From 48cd39e83176895f2be69af5babd54a1193f964f Mon Sep 17 00:00:00 2001 From: venkatadhatri <80774439+venkatadhatri@users.noreply.github.com> Date: Thu, 2 May 2024 11:47:22 -0400 Subject: [PATCH 01/11] Create codeql-sls.yml --- .github/workflows/codeql-sls.yml | 54 ++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 .github/workflows/codeql-sls.yml diff --git a/.github/workflows/codeql-sls.yml b/.github/workflows/codeql-sls.yml new file mode 100644 index 0000000..a487356 --- /dev/null +++ b/.github/workflows/codeql-sls.yml @@ -0,0 +1,54 @@ +# Define the name of the workflow +name: "CodeQL SLS" + +# Define when the workflow should be triggered (on push to a specific branch and pull requests to the master branch) +on: + push: + branches: + - SLS + +# Define the jobs that will be executed as part of the workflow +jobs: + analyze: + name: Analyze + runs-on: [ncats-awsci-ln-githubrunner-dv-v-01, prod, ncats-aws-devops] + + # Define the matrix strategy for parallel runs with different languages + strategy: + fail-fast: false + matrix: + language: [ 'javascript-typescript' ] + + steps: + # Step 1: Checkout repository + - name: Checkout repository + uses: actions/checkout@v4 + + # Step 2: Initialize CodeQL for scanning + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + + # Step 3: Autobuild the code. + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + # Step 4: Analyzes the code using CodeQL, with the analysis category based on the matrix language. + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" + + # Step 5: Generate Security Report + - name: Generate Security Report + uses: rsdmike/github-security-report-action@v3.0.4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + + # Step 6: Uploads artifacts (PDF reports) generated during the workflow to download. + - name: Upload Artifacts + uses: actions/upload-artifact@v4 + with: + name: reports + path: ./*.pdf From 60689fa1a9353b764b11aa144004325ee03ac6f4 Mon Sep 17 00:00:00 2001 From: venkatadhatri <80774439+venkatadhatri@users.noreply.github.com> Date: Thu, 2 May 2024 11:50:33 -0400 Subject: [PATCH 02/11] Create synk-zap-sls.yml --- .github/workflows/synk-zap-sls.yml | 152 +++++++++++++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100644 .github/workflows/synk-zap-sls.yml diff --git a/.github/workflows/synk-zap-sls.yml b/.github/workflows/synk-zap-sls.yml new file mode 100644 index 0000000..44b9755 --- /dev/null +++ b/.github/workflows/synk-zap-sls.yml @@ -0,0 +1,152 @@ +# Define the name of the workflow +name: snyk-zap + +# Define when the workflow should be triggered (on push to a specific branch and pull requests to the master branch) +on: + push: + branches: + - SLS + pull_request: + branches: + - SLS + workflow_dispatch: + +# Define the jobs that will be executed as part of the workflow +jobs: + # Job to build and push the ZAP Docker image to Docker Hub + Snyk-Docker-Image: + runs-on: [ncats-awsci-ln-githubrunner-dv-v-01, prod, ncats-aws-devops] + permissions: + actions: read + contents: read + security-events: write + issues: write + + outputs: + build_version: ${{ steps.get_build_version.outputs.build_version }} + + steps: + # Step 1: Checkout repository + - name: Checkout code + uses: actions/checkout@v4 + + # Step 2: Generate Build Version Number + - name: Generate Build Version Number + id: GET_BUILD_VERSION + run: | + # Get the last recorded date from the environment variable + LAST_DATE=$(date -d "$LAST_BUILD_DATE" +'%Y-%m-%d' 2>/dev/null || echo "") + + # Get the current date + CURRENT_DATE=$(date +'%Y-%m-%d') + echo "Last recorded date: $LAST_DATE" + echo "Current date: $CURRENT_DATE" + + # Check if it's a new day + if [ "$LAST_DATE" != "$CURRENT_DATE" ]; then + # Reset BUILDS_TODAY to 0 for the new day + BUILDS_TODAY=0 + echo "Resetting BUILDS_TODAY to 0 for the new day" + else + # Calculate the number of builds today + BUILDS_TODAY=$(seq -f v$GITHUB_RUN_NUMBER.