Skip to content

Commit d360c19

Browse files
ezhang6811thpierce
andauthored
add daily scan (#738)
* add daily scan * remove test trigger * update metric publishing * align format with adot daily scans * update cadence --------- Co-authored-by: Thomas Pierce <thp@amazon.com>
1 parent 40cd819 commit d360c19

1 file changed

Lines changed: 118 additions & 0 deletions

File tree

.github/workflows/daily-scan.yml

Lines changed: 118 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,118 @@
1+
## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2+
## SPDX-License-Identifier: Apache-2.0
3+
# Performs a daily scan of:
4+
# * The X-Ray Node.js SDK source code, using Trivy
5+
# * Project dependencies, using DependencyCheck
6+
#
7+
# Publishes results to CloudWatch Metrics.
8+
name: Daily scan
9+
10+
on:
11+
schedule: # scheduled to run every 6 hours
12+
- cron: '0 */6 * * *' # "At minute 0 past every 6th hour."
13+
workflow_dispatch: # be able to run the workflow on demand
14+
15+
env:
16+
AWS_DEFAULT_REGION: us-east-1
17+
18+
permissions:
19+
id-token: write
20+
contents: read
21+
22+
jobs:
23+
scan_and_report:
24+
runs-on: ubuntu-latest
25+
steps:
26+
- name: Checkout repo for dependency scan
27+
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
28+
with:
29+
fetch-depth: 0
30+
31+
- name: Setup Node.js for dependency scan
32+
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 #v4.0.4
33+
with:
34+
node-version: '18'
35+
36+
- name: Build Node.js project for scanning
37+
run: npm install
38+
39+
- name: Install Java for dependency scan
40+
uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #v5.0.0
41+
with:
42+
java-version: 17
43+
distribution: 'temurin'
44+
45+
- name: Configure AWS credentials for dependency scan
46+
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
47+
with:
48+
role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
49+
aws-region: ${{ env.AWS_DEFAULT_REGION }}
50+
51+
- name: Get NVD API key for dependency scan
52+
uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10
53+
id: nvd_api_key
54+
with:
55+
secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
56+
parse-json-secrets: true
57+
58+
# See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
59+
- name: Install and run dependency scan
60+
id: dep_scan
61+
if: always()
62+
run: |
63+
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
64+
VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt | head -n1 | cut -d" " -f1)
65+
curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
66+
curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
67+
gpg --verify dependency-check.zip.asc
68+
unzip dependency-check.zip
69+
./dependency-check/bin/dependency-check.sh --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} -s "."
70+
71+
- name: Print dependency scan results on failure
72+
if: ${{ steps.dep_scan.outcome != 'success' }}
73+
run: less dependency-check-report.html
74+
75+
- name: Perform high severity scan on source code
76+
if: always()
77+
id: high_scan_latest
78+
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1
79+
with:
80+
scan-type: 'fs'
81+
scan-ref: '.'
82+
severity: 'CRITICAL,HIGH'
83+
exit-code: '1'
84+
85+
- name: Perform low severity scan on source code
86+
if: always()
87+
id: low_scan_latest
88+
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1
89+
with:
90+
scan-type: 'fs'
91+
scan-ref: '.'
92+
severity: 'MEDIUM,LOW,UNKNOWN'
93+
exit-code: '1'
94+
95+
- name: Configure AWS Credentials for emitting metrics
96+
if: always()
97+
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
98+
with:
99+
role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
100+
aws-region: ${{ env.AWS_DEFAULT_REGION }}
101+
102+
- name: Publish high scan status
103+
if: always()
104+
run: |
105+
value="${{ steps.high_scan_latest.outcome == 'success' && '1.0' || '0.0' }}"
106+
aws cloudwatch put-metric-data --namespace 'MonitorSDK' \
107+
--metric-name Success \
108+
--dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_high \
109+
--value $value
110+
111+
- name: Publish low scan status
112+
if: always()
113+
run: |
114+
value="${{ steps.low_scan_latest.outcome == 'success' && steps.dep_scan.outcome == 'success' && '1.0' || '0.0' }}"
115+
aws cloudwatch put-metric-data --namespace 'MonitorSDK' \
116+
--metric-name Success \
117+
--dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_low \
118+
--value $value

0 commit comments

Comments
 (0)