Commit
1 parent 34f424e, commit 7965fcc. Showing 23 changed files with 442 additions and 65 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
--- | ||
name: "\U0001F41E Bug report" | ||
about: Report any bugs encountered while using this orb. | ||
title: '' | ||
labels: bug | ||
assignees: '' | ||
|
||
--- | ||
|
||
## Orb or Github Action version: | ||
|
||
<!--- | ||
e.g., 1.0.0 | ||
find this information in your config.yml file; | ||
if the version is @volatile, check the top of your CircleCI-generated, | ||
expanded configuration file, viewable from the "Configuration" tab of | ||
any job page, for the orb's specific semantic version number | ||
--> | ||
|
||
## What happened: | ||
|
||
<!--- | ||
please include any relevant links to CircleCI workflows or jobs | ||
where you saw this behavior | ||
--> | ||
|
||
## Expected behavior: | ||
|
||
<!--- what should happen, ideally? --> | ||
|
||
## Additional Information: | ||
|
||
<!--- Provide any additional context possible. --> |
@@ -0,0 +1,14 @@ | ||
--- | ||
name: "\U0001F680 Feature Request" | ||
about: Propose changes to the orb. | ||
title: '' | ||
labels: feature_request | ||
assignees: '' | ||
--- | ||
|
||
## Describe Request: | ||
|
||
## Examples: | ||
|
||
## Supporting Documentation Links: | ||
|
@@ -0,0 +1 @@ | ||
blank_issues_enabled: false |
@@ -0,0 +1,35 @@ | ||
|
||
**SEMVER Update Type:** | ||
- [ ] Major | ||
- [ ] Minor | ||
- [ ] Patch | ||
|
||
## Description: | ||
|
||
<!--- | ||
Describe your changes in detail, preferably in an imperative mood, | ||
i.e., "add `commandA` to `jobB`" | ||
--> | ||
|
||
## Motivation: | ||
|
||
<!--- | ||
Share any open issues this PR references or otherwise describe the motivation to submit this pull request. | ||
--> | ||
|
||
**Closes Issues:** | ||
- ISSUE URL | ||
|
||
## Checklist: | ||
|
||
<!-- | ||
Thank you for contributing to CircleCI Orbs! | ||
before submitting your a request, please go through the following | ||
items and place an x in the [ ] if they have been completed | ||
--> | ||
- [ ] Scripts work locally | ||
- [ ] Github Action is working with and have describtion for each step and parameter. | ||
- [ ] All new jobs, commands, executors, parameters have descriptions (CircleCI). | ||
- [ ] Usage Example version numbers have been updated. | ||
- [ ] Changelog has been updated. | ||
- [ ] Update `quay.io/dreamquark/security-report:latest` after merging into main (for dreamquark reviewer only) |
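Review bot: the last checklist item tells the merger to update `quay.io/dreamquark/security-report:latest` after merging into main, but the release workflow added in this same commit tags builds from `main` as `stable` and reserves `latest` for `develop`, so either the checklist or the workflow's tag mapping is wrong; pick one convention and state it in both places. The Action checklist item also needs rewording, e.g. "GitHub Action works and every step and parameter has a description", and "before submitting your a request" should read "before submitting your request".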
This file was deleted.
@@ -0,0 +1,45 @@ | ||
name: Security report workflow | ||
|
||
# Controls when the action will run. Workflow runs when manually triggered using the UI | ||
# or API. | ||
on: | ||
push: | ||
branches: | ||
- main | ||
tags: | ||
- 'v*' | ||
paths: | ||
- docker-image/** | ||
workflow_dispatch: | ||
|
||
# A workflow run is made up of one or more jobs that can run sequentially or in parallel | ||
jobs: | ||
# This workflow contains a single job called "greet" | ||
build: | ||
# The type of runner that the job will run on | ||
runs-on: ubuntu-20.04 | ||
# Steps represent a sequence of tasks that will be executed as part of the job | ||
steps: | ||
- uses: actions/checkout@v2 | ||
|
||
- name: Extract branch name | ||
shell: bash | ||
run: echo "##[set-output name=branch;]${GITHUB_REF#refs/*/}" | ||
id: extract_branch | ||
|
||
- name: Login to Quay.io | ||
uses: docker/login-action@v1 | ||
with: | ||
registry: quay.io | ||
username: ${{ secrets.DOCKER_USERNAME }} | ||
password: ${{ secrets.DOCKER_PASSWORD }} | ||
|
||
- name: Build & push security-report docker image | ||
run: | | ||
unameOut="${{ steps.extract_branch.outputs.branch }}" | ||
case "${unameOut}" in | ||
main) tag=stable;; | ||
develop) tag=latest;; | ||
v*) tag=${unameOut};; | ||
esac | ||
make -C docker-image DOCKER_TAG=${tag} |
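Review bot: the `case` in the build step has no default branch, so a `workflow_dispatch` run from any ref other than `main`, `develop` or a `v*` tag leaves `tag` empty and runs `make -C docker-image DOCKER_TAG=` with an empty tag while logged in to the registry; add `*) echo "unsupported ref ${unameOut}" >&2; exit 1;;` so nothing is pushed from unexpected refs. As written, `develop` never fires the `push` trigger, so the `develop) tag=latest` arm is only reachable from a manual dispatch, and GitHub does not apply the `paths:` filter to tag pushes, so every `v*` tag rebuilds regardless of what changed. The `##[set-output name=branch;]` syntax is deprecated; write `echo "branch=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"` instead. The header comments ("Workflow runs when manually triggered using the UI or API", "a single job called \"greet\"") are left over from the template and no longer describe the triggers or the job. Finally, `actions/checkout@v2` and `docker/login-action@v1` are mutable tags; since this job holds registry push credentials, pin both to a commit SHA.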
@@ -0,0 +1,30 @@ | ||
# set default shell | ||
SHELL := /bin/bash | ||
.SHELLFLAGS = -c | ||
|
||
NAMESPACE=dreamquark-ai | ||
VCS_PROVIDER=github | ||
ORG_NAME=dreamquark-ai | ||
ORB_NAME=ci-security-report | ||
ORB_FILE=./orbs/orb.yml | ||
ORB_DIR=./orbs | ||
VERSION=1.0.0 | ||
|
||
pack-orb: | ||
circleci orb pack $(ORB_DIR) > $(ORB_FILE) | ||
.PHONY: pack-orb | ||
|
||
validate-orb: | ||
circleci orb validate $(ORB_FILE) | ||
.PHONY: validate-orb | ||
|
||
publish-orb: | ||
circleci orb publish $(ORB_FILE) $(NAMESPACE)/$(ORB_NAME)@$(VERSION) | ||
.PHONY: publish-orb | ||
|
||
all: pack-orb validate-orb publish-orb clear | ||
.PHONY: all | ||
|
||
clear: | ||
rm -f $(ORB_FILE) | ||
.PHONY: clear |
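Review bot: `all` runs `publish-orb` with `VERSION=1.0.0` hard-coded, and published CircleCI orb versions are immutable, so any second `make all` packs and validates and then fails at the publish step; take the version from the command line or a git tag (`VERSION ?= ...`) and keep `all` to `pack-orb validate-orb` so a production publish never happens by accident. `VCS_PROVIDER` and `ORG_NAME` are defined but never used.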
@@ -1,13 +1,22 @@ | ||
# Dreamquark security report action | ||
# Dreamquark CI security report | ||
|
||
This action is meant for generating differntial secirity reports based on [trivy](https://github.com/aquasecurity/trivy) to be published as a comment of a pull request. | ||
This action is meant for generating differential security reports based on [Trivy](https://github.com/aquasecurity/trivy) to be published as a comment of a pull request. | ||
|
||
From a base image used as reference, it underlies the new security failures and the one that have been removed after changes in your source code. | ||
From a base image used as reference, it underlies the new security vulnerabilities and the one that have been removed after changes in your source code. | ||
|
||
|
||
## Example of usage | ||
|
||
Before calling the action make sure to get the images (the base and the new one) in the pipeline either by pulling or building them. | ||
>### Prerequesites | ||
Before calling the action or the orbs, you need to make sure, in the job or in the workflow that: | ||
* An environment variable is set in your GitHub secrets or in your CircleCI context valued with | ||
a valid Github PAT with rights on repositories. The scripts expect to get an environment variable named | ||
`GITHUB_PAT`. | ||
|
||
* The images (the base and the new one) exist in the pipeline either by pulling or building them. | ||
|
||
>### Use of the Github Action | ||
```name: Example of workflow for security report | ||
|
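Review bot: the prerequisite asks for a PAT "with rights on repositories", which invites granting a broad classic `repo` scope; the scripts described later in this README only list, delete and create comments on one pull request, so document the minimum (a fine-grained token limited to that repository with pull-request or issues read/write permission, or the narrowest classic scope that works) and note that the token is read from the `GITHUB_PAT` variable and must never be echoed in job output. The fence on the line reading ```name: Example of workflow ... puts the first YAML line where the language tag goes, so the block will not render; put ```yaml on its own line and start the YAML below it. "underlies" should be "highlights" and "the one that have been removed" should be "the ones that have been removed".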
@@ -21,35 +30,88 @@ jobs: | |
- uses: actions/checkout@master | ||
- name: Pull the base image | ||
run: docker pull python:3.10-rc-slim | ||
run: docker pull python:3.8-buster | ||
- name: Build the new image | ||
run: docker build -t python:security-test -f example/Dockerfile . | ||
- name: "Security reports" | ||
uses: dreamquark-ai/github-action-security-report@main | ||
uses: dreamquark-ai/ci-security-report@main | ||
env: | ||
GITHUB_PAT: ${{secrets.SECURITY_REPORT_ACTION_EXAMPLE_PAT}} | ||
GITHUB_PAT: ${{secrets.PAT_SECURITY_REPORT_ACTION_EXAMPLE}} | ||
with: | ||
image: 'python' | ||
base-tag: 3.10-rc-slim | ||
base-tag: '3.8-buster' | ||
new-tag: 'security-test' | ||
orga: 'dreamquark-ai' | ||
repo: 'github-action-security-report' | ||
orga: 'PaulBarrie' | ||
repo: 'ci-security-report-example' | ||
pr-nb: ${{ github.event.number }} | ||
topic: 'example' | ||
topic: 'github-example' | ||
``` | ||
|
||
>### Use of the CircleCI Orb | ||
```version: 2.1 | ||
orbs: | ||
security-report: dreamquark-ai/[email protected] | ||
executors: | ||
security-report: dreamquark-ai/[email protected] | ||
jobs: | ||
security-report-example: | ||
executor: security-report/default | ||
working_directory: /root/ci-example | ||
steps: | ||
- checkout | ||
- setup_remote_docker: | ||
docker_layer_caching: false | ||
version: 20.10.2 | ||
- run: | ||
name: "Build & pull the images for security report" | ||
command: | | ||
docker pull python:3.8-buster | ||
docker build -t python:security-test -f example/Dockerfile . | ||
- security-report/security-report: | ||
image: 'python' | ||
base-tag: '3.8-buster' | ||
new-tag: 'security-test' | ||
orga: 'PaulBarrie' | ||
repo: 'ci-security-report-example' | ||
topic: 'circleci-example' | ||
workflows: | ||
CI-security-test: | ||
jobs: | ||
- security-report-example: | ||
context: security-report-example | ||
``` | ||
## Inputs | ||
|
||
| Name | Type | Default | Required | Description | | ||
|--- |:-: |:-: |:-: |:-: | | ||
image | `string` | | `true` | The image on which differential reports must be performed |a | ||
base-tag | `string` | `latest` | `true` | The tag of the base image used as reference |a | ||
new-tag | `string` | `security-test` | `true` | The tag of the new image used to seek out new and removed vulnerabilities |a | ||
repo | `string` | `dreamquark-ai` | `true` | Your GitHub organization name |a | ||
repo | `string` | | `true` | Repository on which the action is triggered |a | ||
pr-nb | `string` | | `true` | PR number on which to comment with the security report |a | ||
topic | `string` | `image` | `true` | The title of the report: used to identify the security report |a | ||
|
||
|
||
## Code Description | ||
|
||
As you may notice in the GitHub action and orb's command definition, the last step consists in executing a `main.sh` script. This script calls three others: | ||
|
||
* A `parse-json.sh` script which will find the differences between the two previously generated Trivy report and will generate two json array files with all the vulnerabilities and their related details in the subfolder report: | ||
* A `old.json` file that will contain a list of all the vulnerabilities that have been withdrawn (i.e: the one which are in the report of the base image but not in the report of the new image). | ||
|
||
* A `new.json` file that will contain a list of all the vulnerabilities that have been added (i.e: the one which are not in the report of the base image but are in the report of the new image). | ||
|
||
* A `md-template.sh` script which will, from the two previously generated json files, generate a markdown summary with two tables containing the new and the removed vulnerabilities. | ||
* A `comment-pr.sh` script that will comment the specified pull request with the previously generated markdown report. Basically: | ||
* It looks like if a report already exists by parsing all the comments and checking if one matches with the specified topic. | ||
* If so, it deletes the previous comment (the previous security report in the pull request). | ||
* And to finish it adds a comment in the pull request using the markdown report. |
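Review bot: the CircleCI example declares a top-level `executors:` block whose only entry is `security-report: dreamquark-ai/[email protected]`, which is not a valid executor definition (an executor needs a `docker`, `machine` or `macos` map) and merely repeats the `orbs:` line; the job already uses the orb's `security-report/default` executor, so delete the `executors:` block or `circleci config validate` will reject the file. The orb reference appears as `[email protected]` in both places, which looks like a mangled `namespace/orb@version`; check the rendered README. In the Inputs table the `repo` row appears twice, and the first one (default `dreamquark-ai`, "Your GitHub organization name") is clearly `orga`; `base-tag`, `new-tag` and `topic` have defaults yet are marked required (one or the other); the CircleCI example passes no `pr-nb` although the table says it is required, so say how the orb obtains the PR number; and the stray `|a` at the end of each row breaks the table. The examples use `actions/checkout@master` and `dreamquark-ai/ci-security-report@main`, both mutable refs running with `GITHUB_PAT` in the environment; recommend a release tag or commit SHA. In `comment-pr.sh`, deleting the previous report and posting a new one loses the history and re-notifies everyone on the PR; updating the existing comment in place is the usual pattern, and the match on `topic` should be exact so an unrelated comment that happens to mention the topic is not deleted.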
@@ -0,0 +1,13 @@ | ||
FROM docker:stable-git@sha256:13acdeba79907d8d4af41e0d6a08e47dbbbb3f4c1316e91088f3e0730b810706 | ||
|
||
WORKDIR /home/scripts | ||
|
||
RUN apk update &&\ | ||
apk add --no-cache bash git tar gzip ca-certificates docker jq sed curl &&\ | ||
TRIVY_RELEASE=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/tags" | jq .[0].name | sed 's/"//g' ) &&\ | ||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin $TRIVY_RELEASE &&\ | ||
git clone https://github.com/dreamquark-ai/github-action-security-report /tmp/security-report &&\ | ||
mv /tmp/security-report/scripts /home &&\ | ||
rm -rf /tmp/security-report/scripts | ||
|
||
|
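Review bot: the `RUN` step installs Trivy at whatever version `api.github.com/repos/aquasecurity/trivy/tags` happens to list first and pipes an unpinned `install.sh` from the `main` branch into `sh`, so two builds of the same Dockerfile can yield different images, and an unauthenticated API rate limit or network error makes `jq .[0].name` return `null`, which is then handed to the installer as the version (`curl --silent` without `-f` hides the failure). Pin it with `ARG TRIVY_VERSION=...`, download that release archive and verify its checksum before extracting, as the base image already does with `@sha256:...`. Likewise `git clone https://github.com/dreamquark-ai/github-action-security-report` fetches the scripts over the network from the unpinned default branch of the old repository name, although the scripts live in this repository; copying the `scripts` directory into the image (with the build context set so it is included) removes that dependency. Finally, `rm -rf /tmp/security-report/scripts` after the `mv` deletes an already-moved directory and leaves the rest of the clone in the layer; `rm -rf /tmp/security-report` is what was intended.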