## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
## SPDX-License-Identifier: Apache-2.0
# Daily scan workflow. It runs:
# * Trivy against the dependencies of the published X-Ray Ruby SDK artifact
# * DependencyCheck against the project dependencies
#
# The outcome of each scan is published as a CloudWatch metric.
---
name: Daily scan

on:
  # Runs at minute 50 past every 6th hour; workflow_dispatch allows an
  # on-demand run from the Actions UI or API.
  schedule:
    - cron: '50 */6 * * *'
  workflow_dispatch:

# Least privilege: the OIDC token is required to assume the AWS roles used by
# the job; repository contents are only ever read.
permissions:
  id-token: write
  contents: read

env:
  AWS_DEFAULT_REGION: us-east-1
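jobs:
  scan_and_report:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo for dependency scan
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # 5.0.0
        with:
          fetch-depth: 0

      - name: Setup Ruby for dependency scan
        uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1.295.0
        with:
          ruby-version: '3.0'

      # Installs the *published* gem rather than the checked-out source, so the
      # scans below see the dependency tree that end users actually receive.
      - name: Install published package for scanning
        run: |
          mkdir -p scan-target && cd scan-target
          echo 'source "https://rubygems.org"' > Gemfile
          echo 'gem "aws-xray-sdk"' >> Gemfile
          bundle install --path vendor/bundle

      - name: Install Java for dependency scan
        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
        with:
          # Quoted so the version is passed as a string, not a YAML integer.
          java-version: '17'
          distribution: 'temurin'

      - name: Configure AWS credentials for dependency scan
        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # 5.0.0
        with:
          role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}

      # Exports the fetched secrets as masked environment variables
      # (NVD_API_KEY_NVD_API_KEY, OSS_INDEX_USERNAME, OSS_INDEX_PASSWORD) that the
      # dependency scan step reads from its own environment.
      - name: Get secrets for dependency scan
        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 # v2.0.10
        id: nvd_api_key
        with:
          secret-ids: |
            ${{ secrets.NVD_API_KEY_SECRET_ARN }}
            OSS_INDEX, ${{ secrets.OSS_INDEX_SECRET_ARN }}
          parse-json-secrets: true

      - name: Install bundle-audit for dependency scan
        run: gem install bundler-audit

      # See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
      # Secrets are read from the environment ($VAR) instead of being expanded
      # into the script text with ${{ }}, so their contents are never parsed
      # as shell syntax. curl uses --fail so an HTTP error cannot leave an
      # empty VERSION or an error page on disk where the zip should be.
      - name: Install and run dependency scan
        id: dep_scan
        if: always()
        run: |
          gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
          VERSION=$(curl -fsS https://jeremylong.github.io/DependencyCheck/current.txt | head -n1 | cut -d" " -f1)
          test -n "$VERSION"
          curl -fsSL "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
          curl -fsSL "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
          # The release archive must verify against the key imported above
          # before it is unpacked and executed.
          gpg --verify dependency-check.zip.asc dependency-check.zip
          unzip dependency-check.zip
          ./dependency-check/bin/dependency-check.sh --enableExperimental --failOnCVSS 0 \
            --nvdApiKey "$NVD_API_KEY_NVD_API_KEY" \
            --ossIndexUsername "$OSS_INDEX_USERNAME" --ossIndexPassword "$OSS_INDEX_PASSWORD" \
            --suppression .github/dependency-check-suppressions.xml -s "scan-target/"

      # always() is required here: without a status-check function GitHub
      # applies an implicit success(), which skips this step in exactly the
      # case it exists for (a failed dep_scan step).
      - name: Print dependency scan results on failure
        if: ${{ always() && steps.dep_scan.outcome != 'success' }}
        run: cat dependency-check-report.html

      - name: Perform high severity scan on published artifact dependencies
        if: always()
        id: high_scan_latest
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
        with:
          scan-type: 'fs'
          scan-ref: 'scan-target/'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'
          scanners: 'vuln'
        env:
          TRIVY_IGNOREFILE: .github/trivy/daily-scan.trivyignore.yaml

      - name: Perform low severity scan on published artifact dependencies
        if: always()
        id: low_scan_latest
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
        with:
          scan-type: 'fs'
          scan-ref: 'scan-target/'
          severity: 'MEDIUM,LOW,UNKNOWN'
          exit-code: '1'
          scanners: 'vuln'
        env:
          TRIVY_IGNOREFILE: .github/trivy/daily-scan.trivyignore.yaml

      - name: Configure AWS Credentials for emitting metrics
        if: always()
        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # 5.0.0
        with:
          role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}

      # Metric value is 1.0 when the high severity scan passed, 0.0 otherwise.
      # Repository and branch are taken from the runner's default environment
      # variables and quoted, rather than expanded into the script text.
      - name: Publish high scan status
        if: always()
        run: |
          value="${{ steps.high_scan_latest.outcome == 'success' && '1.0' || '0.0' }}"
          aws cloudwatch put-metric-data --namespace 'MonitorSDK' \
            --metric-name Success \
            --dimensions "repository=$GITHUB_REPOSITORY,branch=$GITHUB_REF_NAME,workflow=daily_scan_high" \
            --value "$value"

      # Metric value is 1.0 only when both the low severity Trivy scan and the
      # DependencyCheck scan passed, 0.0 otherwise.
      - name: Publish low scan status
        if: always()
        run: |
          value="${{ steps.low_scan_latest.outcome == 'success' && steps.dep_scan.outcome == 'success' && '1.0' || '0.0' }}"
          aws cloudwatch put-metric-data --namespace 'MonitorSDK' \
            --metric-name Success \
            --dimensions "repository=$GITHUB_REPOSITORY,branch=$GITHUB_REF_NAME,workflow=daily_scan_low" \
            --value "$value"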