test

Signed-off-by: Vipin Yadav <vipin.yadav@progress.com>

Author: vipin230

.github/workflows/ci-main-pull-request.yml

@@ -541,6 +541,36 @@ on:
       #   required: false
       #   default: 'https://polaris.blackduck.com'
       #   type: string
+      perform-wiz-scan:
+        description: 'Perform Wiz CLI security scan on Docker image'
+        required: false
+        type: boolean
+        default: false
+      wiz-fail-build:
+        description: 'Fail the build on Wiz policy violations'
+        required: false
+        type: boolean
+        default: true
+      wiz-fail-on-critical:
+        description: 'Fail the pipeline if Wiz finds CRITICAL vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      wiz-fail-on-high:
+        description: 'Fail the pipeline if Wiz finds HIGH vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      wiz-fail-on-medium:
+        description: 'Fail the pipeline if Wiz finds MEDIUM vulnerabilities'
+        required: false
+        type: boolean
+        default: false
+      wiz-fail-on-low:
+        description: 'Fail the pipeline if Wiz finds LOW vulnerabilities'
+        required: false
+        type: boolean
+        default: false
 
 env:
   PRIMARY_APPLICATION: ${{ inputs.application }} # was 'default'   # Custom repo property [primaryApplication]: chef360, automate, infra-server, habitat, supermarket, licensing, downloads, chef-client, inspec, chef-workstation (or derivatives like habitat-builder)
@@ -979,156 +1009,27 @@ jobs:
   run-grype-image:
     name: 'Grype Docker image scan'
     if: ${{ inputs.perform-grype-image-scan }}
-    uses: chef/common-github-actions/.github/workflows/grype.yml@main
+    uses: chef/common-github-actions/.github/workflows/grype.yml@grype-wiz
     needs: checkout
     secrets: inherit
     with:
       fail-grype-on-high: ${{ inputs.grype-image-fail-on-high }}
       fail-grype-on-critical: ${{ inputs.grype-image-fail-on-critical }}
       grype-image-skip-aws: ${{ inputs.grype-image-skip-aws }}
 
