-
Notifications
You must be signed in to change notification settings - Fork 6
152 lines (129 loc) · 5.81 KB
/
synk-zap-sls.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
# Define the name of the workflow
name: snyk-zap
# Define when the workflow should be triggered (on push to a specific branch and pull requests to the master branch)
on:
push:
branches:
- SLS
pull_request:
branches:
- SLS
workflow_dispatch:
# Define the jobs that will be executed as part of the workflow
jobs:
# Job to build and push the ZAP Docker image to Docker Hub
Snyk-Docker-Image:
runs-on: [ncats-awsci-ln-githubrunner-dv-v-01, prod, ncats-aws-devops]
permissions:
actions: read
contents: read
security-events: write
issues: write
outputs:
build_version: ${{ steps.get_build_version.outputs.build_version }}
steps:
# Step 1: Checkout repository
- name: Checkout code
uses: actions/checkout@v4
# Step 2: Generate Build Version Number
- name: Generate Build Version Number
id: GET_BUILD_VERSION
run: |
# Get the last recorded date from the environment variable
LAST_DATE=$(date -d "$LAST_BUILD_DATE" +'%Y-%m-%d' 2>/dev/null || echo "")
# Get the current date
CURRENT_DATE=$(date +'%Y-%m-%d')
echo "Last recorded date: $LAST_DATE"
echo "Current date: $CURRENT_DATE"
# Check if it's a new day
if [ "$LAST_DATE" != "$CURRENT_DATE" ]; then
# Reset BUILDS_TODAY to 0 for the new day
BUILDS_TODAY=0
echo "Resetting BUILDS_TODAY to 0 for the new day"
else
# Calculate the number of builds today
BUILDS_TODAY=$(seq -f v$GITHUB_RUN_NUMBER.%g $(($GITHUB_RUN_NUMBER - 1)) | wc -l)
echo "Incrementing BUILDS_TODAY"
fi
# Store the current date for the next run
echo "LAST_BUILD_DATE=$CURRENT_DATE" >> $GITHUB_ENV
# Generate the build version with the number of builds today
BUILD_VERSION_GENERATED=$(date +v%Y.%m%d.$BUILDS_TODAY)
echo "Generated Build Version: $BUILD_VERSION_GENERATED"
echo "BUILD_VERSION=$BUILD_VERSION_GENERATED" >> $GITHUB_ENV
echo "BUILD=true" >> $GITHUB_ENV
echo "::set-output name=build_version::$BUILD_VERSION_GENERATED"
# # Step 3: Login to Dockerhub
# - name: Login to Dockerhub
# run: docker login -u "${{ secrets.DKRHUB_NCATSSVCDVOPS_USERNAME }}" -p "${{ secrets.DKRHUB_NCATSSVCDVOPS_TOKEN_WRITE }}"
# Step 4: Build a Docker image
- name: Build a Docker image
run: docker build --no-cache -f ./Dockerfile --build-arg NPM_TOKEN=${{ secrets.NPM_INSTALL_TOKEN }} --build-arg BUILD_VERSION=$BUILD_VERSION -t ncats/smartgraph_frontend:$BUILD_VERSION .
# Step 5: Run Snyk to check Docker image for vulnerabilities
- name: Run Snyk to check Docker image for vulnerabilities
continue-on-error: true
uses: snyk/actions/docker@master
id: docker-image-scan
env:
SNYK_TOKEN: ${{ secrets.SNYK_CLI }}
with:
image: ncats/smartgraph_frontend:$BUILD_VERSION
args: --sarif-file-output=snyk.sarif --file=Dockerfile
- name: Replace security-severity undefined for license-related findings
run: |
sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
# Step 6: Upload result to GitHub Code Scanning
- name: Upload result to GitHub Code Scanning
# continue-on-error: true
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: snyk.sarif
# Step 7: Generate Security Report
- name: Generate Security Report
uses: rsdmike/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
# Step 8: Uploads artifacts (PDF reports) generated during the workflow to download.
- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
name: snyk-reports
path: ./*.pdf
ZAP-Docker-Scan:
needs: Snyk-Docker-Image
runs-on: [ncats-awsci-ln-githubrunner-dv-v-01, prod, ncats-aws-devops]
permissions:
actions: read
contents: read
security-events: write
issues: write
steps:
# Step 1: Get BUILD_VERSION from Snyk-Docker-Image job
- name: Get BUILD_VERSION from Snyk-Docker-Image job
id: get_runner_ip
run: |
echo "BUILD_VERSION=${{ needs.Snyk-Docker-Image.outputs.build_version }}" >> $GITHUB_ENV
echo "::set-output name=runner_ip::$(hostname -I | cut -d' ' -f1)"
# Step 2: Add the command to start Docker image on port 4200
- name: Start Docker image on port 4200
run: docker run -d -p 4200:4200 ncats/smartgraph_frontend:${{ needs.Snyk-Docker-Image.outputs.build_version }}
# Step 3: ZAP BASELINE SCAN
- name: ZAP base Scan
uses: zaproxy/[email protected]
with:
target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:4200' # ip address of the runner
docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
token: ${{ secrets.GITHUB_TOKEN }}
fail_action: false
# Step 4: Create SARIF file from ZAP results
- name: Create SARIF file from ZAP results
uses: SvanBoxel/zaproxy-to-ghas@main
# Step 5: Upload SARIF file to GitHub Code Scanning
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
# Step 6: Stop and remove the Docker container
- name: Stop and remove Docker container
run: docker stop $(docker ps -q --filter ancestor=ncats/smartgraph_frontend:$BUILD_VERSION) && docker rm $(docker ps -a -q --filter ancestor=ncats/smartgraph_frontend:$BUILD_VERSION) || true