Merge branch 'main' into clickup-integrations

.github/workflows/ci.yml

@@ -47,18 +47,26 @@ jobs:
       contents: read
     needs: [prepare-matrix]
     strategy:
-      max-parallel: 5
+      max-parallel: 10
       matrix:
         integration: ${{fromJson(needs.prepare-matrix.outputs.matrix)}}
+        platform:
+          - linux/amd64
+          - linux/arm64
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
         with:
-          platforms: linux/amd64,linux/arm64
+          platforms: ${{ matrix.platform }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
+        with:
+          platforms: ${{ matrix.platform }}
+
       - name: Prepare Docker images tags
         id: prepare_tags
         run: |
@@ -74,6 +82,7 @@ jobs:
 
           dockerfile_path=integrations/_infra/Dockerfile
           if test -e $folder/../Dockerfile; then
+            echo "Choosing a custom Dockerfile for ${{ matrix.integration }}"
             dockerfile_path=$folder/../Dockerfile
           fi
           echo "dockerfile_path=$dockerfile_path" >> $GITHUB_OUTPUT
@@ -92,16 +101,31 @@ jobs:
             echo "is_dev_version=false" >> $GITHUB_OUTPUT
           fi
 
+      - name: Get used docker base image
+        id: get-docker-image
+        run: |
+          echo "base_image=$(cat ${{ steps.prepare_tags.outputs.dockerfile_path }} | head -n 1 | awk -F '=' '{print $2}' )" >> $GITHUB_OUTPUT
+
+      - name: Cache Docker images
+        uses: ScribeMD/[email protected]
+        with:
+          key: docker-${{ matrix.integration }}-${{ steps.get-docker-image.outputs.base_image }}-${{ matrix.platform }}
+
       - name: Build
         uses: docker/build-push-action@v6
         with:
           context: .
           file: ${{ steps.prepare_tags.outputs.dockerfile_path }}
-          platforms: linux/amd64,linux/arm64
+          platforms: ${{ matrix.platform }}
           push: false
+          load: true
           cache-from: type=gha
           cache-to: type=gha,mode=max
           tags: ${{ steps.prepare_tags.outputs.tags }}
           build-args: |
             BUILD_CONTEXT=${{ steps.prepare_tags.outputs.context_dir }}
             INTEGRATION_VERSION=${{ steps.prepare_tags.outputs.version }}
+
+      - name: Verify Built Image
+        run: |
+          docker run --platform ${{ matrix.platform }} --rm --entrypoint bash ${{ steps.prepare_tags.outputs.tags }} -c 'ocean version'

.github/workflows/core-test.yml

@@ -29,6 +29,12 @@ jobs:
         run: |
           make install
 
+      - name: Unit Test Core
+        env:
+          PYTEST_ADDOPTS: --junitxml=junit/unit-test-results-ocean/core.xml
+        run: |
+          make test
+
       - name: Build core for smoke test
         run: |
           make build
@@ -42,15 +48,25 @@ jobs:
         run: |
           ./scripts/run-smoke-test.sh
 
-      - name: Unit and Smoke Test Core
+      - name: Smoke Test Core
         env:
-          PYTEST_ADDOPTS: --junitxml=junit/test-results-ocean/core.xml
+          PYTEST_ADDOPTS: --junitxml=junit/smoke-test-results-ocean/core.xml
           PORT_CLIENT_ID: ${{ secrets.PORT_CLIENT_ID }}
           PORT_CLIENT_SECRET: ${{ secrets.PORT_CLIENT_SECRET }}
           PORT_BASE_URL: ${{ secrets.PORT_BASE_URL }}
           SMOKE_TEST_SUFFIX: ${{ github.run_id }}
         run: |
-          make test
+          make test/smoke
+
+      - name: Cleanup Smoke Test
+        env:
+          PYTEST_ADDOPTS: --junitxml=junit/smoke-test-results-ocean/core.xml
+          PORT_CLIENT_ID: ${{ secrets.PORT_CLIENT_ID }}
+          PORT_CLIENT_SECRET: ${{ secrets.PORT_CLIENT_SECRET }}
+          PORT_BASE_URL: ${{ secrets.PORT_BASE_URL }}
+          SMOKE_TEST_SUFFIX: ${{ github.run_id }}
+        run: |
+          make test/smoke
 
