moved the upstream and registry1 to separate tasks
Signed-off-by: naveensrinivasan <[email protected]>
naveensrinivasan committed Apr 2, 2024
1 parent 1ab0cf2 commit 3840a1a
Showing 2 changed files with 68 additions and 16 deletions.
43 changes: 37 additions & 6 deletions .github/workflows/scan.yaml
Expand Up @@ -9,9 +9,10 @@ on:
workflow_dispatch: {}

jobs:
scan:
# cannot scan registry1 and upstream at the same time because the sarif upload have a file limit of 20 files
scan-upstream:
runs-on: ubuntu-latest
name: Scan for vulnerabilities
name: Scan for vulnerabilities - Upstream
permissions:
contents: read
pull-requests: read
Expand All @@ -23,17 +24,47 @@ jobs:
fetch-depth: 0

- name: Environment setup
uses: defenseunicorns/uds-common/.github/actions/setup@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3
uses: defenseunicorns/uds-common/.github/actions/setup@264ec430c4079129870820e70c4439f3f3d57cbc # v0.3.9
with:
username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}

- name: Scan the repository for vulnerabilities

- name: Scan the repository for vulnerabilities - Upstream
run: |
uds run grype:install
uds run scan:upstream
- name: Upload SARIF files - Upstream
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2
with:
sarif_file: ./sarif

scan-registry1:
runs-on: ubuntu-latest
name: Scan for vulnerabilities - Registry1
permissions:
contents: read
pull-requests: read

steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0

- name: Environment setup
uses: defenseunicorns/uds-common/.github/actions/setup@264ec430c4079129870820e70c4439f3f3d57cbc # v0.3.9
with:
username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}

- name: Scan the repository for vulnerabilities - Registry1
run: |
uds run grype:install
uds run scan:vulns
uds run scan:registry1
- name: Upload SARIF files
- name: Upload SARIF files - Registry1
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2
with:
sarif_file: ./sarif
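Review bot: Both upload steps in this section (`Upload SARIF files - Upstream` and `Upload SARIF files - Registry1`) call `github/codeql-action/upload-sarif` on `./sarif` without a `category` input, so the two jobs submit results for the same commit and the same tool under one analysis name, and code scanning is likely to treat the second upload as a replacement for the first rather than showing both. Give each `with:` block its own category, e.g. `category: upstream` in the first job and `category: registry1` in the second. The `permissions:` shown for both jobs list only `contents: read` and `pull-requests: read`; the collapsed lines may already grant `security-events: write`, which upload-sarif needs, but if they do not the upload step will fail in both jobs. Since the two jobs differ only in the flavor string, a `strategy.matrix` over the flavor with the category derived from it would keep the checkout and setup steps single-sourced.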
41 changes: 31 additions & 10 deletions tasks/scan.yaml
@@ -1,26 +1,47 @@
---
tasks:
- name: vulns
description: Create a UDS package with configurable flavor and extract the SBOM from all created packages and analyze for vulnerabilities
- name: upstream
description: Create a UDS package with upstream flavor, extract the SBOM, and analyze for vulnerabilities
actions:
- cmd: |
bash -c 'flavors=("upstream" "registry1")
for flavor in "${flavors[@]}"; do
bash -c '
flavor="upstream"
output_dir="sbom/$flavor"
mkdir -p "$output_dir"
uds zarf package create . --flavor="$flavor" --confirm --no-progress -o "$output_dir"
for file in "$output_dir"/*.zst; do
uds zarf package inspect "$file" --sbom-out "$output_dir" --no-progress
done
done
sarif_output_dir="./sarif"
mkdir -p "$sarif_output_dir"
for flavor in "${flavors[@]}"; do
sarif_output_dir="./sarif"
mkdir -p "$sarif_output_dir"
find "sbom/$flavor" -type f -name "*.json" | while read -r json_file; do
sarif_file_name="${flavor}_$(basename "${json_file}").sarif"
echo "Processing $json_file"
echo "Outputting to $sarif_output_dir/$sarif_file_name"
grype sbom:"$json_file" --fail-on high -o sarif --file "$sarif_output_dir/$sarif_file_name" || true
grype sbom:"$json_file" -o sarif --file "$sarif_output_dir/$sarif_file_name"
echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)"
done
done'
'
- name: registry1
description: Create a UDS package with registry1 flavor, extract the SBOM, and analyze for vulnerabilities
actions:
- cmd: |
bash -c '
flavor="registry1"
output_dir="sbom/$flavor"
mkdir -p "$output_dir"
uds zarf package create . --flavor="$flavor" --confirm --no-progress -o "$output_dir"
for file in "$output_dir"/*.zst; do
uds zarf package inspect "$file" --sbom-out "$output_dir" --no-progress
done
sarif_output_dir="./sarif"
mkdir -p "$sarif_output_dir"
find "sbom/$flavor" -type f -name "*.json" | while read -r json_file; do
sarif_file_name="${flavor}_$(basename "${json_file}").sarif"
echo "Processing $json_file"
echo "Outputting to $sarif_output_dir/$sarif_file_name"
grype sbom:"$json_file" -o sarif --file "$sarif_output_dir/$sarif_file_name"
echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)"
done
'
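Review bot: Dropping `|| true` from the grype call does not make a grype failure fail the task, because the call runs inside a `find | while read` loop whose status is that of its last command, the `echo` on the following line, so the `bash -c` script still exits 0 when grype cannot run (a missing vulnerability database, for instance) and the SARIF for that SBOM is silently absent from `./sarif`. Put `set -euo pipefail` on the first line inside `bash -c '` in both tasks so a failing grype aborts the loop and the task; with that in place the `(errors ignored)` suffix in the final echo is stale and should be dropped so the message reads `exported to $sarif_output_dir/$sarif_file_name` only. The `registry1` task is a line-for-line copy of `upstream` apart from `flavor=`, so a single task taking the flavor as a variable would keep the two scripts from drifting.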
