From 190c7d76a06d9e611817221f864f19637f5ab9b1 Mon Sep 17 00:00:00 2001
From: Rkareko
Date: Thu, 31 Aug 2023 11:49:17 +0300
Subject: [PATCH 1/3] Add Trivy, CodeQL and Dependabot integration

---
 .github/dependabot.yml | 17 ++++
 .github/workflows/ci.yml | 50 ++++++++++
 .github/workflows/codeql-analysis.yml | 72 ++++++++++++++
 .github/workflows/trivy-repo-scan.yml | 129 ++++++++++++++++++++++++++
 4 files changed, 268 insertions(+)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/ci.yml
 create mode 100644 .github/workflows/codeql-analysis.yml
 create mode 100644 .github/workflows/trivy-repo-scan.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..736a90d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+ # Keep maven dependencies up-to-date
+ - package-ecosystem: maven
+ # Look for `pom.xml` in the `root` directory
+ directory: "/"
+ # Check the maven registry for updates every day (weekdays)
+ schedule:
+ interval: daily
+ open-pull-requests-limit: 0
+ target-branch: "master"
+ # Raise all maven pull requests with custom labels
+ labels:
+ - "dependencies"
+ reviewers:
+ - "hilpitome"
+ - "ndegwamartin"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000..21480cd
--- /dev/null
+++ b/.github/workflows/ci.yml
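Review bot: `open-pull-requests-limit: 0` in the maven entry disables Dependabot version updates for that ecosystem, so despite the `interval: daily` schedule and the comment "Keep maven dependencies up-to-date" no update pull requests will be opened (as far as I recall, only security updates, which are governed by the repository settings, are unaffected). If updates are wanted, use a positive limit such as `open-pull-requests-limit: 5`; if version updates are deliberately off, the `schedule`, `labels` and `reviewers` entries are dead configuration and the comment above them should say that the entry only exists to keep the ecosystem registered. The `target-branch: "master"` value is already corrected to `"main"` by patch 3 of this series, so it needs no further change here.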
@@ -0,0 +1,50 @@
+# This workflow will build a Java project with Maven
+# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
+
+name: Java CI with Maven
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ run-unit-tests:
+
+ runs-on: ubuntu-18.04
+
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ submodules: recursive
+
+ - name: Set up JDK 11
+ uses: actions/setup-java@v1
+ with:
+ java-version: 11
+
+ - name: Run Unit tests with Maven
+ run: mvn -B clean test jacoco:report --file pom.xml --no-transfer-progress
+
+ - name: Set Branch name Environment variable
+ env:
+ BRANCH_NAME_OR_REF: ${{ github.head_ref || github.ref }}
+ run: echo "BRANCH_NAME=${BRANCH_NAME_OR_REF#refs/heads/}" >> $GITHUB_ENV
+
+ - name: Set PR Number Environment variable
+ run: |
+ echo "PR_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")" >> $GITHUB_ENV
+
+ - name: Upload coveralls report
+ env:
+ COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_TOKEN }}
+ run: |
+ mvn -B coveralls:report --file pom.xml \
+ --no-transfer-progress \
+ -D repoToken="$COVERALLS_REPO_TOKEN" \
+ -D serviceName=Github \
+ -D branch="$BRANCH_NAME" \
+ -D pullRequest="$PR_NUMBER" \
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 0000000..cdb6755
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,72 @@
+
+name: "CodeQL Repository scan"
+
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ schedule:
+ - cron: '0 3 * * 1,3' # CodeQL Scan every Monday and Wednesday at 3 AM UTC
+ # wokflow_dispatch option enables for manual scanning
+ workflow_dispatch:
+
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'java' ]
+
+
+ steps:
+ - name: Cancel previous workflow runs
+ uses: styfle/cancel-workflow-action@0.9.1
+ with:
+ access_token: ${{ github.token }}
+
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ with:
+ submodules: recursive
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ queries: security-and-quality
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ - name: Autobuild Java Code
+ uses: github/codeql-action/autobuild@v2
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/trivy-repo-scan.yml b/.github/workflows/trivy-repo-scan.yml
new file mode 100644
index 0000000..f2fde2d
--- /dev/null
+++ b/.github/workflows/trivy-repo-scan.yml
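Review bot: The `analyze` job's `permissions` block grants `actions: read`, but its first step, `styfle/cancel-workflow-action@0.9.1` run with `access_token: ${{ github.token }}`, cancels in-progress runs through the Actions API, which needs `actions: write`, so with this token the step is likely to fail with a 403 (this hunk begins on the previous page line, where the block is declared). Rather than widening the token, the same effect is available declaratively: drop that step and add at job level `concurrency:` / `  group: ${{ github.workflow }}-${{ github.ref }}` / `  cancel-in-progress: true`. The third-party actions are pinned to mutable tags (`@0.9.1`, `@v3`, `@v2`); pinning each to a full commit SHA with the version in a trailing comment makes what runs under the repository token reproducible. The `on:` comment also misspells the trigger as `wokflow_dispatch`; it should read `# workflow_dispatch enables manual scanning`.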
@@ -0,0 +1,129 @@
+name: Trivy Security Scan on repository
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ schedule:
+ - cron: '0 3 * * 1,3' # CodeQL Scan every Monday and Wednesday at 3 AM UTC
+ # Below is for manual scanning
+ workflow_dispatch:
+
+env:
+ FULL_SUMMARY: ""
+ PATCH_SUMMARY: ""
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Cancel previous workflow runs
+ uses: styfle/cancel-workflow-action@0.9.1
+ with:
+ access_token: ${{ github.token }}
+
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner in repo mode - SARIF
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-repo-results.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-repo-results.sarif'
+
+ - name: Run Trivy vulnerability scanner in repo mode - JSON (Full)
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ format: 'json'
+ output: 'trivy-repo-full-results.json'
+
+ - name: Create summary of trivy issues on Repository Full scan
+ run: |
+ summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-full-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+ if [ -z $summary ]
+ then
+ summary="No vulnerabilities found"
+ fi
+ echo "FULL_SUMMARY=$summary" >> $GITHUB_ENV
+
+ - name: Run Trivy vulnerability scanner in repo mode - JSON (with Patches)
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'json'
+ output: 'trivy-repo-fixable-results.json'
+
+ - name: Create summary of trivy issues on Repository scan
+ run: |
+ summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-fixable-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+ if [ -z $summary ]
+ then
+ summary="No issues or vulnerability fixes available"
+ fi
+ echo "PATCH_SUMMARY=$summary" >> $GITHUB_ENV
+
+ - name: Generate trivy HTML report on Repository for download
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ format: 'template'
+ template: '@/contrib/html.tpl'
+ output: 'trivy-repo-report.html'
+
+ - name: Upload Trivy results as an artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: "trivy-repo-report.html"
+ path: './trivy-repo-report.html'
+ retention-days: 30
+
+ - name: Send Slack Notification
+ uses: slackapi/slack-github-action@v1.23.0
+ with:
+ payload: |
+ {
+ "text": "Trivy scan results for ${{ github.repository }} repository",
+ "blocks": [
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": "TRIVY REPO SCAN RESULTS FOR ${{ github.repository }} REPOSITORY"
+ }
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": " Total Vulnerabilities: ${{ env.FULL_SUMMARY }}"
+ }
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": " Vulnerabilities with fixes: ${{ env.PATCH_SUMMARY }}"
+ }
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": " View HTML result artifact: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}. Artifact is only valid for 30 days."
+ }
+ }
+ ]
+ }
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+ SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

From 76b70545bdad9e82d769852da5973b22632643ca Mon Sep 17 00:00:00 2001
From: Rkareko
Date: Thu, 31 Aug 2023 12:15:19 +0300
Subject: [PATCH 2/3] Remove ci config

---
 .github/workflows/ci.yml | 50 ----------------------------------------
 1 file changed, 50 deletions(-)
 delete mode 100644 .github/workflows/ci.yml

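Review bot: Both "Create summary" steps test `if [ -z $summary ]` with `$summary` unquoted; as soon as Trivy reports anything the jq/awk output contains spaces (for example `HIGH: 3 | CRITICAL: 1`), so `[` receives several words and exits with "too many arguments", and because `run:` steps execute under `bash -e` the step fails exactly when vulnerabilities are present — write `if [ -z "$summary" ]` in both places. The `build` job declares no `permissions:` even though `github/codeql-action/upload-sarif@v2` requires `security-events: write`; adding `permissions:` / `  contents: read` / `  security-events: write` to the job makes the upload independent of the repository's default token scope and removes every other write scope from the token. Four steps reference `aquasecurity/trivy-action@master`, a mutable branch of a third-party action that runs with that token; pin it to a release tag or, better, a full commit SHA so an upstream change cannot silently alter what the job executes. The cron comment was carried over from the CodeQL workflow and still reads `# CodeQL Scan every Monday and Wednesday at 3 AM UTC`; it should name the Trivy scan.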
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
deleted file mode 100644
index 21480cd..0000000
--- a/.github/workflows/ci.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-# This workflow will build a Java project with Maven
-# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
-
-name: Java CI with Maven
-
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-
-jobs:
- run-unit-tests:
-
- runs-on: ubuntu-18.04
-
- steps:
- - uses: actions/checkout@v2
- with:
- submodules: recursive
-
- - name: Set up JDK 11
- uses: actions/setup-java@v1
- with:
- java-version: 11
-
- - name: Run Unit tests with Maven
- run: mvn -B clean test jacoco:report --file pom.xml --no-transfer-progress
-
- - name: Set Branch name Environment variable
- env:
- BRANCH_NAME_OR_REF: ${{ github.head_ref || github.ref }}
- run: echo "BRANCH_NAME=${BRANCH_NAME_OR_REF#refs/heads/}" >> $GITHUB_ENV
-
- - name: Set PR Number Environment variable
- run: |
- echo "PR_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")" >> $GITHUB_ENV
-
- - name: Upload coveralls report
- env:
- COVERALLS_REPO_TOKEN: ${{ secrets.COVERALLS_TOKEN }}
- run: |
- mvn -B coveralls:report --file pom.xml \
- --no-transfer-progress \
- -D repoToken="$COVERALLS_REPO_TOKEN" \
- -D serviceName=Github \
- -D branch="$BRANCH_NAME" \
- -D pullRequest="$PR_NUMBER" \

From 6babe7f4dbd77b35422ba5431c1c8ab5a1c2aab9 Mon Sep 17 00:00:00 2001
From: Rkareko
Date: Thu, 31 Aug 2023 12:45:34 +0300
Subject: [PATCH 3/3] update branch name

---
 .github/dependabot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 736a90d..0e80b8f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -8,7 +8,7 @@ updates:
 schedule:
 interval: daily
 open-pull-requests-limit: 0
- target-branch: "master"
+ target-branch: "main"
 # Raise all maven pull requests with custom labels
 labels:
 - "dependencies"