diff --git a/.github/broadcast-files-config.yaml b/.github/broadcast-files-config.yaml index a166f0f1..e27eaee1 100644 --- a/.github/broadcast-files-config.yaml +++ b/.github/broadcast-files-config.yaml 
@@ -155,25 +155,25 @@ secutiry_scan_for_atp: bot_branch_name: broadcast-security-scan commit_message: | feat(ci): add security-scan workflow to scan for vulnerabilities in dependencies - Related issue: https://github.com/Netcracker/qubership-workflow-hub/issues/466 + Related issue: https://github.com/Netcracker/qubership-workflow-hub/issues/466, https://github.com/Netcracker/.github/issues/223 secutiry_scan_for_atp_playwright: patterns_to_include: workflow-templates/security-scan.yml destination: .github/workflows bot_branch_name: broadcast-security-scan commit_message: | feat(ci): add security-scan workflow to scan for vulnerabilities in dependencies for ATP playwright - Related issue: https://github.com/Netcracker/.github/issues/211 + Related issue: https://github.com/Netcracker/.github/issues/211, https://github.com/Netcracker/.github/issues/223 secutiry_scan_for_apihub: patterns_to_include: workflow-templates/security-scan.yml destination: .github/workflows bot_branch_name: broadcast-security-scan commit_message: | feat(ci): add security-scan workflow to scan for vulnerabilities in dependencies for APIHUB - Related issue: https://github.com/Netcracker/.github/issues/209 + Related issue: https://github.com/Netcracker/.github/issues/209, https://github.com/Netcracker/.github/issues/223 secutiry_scan_for_nifi: patterns_to_include: workflow-templates/security-scan.yml destination: .github/workflows bot_branch_name: broadcast-security-scan commit_message: | feat(ci): add security-scan workflow to scan for vulnerabilities in dependencies for NiFi - Related issue: https://github.com/Netcracker/.github/issues/213 \ No newline at end of file + Related issue: https://github.com/Netcracker/.github/issues/213, https://github.com/Netcracker/.github/issues/223 \ No newline at end of file diff --git a/workflow-templates/security-scan-apihub.yml b/workflow-templates/security-scan-apihub.yml new file mode 100644 index 00000000..38cdaec9 --- /dev/null 
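Review bot: The new `workflow-templates/security-scan-apihub.yml` introduced by this commit is not wired into this config: `secutiry_scan_for_apihub.patterns_to_include` still points at `workflow-templates/security-scan.yml`, so the APIHUB-specific template will not be broadcast anywhere. If the new file is meant to replace the generic workflow for APIHUB, change that entry to `patterns_to_include: workflow-templates/security-scan-apihub.yml`; if it is intended for manual use only, a one-line comment on the entry saying so would save the next reader the same question. The `secutiry_` misspelling in these keys predates the change, but since every entry is being touched it is a cheap moment to rename them, provided nothing else references the keys.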
+++ b/workflow-templates/security-scan-apihub.yml 
@@ -0,0 +1,99 @@ +name: Security Scan Docker Packages +run-name: > + Security Scan #${{ github.run_number }} for ${{ inputs.image != '' && inputs.image != null && inputs.image || 'all repository docker images' }} +on: + workflow_dispatch: + inputs: + target: + description: "Target type for the scan (docker, etc.)" + required: false + type: choice + options: + - docker + - source + image: + description: "Docker image (for docker). By default ghcr.io//:latest" + required: false + default: "" + type: string + tag: + description: "Tag of the image to scan. By default 'latest'" + required: false + default: "latest" + type: string + only-high-critical: + description: "Scope only HIGH + CRITICAL" + required: false + default: true + type: boolean + trivy-scan: + description: "Trivy scan" + required: false + default: true + type: boolean + grype-scan: + description: "Grype scan" + required: false + default: true + type: boolean + continue-on-error: + description: "Continue on error" + required: false + default: true + type: boolean + only-fixed: + description: "Ignore unfixed vulnerabilities" + required: false + default: true + type: boolean + schedule: + - cron: "0 3 * * 0" # every Sunday at 03:00 UTC + +jobs: + debug-packages: + runs-on: ubuntu-latest + permissions: + packages: read + outputs: + packages: ${{ steps.ghcr.outputs.packages }} + has-packages: ${{ steps.ghcr.outputs.has-packages }} + steps: + - name: List GHCR packages for this repo + id: ghcr + uses: Netcracker/qubership-workflow-hub/actions/ghcr-discover-repo-packages@v2.0.3 + env: + GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }} + + - name: Print packages + run: echo '${{ steps.ghcr.outputs.packages }}' | jq '.' + + - name: Continue only if repo has GHCR packages + if: ${{ steps.ghcr.outputs.has-packages == 'true' }} + run: echo "Packages found!" 
+ + security-scan-matrix: + needs: debug-packages + if: ${{ inputs.image == '' || inputs.image == null }} + strategy: + matrix: + package: ${{ fromJson(needs.debug-packages.outputs.packages) }} + + name: "Run Security Scan (matrix)" + uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@v2.0.3 + with: + target: ${{ inputs.target || 'docker' }} + image: ${{ format('{0}:{1}', matrix.package.path, inputs.tag || 'dev') }} + + security-scan-single: + needs: debug-packages + if: ${{ inputs.image != '' && inputs.image != null }} + name: "Run Security Scan (single image)" + uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@v2.0.3 + with: + target: ${{ inputs.target || 'docker' }} + image: ${{ inputs.image }} + only-high-critical: ${{ inputs.only-high-critical || true }} + trivy-scan: ${{ inputs.trivy-scan || true }} + grype-scan: ${{ inputs.grype-scan || true }} + only-fixed: ${{ inputs.only-fixed || true }} + continue-on-error: ${{ inputs.continue-on-error || true }} diff --git a/workflow-templates/security-scan.yml b/workflow-templates/security-scan.yml index 21e747f9..4c60abfe 100644 --- a/workflow-templates/security-scan.yml +++ b/workflow-templates/security-scan.yml @@ -16,6 +16,11 @@ on: required: false default: "" type: string + tag: + description: "Tag of the image to scan. By default 'latest'" + required: false + default: "latest" + type: string only-high-critical: description: "Scope only HIGH + CRITICAL" required: false 
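Review bot: In `security-scan-single` the five boolean inputs are forwarded as `${{ inputs.only-high-critical || true }}` (and likewise for `trivy-scan`, `grype-scan`, `only-fixed`, `continue-on-error`), which makes them impossible to switch off: when an operator unchecks `only-high-critical` or `only-fixed` in the dispatch form, `false || true` still evaluates to true, so the scan can never be widened beyond HIGH/CRITICAL or made to report unfixed CVEs. The job's `if` already requires a non-empty `inputs.image`, so it only ever runs from `workflow_dispatch`, where each boolean has `default: true`; the `|| true` fallback is never needed and should be dropped. Separately, `security-scan-matrix` falls back to `inputs.tag || 'dev'` while the input is documented as "By default 'latest'" and `security-scan.yml` falls back to `'latest'`; on `schedule` runs `inputs.tag` is empty, so APIHUB images are scanned at `:dev` — if that is intentional, update the description, otherwise align the fallback with the documented default.
```yaml
  security-scan-single:
    # … unchanged: needs / if / name / uses …
    with:
      target: ${{ inputs.target || 'docker' }}
      image: ${{ inputs.image }}
      # Booleans come straight from the dispatch form (each has default: true);
      # no `|| true`, which would silently override an operator's explicit false.
      only-high-critical: ${{ inputs.only-high-critical }}
      trivy-scan: ${{ inputs.trivy-scan }}
      grype-scan: ${{ inputs.grype-scan }}
      only-fixed: ${{ inputs.only-fixed }}
      continue-on-error: ${{ inputs.continue-on-error }}
```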
@@ -50,51 +55,40 @@ jobs: permissions: packages: read outputs: - ghcr-packages: ${{ steps.pkgs.outputs.ghcr-packages }} + packages: ${{ steps.ghcr.outputs.packages }} + has-packages: ${{ steps.ghcr.outputs.has-packages }} steps: - - name: Show raw GHCR response - id: pkgs + - name: List GHCR packages for this repo + id: ghcr + uses: Netcracker/qubership-workflow-hub/actions/ghcr-discover-repo-packages@v2.0.3 env: - GH_TOKEN: ${{ secrets.GH_PAT_PACKAGES }} - OWNER: ${{ github.repository_owner }} - run: | - api_url="https://api.github.com/users/${OWNER}/packages?package_type=container" - echo "Request: $api_url" - - response=$(curl -sS \ - -H "Authorization: Bearer $GH_TOKEN" \ - -H "Accept: application/vnd.github+json" \ - "$api_url") + GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }} - packages=$(echo "$response" | jq -c --arg owner "$OWNER" ' - [.[] - | select(.repository.full_name == "nookyo/qubership-monitoring-operator") - | { name: .name, repository: .repository.name, full_name: .repository.full_name, path: "ghcr.io/\($owner)/\(.name)" } - ] - ') + - name: Print packages + run: echo '${{ steps.ghcr.outputs.packages }}' | jq '.' - echo "ghcr-packages=$packages" >> "$GITHUB_OUTPUT" - echo "Raw response:" - echo "$packages" + - name: Continue only if repo has GHCR packages + if: ${{ steps.ghcr.outputs.has-packages == 'true' }} + run: echo "Packages found!" 
security-scan-matrix: needs: debug-packages if: ${{ inputs.image == '' || inputs.image == null }} strategy: matrix: - package: ${{ fromJson(needs.debug-packages.outputs.ghcr-packages) }} + package: ${{ fromJson(needs.debug-packages.outputs.packages) }} name: "Run Security Scan (matrix)" - uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@main + uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@v2.0.3 with: target: ${{ inputs.target || 'docker' }} - image: ${{ format('{0}:main', matrix.package.path) }} + image: ${{ format('{0}:{1}', matrix.package.path, inputs.tag || 'latest') }} security-scan-single: needs: debug-packages if: ${{ inputs.image != '' && inputs.image != null }} name: "Run Security Scan (single image)" - uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@main + uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@v2.0.3 with: target: ${{ inputs.target || 'docker' }} image: ${{ inputs.image }}
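Review bot: `has-packages` is exported from `debug-packages` but nothing consumes it — the step named `Continue only if repo has GHCR packages` only echoes, and `security-scan-matrix` still runs `fromJson(needs.debug-packages.outputs.packages)` unconditionally, so a repository with no GHCR packages yields an empty matrix, which GitHub rejects as an error rather than skipping the job. Gate the matrix job on the output: `if: ${{ (inputs.image == '' || inputs.image == null) && needs.debug-packages.outputs.has-packages == 'true' }}`. The `Print packages` step interpolates `${{ steps.ghcr.outputs.packages }}` directly into the shell command; pass it through `env:` as `PACKAGES: ${{ steps.ghcr.outputs.packages }}` and run `echo "$PACKAGES" | jq '.'` so a package name containing a quote cannot break or inject into the command. Note also that the job declares `permissions: packages: read` but the discovery step authenticates with `secrets.GH_ACCESS_TOKEN`, so that declaration does not bound what the step can do; if the action works with `GITHUB_TOKEN`, prefer it, otherwise document which scopes the PAT needs and that every repository receiving this broadcast must define the secret, since an unset secret produces an empty token and an opaque API failure.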