json" -output-type=table -export -export-filename="/data/go-result")
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=table --export --export-filename="/data/go-result")
-      - name: Upload go result html file
+      - name: upload html file as artifact
        uses: actions/upload-artifact@v3
        with:
          name: html-go-result-${{github.run_id}}
          path: go-result.html
-      - name: Analyse the go result
+      - name: analyse vulnerabilities
        id: set-matrix
        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=snyk -path="/data/snyk.json" -output-type=matrix)
+          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=snyk --path="/data/snyk.json" --output-type=matrix)
-          echo "::set-output name=go_result::${result}"
+          echo "go_result=${result}" >> $GITHUB_OUTPUT
  image-vulnerability:
-    name: Build docker image and Image vulnerability check
+    name: Image Vulnerability Check
    runs-on: ubuntu-latest
    if: >-
      github.ref == 'refs/heads/develop'
    outputs:
      image: ${{ steps.set-matrix.outputs.image_result }}
    steps:
-      - name: Checkout code
+      - name: scan vulnerabilities by Trivy 
        uses: actions/checkout@master
      - name: Use golang 1.19.4
        uses: actions/setup-go@v3
        with:
          go-version: '1.19.4'
      - name: Use Node.js 18.x
        uses: actions/setup-node@v1
        with:
          node-version: 18.x
      - name: Install packages and build
        run: yarn install && yarn build
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Build and push
        uses: docker/build-push-action@v2
        with:
          context: .
          file: build/linux/Dockerfile
          tags: trivy-portainer:${{ github.sha }}
          outputs: type=docker,dest=/tmp/trivy-portainer-image.tar
      - name: Load docker image
        run: |
          docker load --input /tmp/trivy-portainer-image.tar
      - name: Run Trivy vulnerability scanner
        uses: docker://docker.io/aquasec/trivy:latest
        continue-on-error: true 
        with:
-          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress trivy-portainer:${{ github.sha }}  
+          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainerci/portainer:develop
-      - name: Upload image security scan result as artifact
+      - name: upload image security scan result as artifact
        uses: actions/upload-artifact@v3
        with:
          name: image-security-scan-develop-result
          path: image-trivy.json
-      - name: Export scan result to html file 
+      - name: develop scan report export to html
        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=trivy -path="/data/image-trivy.json" -output-type=table -export -export-filename="/data/image-result")
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=table --export --export-filename="/data/image-result")
-      - name: Upload go result html file
+      - name: upload html file as artifact
        uses: actions/upload-artifact@v3
        with:
          name: html-image-result-${{github.run_id}}
          path: image-result.html
-      - name: Analyse the trivy result
+      - name: analyse vulnerabilities
        id: set-matrix
        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 summary -report-type=trivy -path="/data/image-trivy.json" -output-type=matrix)
+          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest summary --report-type=trivy --path="/data/image-trivy.json" --output-type=matrix)
-          echo "::set-output name=image_result::${result}"
+          echo "image_result=${result}" >> $GITHUB_OUTPUT
  result-analysis:
-    name: Analyse scan result
+    name: Analyse Scan Results
    needs: [client-dependencies, server-dependencies, image-vulnerability]
    runs-on: ubuntu-latest
    if: >-
@ -172,7 +144,7 @@ jobs:
        go: ${{fromJson(needs.server-dependencies.outputs.go)}}
        image: ${{fromJson(needs.image-vulnerability.outputs.image)}}
    steps:
-      - name: Display the results of js, go and image