       - name: Install current core for all integrations
         run: |
@@ -66,7 +82,7 @@ jobs:
         uses: mikepenz/action-junit-report@v4
         if: ${{ always() }}
         with:
-          report_paths: '**/junit/test-results-**/*.xml'
+          report_paths: '**/junit/**-test-results-**/*.xml'
           include_passed: true
           require_tests: true
           fail_on_failure: true

.github/workflows/create-new-sonarcloud-project.yml

@@ -20,7 +20,7 @@ jobs:
           fetch-depth: 0
       - name: Get all changed integrations
         id: changed-integrations
-        uses: tj-actions/changed-files@v44
+        uses: tj-actions/changed-files@v45
         with:
           json: true
           dir_names: true

.github/workflows/detect-changes-matrix.yml

@@ -26,7 +26,7 @@ jobs:
 
       - name: Get list of changed files
         id: changed-files
-        uses: tj-actions/changed-files@v45.0.2
+        uses: tj-actions/changed-files@v45
         with:
           dir_names: true
           json: true
@@ -41,6 +41,7 @@ jobs:
             integrations:
               - 'integrations/**'
               - '!integrations/**/*.md'
+              - '!integrations/_infra/*'
 
       - name: Set integrations and all matrix
         id: set-all-matrix

.github/workflows/docker-images-security-scan.yml

@@ -0,0 +1,136 @@
+name: Scan docker images
+on:
+  workflow_dispatch:
+    inputs:
+      image:
+        type: choice
+        description: Image/s to scan
+        # This is a bit annoying, there's no real way to display the integrations dynamically in a dropdown for the action dispatcher
+        options:
+          - all
+          - aws
+          - azure-devops
+          - dynatrace
+          - fake-integration
+          - gcp
+          - jenkins
+          - kafka
+          - launchdarkly
+          - newrelic
+          - opencost
+          - pagerduty
+          - servicenow
+          - sonarqube
+          - terraform-cloud
+          - argocd
+          - azure
+          - datadog
+          - firehydrant
+          - gitlab
+          - jira
+          - kubecost
+          - linear
+          - octopus
+          - opsgenie
+          - sentry
+          - snyk
+          - statuspage
+          - wiz
+
+jobs:
+  detect-images:
+    runs-on: ubuntu-latest
+    outputs:
+      images: ${{ steps.set-images.outputs.images }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+
+      - name: Determine which image to scan
+        id: set-images
+        run: |
+          PROJECTS=$(ls --color=never ./integrations | grep -Ev '_infra')
+          if [[ "${{ inputs.image }}" != "all" ]]; then
+            PROJECTS="${{ inputs.image }}"
+          fi
+          IMAGES_WITH_VERSIONS=()
+          for PROJECT in ${PROJECTS}; do
+              if [[ ! -f ./integrations/"${PROJECT}"/pyproject.toml ]]; then
+                  continue
+              fi
+              VERSION=$(cat ./integrations/"${PROJECT}"/pyproject.toml | grep -E '^version = "(.*)"$' | awk -F ' ' '{print $3};' | sed 's/"//g')
+              if [[ -n ${VERSION} ]]; then
+                  IMAGES_WITH_VERSIONS+=( "${PROJECT}:${VERSION}" )
+              fi
+          done
+          IMAGES=$(echo "${IMAGES_WITH_VERSIONS[@]}" | jq -R -s -c  'split(" ") | map(select(length > 0))')
+          echo "Images to scan: ${IMAGES}"
+          echo "images=${IMAGES}" >> $GITHUB_OUTPUT
+  scan-images:
+    needs: detect-images
+    runs-on: ubuntu-latest
+    strategy:
+      max-parallel: 2
+      matrix:
+        image: ${{ fromJson(needs.detect-images.outputs.images) }}
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: linux/amd64,linux/arm64
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Extract version and image tag
+        id: enrich-version
+        run: |
+          INTEGRATION=$(echo "${{ matrix.image }}" | awk -F ':' '{print $1};')
+          VERSION=$(echo "${{ matrix.image }}" | awk -F ':' '{print $2};')
+          IDENTIFIER="${INTEGRATION}-${VERSION}-${{ github.sha }}"
+          IMAGE_FULL_TAG="port-ocean-security-tests-${INTEGRATION}:${VERSON}${{ github.sha }}"
+          echo "integration=${INTEGRATION}" >> ${GITHUB_OUTPUT}
+          echo "version=${VERSION}" >> ${GITHUB_OUTPUT}
+          echo "identifier=${IDENTIFIER}" >> ${GITHUB_OUTPUT}
+          echo "image_tag=${IMAGE_FULL_TAG}" >> ${GITHUB_OUTPUT}
+
+      - name: Build
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./integrations/_infra/Dockerfile
+          platforms: linux/amd64
+          push: false
+          tags: ${{ steps.enrich-version.outputs.image_tag }}
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          build-args: |
+            BUILD_CONTEXT=./integrations/${{ steps.enrich-version.outputs.integration }}
+            INTEGRATION_VERSION=${{ steps.enrich-version.outputs.version }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ steps.enrich-version.outputs.image_tag }}
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          output: trivy-${{ steps.enrich-version.outputs.integration }}.txt
+
+      - name: Publish Trivy Output to Summary
+        run: |
+          if [[ -s trivy-${{ steps.enrich-version.outputs.integration }}.txt ]]; then
+            {
+              echo "### Security Output"
+              echo "<details><summary>Click to expand</summary>"
+              echo ""
+              echo '```terraform'
+              cat trivy-${{ steps.enrich-version.outputs.integration }}.txt
+              echo '```'
+              echo "</details>"
+            } >> $GITHUB_STEP_SUMMARY
+          fi

