feat: add security scanning on CI workflow (#112)

* feat: added security scanning on docker images with trivy * chore: tigger CI workflow * chore: tigger CI workflow * fix: removed security scannning until tirvy-actions is on the allowed list-a * feat: added security scanning on php dependencies with snyk * chore: tigger CI workflow * chore: tigger CI workflow * fix: auth snyk before scanning * fix: correctly run the snyk command * fix: checkout before scanning * fix: reverting last commit * feat: changing way to get snyk working, installing package * fix: add checkout * feat: auth and run test * fix: change of plan, use snyk action set up * fix: add the php snyk actions * fix: setup snyk with php * chore: checking if snyk is installed * fix: using synk test to scan * fix: syntax error * fix: added secret to php.yaml * fix: using synk test to scan * feat: testing adding a sperate security workflow * fix: track security.yaml * feat: snyk tests run on security * feat: adding checkout action * fix: remvoed snyk from php.yaml * fix: scheduled everymonday at 00:00UTC * fix: only run security checks on images that have changed * fix: remove scheduling in security.yaml * chore: remove debugging echo * feat: add docker scanning with trivy * fix: add env variables to security.yaml * fix: image-ref points to correct branch * fix: image-ref points to the dockerfile * fix: image-ref points to the built image in GHCR * chore: trying to find where the docker images are * fix: clean up security.yaml * feat: adding scheduing to security.yaml * fix: each repo scan in its own job * fix: added working-directory * refactor: remove dependancy-scan, each check if scheduled run or not * fix: syntax error * refactor: chaning names * fix: track dependency-scan.yaml * fix: remove ref * refactor: chaning names and reverting changing * fix: track security-app.yaml * chore: triggering ci * feat: added terraform scanning * fix: remove need to check if terraform scanning works * fix: uploading trivy scan * fix: continue on error * fix: display trivy results * fix: upload to github code scanning * fix: run on all branches * fix: run on call * fix: display trivy results * fix: trivy uploading to code scanning * feat: terraform scanning is now on schedule * refactor: clearn-up * feat: add docker scanning with trivy * fix: changed trivy version * fix: try and find the image refs * fix: try and find the image refs * fix: scanning with a diffrent image ref * fix: remove echo * fix: changed trivy image ref * ci: add local registry * ci: build and push to local registry * ci: add diver-opts to buildx setup * ci: revert docker.yaml * ci: set working directory in terraform folder * ci: fail when vunrability found * ci: scan terrform directory within step * ci: exclude downloaded modules for terraform scanning * ci: cat results * ci: cat results * ci: exclude downloaded modules for terraform scanning * ci: upload sarif to gh code scanning * fix: empty commit * fix: revert dockerfile back * feat: upload results from app scan to github * feat: upload results from app scan to github for api and selfserve * feat: on fail, still uplaod to github. changed sarif upload paths * fix: revert dockerfile * ci: cleaned up and updated workflows * fix: removed continue-on-error in security-app.yaml Co-authored-by: JoshuaLicense <JoshuaLicense@users.noreply.github.com> * fix: removed all continue-on-error in security-app.yaml --------- Co-authored-by: JoshuaLicense <JoshuaLicense@users.noreply.github.com>
dvsa · May 20, 2024 · 2832f47 · 2832f47
1 parent 3ad631a
commit 2832f47
Show file tree

