-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
25ee976
commit eddb6b7
Showing
9 changed files
with
316 additions
and
59 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| name: Checkov Scan | ||
|
|
||
| on: workflow_dispatch | ||
|
|
||
| jobs: | ||
| scan: | ||
| permissions: | ||
| security-events: write | ||
| contents: read | ||
| id-token: write | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v3 | ||
| - name: Setup Python | ||
| uses: actions/[email protected] | ||
| - name: Checkov GitHub Action | ||
| uses: bridgecrewio/checkov-action@v12 | ||
| with: | ||
| output_format: cli,sarif | ||
| output_file_path: console,results.sarif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,59 +1,40 @@ | ||
| name: Endor Labs Scan | ||
| on: | ||
| workflow_dispatch: | ||
| inputs: | ||
| api: | ||
| description: "Enter the target Endor Labs API" | ||
| required: true | ||
| type: choice | ||
| default: https://api.endorlabs.com | ||
| options: | ||
| - https://api.staging.endorlabs.com | ||
| - https://api.endorlabs.com | ||
| tenant_name: | ||
| description: "Enter your Endor Labs namespace?" | ||
| required: true | ||
| type: string | ||
| jobs: | ||
| scan-repo: | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| steps: | ||
| - name: Setup namespace Environment Variables | ||
| run: | | ||
| NAMESPACE=$(jq -r '.inputs.tenant_name' $GITHUB_EVENT_PATH) | ||
| echo "::add-mask::$NAMESPACE" | ||
| echo NAMESPACE=$NAMESPACE >> $GITHUB_ENV | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Setup Java | ||
| uses: actions/setup-java@v4 | ||
| with: | ||
| distribution: "temurin" | ||
| java-version: "17" | ||
| cache: maven | ||
| cache-dependency-path: pom.xml | ||
|
|
||
| - name: Set up Maven | ||
| uses: stCarolas/[email protected] | ||
| with: | ||
| maven-version: 3.9.4 | ||
| - name: Compile Package | ||
| run: mvn clean install | ||
|
|
||
| - name: Endor Labs Workflow Dispatch | ||
| if: ${{ github.event_name == 'workflow_dispatch' }} | ||
| uses: endorlabs/github-action@736c93ea52b002f2ac229aaeb273b102cbf6fe12 | ||
| with: | ||
| namespace: ${{ github.event.inputs.tenant_name }} | ||
| scan_summary_output_type: "table" | ||
| pr: "false" | ||
| enable_github_action_token: "true" | ||
| scan_dependencies: "true" | ||
| scan_secrets: "true" | ||
| scan_git_logs: "true" | ||
| additional_args: "--as-default-branch --api=${{ github.event.inputs.api }}" | ||
| name: Endor Labs Scan | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ main ] | ||
| pull_request: | ||
| branches: [ main ] | ||
| workflow_dispatch: | ||
| inputs: | ||
| tenant_name: | ||
| description: "Enter your Endor Labs tenant name:" | ||
| required: true | ||
| type: string | ||
|
|
||
| jobs: | ||
| scan: | ||
| permissions: | ||
| security-events: write | ||
| contents: read | ||
| id-token: write | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v3 | ||
| - name: Setup Java | ||
| uses: actions/setup-java@v3 | ||
| with: | ||
| distribution: 'microsoft' | ||
| java-version: '17' | ||
| - name: Compile Package | ||
| run: mvn clean install | ||
| - name: Run endorctl | ||
| uses: endorlabs/github-action@b51bd06466b545f01a6ac788e3e1147695d3936c | ||
| with: | ||
| namespace: "${{ github.event.inputs.tenant_name }}" | ||
| sarif_file: findings.sarif | ||
| - name: Upload SARIF to github | ||
| uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd | ||
| with: | ||
| sarif_file: findings.sarif |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| name: Run Scorecard | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| release: | ||
| name: Run Scorecard | ||
| runs-on: ubuntu-latest | ||
| permissions: read-all | ||
| steps: | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: OSSF Scorecard action | ||
| uses: ossf/[email protected] | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| name: Run Another SCA | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| release: | ||
| name: Run Another SCA | ||
| runs-on: ubuntu-latest | ||
| permissions: read-all | ||
| steps: | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Run another SCA | ||
| run: | | ||
| curl --compressed https://static.snyk.io/cli/latest/snyk-linux -o snyk | ||
| chmod +x ./snyk | ||
| ./snyk test --all-projects |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,78 @@ | ||
| name: Release Workflow Modified | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| release: | ||
| name: Build and Sign | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| steps: | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Build JAR | ||
| run: mvn clean install -Dskiptests=true | ||
|
|
||
| - name: Create container | ||
| run: docker build -t jscott932/app-java-demo:latest . | ||
|
|
||
| - name: Get Image Digest to Sign | ||
| run: | | ||
| IMAGE_SHA=$(docker inspect jscott932/app-java-demo:latest | jq -r '.[].Id') | ||
| IMAGE_NAME=jscott932/app-java-demo | ||
| SIGNING_TARGET="$IMAGE_NAME"@"$IMAGE_SHA" | ||
| echo ARTIFACT="$SIGNING_TARGET" >> $GITHUB_ENV | ||
