From bf4d658d09075370f9aa20e873233453809d62ea Mon Sep 17 00:00:00 2001
From: marcusaleman
Date: Thu, 7 Nov 2024 15:17:48 +0000
Subject: [PATCH] MAP-1798 Move security jobs from circleci to github actions

---
 .circleci/config.yml                          | 25 +------------------
 .github/workflows/security_owasp.yml          | 12 +++++++++
 .github/workflows/security_trivy.yml          | 12 +++++++++
 .../security_veracode_pipeline_scan.yml       | 12 +++++++++
 .../security_veracode_policy_scan.yml         | 12 +++++++++
 5 files changed, 49 insertions(+), 24 deletions(-)
 create mode 100644 .github/workflows/security_owasp.yml
 create mode 100644 .github/workflows/security_trivy.yml
 create mode 100644 .github/workflows/security_veracode_pipeline_scan.yml
 create mode 100644 .github/workflows/security_veracode_policy_scan.yml

diff --git a/.circleci/config.yml b/.circleci/config.yml
index 472a8bff..40b32058 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -195,27 +195,4 @@ workflows:
           - hmpps-common-vars
           - use-of-force-prod
         requires:
-          - request-prod-approval
-
-  security:
-    triggers:
-      - schedule:
-          cron: "0 7 * * 1-5"
-          filters:
-            branches:
-              only:
-                - main
-    jobs:
-      - hmpps/npm_security_audit:
-          slack_channel: << pipeline.parameters.alerts-slack-channel >>
-          context:
-            - hmpps-common-vars
-      - hmpps/trivy_latest_scan:
-          slack_channel: << pipeline.parameters.alerts-slack-channel >>
-          context:
-            - hmpps-common-vars
-      - hmpps/veracode_policy_scan:
-          slack_channel: << pipeline.parameters.alerts-slack-channel >>
-          context:
-            - veracode-credentials
-            - hmpps-common-vars
+          - request-prod-approval
\ No newline at end of file
diff --git a/.github/workflows/security_owasp.yml b/.github/workflows/security_owasp.yml
new file mode 100644
index 00000000..fefee71a
--- /dev/null
+++ b/.github/workflows/security_owasp.yml
@@ -0,0 +1,12 @@
+name: Security OWASP dependency check
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "19 6 * * MON-FRI" # Every weekday
+jobs:
+  security-kotlin-owasp-check:
+    name: Kotlin security OWASP dependency check
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_owasp.yml@v1 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit
diff --git a/.github/workflows/security_trivy.yml b/.github/workflows/security_trivy.yml
new file mode 100644
index 00000000..990bb490
--- /dev/null
+++ b/.github/workflows/security_trivy.yml
@@ -0,0 +1,12 @@
+name: Security trivy dependency check
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "19 6 * * MON-FRI" # Every weekday
+jobs:
+  security-kotlin-trivy-check:
+    name: Project security trivy dependency check
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_trivy.yml@v1 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit
diff --git a/.github/workflows/security_veracode_pipeline_scan.yml b/.github/workflows/security_veracode_pipeline_scan.yml
new file mode 100644
index 00000000..4cbc201e
--- /dev/null
+++ b/.github/workflows/security_veracode_pipeline_scan.yml
@@ -0,0 +1,12 @@
+name: Security veracode pipeline scan
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "34 6 * * 1" # Every Monday
+jobs:
+  security-veracode-pipeline-scan:
+    name: Project security veracode pipeline scan
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_pipeline_scan.yml@v1 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit
diff --git a/.github/workflows/security_veracode_policy_scan.yml b/.github/workflows/security_veracode_policy_scan.yml
new file mode 100644
index 00000000..564ec52a
--- /dev/null
+++ b/.github/workflows/security_veracode_policy_scan.yml
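Review bot: The job id `security-kotlin-owasp-check` and its display name `Kotlin security OWASP dependency check` look copied from a Kotlin template: the CircleCI workflow this commit removes ran `hmpps/npm_security_audit`, which suggests an npm codebase, and the other three new files use language-neutral `Project security ...` names. Suggest `security-owasp-check:` with `name: Project security OWASP dependency check`; the `security-kotlin-trivy-check` id in security_trivy.yml carries the same leftover. Separately, none of the four new workflows replaces the scheduled npm audit that CircleCI ran, so unless the OWASP dependency check is intended to cover it this commit drops that check silently and the description should say so either way. Finally, all four files call the reusable workflow at the floating tag `@v1` with `secrets: inherit`, which hands every repository and organisation secret to whatever commit that tag resolves to at run time; if the `# WORKFLOW_VERSION` marker is maintained by a bumper that can track a commit SHA, pin to the SHA, and otherwise pass only the secrets the reusable workflow actually needs by name.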
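Review bot: The schedule `"34 6 * * 1"` is the only one of the four new workflows that writes the weekday numerically; the other three use the `MON-FRI` form. Writing it as `- cron: "34 6 * * MON" # Every Monday` keeps the files consistent and makes the day readable without the comment. This pipeline scan has no counterpart in the removed CircleCI workflow, so a sentence in the description on why it is added alongside the policy scan would help the next reader.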
@@ -0,0 +1,12 @@
+name: Security veracode policy scan
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "19 6 * * MON-FRI" # Every weekday
+jobs:
+  security-veracode-policy-check:
+    name: Project security veracode policy scan
+    uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_policy_scan.yml@v1 # WORKFLOW_VERSION
+    with:
+      channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+    secrets: inherit
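Review bot: The job id `security-veracode-policy-check` does not match its display name `Project security veracode policy scan` or the sibling file, which pairs `security-veracode-pipeline-scan` with `... pipeline scan`; `security-veracode-policy-scan:` keeps the two files parallel. The CircleCI job this replaces took its credentials from the `veracode-credentials` context, whereas this workflow relies on `secrets: inherit`, so the Veracode credentials now have to exist as repository or organisation secrets under whatever names the reusable workflow reads. Confirm they are provisioned before the first scheduled run, because a missing secret fails the weekday scan at run time rather than at review time.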