-
Notifications
You must be signed in to change notification settings - Fork 3
207 lines (202 loc) · 7.19 KB
/
Copy pathsuper-devsecops.yml
File metadata and controls
207 lines (202 loc) · 7.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
name: Super DevSecOps Pipeline
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
permissions:
contents: read
jobs:
code_quality:
name: Eslint
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run ESLint
run: |
yarn install
npx eslint .
continue-on-error: true
syft-source-sbom:
name: SBOM for Source Code
needs: code_quality
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Scan the source code and upload dependency results
uses: anchore/sbom-action@ace0b9722a703812d78949ee4ac5b90de1c0eba2
with:
path: .
dependency-snapshot: true
format: spdx-json
build:
name: Build
runs-on: ubuntu-latest
needs: syft-source-sbom
strategy:
matrix:
node-version: [16.x, 18.x, 20.x]
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: Checkout Repository to Runner Context
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Use Node version ${{ matrix.node-version }}
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
node-version: ${{ matrix.node-version }}
cache: "yarn"
- name: Install Dependencies
run: |
yarn install
test:
name: Unit Tests
runs-on: ubuntu-latest
needs: build
strategy:
matrix:
node-version: [16.x, 18.x, 20.x]
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: Checkout Repository to Runner Context
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Use Node version ${{ matrix.node-version }}
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
node-version: ${{ matrix.node-version }}
cache: "yarn"
- name: Test with Jest
run: |
yarn install
yarn test
sast_codeql:
name: SAST with CodeQL
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
needs: test
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ["javascript-typescript"]
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Initialize CodeQL
uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
with:
languages: ${{ matrix.language }}
- name: Autobuild
uses: github/codeql-action/autobuild@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
with:
category: "/language:${{matrix.language}}"
sast_sonar:
name: SAST with SonarCloud
permissions:
pull-requests: read # allows SonarCloud to decorate PRs with analysis results
runs-on: ubuntu-latest
needs: test
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: Analyze with SonarCloud
uses: SonarSource/sonarcloud-github-action@5ee47de3c96f0c1c51b09d2ff1fec0cfeefcf67c
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
with:
args: -Dsonar.projectKey=stormsinbrewing_savvy-devsecops
-Dsonar.organization=stormsinbrewing
security_scorecard:
name: OpenSSF Security Scorecards
runs-on: ubuntu-latest
permissions:
# Don't make global permission: https://github.com/ossf/scorecard-action#workflow-restrictions
security-events: write # Needed to upload the results to code-scanning dashboard.
id-token: write # Needed to publish results and get a badge (see publish_results below).
needs: test
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
with:
results_file: results.sarif
results_format: sarif
repo_token: ${{ secrets.GITHUB_TOKEN }}
publish_results: true
- name: "Upload artifact"
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: SARIF file
path: results.sarif
retention-days: 5
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
with:
sarif_file: results.sarif
build-and-push-image:
name: BnP GHCR
permissions:
contents: write
packages: write
runs-on: ubuntu-latest
needs: sast_codeql
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Log in to the Container registry
uses: docker/login-action@1f401f745bf57e30b3a2800ad308a87d2ebdf14b
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: BnP Docker Image
run: |
docker build -t ghcr.io/stormsinbrewing/savvy-devsecops .
docker push ghcr.io/stormsinbrewing/savvy-devsecops
- name: Image SBOM Scan with Syft
uses: anchore/sbom-action@ace0b9722a703812d78949ee4ac5b90de1c0eba2
with:
image: "ghcr.io/stormsinbrewing/savvy-devsecops"
dependency-snapshot: true
format: spdx-json
artifact-name: spdx.docker.json