Adds devguard and license check workflows
Signed-off-by: Sebastian Kawelke <[email protected]>
seb-kw committed Nov 21, 2024
1 parent 80bda4a commit ef4acfb
Showing 6 changed files with 229 additions and 234 deletions.
136 changes: 10 additions & 126 deletions .github/workflows/devsecops.yaml
@@ -1,130 +1,14 @@
# DevSecOps Workflow Definition
# This workflow is triggered on every push to the repository
name: DevSecOps Workflow

on: push

# Environment variables used across multiple jobs
env:
IMAGE_TAG: ghcr.io/${{ github.repository }}:unstable
name: DevGuard Workflow

on:
push:

jobs:
# Secret scanning job to detect secrets in codebase
secret-scanning:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4 # Check out the repository content to the runner
- name: Run Gitleaks Scan
# Running Gitleaks to scan the code for secrets
run: |
docker run --rm -v $(pwd):/code -u $(id -u):$(id -g) zricethezav/gitleaks:v8.18.1 -s /code detect -f sarif -r /code/gitleaks.sarif.json
- name: Upload sarif file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: gitleaks.sarif.json
category: secret-scanning

# Software Composition Analysis (SCA) to find vulnerabilities in project dependencies
sca:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in fs mode
# Running Trivy to scan the filesystem for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
scan-ref: "."
severity: "CRITICAL,HIGH"
format: "sarif"
output: "trivy-results.sarif"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
category: "sca"

# Static Application Security Testing (SAST) to identify security vulnerabilities in source code
sast:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Semgrep
# Running Semgrep for static code analysis to identify security issues
uses: docker://returntocorp/semgrep
with:
args: semgrep scan /github/workspace --sarif -o /github/workspace/semgrep.sarif.json
- name: Upload sarif file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep.sarif.json
category: sast

# Docker image build job
build-image:
runs-on: ubuntu-latest
outputs:
image_path: ${{ steps.build_output.outputs.image_path }}
steps:
- uses: actions/checkout@v4
- name: Set IMAGE_TAG if tagged
# Setting the image tag if the push is a tag push
run: echo "IMAGE_TAG=ghcr.io/${{ github.repository }}:${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
if: startsWith(github.ref, 'refs/tags/')
- name: Build Docker image with Kaniko
# Building the Docker image using Kaniko
id: build_image
uses: docker://gcr.io/kaniko-project/executor:v1.9.2
with:
args: --destination=${{ env.IMAGE_TAG }} --context=/github/workspace --dockerfile=/github/workspace/Dockerfile --no-push --tarPath /github/workspace/image.tar
- name: Upload artifact
# Uploading the built Docker image as an artifact
uses: actions/upload-artifact@v4
with:
name: docker-image
path: image.tar

# Image scanning job to detect vulnerabilities in the built Docker image
image-scanning:
needs: build-image
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: docker-image
path: .
- name: Run Trivy vulnerability scanner in tarball mode
# Running Trivy to scan the Docker image for vulnerabilities
uses: aquasecurity/trivy-action@master
with:
input: /github/workspace/image.tar
severity: "CRITICAL,HIGH"
format: "sarif"
output: "trivy-results.sarif"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
category: "image-scanning"

# Publish job to push the Docker image to a registry
publish:
needs: [build-image, image-scanning, secret-scanning, sca, sast]
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v4
with:
name: docker-image
path: .
- uses: imjasonh/[email protected]
- name: Set IMAGE_TAG if tagged
# Setting the image tag if the push is a tag push
run: echo "IMAGE_TAG=ghcr.io/${{ github.repository }}:${GITHUB_REF#refs/tags/}" >> $GITHUB_ENV
if: startsWith(github.ref, 'refs/tags/')
- name: Push Docker image to GitHub image Registry
# Pushing the Docker image to GitHub Container Registry
run: crane push image.tar ${{ env.IMAGE_TAG }}
devguard-scanner:
uses: l3montree-dev/devguard-action/.github/workflows/full.yml@main
with:
asset-name: "l3montree-cybersecurity/projects/devguard/assets/devguard-documentation"
secrets:
devguard-token: ${{ secrets.DEVGUARD_TOKEN }}
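Review bot: The reusable workflow at `uses: l3montree-dev/devguard-action/.github/workflows/full.yml@main` is pinned to a mutable branch while being handed `secrets.DEVGUARD_TOKEN`, so any change pushed to that branch runs here with the token and without review; pin it to a release tag or a full commit SHA, e.g. `uses: l3montree-dev/devguard-action/.github/workflows/full.yml@<release-tag-or-sha>`. The caller also sets no `permissions:` block, so the called workflow gets the repository's default token scope; an explicit top-level `permissions:` limited to what full.yml needs (not visible here) keeps this at least privilege. The header comment `# DevSecOps Workflow Definition` is kept while the workflow is renamed to DevGuard Workflow; change it to something like `# DevGuard Workflow: delegates scanning to the devguard-action reusable workflow` so the file describes what it now does. If full.yml does not build and publish the container image, the removal of the build-image and publish jobs is a functional loss rather than a consolidation, which the commit message should state either way.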
2 changes: 1 addition & 1 deletion .github/workflows/licenses.yaml
Expand Up @@ -21,4 +21,4 @@ jobs:
- uses: ralexander-phi/license_approval@master
with:
working_directory: ${{ github.workspace }}
extra_flags: --decisions_file ./docs/dependency_decisions.yml
extra_flags: --decisions_file ./doc/dependency_decisions.yml
85 changes: 85 additions & 0 deletions doc/dependency_decisions.yml
@@ -0,0 +1,85 @@
---
- - :permit
- Apache-2.0
- :who: Sebastian Kawelke
:why: OSI-approved OSS license, https://dwheeler.com/essays/floss-license-slide.html
:when: 2024-05-13 13:45:20.797550000 Z
- - :permit
- New BSD
- :who: Sebastian Kawelke
:why: OSI-approved OSS license, https://dwheeler.com/essays/floss-license-slide.html
:when: 2024-05-13 13:45:20.797550000 Z
- - :permit
- Mozilla Public License 2.0
- :who: Sebastian Kawelke
:why: OSI-approved OSS license, https://dwheeler.com/essays/floss-license-slide.html
:when: 2024-05-13 13:45:20.797550000 Z
- - :permit
- MIT
- :who: Sebastian Kawelke
:why: OSI-approved OSS license, https://dwheeler.com/essays/floss-license-slide.html
:when: 2024-05-13 13:45:20.797550000 Z
- - :permit
- Simplified BSD
- :who: Sebastian Kawelke
:why: OSI-approved OSS license, The 2-Clause BSD License, permissive, https://dwheeler.com/essays/floss-license-slide.html
:when: 2024-05-13 13:45:20.797550000 Z
- - :permit
- ISC
- :who: Sebastian Kawelke
:why: OSI-approved OSS license
:when: 2024-06-10 13:45:20.797550000 Z
- - :approve
- "@img/sharp-libvips-darwin-arm64"
- :who:
:why:
:versions: []
:when: 2024-11-21 14:49:10.171932000 Z
- - :approve
- argparse
- :who:
:why:
:versions: []
:when: 2024-11-21 14:49:19.432343000 Z
- - :approve
- caniuse-lite
- :who:
:why:
:versions: []
:when: 2024-11-21 14:49:26.105488000 Z
- - :approve
- jackspeak
- :who:
:why:
:versions: []
:when: 2024-11-21 14:49:31.978283000 Z
- - :approve
- language-subtag-registry
- :who:
:why:
:versions: []
:when: 2024-11-21 14:49:41.253727000 Z
- - :approve
- path-scurry
- :who:
:why:
:versions: []
:when: 2024-11-21 14:49:52.832818000 Z
- - :approve
- robust-predicates
- :who:
:why:
:versions: []
:when: 2024-11-21 14:49:58.159887000 Z
- - :approve
- tslib
- :who:
:why:
:versions: []
:when: 2024-11-21 14:50:05.281379000 Z
- - :approve
- xmldom-sre
- :who:
:why:
:versions: []
:when: 2024-11-21 14:50:09.920121000 Z
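Review bot: The nine `:approve` entries from `"@img/sharp-libvips-darwin-arm64"` down to `xmldom-sre` have an empty `:who:` and `:why:` together with `:versions: []`, so each package is approved for every version with no recorded reviewer or reason. Because this file gates the license check in licenses.yaml, that leaves no audit trail of which license the package-level override was needed for or why it was judged acceptable; fill in `:who:` and a `:why:` naming the license found and the reason, e.g. `:why: <license-found>, <reason-accepted>` (placeholder), and consider listing the reviewed version in `:versions:` so a later release with a different license is re-checked rather than silently approved. The bare `:who:`/`:why:` also parse as null rather than empty strings; if the file is hand-edited rather than written only by the license tool, `''` makes the intent explicit.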