security-scan #136
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: security-scan | |
on: | |
schedule: | |
- cron: "45 8 * * 1" | |
workflow_dispatch: | |
env: | |
APPLICATION: digital-land-platform | |
DOCKER_REPO: public.ecr.aws/l6z6v3j6 | |
ZAP_VERSION: 2.15.0 | |
jobs: | |
dynamic-audit: | |
runs-on: ubuntu-latest | |
env: | |
DOCKER_APPLICATION_TAG: latest | |
outputs: | |
alerts_info: ${{ steps.report.outputs.alerts_info }} | |
alerts_low: ${{ steps.report.outputs.alerts_low }} | |
alerts_medium: ${{ steps.report.outputs.alerts_medium }} | |
alerts_high: ${{ steps.report.outputs.alerts_high }} | |
alerts_total: ${{ steps.report.outputs.alerts_total }} | |
steps: | |
- uses: actions/checkout@v4 | |
- name: setup | |
run: | | |
sudo curl -SL https://github.com/docker/compose/releases/download/v2.10.2/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose | |
sudo chmod +x /usr/local/bin/docker-compose | |
docker pull ${DOCKER_REPO}/${APPLICATION}:${DOCKER_APPLICATION_TAG} | |
- name: attack | |
run: | | |
make docker-security-scan | |
cat zap-working-dir/zap-report.md >> $GITHUB_STEP_SUMMARY | |
- name: upload log | |
uses: actions/upload-artifact@v3 | |
if: always() | |
with: | |
name: zap.log | |
path: zap-working-dir/zap.log | |
- name: parse report | |
id: report | |
run: | | |
echo "alerts_info=$(jq -rc '[ .site[0].alerts[] | select(.riskcode == "0") | .riskcode ] | length' zap-working-dir/zap-report.json)" >> $GITHUB_OUTPUT | |
echo "alerts_low=$(jq -rc '[ .site[0].alerts[] | select(.riskcode == "1") | .riskcode ] | length' zap-working-dir/zap-report.json)" >> $GITHUB_OUTPUT | |
echo "alerts_medium=$(jq -rc '[ .site[0].alerts[] | select(.riskcode == "2") | .riskcode ] | length' zap-working-dir/zap-report.json)" >> $GITHUB_OUTPUT | |
echo "alerts_high=$(jq -rc '[ .site[0].alerts[] | select(.riskcode == "3") | .riskcode ] | length' zap-working-dir/zap-report.json)" >> $GITHUB_OUTPUT | |
echo "alerts_total=$(jq -rc '[ .site[0].alerts[] ] | length' zap-working-dir/zap-report.json)" >> $GITHUB_OUTPUT | |
static-audit: | |
runs-on: ubuntu-latest | |
outputs: | |
alerts_undefined: ${{ steps.report.outputs.alerts_undefined }} | |
alerts_low: ${{ steps.report.outputs.alerts_low }} | |
alerts_medium: ${{ steps.report.outputs.alerts_medium }} | |
alerts_high: ${{ steps.report.outputs.alerts_high }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.9' | |
- name: setup | |
run: | | |
sudo apt-get update && sudo apt-get install -y rsync | |
pip install git+https://github.com/acodeninja/bandit_markdown_formatter@main | |
npm install | |
- name: audit | |
run: | | |
bandit -x ./tests/,./node_modules/ -r -f markdown -o bandit-report.md . || true | |
bandit -x ./tests/,./node_modules/ -r -f json -o bandit-report.json . || true | |
cat bandit-report.md >> $GITHUB_STEP_SUMMARY | |
- name: parse report | |
id: report | |
run: | | |
echo "alerts_undefined=$(jq -rc '.metrics._totals."SEVERITY.UNDEFINED"' bandit-report.json)" >> $GITHUB_OUTPUT | |
echo "alerts_low=$(jq -rc '.metrics._totals."SEVERITY.LOW"' bandit-report.json)" >> $GITHUB_OUTPUT | |