+      - name: display the results of js, Go, and image scan
        run: |
          echo ${{ matrix.js.status }}
          echo ${{ matrix.go.status }}
@ -181,12 +153,12 @@ jobs:
          echo ${{ matrix.go.summary }}
          echo ${{ matrix.image.summary }}
-      - name: Send Slack message
+      - name: send message to Slack 
        if: >- 
          matrix.js.status == 'failure' ||
          matrix.go.status == 'failure' || 
          matrix.image.status == 'failure'
-        uses: slackapi/slack-github-action@v1.18.0
+        uses: slackapi/slack-github-action@v1.23.0
        with:
          payload: |
            {
--- a/.github/workflows/pr-security.yml
+++ b/.github/workflows/pr-security.yml
@ -12,10 +12,11 @@ on:
      - 'build/linux/Dockerfile'
      - 'build/linux/alpine.Dockerfile'
      - 'build/windows/Dockerfile'
      - '.github/workflows/pr-security.yml'
 jobs:
  client-dependencies:
-    name: Client dependency check
+    name: Client Dependency Check
    runs-on: ubuntu-latest
    if: >-
      github.event.pull_request &&
@ -23,9 +24,10 @@ jobs:
    outputs:
      jsdiff: ${{ steps.set-diff-matrix.outputs.js_diff_result }}
    steps:
-      - uses: actions/checkout@master
+      - name: checkout repository 
        uses: actions/checkout@master
-      - name: Run Snyk to check for vulnerabilities
+      - name: scan vulnerabilities by Snyk
        uses: snyk/actions/node@master
        continue-on-error: true # To make sure that artifact upload gets called
        env:
@ -33,13 +35,13 @@ jobs:
        with:
          json: true
-      - name: Upload js security scan result as artifact
+      - name: upload scan result as pull-request artifact
        uses: actions/upload-artifact@v3
        with:
          name: js-security-scan-feat-result
          path: snyk.json
-      - name: Download artifacts from develop branch
+      - name: download artifacts from develop branch built by nightly scan
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
@ -51,24 +53,24 @@ jobs:
            echo "null" > ./js-snyk-develop.json
          fi
-      - name: Export scan result to html file 
+      - name: pr vs develop scan report comparison export to html
        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 diff -report-type=snyk -path="/data/js-snyk-feature.json" -compare-to="/data/js-snyk-develop.json" -output-type=table -export -export-filename="/data/js-result")
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/js-snyk-feature.json" --compare-to="/data/js-snyk-develop.json" --output-type=table --export --export-filename="/data/js-result")
-      - name: Upload js result html file
+      - name: upload html file as artifact
        uses: actions/upload-artifact@v3
        with:
          name: html-js-result-compare-to-develop-${{github.run_id}}
          path: js-result.html
-      - name: Analyse the js diff result
+      - name: analyse different vulnerabilities against develop branch
        id: set-diff-matrix
        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 diff -report-type=snyk -path="/data/js-snyk-feature.json" -compare-to="./data/js-snyk-develop.json" -output-type=matrix)
+          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/js-snyk-feature.json" --compare-to="/data/js-snyk-develop.json" --output-type=matrix)
-          echo "::set-output name=js_diff_result::${result}"
+          echo "js_diff_result=${result}" >> $GITHUB_OUTPUT
  server-dependencies:
-    name: Server dependency check
+    name: Server Dependency Check
    runs-on: ubuntu-latest
    if: >-
      github.event.pull_request &&
@ -76,16 +78,18 @@ jobs:
    outputs:
      godiff: ${{ steps.set-diff-matrix.outputs.go_diff_result }}
    steps:
-      - uses: actions/checkout@master
+      - name: checkout repository
        uses: actions/checkout@master
-      - uses: actions/setup-go@v3
+      - name: install Go
        uses: actions/setup-go@v3
        with:
-          go-version: '1.19.4'
+          go-version: '1.19.5'
-      - name: Download go modules
+      - name: download Go modules
        run: cd ./api && go get -t -v -d ./...