-  run-grype-hab-package-scan:
-    name: 'Grype scan Habitat packages from bldr.habitat.sh'
-    if: ${{ inputs.perform-grype-hab-scan == true }}
-    uses: chef/common-github-actions/.github/workflows/grype-hab-package-scan.yml@main
+  run-wiz-scan:
+    name: 'Wiz CLI security scan'
+    if: ${{ inputs.perform-wiz-scan == true }}
+    uses: chef/common-github-actions/.github/workflows/wiz.yml@grype-wiz
     needs: checkout
-    secrets: inherit
     with:
-      build_package: ${{ inputs.grype-hab-build-package }}
-      hab_origin: ${{ inputs.grype-hab-origin }}
-      hab_package: ${{ inputs.grype-hab-package }}
-      hab_version: ${{ inputs.grype-hab-version }}
-      hab_release: ${{ inputs.grype-hab-release }}
-      hab_channel: ${{ inputs.grype-hab-channel }}
-      hab_path: ${{ inputs.grype-hab-path }}
-      scan-linux: ${{ inputs.grype-hab-scan-linux }}
-      scan-windows: ${{ inputs.grype-hab-scan-windows }}
-      scan-macos: ${{ inputs.grype-hab-scan-macos }}
-      fail-grype-on-high: ${{ inputs.grype-fail-on-high }}
-      fail-grype-on-critical: ${{ inputs.grype-fail-on-critical }}
-  
-    # run-srcclr:
-    #   if: ${{ inputs.perform-srcclr-scan == true }}
-    #   uses: chef/common-github-actions/.github/workflows/srcclr.yml@main
-    #   needs: run-scc
-
-    # run-veracode-sca:
-    #   if: ${{ inputs.perform-veracode-sca-scan == true }}
-    #   uses: chef/common-github-actions/.github/workflows/veracode-sca.yml@main
-    #   needs: run-scc
-    #   secrets: inherit
-    
-  ci-build:
-    name: 'Build/compilation and unit tests (CI)'
-    if : ${{ inputs.build == true }}
-    needs: checkout
-    timeout-minutes: 40 # Maximum allowed minutes for GitHub-hosted runners (6 hours = 360 minutes)
-    runs-on: ubuntu-latest
-    # TODO: make this matrix strategy, and allow language compiler version overrides
-    steps:
-      - name: 'Build language: ${{ inputs.language }}'
-        run: |
-          echo "Building application in language ${{ env.GA_BUILD_LANGUAGE }}"
-          echo " passed in with ${{ inputs.language }}"
-      - name: Checkout repository
-        uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - name: Configure git for private Go modules
-        if: inputs.language == 'go'
-        env:
-          GOPRIVATE: ${{ inputs.go-private-modules }}
-        run: git config --global url."https://${{ secrets.GH_TOKEN || secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/"
-      - name: 'Go build'
-        if: ${{ inputs.language == 'go' && env.GA_BUILD_PROFILE == 'cli' }}
-        continue-on-error: true
-        # TODO: make this a matrix on WIndows/Mac/Linux
-        # TODO: parameterize build output path
-        run: |
-          ls
-          pwd
-          go mod tidy
-          go build -o ./bin/${{ env.REPO_NAME }} .
-      - name: 'Go unit tests'
-        if: ${{ inputs.language == 'go' && inputs.unit-tests == true && inputs.build-profile == 'cli' }}
-        continue-on-error: true
-        run: |
-          go test -v ./... > ${{ inputs.unit-test-output-path }}
-
-      # TODO: add unit-test-command-override if go test is not desired        
-
-      - name: Upload test coverage artifact
-        if: ${{ inputs.language == 'go' && inputs.unit-tests == true && inputs.build-profile == 'cli' }}
-        uses: actions/upload-artifact@v4
-        # TODO: parameterize the unit test and coverage report names
-        with:
-            # Name of the artifact to upload.
-            name: test-coverage.out
-            # A file, directory or wildcard pattern that describes what to upload
-            path: ${{ inputs.unit-test-output-path }}
-        #   run: go test -v -coverprofile="coverage.out" ./... and upload artifact!
-        #     - name: Build for Rust binary
-        #       if: ${{ env.GA_BUILD_LANGUAGE == 'rust' }}  
-        #       run: echo 'hello world'
-        #       # cargo build --release --target-dir ./bin
-
-      #     - name: Build for Ruby binary 
-      # simple bundle install to generate gemlock(puts them in directory vendor/bundle, and uses actual gemspec for deployment to get multi-architecture ), then build gem
-      # https://bundler.io/man/bundle-install.1.html
-      - name: Set up Ruby # Fixed: Ruby setup was missing, causing "bundle: command not found" errors
-        if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }}
-        uses: ruby/setup-ruby@v1
-        with:
-          ruby-version: '3.4'
-          bundler-cache: false
-
-      - name: Configure Bundler for private Ruby gems
-        if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }}
-        run: |
-          if [ -z "${{ secrets.PRIVATE_ACCESS_KITCHEN_CHEF_ENTERPRISE }}" ]; then
-            echo "Skipping: PRIVATE_ACCESS_KITCHEN_CHEF_ENTERPRISE secret not configured or not in scope"
-            exit 0
-          fi
-          bundle config set --local github.com "x-access-token:${{ secrets.PRIVATE_ACCESS_KITCHEN_CHEF_ENTERPRISE }}"
-
-      - name: 'Ruby build'
-        if: ${{ inputs.language == 'ruby' && inputs.build-profile == 'cli' }}
-        continue-on-error: true
-        run: |
-          mkdir -p vendor
-          if [ -f "Gemfile.lock" ]; then
-            bundle install --deployment
-          else
-            echo "No Gemfile.lock found, creating it now"
-            bundle install --path vendor/bundle # Fixed: Removed --deployment flag when lockfile doesn't exist
-          fi
-          bundle exec rake build
-      # this does not work on all repos - chef-telemetry needs bundle install to generate gemfile.lock, but chef-cli does not commit gemfile.lock and needs bundle install to generate it at runtime - add flag to control whether bundle install is run in ci-build or language-specific checks
-      # TODO: detect if rakefile exists, else do bundler default
-      - name: 'Ruby unit tests'
-        if: ${{ inputs.language == 'ruby' && inputs.unit-tests == true && inputs.build-profile == 'cli' }}
-        continue-on-error: true
-        run: |
-          echo "Running Ruby unit tests with output to ${{ inputs.unit-test-output-path }}"
-        # bundle exec rake spec --trace > ${{ inputs.unit-test-output-path }}
+      fail-build: ${{ inputs.wiz-fail-build }}
+      fail-on-critical: ${{ inputs.wiz-fail-on-critical }}
+      fail-on-high: ${{ inputs.wiz-fail-on-high }}
+      fail-on-medium: ${{ inputs.wiz-fail-on-medium }}
+      fail-on-low: ${{ inputs.wiz-fail-on-low }}
+    secrets: inherit
 
