feat: add circleci orbs

.github/ISSUE_TEMPLATE/BUG.md

@@ -0,0 +1,33 @@
+---
+name: "\U0001F41E  Bug report"
+about: Report any bugs encountered while using this orb.
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+## Orb or Github Action version:
+
+<!---
+  e.g., 1.0.0
+  find this information in your config.yml file;
+  if the version is @volatile, check the top of your CircleCI-generated,
+  expanded configuration file, viewable from the "Configuration" tab of
+  any job page, for the orb's specific semantic version number
+-->
+
+## What happened:
+
+<!---
+  please include any relevant links to CircleCI workflows or jobs
+  where you saw this behavior
+-->
+
+## Expected behavior:
+
+<!--- what should happen, ideally? -->
+
+## Additional Information:
+
+<!--- Provide any additional context possible. -->

.github/ISSUE_TEMPLATE/FEATURE_REQUEST.md

@@ -0,0 +1,14 @@
+---
+name: "\U0001F680 Feature Request"
+about: Propose changes to the orb.
+title: ''
+labels: feature_request
+assignees: ''
+---
+
+## Describe Request:
+
+## Examples:
+
+## Supporting Documentation Links:
+

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1 @@
+blank_issues_enabled: false

.github/PULL_REQUEST_TEMPLATE/PULL_REQUEST.md

@@ -0,0 +1,35 @@
+
+**SEMVER Update Type:**
+- [ ] Major
+- [ ] Minor
+- [ ] Patch
+
+## Description:
+
+<!---
+  Describe your changes in detail, preferably in an imperative mood,
+  i.e., "add `commandA` to `jobB`"
+ -->
+
+## Motivation:
+
+<!---
+  Share any open issues this PR references or otherwise describe the motivation to submit this pull request.
+ -->
+
+ **Closes Issues:**
+-  ISSUE URL
+
+## Checklist:
+
+<!--
+	Thank you for contributing to CircleCI Orbs!
+	before submitting your a request, please go through the following
+	items and place an x in the [ ] if they have been completed
+-->
+- [ ] Scripts work locally
+- [ ] Github Action is working with and have describtion for each step and parameter.
+- [ ] All new jobs, commands, executors, parameters have descriptions (CircleCI).
+- [ ] Usage Example version numbers have been updated.
+- [ ] Changelog has been updated.
+- [ ] Update `quay.io/dreamquark/security-report:latest` after merging into main (for dreamquark reviewer only)

.github/workflows/security-report.yaml

@@ -0,0 +1,45 @@
+name: Security report workflow
+
+# Controls when the action will run. Workflow runs when manually triggered using the UI
+# or API.
+on:
+  push:
+    branches:
+    - main
+    tags:
+    - 'v*'
+    paths:
+    - docker-image/**
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "greet"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-20.04
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+    - uses: actions/checkout@v2
+
+    - name: Extract branch name
+      shell: bash
+      run: echo "##[set-output name=branch;]${GITHUB_REF#refs/*/}"
+      id: extract_branch
+
+    - name: Login to Quay.io
+      uses: docker/login-action@v1
+      with:
+        registry: quay.io
+        username: ${{ secrets.DOCKER_USERNAME }}
+        password: ${{ secrets.DOCKER_PASSWORD }}
+
+    - name: Build & push security-report docker image
+      run: |
+        unameOut="${{ steps.extract_branch.outputs.branch }}"
+        case "${unameOut}" in
+            main)     tag=stable;;
+            develop)  tag=latest;;
+            v*)       tag=${unameOut};;
+        esac
+        make -C docker-image DOCKER_TAG=${tag}

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2021 DreamQuark
+Copyright (c) 2021 <organization>
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -0,0 +1,30 @@
+# set default shell
+SHELL := /bin/bash
+.SHELLFLAGS = -c
+
+NAMESPACE=dreamquark-ai
+VCS_PROVIDER=github
+ORG_NAME=dreamquark-ai
+ORB_NAME=ci-security-report
+ORB_FILE=./orbs/orb.yml
+ORB_DIR=./orbs
+VERSION=1.0.0
+
+pack-orb:
+	circleci orb pack $(ORB_DIR) > $(ORB_FILE)
+.PHONY: pack-orb
+
+validate-orb:
+	circleci orb validate $(ORB_FILE)
+.PHONY: validate-orb
+
+publish-orb:
+	circleci orb publish $(ORB_FILE) $(NAMESPACE)/$(ORB_NAME)@$(VERSION)
+.PHONY: publish-orb
+
+all: pack-orb validate-orb publish-orb clear
+.PHONY: all
+
+clear:
+	rm -f $(ORB_FILE)
+.PHONY: clear

