Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PCP-2010: validation checks added #125

Open
wants to merge 1 commit into
base: spectro-master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
36 changes: 36 additions & 0 deletions .github/workflows/bulwark-gitleaks-pr-validation.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
name: BulwarkGitLeaks
on: [pull_request]

concurrency:
group: gitleaks-${{ github.ref }}
cancel-in-progress: true

jobs:
gitleaks-pr-scan:
runs-on: ubuntu-latest
container:
image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest
env:
REPO: ${{ github.event.repository.name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_CONFIG: /workspace/config.toml
steps:

- name: run-bulwark-gitleaks-scan
shell: sh
env:
BRANCH: ${{ github.head_ref || github.ref_name }}
run: /workspace/bulwark -name CodeSASTGitLeaks -target $REPO -tags "branch:$BRANCH,options:--log-opts origin..HEAD"

- name: check-result
shell: sh
run: |
resultPath=./$REPO/gitleaks.json
cat $resultPath | grep -v \"Match\"\: | grep -v \"Secret\"\:
total_failed_tests=`cat $resultPath | grep \"Fingerprint\"\: | wc -l`
if [ "$total_failed_tests" -gt 0 ]; then
echo "GitLeaks validation check failed with above findings..."
exit 1
else
echo "GitLeaks validation check passed"
fi
35 changes: 35 additions & 0 deletions .github/workflows/bulwark-gosec-pr-scan.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: BulwarkGoSec
on: [pull_request]

concurrency:
group: gosec-${{ github.ref }}
cancel-in-progress: true

jobs:
gosec-pr-scan:
runs-on: ubuntu-latest
container:
image: gcr.io/spectro-dev-public/bulwark/gosec:latest
steps:

- name: run-gosec-scan
shell: sh
env:
BRANCH: ${{ github.head_ref || github.ref_name }}
GO111MODULE: on
run: |
/workspace/bulwark -name CodeSASTGoSec -verbose -target $REPO -tags "branch:$BRANCH,rules:all"

- name: check-result
shell: sh
run: |
resultPath=$REPO-result.json
issues=$(cat $resultPath | jq -r '.Stats.found')
echo "Found ${issues} issues"
if [ "$issues" -gt 0 ]; then
echo "GoSec SAST scan failed with below findings..."
cat $resultPath
exit 1
else
echo "GoSec SAST scan passed"
fi
31 changes: 31 additions & 0 deletions .github/workflows/golicense-pr-validation.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
name: GoLicenses
on: [pull_request]

concurrency:
group: golicenses-${{ github.ref }}
cancel-in-progress: true

jobs:
golicense-pr-scan:
runs-on: ubuntu-latest
steps:
- name: install-git
run: sudo apt-get install -y git

- name: install-golicenses
run: GOBIN=/usr/local/bin go install github.com/google/go-licenses@latest

- name: checkout
uses: actions/checkout@v3

- name: set-github-access
run: |
/usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf ssh://git@github
/usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf https://github
/usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf git@github

- name: golicense-scan
run: |
go-licenses check --ignore github.com/spectrocloud ./
# go-licenses check --ignore github.com/spectrocloud ./hack/tools
# go-licenses check --ignore github.com/spectrocloud ./spate/xk6-spate
33 changes: 33 additions & 0 deletions .github/workflows/govulncheck-pr-validation.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
name: GoVulnCheck
on: [pull_request]

concurrency:
group: govulncheck-${{ github.ref }}
cancel-in-progress: true

jobs:
govulncheck-pr-scan:
runs-on: ubuntu-latest
container:
image: gcr.io/spectro-images-public/golang:alpine
steps:
- name: install-govulncheck
run: GOBIN=/usr/local/bin go install golang.org/x/vuln/cmd/govulncheck@latest

- name: checkout
uses: actions/checkout@v3

- name: set-github-access
run: |
/usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf ssh://git@github
/usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf https://github
/usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf git@github

- name: govulncheck-scan
run: |
go version
govulncheck -mode source ./
govulncheck -mode source ./hack/tools



Loading