From 91969ab4ae2ce6740ef2fd7655fec8a8573144ee Mon Sep 17 00:00:00 2001 From: "kedar.jamkhindikar@spectrocloud.com" <79581321+kedar-calsoftinc@users.noreply.github.com> Date: Thu, 19 Oct 2023 19:59:03 +0530 Subject: [PATCH] PCP-2012 : added validation checks --- .../bulwark-gitleaks-pr-validation.yaml | 36 +++++++++++++++++++ .github/workflows/bulwark-gosec-pr-scan.yaml | 35 ++++++++++++++++++ .../workflows/golicense-pr-validation.yaml | 31 ++++++++++++++++ .../workflows/govulncheck-pr-validation.yaml | 33 +++++++++++++++++ 4 files changed, 135 insertions(+) create mode 100644 .github/workflows/bulwark-gitleaks-pr-validation.yaml create mode 100644 .github/workflows/bulwark-gosec-pr-scan.yaml create mode 100644 .github/workflows/golicense-pr-validation.yaml create mode 100644 .github/workflows/govulncheck-pr-validation.yaml diff --git a/.github/workflows/bulwark-gitleaks-pr-validation.yaml b/.github/workflows/bulwark-gitleaks-pr-validation.yaml new file mode 100644 index 0000000000..6e50bc2a1e --- /dev/null +++ b/.github/workflows/bulwark-gitleaks-pr-validation.yaml 
@@ -0,0 +1,36 @@
+name: BulwarkGitLeaks
+on: [pull_request]
+
+concurrency:
+ group: gitleaks-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ gitleaks-pr-scan:
+ runs-on: ubuntu-latest
+ container:
+ image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest
+ env:
+ REPO: ${{ github.event.repository.name }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITLEAKS_CONFIG: /workspace/config.toml
+ steps:
+
+ - name: run-bulwark-gitleaks-scan
+ shell: sh
+ env:
+ BRANCH: ${{ github.head_ref || github.ref_name }}
+ run: /workspace/bulwark -name CodeSASTGitLeaks -target $REPO -tags "branch:$BRANCH,options:--log-opts origin..HEAD"
+
+ - name: check-result
+ shell: sh
+ run: |
+ resultPath=./$REPO/gitleaks.json
+ cat $resultPath | grep -v \"Match\"\: | grep -v \"Secret\"\:
+ total_failed_tests=`cat $resultPath | grep \"Fingerprint\"\: | wc -l`
+ if [ "$total_failed_tests" -gt 0 ]; then
+ echo "GitLeaks validation check failed with above findings..."
+ exit 1
+ else
+ echo "GitLeaks validation check passed"
+ fi
\ No newline at end of file
diff --git a/.github/workflows/bulwark-gosec-pr-scan.yaml b/.github/workflows/bulwark-gosec-pr-scan.yaml
new file mode 100644
index 0000000000..bbc50ca193
--- /dev/null
+++ b/.github/workflows/bulwark-gosec-pr-scan.yaml
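Review bot: The scanner runs from the mutable tag `gcr.io/spectro-dev-public/bulwark/gitleaks:latest` while `GITHUB_TOKEN` is exported into the container's environment, so anyone who can re-push that tag changes what executes with the token on every PR. Pin the image by digest, `image: gcr.io/spectro-dev-public/bulwark/gitleaks@sha256:<digest>`, and bump it deliberately. Passing the branch name through the `BRANCH` env var instead of inlining `${{ github.head_ref }}` into `run:` is the right shape, since a fork PR controls that value; how `bulwark` turns the `branch:` tag into git arguments is not visible here, so that it does so safely would have to be confirmed in the tool itself. Stripping `"Match":` and `"Secret":` lines before printing the result is a good touch and should survive any later change to the output format.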
@@ -0,0 +1,35 @@
+name: BulwarkGoSec
+on: [pull_request]
+
+concurrency:
+ group: gosec-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ gosec-pr-scan:
+ runs-on: ubuntu-latest
+ container:
+ image: gcr.io/spectro-dev-public/bulwark/gosec:latest
+ steps:
+
+ - name: run-gosec-scan
+ shell: sh
+ env:
+ BRANCH: ${{ github.head_ref || github.ref_name }}
+ GO111MODULE: on
+ run: |
+ /workspace/bulwark -name CodeSASTGoSec -verbose -target $REPO -tags "branch:$BRANCH,rules:all"
+
+ - name: check-result
+ shell: sh
+ run: |
+ resultPath=$REPO-result.json
+ issues=$(cat $resultPath | jq -r '.Stats.found')
+ echo "Found ${issues} issues"
+ if [ "$issues" -gt 0 ]; then
+ echo "GoSec SAST scan failed with below findings..."
+ cat $resultPath
+ exit 1
+ else
+ echo "GoSec SAST scan passed"
+ fi
diff --git a/.github/workflows/golicense-pr-validation.yaml b/.github/workflows/golicense-pr-validation.yaml
new file mode 100644
index 0000000000..129eea9f91
--- /dev/null
+++ b/.github/workflows/golicense-pr-validation.yaml
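Review bot: `$REPO` is expanded in both `run:` blocks, but unlike the gitleaks workflow this job defines no `REPO` variable, so bulwark receives an empty `-target` and `resultPath` becomes `-result.json`. Add `REPO: ${{ github.event.repository.name }}` to the step `env:` (or a job-level `env:`); the same digest-pinning concern applies to `gcr.io/spectro-dev-public/bulwark/gosec:latest`, which runs unpinned as a merge gate. `GO111MODULE: on` is an unquoted YAML 1.1 boolean literal and may be coerced to `true`, which Go rejects as an unknown setting; write `GO111MODULE: "on"` or drop it, since module mode is the default in current Go. The check-result step also assumes `jq` is present in the image, which cannot be confirmed from this hunk.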
@@ -0,0 +1,31 @@
+name: GoLicenses
+on: [pull_request]
+
+concurrency:
+ group: golicenses-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ golicense-pr-scan:
+ runs-on: ubuntu-latest
+ steps:
+ - name: install-git
+ run: sudo apt-get install -y git
+
+ - name: install-golicenses
+ run: GOBIN=/usr/local/bin go install github.com/google/go-licenses@latest
+
+ - name: checkout
+ uses: actions/checkout@v3
+
+ - name: set-github-access
+ run: |
+ /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf ssh://git@github
+ /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf https://github
+ /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf git@github
+
+ - name: golicense-scan
+ run: |
+ go-licenses check --ignore github.com/spectrocloud ./
+# go-licenses check --ignore github.com/spectrocloud ./hack/tools
+# go-licenses check --ignore github.com/spectrocloud ./spate/xk6-spate
\ No newline at end of file
diff --git a/.github/workflows/govulncheck-pr-validation.yaml b/.github/workflows/govulncheck-pr-validation.yaml
new file mode 100644
index 0000000000..711dd704be
--- /dev/null
+++ b/.github/workflows/govulncheck-pr-validation.yaml
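Review bot: The `insteadOf` rewrites in set-github-access use the bare prefixes `https://github`, `ssh://git@github` and `git@github`, and git's `url.<base>.insteadOf` is a plain prefix match, so any URL starting with `https://github` — including a host such as `github.example.net` named in a module `replace` directive of the PR being scanned — is rewritten to carry `GH_TOKEN` in its userinfo and sent there. Anchor the prefixes to the real host, e.g. `url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github.com/".insteadOf https://github.com/`, and likewise `ssh://git@github.com/` and `git@github.com:`. The token also lands in plaintext in `~/.gitconfig` on the runner for the rest of the job; a credential helper or a `GIT_CONFIG_*` variable scoped to the scan step would bound its lifetime. Since the trigger is `pull_request`, fork PRs receive no secrets and `GH_TOKEN` expands empty there, producing a `https://:x-oauth-basic@github...` rewrite — worth confirming how the job behaves for external contributors.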
@@ -0,0 +1,33 @@
+name: GoVulnCheck
+on: [pull_request]
+
+concurrency:
+ group: govulncheck-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ govulncheck-pr-scan:
+ runs-on: ubuntu-latest
+ container:
+ image: gcr.io/spectro-images-public/golang:alpine
+ steps:
+ - name: install-govulncheck
+ run: GOBIN=/usr/local/bin go install golang.org/x/vuln/cmd/govulncheck@latest
+
+ - name: checkout
+ uses: actions/checkout@v3
+
+ - name: set-github-access
+ run: |
+ /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf ssh://git@github
+ /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf https://github
+ /usr/bin/git config --global --add url."https://${{ secrets.GH_TOKEN }}:x-oauth-basic@github".insteadOf git@github
+
+ - name: govulncheck-scan
+ run: |
+ go version
+ govulncheck -mode source ./
+ govulncheck -mode source ./hack/tools
+
+
+
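Review bot: `govulncheck -mode source ./` analyzes only the root package and its transitive imports, so any package in the module the root does not import (a `cmd/` binary, for instance) is never checked and vulnerable calls reachable only from it will not fail the PR. Use the recursive pattern `govulncheck -mode source ./...`, and `./hack/tools/...` for the second invocation if that directory holds several packages; whether `hack/tools` is its own module (and so needs to be run from inside it) is not visible here. The `insteadOf` prefixes `https://github`, `ssh://git@github` and `git@github` are prefix matches that also cover other hosts whose name begins with `github`, so anchor them to `github.com/` (or `github.com:` for the scp form) to keep `GH_TOKEN` from being sent elsewhere. Pinning `golang.org/x/vuln/cmd/govulncheck@latest` and `gcr.io/spectro-images-public/golang:alpine` to a version and digest would make this gate reproducible.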