-    # - name: Configure git for private modules
-    #   env:
-    #     GOPRIVATE: github.com/progress-platform-services/*
-    #   run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
-    
-    # TODO: dynamic version detection stepswith new flags ${{ detect-version-source-type: 'none' # options include "none" (do not detect), "file", "github-tag" or "github-release"
-    # AND ${{ detect-version-source-parameter: '' # use for file name}}
-    # version: ${{ github.workflow.env.APP_VERSION }}
-    # version: ${{ needs.set-app-version.outputs.app-version }}
-      
-    # if you have a version file, you can read it in to an environment variable with
-    #     - name: Set variables
-    #       run: |
-    #         VER=$(cat VERSION)
-    #         echo "VERSION=$VER" >> $GITHUB_ENV
-    #   then ${{ env.VERSION }}
-  
   set-application-version:
     runs-on: ubuntu-latest
     name: 'Detect SBOM version for application'

.github/workflows/grype.yml

@@ -37,8 +37,6 @@ jobs:
           fetch-depth: 0
 
       - name: Configure git for private
-        env:
-          GOPRIVATE: ${{ inputs.go-private-modules }}
         run: git config --global url."https://${{ secrets.GH_TOKEN }}@github.com/".insteadOf "https://github.com/"
 
       - name: Install Grype
@@ -73,7 +71,7 @@ jobs:
           SCAN_NAME="${{ github.repository }}"
           
           if [ ! -f "Dockerfile" ]; then
-            echo "❌ No Dockerfile found - this workflow requires a Dockerfile to scan Docker image"
+            echo "❌ No Dockerfile found - cannot scan"
             exit 1
           fi
           
@@ -98,28 +96,15 @@ jobs:
           elif [ -f "Makefile" ] && grep -q "^compose-build:" Makefile; then
             echo "Using Makefile compose-build target with GITHUB_TOKEN"
             export GITHUB_TOKEN="${{ secrets.GH_TOKEN }}"
-            
-            # Record image IDs before build to detect newly built images
-            BEFORE_IDS=$(docker images -q --no-trunc | sort)
-            
             make compose-build
             
             echo "Detecting built images..."
-            # Find newly created images by comparing before/after image IDs
-            AFTER_IDS=$(docker images -q --no-trunc | sort)
-            NEW_IDS=$(comm -13 <(echo "$BEFORE_IDS") <(echo "$AFTER_IDS"))
+            docker compose images
+            
+            IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep "^${REPO_NAME}" | grep -v "^<none>")
             
-            if [ -n "$NEW_IDS" ]; then
-              IMAGES=""
-              for id in $NEW_IDS; do
-                img=$(docker images --format "{{.Repository}}:{{.Tag}}" --filter "id=${id}" | grep -v "<none>" | head -1)
-                [ -n "$img" ] && IMAGES="${IMAGES}${img}"$'\n'
-              done
-              IMAGES=$(echo "$IMAGES" | grep -v '^$' | sort -u)
-            fi
-
             if [ -z "$IMAGES" ]; then
-              echo "No new images detected, scanning all recent images"
+              echo "No images found with prefix ${REPO_NAME}, scanning all recent images"
               IMAGES=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep -v "^<none>" | head -5)
             fi
           # Strategy 3: Fallback to standard docker build