Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OPS-4460 - Github actions for pr validation #105

Merged
Original file line number Diff line number Diff line change
@@ -1,22 +1,19 @@
name: GitLeaks
name: GitLeaksPRValidation
on: [pull_request]

on:
pull_request:
branches:
- main
workflow_dispatch: {}
concurrency:
group: gitleaks-${{ github.ref }}
cancel-in-progress: true

jobs:
gitleaks-scan:
gitleaks-pr-scan:
runs-on: ubuntu-latest
container:
image: gcr.io/spectro-common-dev/fayasa/bulwark:latest
image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest
env:
REPO: ${{ github.event.repository.name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
credentials:
username: _json_key
password: ${{ secrets.GCR_SPCD_JSON_KEY }}
GITLEAKS_CONFIG: /workspace/config.toml
steps:

- name: run-bulwark-gitleaks-scan
Expand All @@ -36,4 +33,4 @@ jobs:
exit 1
else
echo "GitLeaks validation check passed"
fi
fi
26 changes: 26 additions & 0 deletions .github/workflows/golicense-pr-validation.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
name: GoLicensesPRValidation
on: [pull_request]

concurrency:
group: go-licenses-${{ github.ref }}
cancel-in-progress: true

jobs:
go-licenses-pr-scan:
runs-on: ubuntu-latest
container:
image: gcr.io/spectro-images-public/golang:1.22-alpine
steps:
- name: install-go-licenses
run: GOBIN=/usr/local/bin go install github.com/google/go-licenses@latest

- name: checkout
uses: actions/checkout@v3

- name: set-github-access
run: |
/usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf https://github
/usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf git@github

- name: go-licenses-scan
run: go-licenses check --ignore github.com/spectrocloud ./...
38 changes: 38 additions & 0 deletions .github/workflows/gosec-pr-validation.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
name: GoSecPRValidation
on: [pull_request]

concurrency:
group: gosec-${{ github.ref }}
cancel-in-progress: true

jobs:
gosec-pr-scan:
runs-on: ubuntu-latest
container:
image: gcr.io/spectro-dev-public/bulwark/gosec:latest
env:
REPO: ${{ github.event.repository.name }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: gosec-scan
shell: sh
env:
BRANCH: ${{ github.head_ref || github.ref_name }}
GO111MODULE: on
run: /workspace/bulwark -name CodeSASTGoSec -verbose -target $REPO -tags "branch:$BRANCH,rules:-G101"

- name: check-result
shell: sh
run: |
resultPath=$REPO-result.json
issues=$(cat $resultPath | jq -r '.Stats.found')
echo "Found ${issues} issues"
echo "Issues by Rule ID"
jq -r '.Issues | group_by (.rule_id)[] | {rule: .[0].rule_id, count: length}' $resultPath
if [ "$issues" -gt 0 ]; then
echo "GoSec SAST scan failed with below findings..."
cat $resultPath
exit 1
else
echo "GoSec SAST scan passed"
fi
28 changes: 28 additions & 0 deletions .github/workflows/govulncheck-pr-validation.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
name: GoVulnCheckPRValidation
on: [pull_request]

concurrency:
group: govulncheck-${{ github.ref }}
cancel-in-progress: true

jobs:
govulncheck-pr-scan:
runs-on: security-runner
container:
image: gcr.io/spectro-images-public/golang:1.22-alpine
steps:
- name: install-govulncheck
run: GOBIN=/usr/local/bin go install golang.org/x/vuln/cmd/govulncheck@latest

- name: checkout
uses: actions/checkout@v3

- name: set-github-access
run: |
/usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf https://github
/usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf git@github
- name: govulncheck-scan
run: |
go version
govulncheck -mode source ./...
Loading