PR Code Security Scan #331
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR Code Security Scan | |
on: | |
pull_request_review: | |
types: | |
- submitted | |
- edited | |
paths: | |
- 'go.mod' | |
- 'build/linux/Dockerfile' | |
- 'build/linux/alpine.Dockerfile' | |
- 'build/windows/Dockerfile' | |
- '.github/workflows/pr-security.yml' | |
jobs: | |
server-dependencies: | |
name: Server Dependency Check | |
runs-on: ubuntu-latest | |
if: >- | |
github.event.pull_request && | |
github.event.review.body == '/scan' | |
outputs: | |
godiff: ${{ steps.set-diff-matrix.outputs.go_diff_result }} | |
steps: | |
- name: checkout repository | |
uses: actions/checkout@master | |
- name: install Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: '1.21.0' | |
- name: download Go modules | |
run: go get -t -v -d ./... | |
- name: scan vulnerabilities by Snyk | |
continue-on-error: true # To make sure that artifact upload gets called | |
env: | |
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
run: | | |
yarn global add snyk | |
snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null || : | |
- name: upload scan result as pull-request artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: go-security-scan-feature-result | |
path: snyk.json | |
- name: download artifacts from develop branch built by nightly scan | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
mv ./snyk.json ./go-snyk-feature.json | |
(gh run download -n go-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || : | |
if [[ -e ./snyk.json ]]; then | |
mv ./snyk.json ./go-snyk-develop.json | |
else | |
echo "null" > ./go-snyk-develop.json | |
fi | |
- name: pr vs develop scan report comparison export to html | |
run: | | |
$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=table --export --export-filename="/data/go-result") | |
- name: upload html file as artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: html-go-result-compare-to-develop-${{github.run_id}} | |
path: go-result.html | |
- name: analyse different vulnerabilities against develop branch | |
id: set-diff-matrix | |
run: | | |
result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=matrix) | |
echo "go_diff_result=${result}" >> $GITHUB_OUTPUT | |
image-vulnerability: | |
name: Image Vulnerability Check | |
runs-on: ubuntu-latest | |
if: >- | |
github.event.pull_request && | |
github.event.review.body == '/scan' | |
outputs: | |
imagediff: ${{ steps.set-diff-matrix.outputs.image_diff_result }} | |
steps: | |
- name: checkout code | |
uses: actions/checkout@master | |
- name: install Go 1.21.0 | |
uses: actions/setup-go@v3 | |
with: | |
go-version: '1.21.0' | |
- name: download 3rd-party binaries | |
run: ./setup.sh | |
- name: compile the codebase | |
run: ./dev.sh compile | |
- name: set up docker buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: build and compress image | |
uses: docker/build-push-action@v4 | |
with: | |
context: . | |
file: build/linux/Dockerfile | |
tags: portainer-agent:${{ github.sha }} | |
outputs: type=docker,dest=/tmp/portainer-agent-image.tar | |
- name: load docker image | |
run: | | |
docker load --input /tmp/portainer-agent-image.tar | |
- name: scan vulnerabilities by Trivy | |
uses: docker://docker.io/aquasec/trivy:latest | |
continue-on-error: true | |
with: | |
args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainer-agent:${{ github.sha }} | |
- name: upload image security scan result as artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: image-security-scan-feature-result | |
path: image-trivy.json | |
- name: download artifacts from develop branch built by nightly scan | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
mv ./image-trivy.json ./image-trivy-feature.json | |
(gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) || : | |
if [[ -e ./image-trivy.json ]]; then | |
mv ./image-trivy.json ./image-trivy-develop.json | |
else | |
echo "null" > ./image-trivy-develop.json | |
fi | |
- name: pr vs develop scan report comparison export to html | |
run: | | |
$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-result") | |
- name: upload html file as artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: html-image-result-compare-to-develop-${{github.run_id}} | |
path: image-result.html | |
- name: analyse different vulnerabilities against develop branch | |
id: set-diff-matrix | |
run: | | |
result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix) | |
echo "image_diff_result=${result}" >> $GITHUB_OUTPUT | |
result-analysis: | |
name: Analyse Scan Result Against develop Branch | |
needs: [server-dependencies, image-vulnerability] | |
runs-on: ubuntu-latest | |
if: >- | |
github.event.pull_request && | |
github.event.review.body == '/scan' | |
strategy: | |
matrix: | |
godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}} | |
imagediff: ${{fromJson(needs.image-vulnerability.outputs.imagediff)}} | |
steps: | |
- name: check job status of diff result | |
if: >- | |
matrix.godiff.status == 'failure' || | |
matrix.imagediff.status == 'failure' | |
run: | | |
echo "${{ matrix.godiff.status }}" | |
echo "${{ matrix.imagediff.status }}" | |
echo "${{ matrix.godiff.summary }}" | |
echo "${{ matrix.imagediff.summary }}" | |
exit 1 |