From 6e3a36f16c5273e36bc72dc45fe0b94501d20c36 Mon Sep 17 00:00:00 2001 From: christosservosNCIN Date: Mon, 26 Feb 2024 11:31:47 +0200 Subject: [PATCH] centralized security workflows --- .github/workflows/dependencycheck.yml | 38 +++++---------- .github/workflows/gitleaks.yml | 33 ++++--------- .github/workflows/sonar.yml | 69 +++++---------------------- 3 files changed, 32 insertions(+), 108 deletions(-) diff --git a/.github/workflows/dependencycheck.yml b/.github/workflows/dependencycheck.yml index 0b4b338..1861cb8 100644 --- a/.github/workflows/dependencycheck.yml +++ b/.github/workflows/dependencycheck.yml @@ -1,31 +1,15 @@ -name: SCA - Dependency-Check +name: SCA - Dependency-Check Caller on: push: - branches: [ 'main', 'release/*', 'feature/*', 'fix/*', 'refactor/*' ] - tags: [ v* ] + branches-ignore: + - 'dependabot/*' workflow_dispatch: - + jobs: - Dependency_check: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Depcheck Action - SCA - uses: dependency-check/Dependency-Check_Action@main - id: Depcheck - with: - project: '${{ github.repository }}' - path: '.' - format: 'HTML' - out: 'reports' # this is the default, no need to specify unless you wish to override it - args: > - --enableRetired - --enableExperimental - - name: Upload results - SCA - uses: actions/upload-artifact@master - with: - name: Depcheck report - path: ${{github.workspace}}/reports \ No newline at end of file + + SCA_caller: + uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sca.yml@main + secrets: + NVD_API_KEY: ${{ secrets.NVD_API_KEY }} + DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }} + DOJO_URL: ${{ secrets.DOJO_URL }} \ No newline at end of file diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml index 6658d3e..a32a740 100644 --- a/.github/workflows/gitleaks.yml +++ b/.github/workflows/gitleaks.yml 
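Review bot: The new `SCA_caller` job resolves the reusable workflow at `eudi-infra-ci/.github/workflows/sca.yml@main`, a mutable ref, so any push to that branch silently changes the code that receives `NVD_API_KEY`, `DOJO_TOKEN` and `DOJO_URL` from this repository's secrets; the gitleaks and sonar callers in this same patch have the same exposure. Pin the callee to a full commit SHA (or an immutable release tag) and let Dependabot bump it, e.g. `uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sca.yml@<40-char-sha> # vX.Y`. Separately, the `push` trigger now defines only `branches-ignore`, and GitHub Actions does not run a workflow for tag pushes when the trigger carries no `tags` filter, so the removed `tags: [ v* ]` coverage of release tags is gone; if release builds should still be scanned, add `tags: [ 'v*' ]` under `push:`.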
@@ -1,27 +1,14 @@ -name: Secret Scanning - Gitleaks +name: Secret Scanning - Gitleaks Caller on: push: - branches: [ 'main', 'release/*', 'feature/*', 'fix/*', 'refactor/*' ] - tags: [ v* ] + branches-ignore: + - 'dependabot/*' + workflow_dispatch: + jobs: - Secret-Scanning: - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Run Gitleaks from container - run: | - docker create --name GL --entrypoint /bin/bash --interactive --volume ${{ github.workspace }}:/src zricethezav/gitleaks - docker start GL - docker exec GL git config --global --add safe.directory '/src' - docker exec --user $(id -u):$(id -g) GL gitleaks detect --source=/src --verbose -c /src/security/gitleaks/gitleaks.toml --report-path /src/gitleaks-report.json - continue-on-error: true - - - name: upload_artifacts - uses: actions/upload-artifact@v3 - with: - name: Gitleaks Artifact Upload - path: ${{ github.workspace }}/gitleaks-report.json \ No newline at end of file + Secret_Scanning_caller: + uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/secretscanning.yml@main + secrets: + DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }} + DOJO_URL: ${{ secrets.DOJO_URL }} \ No newline at end of file diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml index c470f90..2c7fbdb 100644 --- a/.github/workflows/sonar.yml +++ b/.github/workflows/sonar.yml 
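Review bot: The repo-local rule set `security/gitleaks/gitleaks.toml` that the removed step passed with `-c` is no longer referenced anywhere: the new `Secret_Scanning_caller` job forwards only `DOJO_TOKEN` and `DOJO_URL` to `secretscanning.yml@main`, so nothing visible here tells the callee where that config lives or that the scan should run against a `fetch-depth: 0` full-history checkout. If the callee falls back to gitleaks' built-in rules, any custom rules or allowlist entries in that file stop applying without any failure, and history-wide scanning may shrink to the latest commit. Please confirm the callee's config and depth behaviour and either pass the config path explicitly (a `with:` input such as `config: security/gitleaks/gitleaks.toml`, if the callee exposes one) or delete the now-orphaned file so it does not advertise coverage that no longer exists. The `@main` ref should also be pinned to a commit SHA, as for the other callers.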
@@ -1,64 +1,17 @@ -name: SAST - SonarCloud +name: SAST - SonarCloud Caller on: push: - branches: [ 'main', 'release/*', 'feature/*', 'fix/*', 'refactor/*' ] - tags: [ v* ] + branches-ignore: + - 'dependabot/*' pull_request_target: workflow_dispatch: - + jobs: - check_secret: - name: Check secret presence - runs-on: ubuntu-latest - steps: - - run: if [[ -z "$SONAR_TOKEN" ]]; then exit 1; else echo "Secret exists. The workflow will be continued"; fi - env: + + SAST_caller: + uses: eu-digital-identity-wallet/eudi-infra-ci/.github/workflows/sast_action.yml@main + secrets: SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - P_WD_analysis: - name: SAST - SonarCloud - Push/WD analysis - needs: check_secret - runs-on: ubuntu-latest - if: (github.event_name == 'push'|| github.event_name == 'workflow_dispatch') - steps: - - name: Checkout action - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - name: setup projectkey - run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV - - name: SonarCloud Scan - Action - uses: SonarSource/sonarcloud-github-action@master - with: - args: > - -Dsonar.organization=${{ github.repository_owner }} - -Dsonar.projectKey=${{ env.PROJECTKEY }} - env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} # Needed to get PR information, if any - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - PR_analysis: - name: SAST- SonarCloud - PR analysis - needs: check_secret - runs-on: ubuntu-latest - if: (github.event_name == 'pull_request_target') - steps: - - name: Checkout action - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - ref: ${{ github.event.pull_request.head.sha }} - - name: setup projectkey - run: echo "PROJECTKEY=${{ github.repository_owner}}_$(echo ${{ github.repository }} | sed 's/.*\///')" >> $GITHUB_ENV - - name: SonarCloud Scan - Action - uses: 
SonarSource/sonarcloud-github-action@master - with: - args: > - -Dsonar.organization=${{ github.repository_owner }} - -Dsonar.projectKey=${{ env.PROJECTKEY }} - -Dsonar.pullrequest.key=${{ github.event.pull_request.number }} - -Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }} - -Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} - env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} # Needed to get PR information, if any - SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} \ No newline at end of file + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DOJO_TOKEN: ${{ secrets.DOJO_TOKEN }} + DOJO_URL: ${{ secrets.DOJO_URL }} \ No newline at end of file
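Review bot: `SAST_caller` keeps the `pull_request_target` trigger and now forwards `SONAR_TOKEN`, `GITHUB_TOKEN`, `DOJO_TOKEN` and `DOJO_URL` into `sast_action.yml@main` with no `permissions:` block, so a pull request from a fork reaches the callee with this repository's secrets and whatever default token scope the repository grants (write, unless it has been tightened). The removed `PR_analysis` job checked out `github.event.pull_request.head.sha`; if the callee does the same, any build or scanner step it runs on that checkout executes attacker-controlled content with those secrets in scope. Restrict the token at the caller, where the callee cannot widen it, by adding under `SAST_caller:` the lines `permissions:`, `  contents: read`, `  pull-requests: read` (the old jobs used the GitHub token only to read PR metadata), and confirm that the callee does not execute code from the PR head — otherwise switch the trigger to `pull_request`. Pin `@main` to a commit SHA as well.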