diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
new file mode 100644
index 00000000000..428493787c3
--- /dev/null
+++ b/.github/codeql-config.yml
@@ -0,0 +1,12 @@
+name: My CodeQL Analysis
+description: A sample CodeQL analysis
+
+# Ignore the following directories
+paths-ignore:
+ - "charts/**"
+ - "tools/**"
+ - "src/test/**"
+
+# # Specify the CodeQL queries to run
+# queries:
+# - my-query.ql
\ No newline at end of file
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000000..f64835f2ac1
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,17 @@
+version: 2
+updates:
+ # Keep maven dependencies up-to-date
+ - package-ecosystem: maven
+ # Look for `pom.xml` in the `root` directory
+ directory: "/"
+ # Check the maven registry for updates every day (weekdays)
+ schedule:
+ interval: daily
+ open-pull-requests-limit: 0
+ target-branch: "security-scans-integrations"
+ # Raise all maven pull requests with custom labels
+ labels:
+ - "dependencies"
+ reviewers:
+ - "hilpitome"
+ - "ekigamba"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 00000000000..7a7191fc072
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
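Review bot: `name: My CodeQL Analysis` and `description: A sample CodeQL analysis` are the template's placeholder values; since codeql-analysis.yml loads this file through `config-file`, give it a name that identifies the repository's scan, e.g. `name: "HAPI FHIR CodeQL configuration"`. The `paths-ignore` list also removes `tools/**` from analysis; if that directory holds scripts that run in CI or shipped utilities rather than only helpers, a comment such as `# tools/ excluded from CodeQL: <reason>` above the entry would tell the next reviewer why that code is out of scope. The commented-out `queries` block is moot as written, because the workflow's inline `queries:` overrides a config-file list unless it is prefixed with `+` (the workflow's own comments say so), so a one-line comment pointing at codeql-analysis.yml as the place where queries are chosen would avoid future confusion.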
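Review bot: `open-pull-requests-limit: 0` disables Dependabot version-update pull requests for the maven ecosystem, so the `schedule`, `labels` and `reviewers` settings below it have no effect while the limit stays at 0; if the intent is to hold updates until the integration branch lands, say so in a comment, otherwise set a non-zero limit such as `open-pull-requests-limit: 5`. `target-branch: "security-scans-integrations"` points updates at a feature branch, whereas codeql-analysis.yml in this same commit triggers on `security-scans-integration` (no trailing `s`), so one of the two spellings is presumably wrong. The comment `# Check the maven registry for updates every day (weekdays)` matches `interval: daily`, but the comment above `target-branch` is missing; one line explaining that updates are routed to the integration branch rather than the default branch would document the unusual choice.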
@@ -0,0 +1,85 @@
+
+name: "CodeQL Repository scan"
+
+on:
+ push:
+ branches:
+ - security-scans-integration
+
+ # # Publish `v1.2.3` tags as releases.
+ # tags:
+ # - v*
+ pull_request:
+ # schedule:
+ # - cron: '0 3 * * 1,3' # CodeQL Scan every Monday and Wednesday at 3 AM UTC
+ # wokflow_dispatch option enables for manual scanning
+ workflow_dispatch:
+
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'java' ]
+
+
+ steps:
+ - name: Cancel previous workflow runs
+ uses: styfle/cancel-workflow-action@0.9.1
+ with:
+ access_token: ${{ github.token }}
+
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ with:
+ submodules: recursive
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@v1
+ with:
+ java-version: 17
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v2
+ with:
+ languages: ${{ matrix.language }}
+ queries: security-and-quality, security-extended
+ config-file: ./.github/codeql-config.yml
+
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ - name: Autobuild Java Code
+ run: |
+ mvn clean install -DskipTests
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v2
+ with:
+ category: "/language:${{matrix.language}}"
+ config-file: ./.github/codeql-config.yml
diff --git a/.github/workflows/secrets-scan.yml b/.github/workflows/secrets-scan.yml
new file mode 100644
index 00000000000..0b51e8adc84
--- /dev/null
+++ b/.github/workflows/secrets-scan.yml
@@ -0,0 +1,25 @@
+name: Leaked Secrets Scan
+on:
+ push:
+ branches:
+ - security-scans-integrations
+ pull_request:
+ # schedule:
+ # - cron: '0 3 * * 1,3' # CodeQL Scan every Monday and Wednesday at 3 AM UTC
+ # # Below is for manual scanning
+ # workflow_dispatch:
+jobs:
+ TruffleHog:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - name: TruffleHog OSS
+ uses: trufflesecurity/trufflehog@main
+ with:
+ path: ./
+ base: ${{ github.event.repository.default_branch }}
+ head: HEAD
+ extra_args: --debug --only-verified
\ No newline at end of file
diff --git a/.github/workflows/trivy-repo-scan.yml b/.github/workflows/trivy-repo-scan.yml
new file mode 100644
index 00000000000..475adb08830
--- /dev/null
+++ b/.github/workflows/trivy-repo-scan.yml
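Review bot: The push trigger lists `- security-scans-integration`, while dependabot.yml, secrets-scan.yml and trivy-repo-scan.yml in this commit all use `security-scans-integrations`; unless both branches exist, pushes to the integration branch never start this scan, so align it to `- security-scans-integrations`. `queries: security-and-quality, security-extended` is redundant, because the `security-and-quality` suite already includes the `security-extended` queries; `queries: security-and-quality` alone states the intent more clearly. `actions/setup-java@v1` predates the `distribution` input and is no longer maintained; the current form is `uses: actions/setup-java@v3` with `distribution: temurin` and `java-version: '17'` (quoted so YAML does not read the version as a number). The comment `# wokflow_dispatch option enables for manual scanning` has a typo and should read `workflow_dispatch`.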
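Review bot: `uses: trufflesecurity/trufflehog@main` pins a third-party action to a moving branch, so the code that reads the entire repository history fetched by `fetch-depth: 0` changes whenever upstream pushes; pin it to a release tag or, better, a full commit SHA, and do the same for `aquasecurity/trivy-action@master` in trivy-repo-scan.yml. This job has no `permissions:` block, unlike the `analyze` job in codeql-analysis.yml, so it runs with the repository's default token scope; `permissions: contents: read` at the job level is all it needs. `base: ${{ github.event.repository.default_branch }}` with `head: HEAD` only produces a range to scan when the checked-out ref differs from the default branch; if the push trigger is later widened to the default branch, base and head coincide and nothing is scanned, which deserves a comment above `base:`. `--debug` in `extra_args` looks like a leftover from setup and makes the job log considerably noisier than `--only-verified` output needs.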
@@ -0,0 +1,129 @@
+name: Trivy Security Scan on HAPI FHIR repository
+on:
+ push:
+ branches:
+ - security-scans-integrations
+ # pull_request:
+ schedule:
+ - cron: '0 3 * * 1,3' # CodeQL Scan every Monday and Wednesday at 3 AM UTC
+ # Below is for manual scanning
+ workflow_dispatch:
+
+env:
+ FULL_SUMMARY: ""
+ PATCH_SUMMARY: ""
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-20.04
+ steps:
+ - name: Cancel previous workflow runs
+ uses: styfle/cancel-workflow-action@0.9.1
+ with:
+ access_token: ${{ github.token }}
+
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner in repo mode - SARIF
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-repo-results.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-repo-results.sarif'
+
+ - name: Run Trivy vulnerability scanner in repo mode - JSON (Full)
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ format: 'json'
+ output: 'trivy-repo-full-results.json'
+
+ - name: Create summary of trivy issues on Repository Full scan
+ run: |
+ summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-full-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+ if [ -z $summary ]
+ then
+ summary="No vulnerabilities found"
+ fi
+ echo "FULL_SUMMARY=$summary" >> $GITHUB_ENV
+
+ - name: Run Trivy vulnerability scanner in repo mode - JSON (with Patches)
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'json'
+ output: 'trivy-repo-fixable-results.json'
+
+ - name: Create summary of trivy issues on Repository scan
+ run: |
+ summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities |
group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-fixable-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+ if [ -z $summary ]
+ then
+ summary="No issues or vulnerability fixes available"
+ fi
+ echo "PATCH_SUMMARY=$summary" >> $GITHUB_ENV
+
+ - name: Generate trivy HTML report on Repository for download
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ format: 'template'
+ template: '@/contrib/html.tpl'
+ output: 'trivy-repo-report.html'
+
+ - name: Upload Trivy results as an artifact
+ uses: actions/upload-artifact@v3
+ with:
+ name: "trivy-repo-report.html"
+ path: './trivy-repo-report.html'
+ retention-days: 30
+
+ - name: Send Slack Notification
+ uses: slackapi/slack-github-action@v1.23.0
+ with:
+ payload: |
+ {
+ "text": "Trivy scan results for ${{ github.repository }} repository",
+ "blocks": [
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": "TRIVY REPO SCAN RESULTS FOR ${{ github.repository }} REPOSITORY"
+ }
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": " Total Vulnerabilities: ${{ env.FULL_SUMMARY }}"
+ }
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": " Vulnerabilities with fixes: ${{ env.PATCH_SUMMARY }}"
+ }
+ },
+ {
+ "type": "section",
+ "text": {
+ "type": "mrkdwn",
+ "text": " View HTML result artifact: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}. Artifact is only valid for 30 days."
+ }
+ }
+ ]
+ }
+ env:
+ SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+ SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
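Review bot: `if [ -z $summary ]` in both summary steps leaves `$summary` unquoted; whenever Trivy reports anything the variable contains spaces and pipe characters (e.g. `HIGH: 3 | CRITICAL: 1`), so `[` receives several arguments and errors out instead of evaluating the test, and the fallback text is skipped only by accident — write `if [ -z "$summary" ]`, and quote `>> "$GITHUB_ENV"` in the same lines. The `build` job has no `permissions:` block, yet `github/codeql-action/upload-sarif@v2` needs `security-events: write`; on repositories whose default token is read-only that step fails, so add `permissions:` with `contents: read` and `security-events: write` to the job as codeql-analysis.yml already does. `runs-on: ubuntu-20.04` differs from the `ubuntu-latest` the other two workflows use, and the cron comment still reads `CodeQL Scan` although this is the Trivy schedule. The summaries travel from `$GITHUB_ENV` into the Slack JSON `payload` through `${{ env.FULL_SUMMARY }}`; the jq filter only emits severity names and counts so the JSON stays well-formed, but a comment above `payload:` stating that the summary is assumed to contain no double quotes would make that dependency explicit.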