PCP-2008 : CICD changes w.r.t. PCP-1844

spectrocloud · Oct 16, 2023 · 15f520a · 15f520a
1 parent 78f8267
commit 15f520a
Show file tree

Hide file tree

Showing 4 changed files with 144 additions and 0 deletions.
diff --git a/.github/workflows/bulwark-gitleaks-pr-validation.yaml b/.github/workflows/bulwark-gitleaks-pr-validation.yaml
@@ -0,0 +1,38 @@
+name: BulwarkGitLeaks
+on: [pull_request]
+
+concurrency:
+  group: gitleaks-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  gitleaks-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest
+      env:
+        REPO: ${{ github.event.repository.name }}
+        ref: ${{ github.event.pull_request.head.ref }}
+        repository: ${{ github.event.pull_request.head.repo.full_name }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITLEAKS_CONFIG: /workspace/config.toml
+    steps:
+
+      - name: run-bulwark-gitleaks-scan
+        shell: sh
+        env:
+          BRANCH: ${{ github.head_ref || github.ref_name }}
+        run: /workspace/bulwark -name CodeSASTGitLeaks -target $REPO -tags "branch:$BRANCH,options:--log-opts origin..HEAD"
+
+      - name: check-result
+        shell: sh
+        run: |
+          resultPath=./$REPO/gitleaks.json
+          cat $resultPath | grep -v \"Match\"\: | grep -v \"Secret\"\:
+          total_failed_tests=`cat $resultPath | grep \"Fingerprint\"\: | wc -l`
+          if [ "$total_failed_tests" -gt 0 ]; then
+            echo "GitLeaks validation check failed with above findings..."
+            exit 1
+          else 
+            echo "GitLeaks validation check passed"
+          fi
diff --git a/.github/workflows/bulwark-gosec-pr-scan.yaml b/.github/workflows/bulwark-gosec-pr-scan.yaml
@@ -0,0 +1,41 @@
+name: BulwarkGoSec
+on: [pull_request]
+
+concurrency:
+  group: gosec-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  gosec-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-dev-public/bulwark/gosec:latest
+      env:
+        REPO: ${{ github.event.repository.name }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      credentials:
+        username: _json_key
+        password: ${{ secrets.GCR_SPCD_JSON_KEY }}
+    steps:
+
+      - name: run-gosec-scan
+        shell: sh
+        env:
+          BRANCH: ${{ github.head_ref || github.ref_name }}
+          GO111MODULE: on
+        run: |
+          /workspace/bulwark -name CodeSASTGoSec -verbose -target $REPO -tags "branch:$BRANCH,rules:all"
+
+      - name: check-result
+        shell: sh
+        run: |
+          resultPath=$REPO-result.json
+          issues=$(cat $resultPath | jq -r '.Stats.found')
+          echo "Found ${issues} issues"
+          if [ "$issues" -gt 0 ]; then
+            echo "GoSec SAST scan failed with below findings..."
+            cat $resultPath
+            exit 1
+          else 
+            echo "GoSec SAST scan passed"
+          fi
diff --git a/.github/workflows/golicense-pr-validation.yaml b/.github/workflows/golicense-pr-validation.yaml
@@ -0,0 +1,32 @@
+name: GoLicenses
+on: [pull_request]
+
+concurrency:
+  group: golicenses-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  golicense-pr-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: install-git
+        run: sudo apt-get install -y git
+
+      - name: install-golicenses
+        run: GOBIN=/usr/local/bin go install github.com/google/go-licenses@latest
+
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: set-github-access
+        run: |
+          /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf ssh://git@github
+          /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf https://github
+          /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf git@github
+
+      - name: golicense-scan
+        run: |
+          go-licenses check --ignore github.com/spectrocloud ./bulwark
+          go-licenses check --ignore github.com/spectrocloud ./dynamo
+          go-licenses check --ignore github.com/spectrocloud ./spate/genco
+#          go-licenses check --ignore github.com/spectrocloud ./spate/xk6-spate
diff --git a/.github/workflows/govulncheck-pr-validation.yaml b/.github/workflows/govulncheck-pr-validation.yaml
@@ -0,0 +1,33 @@
+name: GoVulnCheck
+on: [pull_request]
+
+concurrency:
+  group: govulncheck-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  govulncheck-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image:  gcr.io/spectro-images-public/golang:alpine
+    steps:
+      - name: install-govulncheck
+        run: GOBIN=/usr/local/bin go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: set-github-access
+        run: |
+          /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf ssh://git@github
+          /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf https://github
+          /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf git@github
+
+      - name: govulncheck-scan
+        run: |
+          go version
+          govulncheck -mode source ./bulwark
+          govulncheck -mode source ./dynamo
+          govulncheck -mode source ./spate/genco
+          govulncheck -mode source ./spate/xk6-spate
+