README.md

@@ -1,13 +1,22 @@
-# Dreamquark security report action
+# Dreamquark CI security report
 
-This action is meant for generating differntial secirity reports based on [trivy](https://github.com/aquasecurity/trivy) to be published as a comment of a pull request. 
+This action is meant for generating differential security reports based on [Trivy](https://github.com/aquasecurity/trivy) to be published as a comment of a pull request. 
 
-From a base image used as reference, it underlies the new security failures and the one that have been removed after changes in your source code. 
+From a base image used as reference, it underlies the new security vulnerabilities and the one that have been removed after changes in your source code. 
 
 
 ## Example of usage
 
-Before calling the action make sure to get the images (the base and the new one) in the pipeline either by pulling or building them.  
+>### Prerequesites
+
+Before calling the action or the orbs, you need to make sure, in the job or in the workflow that:
+  * An environment variable is set in your GitHub secrets or in your CircleCI context valued with
+  a valid Github PAT with rights on repositories. The scripts expect to get an environment variable named
+  `GITHUB_PAT`.
+
+  * The images (the base and the new one) exist in the pipeline either by pulling or building them.  
+
+>### Use of the Github Action
 
 ```name: Example of workflow for security report
 
@@ -21,35 +30,88 @@ jobs:
     - uses: actions/checkout@master
 
     - name: Pull the base image
-      run: docker pull python:3.10-rc-slim
+      run: docker pull python:3.8-buster
 
     - name: Build the new image
       run: docker build -t python:security-test -f example/Dockerfile .
 
     - name: "Security reports"
-      uses: dreamquark-ai/github-action-security-report@main
+      uses: dreamquark-ai/ci-security-report@main
       env:
-        GITHUB_PAT: ${{secrets.SECURITY_REPORT_ACTION_EXAMPLE_PAT}}
+        GITHUB_PAT: ${{secrets.PAT_SECURITY_REPORT_ACTION_EXAMPLE}}
       with:
         image: 'python'
-        base-tag: 3.10-rc-slim
+        base-tag: '3.8-buster'
         new-tag: 'security-test'
-        orga: 'dreamquark-ai'
-        repo: 'github-action-security-report'
+        orga: 'PaulBarrie'
+        repo: 'ci-security-report-example'
         pr-nb: ${{ github.event.number }}
-        topic: 'example'
+        topic: 'github-example'
 ```
 
+>### Use of the CircleCI Orb
+
+```version: 2.1
+
+orbs:
+  security-report: dreamquark-ai/[email protected]
+
+executors:
+  security-report: dreamquark-ai/[email protected]
+
+jobs:
+  security-report-example:
+    executor: security-report/default
+    working_directory: /root/ci-example
+    steps:
+      - checkout
+      - setup_remote_docker:
+          docker_layer_caching: false
+          version: 20.10.2
+      - run:
+          name: "Build & pull the images for security report"
+          command: |
+            docker pull python:3.8-buster
+            docker build -t python:security-test -f example/Dockerfile .
+            
+      - security-report/security-report:
+          image: 'python'
+          base-tag: '3.8-buster'
+          new-tag: 'security-test'
+          orga: 'PaulBarrie'
+          repo: 'ci-security-report-example'
+          topic: 'circleci-example'
+
+workflows:
+  CI-security-test:
+    jobs:
+      - security-report-example:
+          context: security-report-example
+```
 ## Inputs
 
 |   Name  | Type | Default | Required | Description |
 |---    |:-:    |:-: |:-: |:-: |
 image | `string` |  | `true` | The image on which differential reports must be performed |a
 base-tag | `string` | `latest` | `true` | The tag of the base image used as reference |a
 new-tag | `string` | `security-test` | `true` | The tag of the new image used to seek out new and removed vulnerabilities |a
+repo | `string` | `dreamquark-ai` | `true` |  Your GitHub organization name |a
 repo | `string` |  | `true` |  Repository on which the action is triggered |a
 pr-nb | `string` |  | `true` | PR number on which to comment with the security report |a
 topic | `string` | `image` | `true` | The title of the report: used to identify the security report |a
 
