Skip to content

Commit

Permalink
code review comments
Browse files Browse the repository at this point in the history
Signed-off-by: naveensrinivasan <[email protected]>
  • Loading branch information
naveensrinivasan committed Apr 1, 2024
1 parent 28f1085 commit e8a02a0
Show file tree
Hide file tree
Showing 5 changed files with 57 additions and 33 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -9,11 +9,11 @@ on:
workflow_dispatch: {}

jobs:
validate:
scan:
runs-on: ubuntu-latest
name: Scan for vulnerabilities
permissions:
contents: read
contents: read
pull-requests: read

steps:
Expand All @@ -22,17 +22,27 @@ jobs:
with:
fetch-depth: 0

- name: Environment setup # this is required for scanning ironbank images
- name: Environment setup
uses: defenseunicorns/uds-common/.github/actions/setup@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3
with:
username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}

- name: Scan the repository for vulnerabilities
run: |
uds run vuln-check:grype-scan-sbom
uds run grype:install
uds run scan:vulns
upload-sarif:
runs-on: ubuntu-latest
strategy:
matrix:
repo: ['upstream', 'repo1']
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Upload SARIF files
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.0.0
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2
with:
sarif_file: 'sarif/'
sarif_file: sarif/${{ matrix.repo }}/*.sarif
5 changes: 3 additions & 2 deletions tasks.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,8 @@ includes:
- pull: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.9/tasks/pull.yaml
- deploy: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.9/tasks/deploy.yaml
- setup: https://raw.githubusercontent.com/defenseunicorns/uds-common/v0.3.9/tasks/setup.yaml
- vuln-check: ./tasks/scanvulnerability.yaml
- scan: ./tasks/scan.yaml
- grype: ./tasks/grype.yaml

tasks:
- name: default
Expand Down Expand Up @@ -65,4 +66,4 @@ tasks:
- name: vuln-scan-package
description: Scan the GitLab package for vulnerabilities
actions:
- task: vuln-check:grype-scan-sbom
- task: scan:vulns
12 changes: 12 additions & 0 deletions tasks/grype.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
---
tasks:
- name: install
description: Check if Grype is installed, if not install it
actions:
- cmd: |
if ! command -v grype &> /dev/null; then
echo "Grype could not be found, installing..."
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
else
echo "Grype is already installed."
fi
26 changes: 26 additions & 0 deletions tasks/scan.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
---
tasks:
- name: vulns
description: Create a UDS package with configurable flavor and extract the SBOM from all created packages and analyze for vulnerabilities
actions:
- cmd: |
flavors=("upstream" "registry1")
for flavor in "${flavors[@]}"; do
output_dir="sbom/$flavor"
mkdir -p "$output_dir"
uds zarf package create . --flavor="$flavor" --confirm --no-progress -o "$output_dir"
for file in "$output_dir"/*.zst; do
uds zarf package inspect "$file" --sbom-out "$output_dir" --no-progress
done
done
for flavor in "${flavors[@]}"; do
sarif_output_dir="./sarif/$flavor"
mkdir -p "$sarif_output_dir"
find "sbom/$flavor" -type f -name "*.json" | while read -r json_file; do
sarif_file_name="$(basename "${json_file}").sarif"
echo "Processing $json_file"
echo "Outputting to $sarif_output_dir/$sarif_file_name"
grype sbom:"$json_file" --fail-on high -o sarif --file "$sarif_output_dir/$sarif_file_name" || true
echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)"
done
done
25 changes: 0 additions & 25 deletions tasks/scanvulnerability.yaml

This file was deleted.

0 comments on commit e8a02a0

Please sign in to comment.