security-scan #135
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: security-scan | |
| on: | |
| schedule: | |
| - cron: "45 8 * * 1" | |
| workflow_dispatch: | |
| env: | |
| APPLICATION: digital-land-platform | |
| DOCKER_REPO: public.ecr.aws/l6z6v3j6 | |
| ZAP_VERSION: 2.15.0 | |
| jobs: | |
| dynamic-audit: | |
| runs-on: ubuntu-latest | |
| env: | |
| DOCKER_APPLICATION_TAG: latest | |
| outputs: | |
| alerts_info: ${{ steps.report.outputs.alerts_info }} | |
| alerts_low: ${{ steps.report.outputs.alerts_low }} | |
| alerts_medium: ${{ steps.report.outputs.alerts_medium }} | |
| alerts_high: ${{ steps.report.outputs.alerts_high }} | |
| alerts_total: ${{ steps.report.outputs.alerts_total }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: setup | |
| run: | | |
| sudo curl -SL https://github.com/docker/compose/releases/download/v2.10.2/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose | |
| sudo chmod +x /usr/local/bin/docker-compose | |
| docker pull ${DOCKER_REPO}/${APPLICATION}:${DOCKER_APPLICATION_TAG} | |
| - name: attack | |
| run: | | |
| make docker-security-scan | |
| cat zap-working-dir/zap-report.md >> $GITHUB_STEP_SUMMARY | |
| - name: upload log | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: zap.log | |
| path: zap-working-dir/zap.log | |
| - name: parse report | |
| id: report | |
| run: | | |
| echo "alerts_info=$(jq -rc '[ .site[0].alerts[] | select(.riskcode == "0") | .riskcode ] | length' zap-working-dir/zap-report.json)" >> $GITHUB_OUTPUT | |
| echo "alerts_low=$(jq -rc '[ .site[0].alerts[] | select(.riskcode == "1") | .riskcode ] | length' zap-working-dir/zap-report.json)" >> $GITHUB_OUTPUT | |
| echo "alerts_medium=$(jq -rc '[ .site[0].alerts[] | select(.riskcode == "2") | .riskcode ] | length' zap-working-dir/zap-report.json)" >> $GITHUB_OUTPUT | |
| echo "alerts_high=$(jq -rc '[ .site[0].alerts[] | select(.riskcode == "3") | .riskcode ] | length' zap-working-dir/zap-report.json)" >> $GITHUB_OUTPUT | |
| echo "alerts_total=$(jq -rc '[ .site[0].alerts[] ] | length' zap-working-dir/zap-report.json)" >> $GITHUB_OUTPUT | |
| static-audit: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| alerts_undefined: ${{ steps.report.outputs.alerts_undefined }} | |
| alerts_low: ${{ steps.report.outputs.alerts_low }} | |
| alerts_medium: ${{ steps.report.outputs.alerts_medium }} | |
| alerts_high: ${{ steps.report.outputs.alerts_high }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.9' | |
| - name: setup | |
| run: | | |
| sudo apt-get update && sudo apt-get install -y rsync | |
| pip install git+https://github.com/acodeninja/bandit_markdown_formatter@main | |
| npm install | |
| - name: audit | |
| run: | | |
| bandit -x ./tests/,./node_modules/ -r -f markdown -o bandit-report.md . || true | |
| bandit -x ./tests/,./node_modules/ -r -f json -o bandit-report.json . || true | |
| cat bandit-report.md >> $GITHUB_STEP_SUMMARY | |
| - name: parse report | |
| id: report | |
| run: | | |
| echo "alerts_undefined=$(jq -rc '.metrics._totals."SEVERITY.UNDEFINED"' bandit-report.json)" >> $GITHUB_OUTPUT | |
| echo "alerts_low=$(jq -rc '.metrics._totals."SEVERITY.LOW"' bandit-report.json)" >> $GITHUB_OUTPUT | |
| echo "alerts_medium=$(jq -rc '.metrics._totals."SEVERITY.MEDIUM"' bandit-report.json)" >> $GITHUB_OUTPUT | |
| echo "alerts_high=$(jq -rc '.metrics._totals."SEVERITY.HIGH"' bandit-report.json)" >> $GITHUB_OUTPUT | |
| send-report: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - dynamic-audit | |
| - static-audit | |
| steps: | |
| - name: send report notification | |
| uses: slackapi/slack-github-action@v1 | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
| with: | |
| channel-id: 'planning-data-platform' | |
| payload: | | |
| { | |
| "text": "Security Scan: digital-land.info", | |
| "icon_emoji": ":lock:", | |
| "username": "SecurityScanner", | |
| "blocks": [ | |
| { | |
| "type": "header", | |
| "text": { | |
| "type": "plain_text", | |
| "text": "Security Scan: digital-land.info" | |
| } | |
| }, | |
| { | |
| "type": "context", | |
| "elements": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Dynamic Audit*" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*TOTAL* ${{ needs.dynamic-audit.outputs.alerts_total }}" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*HIGH* ${{ needs.dynamic-audit.outputs.alerts_high }}" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*MEDIUM* ${{ needs.dynamic-audit.outputs.alerts_medium }}" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*LOW* ${{ needs.dynamic-audit.outputs.alerts_low }}" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*INFO* ${{ needs.dynamic-audit.outputs.alerts_info }}" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "context", | |
| "elements": [ | |
| { | |
| "type": "mrkdwn", | |
| "text": "*Static Audit*" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*HIGH* ${{ needs.static-audit.outputs.alerts_high }}" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*MEDIUM* ${{ needs.static-audit.outputs.alerts_medium }}" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*LOW* ${{ needs.static-audit.outputs.alerts_low }}" | |
| }, | |
| { | |
| "type": "mrkdwn", | |
| "text": "*UNDEFINED* ${{ needs.static-audit.outputs.alerts_undefined }}" | |
| } | |
| ] | |
| }, | |
| { | |
| "type": "divider" | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "The report for this scan is available on <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub>" | |
| } | |
| } | |
| ] | |
| } | |
| check-audit-errors: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - dynamic-audit | |
| - static-audit | |
| if: always() && contains(join(needs.*.result, ','), 'failure') | |
| steps: | |
| - name: send failure notification | |
| uses: slackapi/slack-github-action@v1 | |
| env: | |
| SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
| with: | |
| channel-id: 'planning-data-platform' | |
| payload: | | |
| { | |
| "text": "Security Scan: digital-land.info", | |
| "icon_emoji": ":alert:", | |
| "username": "SecurityScanner", | |
| "blocks": [ | |
| { | |
| "type": "header", | |
| "text": { | |
| "type": "plain_text", | |
| "text": "Security Scan Failed: digital-land.info" | |
| } | |
| }, | |
| { | |
| "type": "divider" | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "The report for this scan is available on <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub>" | |
| } | |
| } | |
| ] | |
| } |