diff --git a/.github/workflows/snyk-zap.yml b/.github/workflows/snyk-zap.yml
index 53bd609..edc6238 100644
--- a/.github/workflows/snyk-zap.yml
+++ b/.github/workflows/snyk-zap.yml
@@ -77,90 +77,14 @@ jobs: # # Step 5: Run Snyk to check Docker image for vulnerabilities - name: Run Snyk to check Docker image for vulnerabilities - continue-on-error: true + continue-on-error: false uses: snyk/actions/docker@master id: docker-image-pharos-graphql-server-scan env: SNYK_TOKEN: ${{ secrets.SNYK_CLI }} with: + command: monitor image: ncats/pharos-graphql-server:$BUILD_VERSION - args: "--sarif-file-output=snyk.sarif --file=Dockerfile" + args: "--file=Dockerfile" - - name: Replace security-severity undefined for license-related findings - continue-on-error: true - run: | - sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif - sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif - - # Step 6: Upload result to GitHub Code Scanning - - name: Upload result to GitHub Code Scanning - continue-on-error: true - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: snyk.sarif - - # Step 7: Generate Security Report - - name: Generate Security Report - continue-on-error: true - uses: rsdmike/github-security-report-action@v3.0.4 - with: - token: ${{ secrets.GITHUB_TOKEN }} - - # Step 8: Uploads artifacts (PDF reports) generated during the workflow to download. 
- - name: Upload Artifacts - continue-on-error: true - uses: actions/upload-artifact@v4 - with: - name: reports - path: ./*.pdf - - ZAP-Docker-Scan: - needs: Snyk-Docker-Image - runs-on: - group: ncats-onprem-internal-runners - - permissions: - actions: read - contents: read - security-events: write - issues: write - - steps: - # Step 1: Get BUILD_VERSION from Snyk-Docker-Image job - - name: Get BUILD_VERSION from Snyk-Docker-Image job - id: get_runner_ip - run: | - echo "BUILD_VERSION=${{ needs.Snyk-Docker-Image.outputs.build_version }}" >> $GITHUB_ENV - echo "::set-output name=runner_ip::$(hostname -I | cut -d' ' -f1)" - - - name: Login to Dockerhub - run: docker login -u "${{ secrets.DKRHUB_NCATSSVCDVOPS_USERNAME }}" -p "${{ secrets.DKRHUB_NCATSSVCDVOPS_TOKEN_WRITE }}" - - # Step 2: Add the command to start Docker image on port 8000 - - name: Start Docker image on port 8000 - continue-on-error: true - run: docker run -d -p 8000:8000 ncats/pharos-graphql-server:${{ needs.Snyk-Docker-Image.outputs.build_version }} - - # Step 3: ZAP BASELINE SCAN - - name: ZAP base Scan - continue-on-error: true - uses: zaproxy/action-baseline@v0.11.0 - with: - target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:8000' - docker_name: 'ghcr.io/zaproxy/zaproxy:stable' - token: ${{ secrets.GITHUB_TOKEN }} - fail_action: false - - # Step 4: Stop and remove the Docker container - - name: Stop and remove Docker container - run: docker stop $(docker ps -q --filter ancestor=ncats/pharos-graphql-server:$BUILD_VERSION) && docker rm $(docker ps -a -q --filter ancestor=ncats/pharos-graphql-server:$BUILD_VERSION) || true - - # Step 5: Create SARIF file from ZAP results - - name: Create SARIF file from ZAP results - uses: SvanBoxel/zaproxy-to-ghas@main - - # Step 6: Upload SARIF file to GitHub Code Scanning - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif + \ No newline at end of file
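Review bot: Switching the Snyk step to `command: monitor` and dropping the SARIF upload leaves this workflow with no vulnerability gate and no Code Scanning visibility: `snyk monitor` only records a snapshot in the Snyk UI and, unlike `snyk test`, does not exit non-zero on findings, so the new `continue-on-error: false` will surface only operational failures (auth, image pull), not a vulnerable image. If that is the intent, state it in the step comment, e.g. `# monitor only: findings are tracked in Snyk, not gated in CI`; otherwise keep a `test` invocation with `--severity-threshold=high` ahead of the `monitor` step. With the upload step gone, the job's `security-events: write` permission (outside this hunk, if still granted) is likely unused and can be dropped, and the action is still pulled from the floating `snyk/actions/docker@master` ref while holding `SNYK_TOKEN`, so pinning it to a commit SHA would close that supply-chain gap. The added final line is whitespace-only and ends without a newline (`\ No newline at end of file`), which yamllint will flag; drop it.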