From beafd2dec2a4a449a4d7adf79bf9c087826bf851 Mon Sep 17 00:00:00 2001 From: divyansh42 Date: Mon, 28 Mar 2022 17:37:21 +0530 Subject: [PATCH] Add CRDA starter workflow and modify openshift workflow Signed-off-by: divyansh42 --- code-scanning/crda.yml | 126 ++++++++++++++++++ code-scanning/properties/crda.properties.json | 7 + deployments/openshift.yml | 19 ++- 3 files changed, 150 insertions(+), 2 deletions(-) create mode 100644 code-scanning/crda.yml create mode 100644 code-scanning/properties/crda.properties.json diff --git a/code-scanning/crda.yml b/code-scanning/crda.yml new file mode 100644 index 0000000..d5bb88f --- /dev/null +++ b/code-scanning/crda.yml @@ -0,0 +1,126 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow performs a static analysis of your source code using +# Red Hat CodeReady Dependency Analytics. + +# Scans are triggered: +# 1. On every push to default and protected branches +# 2. On every Pull Request targeting the default branch +# 3. On a weekly schedule +# 4. Manually, on demand, via the "workflow_dispatch" event + +# 💁 The CRDA Starter workflow will: +# - Checkout your repository +# - Setup the required tool stack +# - Install the CRDA command line tool +# - Auto detect the manifest file and install the project's dependencies +# - Perform the security scan using CRDA +# - Upload the SARIF result to the GitHub Code Scanning which can be viewed under the security tab +# - Optionally upload the SARIF file as an artifact for the future reference + +# â„šī¸ Configure your repository and the workflow with the following steps: +# 1. Setup the tool stack based on the project's requirement. +# Refer to: https://github.com/redhat-actions/crda/#1-set-up-the-tool-stack +# 2. (Optional) CRDA action attempt to detect the language and install the +# required dependencies for your project. If your project doesn't aligns +# with the default dependency installation command mentioned here +# https://github.com/redhat-actions/crda/#3-installing-dependencies. +# Use the required inputs to setup the same +# 3. (Optional) CRDA action attempts to detect the manifest file if it is +# present in the root of the project and named as per the default mentioned +# here https://github.com/redhat-actions/crda/#3-installing-dependencies. +# If it deviates from the default, use the required inputs to setup the same +# 4. Setup Authentication - Create the CRDA_KEY or SNYK_TOKEN. +# Refer to: https://github.com/redhat-actions/crda/#4-set-up-authentication +# 5. (Optional) Upload SARIF file as an Artifact to download and view +# 6. Commit and push the workflow file to your default branch to trigger a workflow run. + +# 👋 Visit our GitHub organization at https://github.com/redhat-actions/ to see our actions and provide feedback. + +name: CRDA Scan + +# Controls when the workflow will run +on: + # TODO: Customize trigger events based on your DevSecOps processes + # + # This workflow is made to run with OpenShift starter workflow + # https://github.com/actions/starter-workflows/blob/main/deployments/openshift.yml + # However, if you want to run this workflow as a standalone workflow, please + # uncomment the 'push' trigger below and configure it based on your requirements. + # + workflow_call: + secrets: + CRDA_KEY: + required: false + SNYK_TOKEN: + required: false + workflow_dispatch: + + # push: + # branches: [ $default-branch, $protected-branches ] + + # pull_request_target is used to securely share secret to the PR's workflow run. + # For more info visit: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target + pull_request_target: + branches: [ $default-branch ] + types: [ assigned, opened, synchronize, reopened, labeled, edited ] + +permissions: + contents: read + +jobs: + crda-scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for redhat-actions/crda to upload SARIF results + name: Scan project vulnerabilities with CRDA + runs-on: ubuntu-20.04 + steps: + + - name: Check out repository + uses: actions/checkout@v2 + + # ******************************************************************* + # Required: Instructions to setup project + # 1. Setup Go, Java, Node.js or Python depending on your project type + # 2. Setup Actions are listed below, choose one from them: + # - Go: https://github.com/actions/setup-go + # - Java: https://github.com/actions/setup-java + # - Node.js: https://github.com/actions/setup-node + # - Python: https://github.com/actions/setup-python + # + # Example: + # - name: Setup Node + # uses: actions/setup-node@v2 + # with: + # node-version: '14' + + # https://github.com/redhat-actions/openshift-tools-installer/blob/main/README.md + - name: Install CRDA CLI + uses: redhat-actions/openshift-tools-installer@v1 + with: + source: github + github_pat: ${{ github.token }} + # Choose the desired version of the CRDA CLI + crda: "latest" + + ###################################################################################### + # https://github.com/redhat-actions/crda/blob/main/README.md + # + # By default, CRDA will detect the manifest file and install the required dependencies + # using the standard command for the project type. + # If your project doesn't aligns with the defaults mentioned in this action, you will + # need to set few inputs that are described here: + # https://github.com/redhat-actions/crda/blob/main/README.md#3-installing-dependencies + # Visit https://github.com/redhat-actions/crda/#4-set-up-authentication to understand + # process to get a SNYK_TOKEN or a CRDA_KEY + - name: CRDA Scan + id: scan + uses: redhat-actions/crda@v1 + with: + crda_key: ${{ secrets.CRDA_KEY }} # Either use crda_key or snyk_token + # snyk_token: ${{ secrets.SNYK_TOKEN }} + # upload_artifact: false # Set this to false to skip artifact upload diff --git a/code-scanning/properties/crda.properties.json b/code-scanning/properties/crda.properties.json new file mode 100644 index 0000000..9e1a7ac --- /dev/null +++ b/code-scanning/properties/crda.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Red Hat CodeReady Dependency Analytics", + "creator": "Red Hat", + "description": "Scan your project's dependencies with CodeReady Dependency Analytics.", + "iconName": "openshift", + "categories": ["Code Scanning", "Go", "Python", "Node.js", "Java"] +} diff --git a/deployments/openshift.yml b/deployments/openshift.yml index 5775cb0..8504059 100644 --- a/deployments/openshift.yml +++ b/deployments/openshift.yml @@ -54,15 +54,30 @@ env: on: # https://docs.github.com/en/actions/reference/events-that-trigger-workflows + workflow_dispatch: push: # Edit to the branch(es) you want to build and deploy on each push. branches: [ $default-branch ] jobs: + # đŸ–Šī¸ EDIT if you want to run vulnerability check on your project before deploying + # the application. Please uncomment the below CRDA scan job and configure to run it in + # your workflow. For details about CRDA action visit https://github.com/redhat-actions/crda/blob/main/README.md + # + # TODO: Make sure to add 'CRDA Scan' starter workflow from the 'Actions' tab. + # For guide on adding new starter workflow visit https://docs.github.com/en/github-ae@latest/actions/using-workflows/using-starter-workflows + + crda-scan: + uses: ./.github/workflows/crda.yml + secrets: + CRDA_KEY: ${{ secrets.CRDA_KEY }} + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} # Either use SNYK_TOKEN or CRDA_KEY + openshift-ci-cd: + # đŸ–Šī¸ Uncomment this if you are using CRDA scan step above + # needs: crda-scan name: Build and deploy to OpenShift - # ubuntu-20.04 can also be used. - runs-on: ubuntu-18.04 + runs-on: ubuntu-20.04 environment: production outputs: