apm-security-scan-demo-app/.github/workflows/apm-security-scan.yml at main · devopsabcs-engineering/apm-security-scan-demo-app · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
name: APM Security Scan

on:
  workflow_dispatch:
  schedule:
    - cron: '0 6 * * 1'

permissions:
  security-events: write
  contents: read

jobs:
  semantic-scan:
    name: "Engine 3: Semantic Patterns (${{ matrix.app }})"
    runs-on: ubuntu-latest
    strategy:
      matrix:
        app: ['001', '002', '003', '004', '005']
      fail-fast: false
    steps:
      - uses: actions/checkout@v4

      - uses: actions/checkout@v4
        with:
          repository: devopsabcs-engineering/apm-demo-app-${{ matrix.app }}
          path: target-app

      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Run semantic pattern scanner
        continue-on-error: true
        run: python src/converters/semantic-to-sarif.py --scan-dir target-app --output results.sarif

      - name: Upload Semantic SARIF to target repo
        if: always() && hashFiles('results.sarif') != ''
        env:
          GH_TOKEN: ${{ secrets.ORG_ADMIN_TOKEN }}
        run: |
          gzip -c results.sarif | base64 -w0 > /tmp/sarif_encoded.txt
          COMMIT_SHA=$(gh api repos/devopsabcs-engineering/apm-demo-app-${{ matrix.app }}/commits/main --jq '.sha')
          jq -n --arg sha "$COMMIT_SHA" --arg ref "refs/heads/main" --rawfile sarif /tmp/sarif_encoded.txt \
            '{commit_sha: $sha, ref: $ref, sarif: $sarif}' | \
          gh api --method POST \
            repos/devopsabcs-engineering/apm-demo-app-${{ matrix.app }}/code-scanning/sarifs \
            --input -
          echo "Uploaded semantic SARIF to apm-demo-app-${{ matrix.app }}"

  mcp-validation:
    name: "Engine 4: MCP Configuration (${{ matrix.app }})"
    runs-on: ubuntu-latest
    strategy:
      matrix:
        app: ['001', '002', '003', '004', '005']
      fail-fast: false
    steps:
      - uses: actions/checkout@v4

      - uses: actions/checkout@v4
        with:
          repository: devopsabcs-engineering/apm-demo-app-${{ matrix.app }}
          path: target-app

      - uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Validate MCP configuration
        continue-on-error: true
        run: python src/converters/mcp-to-sarif.py --scan-dir target-app --output mcp-results.sarif

      - name: Upload MCP SARIF to target repo
        if: always() && hashFiles('mcp-results.sarif') != ''
        env:
          GH_TOKEN: ${{ secrets.ORG_ADMIN_TOKEN }}
        run: |
          gzip -c mcp-results.sarif | base64 -w0 > /tmp/sarif_encoded.txt
          COMMIT_SHA=$(gh api repos/devopsabcs-engineering/apm-demo-app-${{ matrix.app }}/commits/main --jq '.sha')
          jq -n --arg sha "$COMMIT_SHA" --arg ref "refs/heads/main" --rawfile sarif /tmp/sarif_encoded.txt \
            '{commit_sha: $sha, ref: $ref, sarif: $sarif}' | \
          gh api --method POST \
            repos/devopsabcs-engineering/apm-demo-app-${{ matrix.app }}/code-scanning/sarifs \
            --input -
          echo "Uploaded MCP SARIF to apm-demo-app-${{ matrix.app }}"