From 471599b065bd4bf167368395c605d1668a5f449f Mon Sep 17 00:00:00 2001
From: umar
Date: Tue, 14 May 2024 18:55:47 +0530
Subject: [PATCH] OPS-4460 added scans for pr validation
---
 ...tleaks.yml => gitleaks-pr-validation.yaml} | 21 +++++-----
 .../workflows/golicense-pr-validation.yaml | 25 ++++++++++++
 .github/workflows/gosec-pr-validation.yaml | 38 +++++++++++++++++++
 .../workflows/govulncheck-pr-validation.yaml | 28 ++++++++++++++
 4 files changed, 100 insertions(+), 12 deletions(-)
 rename .github/workflows/{gitleaks.yml => gitleaks-pr-validation.yaml} (76%)
 create mode 100644 .github/workflows/golicense-pr-validation.yaml
 create mode 100644 .github/workflows/gosec-pr-validation.yaml
 create mode 100644 .github/workflows/govulncheck-pr-validation.yaml
diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks-pr-validation.yaml
similarity index 76%
rename from .github/workflows/gitleaks.yml
rename to .github/workflows/gitleaks-pr-validation.yaml
index f2614057..a36eada8 100644
--- a/.github/workflows/gitleaks.yml
+++ b/.github/workflows/gitleaks-pr-validation.yaml
@@ -1,22 +1,19 @@ -name: GitLeaks +name: GitLeaksPRValidation +on: [pull_request] -on: - pull_request: - branches: - - main - workflow_dispatch: {} +concurrency: + group: gitleaks-${{ github.ref }} + cancel-in-progress: true jobs: - gitleaks-scan: + gitleaks-pr-scan: runs-on: ubuntu-latest container: - image: gcr.io/spectro-common-dev/fayasa/bulwark:latest + image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest env: REPO: ${{ github.event.repository.name }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - credentials: - username: _json_key - password: ${{ secrets.GCR_SPCD_JSON_KEY }} + GITLEAKS_CONFIG: /workspace/config.toml steps: - name: run-bulwark-gitleaks-scan
@@ -36,4 +33,4 @@ jobs:
 exit 1
 else
 echo "GitLeaks validation check passed"
- fi
+ fi
\ No newline at end of file
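Review bot: The scanner now runs from `image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest`, a floating tag on a public registry, so what this PR gate executes can change underneath the repository without any commit here; pin it by digest, e.g. `image: gcr.io/spectro-dev-public/bulwark/gitleaks@sha256:<digest-placeholder>`, and the same applies to the gosec image in gosec-pr-validation.yaml. The workflow has no top-level `permissions:` block although it only needs to read the checkout, so `permissions:` / `  contents: read` would drop the job token to the scope it actually uses. The collapsed hunk does not show the indentation of the added `GITLEAKS_CONFIG: /workspace/config.toml` line; if it sits at the `container:` level rather than under `env:`, workflow validation is likely to reject it, so confirm it is an env entry.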
diff --git a/.github/workflows/golicense-pr-validation.yaml b/.github/workflows/golicense-pr-validation.yaml
new file mode 100644
index 00000000..2a62c55d
--- /dev/null
+++ b/.github/workflows/golicense-pr-validation.yaml
@@ -0,0 +1,25 @@
+name: GoLicensesPRValidation
+on: [pull_request]
+
+concurrency:
+ group: go-licenses-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ go-licenses-pr-scan:
+ runs-on: ubuntu-latest
+ container:
+ image: gcr.io/spectro-images-public/golang:1.22-alpine
+ steps:
+ - name: install-go-licenses
+ run: GOBIN=/usr/local/bin go install github.com/google/go-licenses@latest
+
+ - name: checkout
+ uses: actions/checkout@v3
+
+ - name: set-github-access
+ run: |
+ /usr/bin/git config --global --add url."https://${{ secrets.GITHUB_TOKEN }}:x-oauth-basic@github".insteadOf https://github
+
+ - name: go-licenses-scan
+ run: go-licenses check --ignore github.com/spectrocloud ./...
\ No newline at end of file
diff --git a/.github/workflows/gosec-pr-validation.yaml b/.github/workflows/gosec-pr-validation.yaml
new file mode 100644
index 00000000..e91f5167
--- /dev/null
+++ b/.github/workflows/gosec-pr-validation.yaml
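Review bot: `go install github.com/google/go-licenses@latest` resolves the tool version at run time, so the license gate can start failing or passing on an unchanged PR and executes whatever the module proxy serves that day; pin it, `run: GOBIN=/usr/local/bin go install github.com/google/go-licenses@<version-placeholder>`, and the same applies to `govulncheck@latest` in govulncheck-pr-validation.yaml. The `set-github-access` step writes `secrets.GITHUB_TOKEN` into the container's global git config in plaintext for the remainder of the job; it is masked in logs, but a final step that removes the `insteadOf` entry, or a narrower rewrite scoped to the private org, limits how long the token sits on disk. `actions/checkout@v3` is a mutable major tag; pinning the action to a commit SHA is the usual hardening for a security gate.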
@@ -0,0 +1,38 @@
+name: GoSecPRValidation
+on: [pull_request]
+
+concurrency:
+ group: gosec-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ gosec-pr-scan:
+ runs-on: ubuntu-latest
+ container:
+ image: gcr.io/spectro-dev-public/bulwark/gosec:latest
+ env:
+ REPO: ${{ github.event.repository.name }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ steps:
+ - name: gosec-scan
+ shell: sh
+ env:
+ BRANCH: ${{ github.head_ref || github.ref_name }}
+ GO111MODULE: on
+ run: /workspace/bulwark -name CodeSASTGoSec -verbose -target $REPO -tags "branch:$BRANCH,rules:-G101"
+
+ - name: check-result
+ shell: sh
+ run: |
+ resultPath=$REPO-result.json
+ issues=$(cat $resultPath | jq -r '.Stats.found')
+ echo "Found ${issues} issues"
+ echo "Issues by Rule ID"
+ jq -r '.Issues | group_by (.rule_id)[] | {rule: .[0].rule_id, count: length}' $resultPath
+ if [ "$issues" -gt 0 ]; then
+ echo "GoSec SAST scan failed with below findings..."
+ cat $resultPath
+ exit 1
+ else
+ echo "GoSec SAST scan passed"
+ fi
\ No newline at end of file
diff --git a/.github/workflows/govulncheck-pr-validation.yaml b/.github/workflows/govulncheck-pr-validation.yaml
new file mode 100644
index 00000000..efc0b9f3
--- /dev/null
+++ b/.github/workflows/govulncheck-pr-validation.yaml
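Review bot: The check-result step fails open when the result file exists but `.Stats.found` is absent or null: `issues` then holds `null` or an empty string, `[ "$issues" -gt 0 ]` errors out rather than returning false, and the `else` branch prints "GoSec SAST scan passed" with exit 0. Replacing the first query with `issues=$(jq -e -r '.Stats.found' "$resultPath")` makes a missing or null count abort the step under the `sh -e` that `shell: sh` runs with. `-tags "branch:$BRANCH,rules:-G101"` also switches off gosec's hard-coded-credentials rule for every PR with no explanation in the file; add a comment above the step such as `# G101 (hard-coded credentials) is excluded because secret detection is handled by the gitleaks PR workflow`, or drop the exclusion if that is not the reason. Passing the branch through `env:` instead of interpolating `github.head_ref` into `run:` is the right way to keep a fork-controlled branch name out of the shell script; keep that pattern.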
@@ -0,0 +1,28 @@
+name: GoVulnCheckPRValidation
+on: [pull_request]
+
+concurrency:
+ group: govulncheck-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ govulncheck-pr-scan:
+ runs-on: security-runner
+ container:
+ image: gcr.io/spectro-images-public/golang:1.22-alpine
+ steps:
+ - name: install-govulncheck
+ run: GOBIN=/usr/local/bin go install golang.org/x/vuln/cmd/govulncheck@latest
+
+ - name: checkout
+ uses: actions/checkout@v3
+
+ - name: set-github-access
+ run: |
+ /usr/bin/git config --global --add url."https://${{ secrets.GITHUB_TOKEN }}:x-oauth-basic@github".insteadOf https://github
+ /usr/bin/git config --global --add url."https://${{ secrets.GITHUB_TOKEN }}:x-oauth-basic@github".insteadOf git@github
+
+ - name: govulncheck-scan
+ run: |
+ go version
+ govulncheck -mode source ./...
\ No newline at end of file
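Review bot: `runs-on: security-runner` puts a `pull_request`-triggered job that resolves and analyzes the PR's Go module graph (`go install`, `govulncheck -mode source ./...`) on a self-hosted runner, while the three sibling workflows use `ubuntu-latest`; if the repository accepts pull requests from forks, that is untrusted module code and build directives executing on internal infrastructure with `secrets.GITHUB_TOKEN` written into the global git config. Confirm the runner is ephemeral and that fork PRs cannot reach it, or move this job to `runs-on: ubuntu-latest` like the others. If a dedicated runner is required for network reasons, a comment above `runs-on:` stating why would save the next reviewer the same question.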