Hide file tree

Showing 3 changed files with 162 additions and 0 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -322,3 +322,32 @@ jobs:
       id-token: write
       pull-requests: write
     secrets: inherit
+
+  security-app:
+    name: Security App
+    needs:
+      - orchestrator
+    strategy:
+      matrix:
+        project:
+          - api
+          - selfserve
+          - internal
+        exclude:
+          - project: ${{ (needs.orchestrator.outputs.should-build-api || needs.orchestrator.outputs.should-build-api-docker) && 'ignored' || 'api' }}
+          - project: ${{ (needs.orchestrator.outputs.should-build-selfserve || needs.orchestrator.outputs.should-build-selfserve-docker) && 'ignored' || 'selfserve' }}
+          - project: ${{ (needs.orchestrator.outputs.should-build-internal || needs.orchestrator.outputs.should-build-internal-docker) && 'ignored' || 'internal' }}
+    uses: ./.github/workflows/security-app.yaml
+    with:
+      project: ${{ matrix.project }}
+    permissions:
+      contents: read
+      security-events: write
+    secrets: inherit
+
+  security-terraform:
+    name: Security Terraform
+    uses: ./.github/workflows/security-terraform.yaml
+    permissions:
+      contents: read
+      security-events: write
diff --git a/.github/workflows/security-app.yaml b/.github/workflows/security-app.yaml
@@ -0,0 +1,100 @@
+name: Security App
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        type: string
+        default: 5.3.0
+        required: false
+      project:
+        type: string
+        required: true
+  schedule:
+    # Weekly on Monday at 00:00 UTC
+    - cron: 0 0 * * 1
+
+jobs:
+  dependency-scan-api:
+    if: github.event_name == 'schedule' || inputs.project == 'api'
+    name: API
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: app/api
+    env:
+      # Temporary until this repository becomes a mono-repository: https://dvsa.atlassian.net/browse/VOL-4961.
+      REMOTE_REPOSITORY: dvsa/olcs-backend
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ env.REMOTE_REPOSITORY }}
+          path: app/api
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+      - name: Scan api repository
+        run: snyk test --sarif-file-output=snyk-results.sarif
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Upload Results to GitHub Code Scanning
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: app/api/snyk-results.sarif
+
+  dependency-scan-selfserve:
+    if: github.event_name == 'schedule' || inputs.project == 'selfserve'
+    name: Selfserve
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: app/selfserve
+    env:
+      # Temporary until this repository becomes a mono-repository: https://dvsa.atlassian.net/browse/VOL-4961.
+      REMOTE_REPOSITORY: dvsa/olcs-selfserve
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ env.REMOTE_REPOSITORY }}
+          path: app/selfserve
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+      - name: Scan selfserve repository
+        run: snyk test --sarif-file-output=snyk-results.sarif
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Upload Results to GitHub Code Scanning
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: app/selfserve/snyk-results.sarif
+
+  dependency-scan-internal:
+    if: github.event_name == 'schedule' || inputs.project == 'internal'
+    name: Internal
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: app/internal
+    env:
+      # Temporary until this repository becomes a mono-repository: https://dvsa.atlassian.net/browse/VOL-4961.
+      REMOTE_REPOSITORY: dvsa/olcs-internal
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ env.REMOTE_REPOSITORY }}
+          path: app/internal
+      - name: Setup Snyk
+        uses: snyk/actions/setup@master
+      - name: Scan internal repository
+        run: snyk test --sarif-file-output=snyk-results.sarif
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+      - name: Upload Results to GitHub Code Scanning
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: app/internal/snyk-results.sarif
diff --git a/.github/workflows/security-terraform.yaml b/.github/workflows/security-terraform.yaml
@@ -0,0 +1,33 @@
+name: Security Terraform
+
+on:
+  workflow_call:
+  schedule:
+    # Weekly on Monday at 00:00 UTC
+    - cron: 0 0 * * 1
+
+env:
+  TRIVY_TF_EXCLUDE_DOWNLOADED_MODULES: true
+
+jobs:
+  terraform-scan:
+    name: Terraform Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Scan Terraform
+        uses: aquasecurity/trivy-action@master
+        with:
+          exit-code: 1
+          scan-ref: "infra/terraform"
+          scan-type: "config"
+          format: "sarif"
+          output: "trivy-results.sarif"
+
+      - name: Upload Results to GitHub Code Scanning
+        if: ${{ always() }}
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"