echo "alerts_medium=$(jq -rc '.metrics._totals."SEVERITY.MEDIUM"' bandit-report.json)" >> $GITHUB_OUTPUT | |
echo "alerts_high=$(jq -rc '.metrics._totals."SEVERITY.HIGH"' bandit-report.json)" >> $GITHUB_OUTPUT | |
send-report: | |
runs-on: ubuntu-latest | |
needs: | |
- dynamic-audit | |
- static-audit | |
steps: | |
- name: send report notification | |
uses: slackapi/slack-github-action@v1 | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
with: | |
channel-id: 'planning-data-platform' | |
payload: | | |
{ | |
"text": "Security Scan: digital-land.info", | |
"icon_emoji": ":lock:", | |
"username": "SecurityScanner", | |
"blocks": [ | |
{ | |
"type": "header", | |
"text": { | |
"type": "plain_text", | |
"text": "Security Scan: digital-land.info" | |
} | |
}, | |
{ | |
"type": "context", | |
"elements": [ | |
{ | |
"type": "mrkdwn", | |
"text": "*Dynamic Audit*" | |
}, | |
{ | |
"type": "mrkdwn", | |
"text": "*TOTAL* ${{ needs.dynamic-audit.outputs.alerts_total }}" | |
}, | |
{ | |
"type": "mrkdwn", | |
"text": "*HIGH* ${{ needs.dynamic-audit.outputs.alerts_high }}" | |
}, | |
{ | |
"type": "mrkdwn", | |
"text": "*MEDIUM* ${{ needs.dynamic-audit.outputs.alerts_medium }}" | |
}, | |
{ | |
"type": "mrkdwn", | |
"text": "*LOW* ${{ needs.dynamic-audit.outputs.alerts_low }}" | |
}, | |
{ | |
"type": "mrkdwn", | |
"text": "*INFO* ${{ needs.dynamic-audit.outputs.alerts_info }}" | |
} | |
] | |
}, | |
{ | |
"type": "context", | |
"elements": [ | |
{ | |
"type": "mrkdwn", | |
"text": "*Static Audit*" | |
}, | |
{ | |
"type": "mrkdwn", | |
"text": "*HIGH* ${{ needs.static-audit.outputs.alerts_high }}" | |
}, | |
{ | |
"type": "mrkdwn", | |
"text": "*MEDIUM* ${{ needs.static-audit.outputs.alerts_medium }}" | |
}, | |
{ | |
"type": "mrkdwn", | |
"text": "*LOW* ${{ needs.static-audit.outputs.alerts_low }}" | |
}, | |
{ | |
"type": "mrkdwn", | |
"text": "*UNDEFINED* ${{ needs.static-audit.outputs.alerts_undefined }}" | |
} | |
] | |
}, | |
{ | |
"type": "divider" | |
}, | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "The report for this scan is available on <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub>" | |
} | |
} | |
] | |
} | |
check-audit-errors: | |
runs-on: ubuntu-latest | |
needs: | |
- dynamic-audit | |
- static-audit | |
if: always() && contains(join(needs.*.result, ','), 'failure') | |
steps: | |
- name: send failure notification | |
uses: slackapi/slack-github-action@v1 | |
env: | |
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} | |
with: | |
channel-id: 'planning-data-platform' | |
payload: | | |
{ | |
"text": "Security Scan: digital-land.info", | |
"icon_emoji": ":alert:", | |
"username": "SecurityScanner", | |
"blocks": [ | |
{ | |
"type": "header", | |
"text": { | |
"type": "plain_text", | |
"text": "Security Scan Failed: digital-land.info" | |
} | |
}, | |
{ | |
"type": "divider" | |
}, | |
{ | |
"type": "section", | |
"text": { | |
"type": "mrkdwn", | |
"text": "The report for this scan is available on <https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|GitHub>" | |
} | |
} | |
] | |
} |