OPS-4460 added scans for pr validation

.github/workflows/gitleaks.yml → .github/workflows/gitleaks-pr-validation.yaml

@@ -1,22 +1,19 @@
-name: GitLeaks
+name: GitLeaksPRValidation
+on: [pull_request]
 
-on:
-  pull_request:
-    branches:
-    - main
-  workflow_dispatch: {}
+concurrency:
+  group: gitleaks-${{ github.ref }}
+  cancel-in-progress: true
 
 jobs:
-  gitleaks-scan:
+  gitleaks-pr-scan:
     runs-on: ubuntu-latest
     container:
-      image: gcr.io/spectro-common-dev/fayasa/bulwark:latest
+      image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest
       env:
         REPO: ${{ github.event.repository.name }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      credentials:
-        username: _json_key
-        password: ${{ secrets.GCR_SPCD_JSON_KEY }}
+        GITLEAKS_CONFIG: /workspace/config.toml
     steps:
 
       - name: run-bulwark-gitleaks-scan
@@ -36,4 +33,4 @@ jobs:
             exit 1
           else 
             echo "GitLeaks validation check passed"
-          fi
+          fi

.github/workflows/golicense-pr-validation.yaml

@@ -0,0 +1,25 @@
+name: GoLicensesPRValidation
+on: [pull_request]
+
+concurrency:
+  group: go-licenses-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  go-licenses-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-images-public/golang:1.22-alpine
+    steps:
+      - name: install-go-licenses
+        run: GOBIN=/usr/local/bin go install github.com/google/go-licenses@latest
+
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: set-github-access
+        run: |
+          /usr/bin/git config --global --add url."https://${{ secrets.GITHUB_TOKEN }}:x-oauth-basic@github".insteadOf https://github
+
+      - name: go-licenses-scan
+        run: go-licenses check --ignore github.com/spectrocloud ./...

.github/workflows/gosec-pr-validation.yaml

@@ -0,0 +1,38 @@
+name: GoSecPRValidation
+on: [pull_request]
+
+concurrency:
+  group: gosec-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  gosec-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-dev-public/bulwark/gosec:latest
+      env:
+        REPO: ${{ github.event.repository.name }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: gosec-scan
+        shell: sh
+        env:
+          BRANCH: ${{ github.head_ref || github.ref_name }}
+          GO111MODULE: on
+        run: /workspace/bulwark -name CodeSASTGoSec -verbose -target $REPO -tags "branch:$BRANCH,rules:-G101"
+
+      - name: check-result
+        shell: sh
+        run: |
+          resultPath=$REPO-result.json
+          issues=$(cat $resultPath | jq -r '.Stats.found')
+          echo "Found ${issues} issues"
+          echo "Issues by Rule ID"
+          jq -r '.Issues | group_by (.rule_id)[] | {rule: .[0].rule_id, count: length}' $resultPath
+          if [ "$issues" -gt 0 ]; then
+            echo "GoSec SAST scan failed with below findings..."
+            cat $resultPath
+            exit 1
+          else 
+            echo "GoSec SAST scan passed"
+          fi

.github/workflows/govulncheck-pr-validation.yaml

@@ -0,0 +1,28 @@
+name: GoVulnCheckPRValidation
+on: [pull_request]
+
+concurrency:
+  group: govulncheck-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  govulncheck-pr-scan:
+    runs-on: security-runner
+    container:
+      image: gcr.io/spectro-images-public/golang:1.22-alpine
+    steps:
+      - name: install-govulncheck
+        run: GOBIN=/usr/local/bin go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: set-github-access
+        run: |
+          /usr/bin/git config --global --add url."https://${{ secrets.GITHUB_TOKEN }}:x-oauth-basic@github".insteadOf https://github
+          /usr/bin/git config --global --add url."https://${{ secrets.GITHUB_TOKEN }}:x-oauth-basic@github".insteadOf git@github
+
+      - name: govulncheck-scan
+        run: |
+          go version
+          govulncheck -mode source ./...