%g $(($GITHUB_RUN_NUMBER - 1)) | wc -l) + echo "Incrementing BUILDS_TODAY" + fi + + # Store the current date for the next run + echo "LAST_BUILD_DATE=$CURRENT_DATE" >> $GITHUB_ENV + + # Generate the build version with the number of builds today + BUILD_VERSION_GENERATED=$(date +v%Y.%m%d.$BUILDS_TODAY) + echo "Generated Build Version: $BUILD_VERSION_GENERATED" + echo "BUILD_VERSION=$BUILD_VERSION_GENERATED" >> $GITHUB_ENV + echo "BUILD=true" >> $GITHUB_ENV + echo "::set-output name=build_version::$BUILD_VERSION_GENERATED" + + # Step 3: Login to Dockerhub + - name: Login to Dockerhub + run: docker login -u "${{ secrets.DKRHUB_NCATSSVCDVOPS_USERNAME }}" -p "${{ secrets.DKRHUB_NCATSSVCDVOPS_TOKEN_WRITE }}" + + # Step 4: Build a Docker image + - name: Build a Docker image + run: docker build --no-cache -f ./Dockerfile --build-arg NPM_TOKEN=${{ secrets.NPM_INSTALL_TOKEN }} --build-arg BUILD_VERSION=$BUILD_VERSION -t ncats/smartgraph_frontend:$BUILD_VERSION . + + # Step 5: Run Snyk to check Docker image for vulnerabilities + - name: Run Snyk to check Docker image for vulnerabilities + continue-on-error: true + uses: snyk/actions/docker@master + id: docker-image-scan + env: + SNYK_TOKEN: ${{ secrets.SNYK_CLI }} + with: + image: ncats/smartgraph_api:$BUILD_VERSION + args: --sarif-file-output=snyk.sarif --file=Dockerfile + + - name: Replace security-severity undefined for license-related findings + run: | + sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif + sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif + + # Step 6: Upload result to GitHub Code Scanning + - name: Upload result to GitHub Code Scanning + # continue-on-error: true + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: snyk.sarif + + # Step 7: Generate Security Report + - name: Generate Security Report + uses: rsdmike/github-security-report-action@v3.0.4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + + # Step 8: Uploads artifacts (PDF reports) generated during the workflow to download. + - name: Upload Artifacts + uses: actions/upload-artifact@v4 + with: + name: reports + path: ./*.pdf + + ZAP-Docker-Scan: + needs: Snyk-Docker-Image + runs-on: [ncats-awsci-ln-githubrunner-dv-v-01, prod, ncats-aws-devops] + permissions: + actions: read + contents: read + security-events: write + issues: write + + steps: + # Step 1: Get BUILD_VERSION from Snyk-Docker-Image job + - name: Get BUILD_VERSION from Snyk-Docker-Image job + id: get_runner_ip + run: | + echo "BUILD_VERSION=${{ needs.Snyk-Docker-Image.outputs.build_version }}" >> $GITHUB_ENV + echo "::set-output name=runner_ip::$(hostname -I | cut -d' ' -f1)" + + # Step 2: Add the command to start Docker image on port 4200 + - name: Start Docker image on port 4200 + run: docker run -d -p 4200:4200 ncats/smartgraph_frontend:${{ needs.Snyk-Docker-Image.outputs.build_version }} + + # Step 3: ZAP BASELINE SCAN + - name: ZAP base Scan + uses: zaproxy/action-baseline@v0.11.0 + with: + target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:4200' # ip address of the runner + docker_name: 'ghcr.io/zaproxy/zaproxy:stable' + token: ${{ secrets.GITHUB_TOKEN }} + fail_action: false + + # Step 4: Create SARIF file from ZAP results + - name: Create SARIF file from ZAP results + uses: SvanBoxel/zaproxy-to-ghas@main + + # Step 5: Upload SARIF file to GitHub Code Scanning + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + + # Step 6: Stop and remove the Docker container + - name: Stop and remove Docker container + run: docker stop $(docker ps -q --filter ancestor=ncats/smartgraph_frontend:$BUILD_VERSION) && docker rm $(docker ps -a -q --filter ancestor=ncats/smartgraph_frontend:$BUILD_VERSION) || true From 167ac4c964733aeb2df43e40a0f430211819e73f Mon Sep 17 00:00:00 2001 From: venkatadhatri <80774439+venkatadhatri@users.noreply.github.com> Date: Fri, 3 May 2024 12:53:59 -0400 Subject: [PATCH 03/11] Update synk-zap-sls.yml --- .github/workflows/synk-zap-sls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/synk-zap-sls.yml b/.github/workflows/synk-zap-sls.yml