sbom_registration.yml
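name: Register tags from Trivy scan result on CI

on:
  push:
    branches:
      - main
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN: the job only checks out the
# repository and uploads artifacts, neither of which needs a write scope.
permissions:
  contents: read

jobs:
  tag_registration:
    runs-on: ubuntu-latest
    environment: threatconnectome
    strategy:
      matrix:
        node-version: [20.x]
    defaults:
      run:
        working-directory: ./
    steps:
      - name: Check out code from GitHub
        uses: actions/checkout@v4

      - name: Setup node.js environment
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: "npm"
          cache-dependency-path: ./web/package-lock.json

      # Production dependencies only, so the scan reports what ships.
      - run: npm ci --omit=dev
        working-directory: ./web

      # NOTE(review): "@master" is a mutable ref, so the scanner code can change
      # underneath this workflow without a commit here. Pin to a release tag or
      # a full commit SHA once one has been reviewed.
      - name: Run Trivy scan on CI and output report
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          scan-ref: "./"
          list-all-pkgs: true
          # Findings never fail the job; the report is consumed downstream.
          exit-code: 0
          format: json
          output: trivy-ci-result.json
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db

      - name: Upload trivy-ci-result.json as an artifact
        uses: actions/upload-artifact@v4
        with:
          name: trivy-ci-result
          path: ./trivy-ci-result.json

      # The transform script is fetched from a remote bucket and then executed
      # in a job that later holds API credentials. When TRIVY_TAGS_SHA256 is set
      # to the SHA-256 of the reviewed script, the download is verified before
      # use; while it is empty the step only warns, preserving current behaviour.
      - name: Download trivy_tags.py
        env:
          TRIVY_TAGS_SHA256: ""  # fill in: sha256 of the reviewed trivy_tags.py
        run: |
          wget -q https://storage.googleapis.com/metemcyber/trivy_tags.py
          if [ -n "$TRIVY_TAGS_SHA256" ]; then
            echo "${TRIVY_TAGS_SHA256}  trivy_tags.py" | sha256sum --check --strict
          else
            echo "::warning::trivy_tags.py was downloaded without integrity verification; set TRIVY_TAGS_SHA256"
          fi

      - name: Transform CI scan result by trivy_tags.py
        run: python3 trivy_tags.py -i trivy-ci-result.json -o artifact_tags.jsonl

      - name: Upload artifact_tags.jsonl as an artifact
        uses: actions/upload-artifact@v4
        with:
          name: artifact_tags
          path: ./artifact_tags.jsonl

      # Secrets are passed through env rather than interpolated into the script
      # text, the request body is built by jq and sent on stdin (not on the
      # command line), a failed or empty refresh is fatal instead of yielding
      # the literal string "null", and the resulting token is masked so it
      # cannot appear in later step logs once it lives in GITHUB_ENV.
      - name: Get AuthToken from RefreshToken
        env:
          TC_API_URL: ${{ secrets.TC_API_URL }}
          TC_REFRESH_TOKEN: ${{ secrets.THREATCONNECTOME_REFRESHTOKEN }}
        run: |
          set -o pipefail
          token="$(jq -n --arg rt "$TC_REFRESH_TOKEN" '{refresh_token: $rt}' \
            | curl -fsS -X 'POST' \
                "${TC_API_URL}/auth/refresh" \
                -H 'accept: application/json' \
                -H 'Content-Type: application/json' \
                -d @- \
            | jq -r .access_token)"
          if [ -z "$token" ] || [ "$token" = "null" ]; then
            echo "::error::auth/refresh did not return an access_token"
            exit 1
          fi
          echo "::add-mask::$token"
          echo "AUTHTOKEN=$token" >> "$GITHUB_ENV"

      # Strip the "<owner>/" prefix from "<owner>/<repo>".
      - name: Get repository name
        run: echo "REPOSITORY_NAME=${GITHUB_REPOSITORY#"${GITHUB_REPOSITORY_OWNER}"/}" >> "$GITHUB_ENV"

      # SERVICE_NAME falls back to the repository name when the secret is unset.
      - name: Set tag group name
        env:
          SERVICE_NAME_OVERRIDE: ${{ secrets.SERVICE_NAME }}
        run: |
          if [ -n "$SERVICE_NAME_OVERRIDE" ]; then
            echo "SERVICE_NAME=$SERVICE_NAME_OVERRIDE" >> "$GITHUB_ENV"
          else
            echo "SERVICE_NAME=$REPOSITORY_NAME" >> "$GITHUB_ENV"
          fi

      # -f makes an HTTP error status fail the step; -sS keeps the log quiet
      # but still prints the error message.
      - name: Call upload_pteam_tags_file API to register tags
        env:
          TC_API_URL: ${{ secrets.TC_API_URL }}
          TC_TEAM_ID: ${{ secrets.THREATCONNECTOME_TEAM_ID }}
        run: |
          curl -fsS -X 'POST' \
            "${TC_API_URL}/pteams/${TC_TEAM_ID}/upload_tags_file?service=${SERVICE_NAME}&force_mode=True" \
            -H "Authorization: Bearer ${AUTHTOKEN}" \
            -H 'accept: application/json' \
            -H 'Content-Type: multipart/form-data' \
            -F 'file=@artifact_tags.jsonl'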