-      - name: Run Snyk to check for vulnerabilities
+      - name: scan vulnerabilities by Snyk
        continue-on-error: true # To make sure that artifact upload gets called
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@ -93,13 +97,13 @@ jobs:
          yarn global add snyk
          snyk test --file=./api/go.mod --json-file-output=snyk.json 2>/dev/null || :
-      - name: Upload go security scan result as artifact
+      - name: upload scan result as pull-request artifact
        uses: actions/upload-artifact@v3
        with:
          name: go-security-scan-feature-result
          path: snyk.json
-      - name: Download artifacts from develop branch
+      - name: download artifacts from develop branch built by nightly scan
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
@ -111,24 +115,24 @@ jobs:
            echo "null" > ./go-snyk-develop.json
          fi
-      - name: Export scan result to html file 
+      - name: pr vs develop scan report comparison export to html
        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 diff -report-type=snyk -path="/data/go-snyk-feature.json" -compare-to="/data/go-snyk-develop.json" -output-type=table -export -export-filename="/data/go-result")
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=table --export --export-filename="/data/go-result")
-      - name: Upload go result html file
+      - name: upload html file as artifact
        uses: actions/upload-artifact@v3
        with:
          name: html-go-result-compare-to-develop-${{github.run_id}}
          path: go-result.html
-      - name: Analyse the go diff result
+      - name: analyse different vulnerabilities against develop branch
        id: set-diff-matrix
        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 diff -report-type=snyk -path="/data/go-snyk-feature.json" -compare-to="/data/go-snyk-develop.json" -output-type=matrix)
+          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=matrix)
-          echo "::set-output name=go_diff_result::${result}"
+          echo "go_diff_result=${result}" >> $GITHUB_OUTPUT
  image-vulnerability:
-    name: Build docker image and Image vulnerability check
+    name: Image Vulnerability Check
    runs-on: ubuntu-latest
    if: >-
      github.event.pull_request &&
@ -136,50 +140,50 @@ jobs:
    outputs:
      imagediff: ${{ steps.set-diff-matrix.outputs.image_diff_result }}
    steps:
-      - name: Checkout code
+      - name: checkout code
        uses: actions/checkout@master
-      - name: Use golang 1.19.4
+      - name: install Go 1.19.5
        uses: actions/setup-go@v3
        with:
-          go-version: '1.19.4'
+          go-version: '1.19.5'
-      - name: Use Node.js 18.x
+      - name: install Node.js 18.x
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v3
        with:
          node-version: 18.x
-      - name: Install packages and build
+      - name: install packages and build binary
        run: yarn install && yarn build
-      - name: Set up Docker Buildx
+      - name: set up docker buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
-      - name: Build and push
+      - name: build and compress image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v4
        with:
          context: .
          file: build/linux/Dockerfile
          tags: trivy-portainer:${{ github.sha }}
          outputs: type=docker,dest=/tmp/trivy-portainer-image.tar
-      - name: Load docker image
+      - name: load docker image
        run: |
          docker load --input /tmp/trivy-portainer-image.tar
-      - name: Run Trivy vulnerability scanner
+      - name: scan vulnerabilities by Trivy
        uses: docker://docker.io/aquasec/trivy:latest
        continue-on-error: true 
        with:
          args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress trivy-portainer:${{ github.sha }}
-      - name: Upload image security scan result as artifact
+      - name: upload image security scan result as artifact
        uses: actions/upload-artifact@v3
        with:
          name: image-security-scan-feature-result
          path: image-trivy.json
-      - name: Download artifacts from develop branch
+      - name: download artifacts from develop branch built by nightly scan
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
@ -191,24 +195,24 @@ jobs:
            echo "null" > ./image-trivy-develop.json
          fi
-      - name: Export scan result to html file 
+      - name: pr vs develop scan report comparison export to html
        run: |
-          $(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 diff -report-type=trivy -path="/data/image-trivy-feature.json" -compare-to="/data/image-trivy-develop.json" -output-type=table -export -export-filename="/data/image-result")
+          $(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-result")
-      - name: Upload image result html file
+      - name: upload html file as artifact
        uses: actions/upload-artifact@v3
        with:
          name: html-image-result-compare-to-develop-${{github.run_id}}
          path: image-result.html
-      - name: Analyse the image diff result
+      - name: analyse different vulnerabilities against develop branch
        id: set-diff-matrix
        run: |
-          result=$(docker run --rm -v ${{ github.workspace }}:/data oscarzhou/scan-report:0.1.8 diff -report-type=trivy -path="/data/image-trivy-feature.json" -compare-to="./data/image-trivy-develop.json" -output-type=matrix)
+          result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix)
-          echo "::set-output name=image_diff_result::${result}"
+          echo "image_diff_result=${result}" >> $GITHUB_OUTPUT
  result-analysis:
-    name: Analyse scan result compared to develop
+    name: Analyse Scan Result Against develop Branch
    needs: [client-dependencies, server-dependencies, image-vulnerability]
    runs-on: ubuntu-latest
    if: >-
@ -220,8 +224,7 @@ jobs:
        godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}}
        imagediff: ${{fromJson(needs.image-vulnerability.outputs.imagediff)}}
    steps:
-
+      - name: check job status of diff result
      - name: Check job status of diff result
        if: >-
          matrix.jsdiff.status == 'failure' ||
          matrix.godiff.status == 'failure' ||