| - name: Container Sign | ||
| uses: endorlabs/github-action/sign@736c93ea52b002f2ac229aaeb273b102cbf6fe12 | ||
| with: | ||
| namespace: "yolo" | ||
| artifact_name: ${{ env.ARTIFACT }} | ||
|
|
||
| - name: Run Tests | ||
| run: | | ||
| mvn test | ||
| - name: Endor Labs Dependency Scan | ||
| uses: endorlabs/[email protected] | ||
| with: | ||
| namespace: "yolo" | ||
| scan_summary_output_type: "table" | ||
| pr: "false" | ||
| enable_github_action_token: "true" | ||
| scan_dependencies: "true" | ||
| scan_secrets: "true" | ||
| scan_git_logs: "true" | ||
|
|
||
| - name: Run SAST | ||
| run: python3 -m pip install semgrep && semgrep scan | ||
|
|
||
| - name: Modify Container Image | ||
| run: docker run --name temp_container jscott932/app-java-demo:latest touch helloworld.txt && docker commit temp_container jscott932/app-java-demo:latest | ||
|
|
||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Get Image Digest to Verify | ||
| run: | | ||
| VERIFY_SHA=$(docker inspect jscott932/app-java-demo:latest | jq -r '.[].Id') | ||
| VERIFY_IMAGE_NAME=jscott932/app-java-demo | ||
| VERIFY_TARGET="$VERIFY_IMAGE_NAME"@"$VERIFY_SHA" | ||
| echo VERIFY_ARTIFACT="$VERIFY_TARGET" >> $GITHUB_ENV | ||
| - name: Container verify | ||
| uses: endorlabs/github-action/verify@736c93ea52b002f2ac229aaeb273b102cbf6fe12 | ||
| with: | ||
| namespace: "yolo" | ||
| artifact_name: ${{ env.VERIFY_ARTIFACT }} | ||
|
|
||
| - name: Push to Docker Hub | ||
| run: docker push jscott932/app-java-demo:latest |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| name: Release Workflow | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| release: | ||
| name: Build and Sign | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| steps: | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Build JAR | ||
| run: mvn clean install -Dskiptests=true | ||
|
|
||
| - name: Create container | ||
| run: docker build -t jscott932/app-java-demo:latest . | ||
|
|
||
| - name: Get Image Digest to Sign | ||
| run: | | ||
| IMAGE_SHA=$(docker inspect jscott932/app-java-demo:latest | jq -r '.[].Id') | ||
| IMAGE_NAME=jscott932/app-java-demo | ||
| SIGNING_TARGET="$IMAGE_NAME"@"$IMAGE_SHA" | ||
| echo ARTIFACT="$SIGNING_TARGET" >> $GITHUB_ENV | ||
| - name: Container Sign | ||
| uses: endorlabs/github-action/sign@736c93ea52b002f2ac229aaeb273b102cbf6fe12 | ||
| with: | ||
| namespace: "yolo" | ||
| artifact_name: ${{ env.ARTIFACT }} | ||
|
|
||
| - name: Run Tests | ||
| run: | | ||
| mvn test | ||
| - name: Endor Labs Dependency Scan | ||
| uses: endorlabs/[email protected] | ||
| with: | ||
| namespace: "yolo" | ||
| scan_summary_output_type: "table" | ||
| pr: "false" | ||
| enable_github_action_token: "true" | ||
| scan_dependencies: "true" | ||
| scan_secrets: "true" | ||
| scan_git_logs: "true" | ||
|
|
||
| - name: Run SAST | ||
| run: python3 -m pip install semgrep && semgrep scan | ||
|
|
||
| - name: Login to Docker Hub | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| username: ${{ secrets.DOCKERHUB_USERNAME }} | ||
| password: ${{ secrets.DOCKERHUB_TOKEN }} | ||
|
|
||
| - name: Get Image Digest to Verify | ||
| run: | | ||
| VERIFY_SHA=$(docker inspect jscott932/app-java-demo:latest | jq -r '.[].Id') | ||
| VERIFY_IMAGE_NAME=jscott932/app-java-demo | ||
| VERIFY_TARGET="$VERIFY_IMAGE_NAME"@"$VERIFY_SHA" | ||
| echo VERIFY_ARTIFACT="$VERIFY_TARGET" >> $GITHUB_ENV | ||
| - name: Container verify | ||
| uses: endorlabs/github-action/verify@736c93ea52b002f2ac229aaeb273b102cbf6fe12 | ||
| with: | ||
| namespace: "yolo" | ||
| artifact_name: ${{ env.VERIFY_ARTIFACT }} | ||
|
|
||
| - name: Push to Docker Hub | ||
| run: docker push jscott932/app-java-demo:latest |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| name: Run Semgrep | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| release: | ||
| name: Run Semgrep | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| steps: | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Run SAST | ||
| run: python3 -m pip install semgrep && semgrep scan |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| name: Run Trivy | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| release: | ||
| name: Run Trivy | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| id-token: write | ||
| contents: read | ||
| steps: | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Run Trivy | ||
| run: | | ||
| curl -LO https://url.to/trivy.tar.gz | ||
| tar -xzf ./trivy.tar.gz | ||
| chmod +x ./trivy | ||
| ./trivy fs --scanners vuln,secret,misconfig ./ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| name: Run Trufflehog | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| release: | ||
| name: Run Trufflehog | ||
| runs-on: ubuntu-latest | ||
| permissions: read-all | ||
| steps: | ||
|
|
||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: TruffleHog OSS | ||
| uses: trufflesecurity/[email protected] | ||
| with: | ||
| base: "" | ||
| head: ${{ github.ref_name }} | ||
| extra_args: --only-verified | ||
|
|