 
+## Code Description
+
+As you may notice in the GitHub action and orb's command definition, the last step consists in executing a `main.sh` script. This script calls three others:
+
+* A `parse-json.sh` script which will find the differences between the two previously generated Trivy report and will generate two json array files with all the vulnerabilities and their related details in the subfolder report:
+  * A `old.json` file that will contain a list of all the vulnerabilities that have been withdrawn (i.e: the one which are in the report of the base image but not in the report of the new image).
+
+  * A `new.json` file that will contain a list of all the vulnerabilities that have been added (i.e: the one which are not in the report of the base image but are in the report of the new image).
 
+* A `md-template.sh` script which will, from the two previously generated json files, generate a markdown summary with two tables containing the new and the removed vulnerabilities.
+* A `comment-pr.sh` script that will comment the specified pull request with the previously generated markdown report. Basically:
+  * It looks like if a report already exists by parsing all the comments and checking if one matches with the specified topic.
+  * If so, it deletes the previous comment (the previous security report in the pull request).
+  * And to finish it adds a comment in the pull request using the markdown report.

action.yaml

@@ -1,4 +1,4 @@
-name: 'Security report'
+name: 'CI Security Report'
 description: 'Compare security reports between PR and develop'
 inputs:
   image:
@@ -26,13 +26,17 @@ inputs:
     description: 'The title of the report: used to identify the security report'
     default: 'image'
     required: true
+  trivy-timeout:
+    description: Set the time '<n>m' until when Trivy scan has to stop
+    default: 20m
+
 runs:
   using: 'composite'
   steps:
     - name: "Install trivy and set up folders"
       shell: bash
       run: |
-        mkdir -p ${{ github.action_path }}/reports
+        mkdir -p ${{ github.action_path }}/scripts/reports
         sudo apt-get install wget apt-transport-https gnupg lsb-release
         wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
         echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
@@ -41,17 +45,21 @@ runs:
 
     - name: "Security report on base image"
       shell: bash
-      working-directory: ${{ github.action_path }}/reports
-      run: trivy -q -f json -o report-base.json ${{inputs.image}}:${{inputs.base-tag}}
+      working-directory: ${{ github.action_path }}/scripts/reports
+      run: >
+        trivy -q -f json -o report-base.json --timeout ${{inputs.trivy-timeout}}
+        ${{inputs.image}}:${{inputs.base-tag}}
 
     - name: "Security report on the new image"
       shell: bash
-      working-directory: ${{ github.action_path }}/reports
-      run: trivy -q -f json -o report-new.json ${{inputs.image}}:${{inputs.new-tag}} 
+      working-directory: ${{ github.action_path }}/scripts/reports
+      run: >
+        trivy -q -f json -o report-new.json --timeout ${{inputs.trivy-timeout}}
+        ${{inputs.image}}:${{inputs.new-tag}}
     
     - name: "Compare the reports"
       shell: bash
-      working-directory: ${{ github.action_path }}
+      working-directory: ${{ github.action_path }}/scripts
       run: >
         ./main.sh --image ${{inputs.image}} --base-tag ${{inputs.base-tag}} --new-tag ${{inputs.new-tag}}
         --pull-request ${{inputs.pr-nb}} --topic ${{inputs.topic}} --repo ${{inputs.repo}} --orga ${{inputs.orga}}

docker-image/Dockerfile

@@ -0,0 +1,13 @@
+FROM docker:stable-git@sha256:13acdeba79907d8d4af41e0d6a08e47dbbbb3f4c1316e91088f3e0730b810706
+
+WORKDIR /home/scripts
+
+RUN apk update &&\
+    apk add --no-cache bash git tar gzip ca-certificates docker jq sed curl &&\
+    TRIVY_RELEASE=$(curl --silent  "https://api.github.com/repos/aquasecurity/trivy/tags" | jq .[0].name | sed 's/"//g' ) &&\
+    curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin $TRIVY_RELEASE &&\
+    git clone https://github.com/dreamquark-ai/github-action-security-report /tmp/security-report &&\
+    mv /tmp/security-report/scripts /home &&\
+    rm -rf /tmp/security-report/scripts
+
+