index 44b9755..c3b04e7 100644 --- a/.github/workflows/synk-zap-sls.yml +++ b/.github/workflows/synk-zap-sls.yml @@ -132,7 +132,7 @@ jobs: - name: ZAP base Scan uses: zaproxy/action-baseline@v0.11.0 with: - target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:4200' # ip address of the runner + target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:8000' # ip address of the runner docker_name: 'ghcr.io/zaproxy/zaproxy:stable' token: ${{ secrets.GITHUB_TOKEN }} fail_action: false From e10503a5d121077cf8d81df819d42d5401e74404 Mon Sep 17 00:00:00 2001 From: venkatadhatri <80774439+venkatadhatri@users.noreply.github.com> Date: Fri, 3 May 2024 12:59:08 -0400 Subject: [PATCH 04/11] Update synk-zap-sls.yml --- .github/workflows/synk-zap-sls.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/synk-zap-sls.yml b/.github/workflows/synk-zap-sls.yml index c3b04e7..f68454b 100644 --- a/.github/workflows/synk-zap-sls.yml +++ b/.github/workflows/synk-zap-sls.yml @@ -63,9 +63,9 @@ jobs: echo "BUILD=true" >> $GITHUB_ENV echo "::set-output name=build_version::$BUILD_VERSION_GENERATED" - # Step 3: Login to Dockerhub - - name: Login to Dockerhub - run: docker login -u "${{ secrets.DKRHUB_NCATSSVCDVOPS_USERNAME }}" -p "${{ secrets.DKRHUB_NCATSSVCDVOPS_TOKEN_WRITE }}" + # # Step 3: Login to Dockerhub + # - name: Login to Dockerhub + # run: docker login -u "${{ secrets.DKRHUB_NCATSSVCDVOPS_USERNAME }}" -p "${{ secrets.DKRHUB_NCATSSVCDVOPS_TOKEN_WRITE }}" # Step 4: Build a Docker image - name: Build a Docker image @@ -104,7 +104,7 @@ jobs: - name: Upload Artifacts uses: actions/upload-artifact@v4 with: - name: reports + name: snyk-reports path: ./*.pdf ZAP-Docker-Scan: From 4831f0e4df7c2b67cc00c5a2a1e6202d505bad79 Mon Sep 17 00:00:00 2001 From: venkatadhatri <80774439+venkatadhatri@users.noreply.github.com> Date: Fri, 3 May 2024 13:00:31 -0400 Subject: [PATCH 05/11] Update codeql-sls.yml --- .github/workflows/codeql-sls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-sls.yml b/.github/workflows/codeql-sls.yml index a487356..5bba4c4 100644 --- a/.github/workflows/codeql-sls.yml +++ b/.github/workflows/codeql-sls.yml @@ -50,5 +50,5 @@ jobs: - name: Upload Artifacts uses: actions/upload-artifact@v4 with: - name: reports + name: codeql-reports path: ./*.pdf From 974e3495aa459a2b1407a9a2f6303b20903b8cb4 Mon Sep 17 00:00:00 2001 From: venkatadhatri <80774439+venkatadhatri@users.noreply.github.com> Date: Fri, 3 May 2024 13:15:58 -0400 Subject: [PATCH 06/11] Update synk-zap-sls.yml --- .github/workflows/synk-zap-sls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/synk-zap-sls.yml b/.github/workflows/synk-zap-sls.yml index f68454b..af52fed 100644 --- a/.github/workflows/synk-zap-sls.yml +++ b/.github/workflows/synk-zap-sls.yml @@ -79,7 +79,7 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_CLI }} with: - image: ncats/smartgraph_api:$BUILD_VERSION + image: ncats/smartgraph_frontend:$BUILD_VERSION args: --sarif-file-output=snyk.sarif --file=Dockerfile - name: Replace security-severity undefined for license-related findings From 5d11b3a404ce9c4041847cb76c4a268b27723a7b Mon Sep 17 00:00:00 2001 From: venkatadhatri <80774439+venkatadhatri@users.noreply.github.com> Date: Fri, 3 May 2024 13:24:24 -0400 Subject: [PATCH 07/11] Update synk-zap-sls.yml --- .github/workflows/synk-zap-sls.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/synk-zap-sls.yml b/.github/workflows/synk-zap-sls.yml index af52fed..ea0c98a 100644 --- a/.github/workflows/synk-zap-sls.yml +++ b/.github/workflows/synk-zap-sls.yml @@ -132,7 +132,7 @@ jobs: - name: ZAP base Scan uses: zaproxy/action-baseline@v0.11.0 with: - target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:8000' # ip address of the runner + target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:4201' # ip address of the runner docker_name: 'ghcr.io/zaproxy/zaproxy:stable' token: ${{ secrets.GITHUB_TOKEN }} fail_action: false From 3da76416d83226498261fbb842507920638a80bb Mon Sep 17 00:00:00 2001 From: venkatadhatri <80774439+venkatadhatri@users.noreply.github.com> Date: Fri, 3 May 2024 13:36:50 -0400 Subject: [PATCH 08/11] Update synk-zap-sls.yml --- .github/workflows/synk-zap-sls.