.github/workflows/sonarcloud-integrations.yml

@@ -20,7 +20,7 @@ jobs:
           fetch-depth: 0
       - name: Get all changed integrations
         id: changed-integrations
-        uses: tj-actions/changed-files@v44
+        uses: tj-actions/changed-files@v45
         with:
           json: true
           dir_names: true

CHANGELOG.md

@@ -7,6 +7,43 @@ this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.htm
 
 <!-- towncrier release notes start -->
 
+## 0.12.3 (2024-10-09)
+
+### Improvements
+
+- Updated docker base image to improve security vulnerabilities
+
+
+## 0.12.2 (2024-10-06)
+
+### Improvements
+
+- Added a util `semaphore_async_iterator` to enable seamless control over concurrent executions.
+
+
+## 0.12.1 (2024-10-02)
+
+### Bug Fixes
+
+- Fixed a bug when running jq with iterator that caused the integration to crash
+- Reverted image to `python:3.11-slim-buster` to fix the issue with the alpine image
+
+## 0.12.0 (2024-10-01)
+
+### Improvements
+
+- Replace `python:3.11-slim-bookworm` with `python:3.11-alpine` to reduce dependencies and fix vulnerabilities
+
+### Bug Fixes
+
+- Fixed smoke tests to run concurrently and clean up after themselves
+
+## 0.11.0 (2024-09-29)
+
+### Improvements
+
+- Replace pyjq with jq.py to bump jq version from 1.5.2 to 1.7.1
+
 ## 0.10.12 (2024-09-19)
 
 ### Bug Fixes

Makefile

@@ -43,7 +43,7 @@ define deactivate_virtualenv
     fi
 endef
 
-.SILENT: install install/all test/all lint lint/fix build run new test test/watch clean bump/integrations bump/single-integration execute/all
+.SILENT: install install/all test/all test/smoke clean/smoke lint lint/fix build run new test test/watch clean bump/integrations bump/single-integration execute/all
 
 
 # Install dependencies
@@ -115,7 +115,13 @@ new:
 	$(ACTIVATE) && poetry run ocean new ./integrations --public
 
 test:
-	$(ACTIVATE) && pytest
+	$(ACTIVATE) && pytest -m 'not smoke'
+
+test/smoke:
+	$(ACTIVATE) && SMOKE_TEST_SUFFIX=$${SMOKE_TEST_SUFFIX:-default_value} pytest -m smoke
+
+clean/smoke:
+	$(ACTIVATE) && SMOKE_TEST_SUFFIX=$${SMOKE_TEST_SUFFIX:-default_value} python ./scripts/clean-smoke-test.py
 
 test/watch:
 	$(ACTIVATE) && \

integrations/_infra/Dockerfile

@@ -0,0 +1 @@
+./Dockerfile.Deb