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/synk-zap-sls.yml b/.github/workflows/synk-zap-sls.yml index ea0c98a..b5413fd 100644 --- a/.github/workflows/synk-zap-sls.yml +++ b/.github/workflows/synk-zap-sls.yml @@ -125,14 +125,14 @@ jobs: echo "::set-output name=runner_ip::$(hostname -I | cut -d' ' -f1)" # Step 2: Add the command to start Docker image on port 4200 - - name: Start Docker image on port 4200 - run: docker run -d -p 4200:4200 ncats/smartgraph_frontend:${{ needs.Snyk-Docker-Image.outputs.build_version }} + - name: Start Docker image on port 80 + run: docker run -d -p 80:80 ncats/smartgraph_frontend:${{ needs.Snyk-Docker-Image.outputs.build_version }} # Step 3: ZAP BASELINE SCAN - name: ZAP base Scan uses: zaproxy/action-baseline@v0.11.0 with: - target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:4201' # ip address of the runner + target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:8023' # ip address of the runner docker_name: 'ghcr.io/zaproxy/zaproxy:stable' token: ${{ secrets.GITHUB_TOKEN }} fail_action: false From 8e6c0b70608bdf80865e5a2212d1bfa16300d980 Mon Sep 17 00:00:00 2001 From: venkatadhatri <80774439+venkatadhatri@users.noreply.github.com> Date: Fri, 3 May 2024 13:48:57 -0400 Subject: [PATCH 09/11] Update synk-zap-sls.yml --- .github/workflows/synk-zap-sls.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/synk-zap-sls.yml b/.github/workflows/synk-zap-sls.yml index b5413fd..a80c055 100644 --- a/.github/workflows/synk-zap-sls.yml +++ b/.github/workflows/synk-zap-sls.yml @@ -125,14 +125,14 @@ jobs: echo "::set-output name=runner_ip::$(hostname -I | cut -d' ' -f1)" # Step 2: Add the command to start Docker image on port 4200 - - name: Start Docker image on port 80 - run: docker run -d -p 80:80 ncats/smartgraph_frontend:${{ needs.Snyk-Docker-Image.outputs.build_version }} + - name: Start Docker image on port 4200 + run: docker run -d -p 4200:4200 ncats/smartgraph_frontend:${{ needs.Snyk-Docker-Image.outputs.build_version }} # Step 3: ZAP BASELINE SCAN - name: ZAP base Scan uses: zaproxy/action-baseline@v0.11.0 with: - target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:8023' # ip address of the runner + target: 'http://${{ steps.get_runner_ip.outputs.runner_ip }}:4200' # ip address of the runner docker_name: 'ghcr.io/zaproxy/zaproxy:stable' token: ${{ secrets.GITHUB_TOKEN }} fail_action: false From 32f0ca2e977e5138dec4bc9b35a0c5449b0281d9 Mon Sep 17 00:00:00 2001 From: venkatadhatri <80774439+venkatadhatri@users.noreply.github.com> Date: Fri, 3 May 2024 13:59:06 -0400 Subject: [PATCH 10/11] Update codeql-sls.yml --- .github/workflows/codeql-sls.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codeql-sls.yml b/.github/workflows/codeql-sls.yml index 5bba4c4..b1215fc 100644 --- a/.github/workflows/codeql-sls.yml +++ b/.github/workflows/codeql-sls.yml @@ -5,8 +5,12 @@ name: "CodeQL SLS" on: push: branches: - - SLS - + - development + pull_request: + branches: + - development + workflow_dispatch: + # Define the jobs that will be executed as part of the workflow jobs: analyze: From a7450357fce44da7ab3d559af34d56ee16a222ff Mon Sep 17 00:00:00 2001 From: venkatadhatri <80774439+venkatadhatri@users.noreply.github.com> Date: Fri, 3 May 2024 13:59:27 -0400 Subject: [PATCH 11/11] Update synk-zap-sls.yml --- .github/workflows/synk-zap-sls.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/synk-zap-sls.yml b/.github/workflows/synk-zap-sls.yml index a80c055..6919139 100644 --- a/.github/workflows/synk-zap-sls.yml +++ b/.github/workflows/synk-zap-sls.yml @@ -5,10 +5,10 @@ name: snyk-zap on: push: branches: - - SLS + - development pull_request: branches: - - SLS + - development workflow_dispatch: # Define the jobs that will be executed as part of the workflow