-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
EvoluciveBOT has applied security_workflow (#50)
* EvoluciveBOT has applied security_workflow This is an automated task. Please consider this while reiviewing this pull request. > The complete description of what we are doing on this pull request, > and the motivation behind it can be found at: > [security_workflow](https://github.com/olxbr/evolucivebot/tree/main/src/roles/security_workflow) * update workflow Co-authored-by: Evolucivebot <[email protected]> Co-authored-by: Débora Pires <[email protected]>
- Loading branch information
1 parent
2acd64b
commit dcbdb0c
Showing
1 changed file
with
141 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,141 @@ | ||
name: Security Workflow | ||
|
||
on: [push, pull_request, workflow_dispatch] | ||
|
||
jobs: | ||
|
||
get-teams: | ||
name: "Get repository team names" | ||
runs-on: ubuntu-latest | ||
outputs: | ||
teams: ${{ steps.teams.outputs.teams }} | ||
|
||
if: | | ||
github.actor != 'dependabot[bot]' && | ||
((github.event_name == 'push' && github.ref_name == github.event.repository.default_branch) || | ||
github.event_name == 'pull_request' || | ||
github.event_name == 'workflow_dispatch') | ||
steps: | ||
- name: Export team names | ||
id: teams | ||
run: | | ||
TEAMS=$( \ | ||
curl -s -H "Authorization: token ${{ secrets.SECURITY_WORKFLOW_GH_PAT }}" \ | ||
-H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$GITHUB_REPOSITORY/teams | \ | ||
jq -c '. | [.[]? | .name ]' \ | ||
) | ||
echo "::set-output name=teams::$TEAMS" | ||
static-analysis: | ||
name: "Static Analysis" | ||
runs-on: ubuntu-latest | ||
needs: get-teams | ||
|
||
if: | | ||
github.actor != 'dependabot[bot]' && | ||
((github.event_name == 'push' && github.ref_name == github.event.repository.default_branch) || | ||
github.event_name == 'pull_request' || | ||
github.event_name == 'workflow_dispatch') | ||
steps: | ||
- name: Run checkout - push | ||
if: github.event_name == 'push' | ||
uses: actions/checkout@v2 | ||
with: | ||
fetch-depth: 1 | ||
|
||
- name: Run checkout - pull_request / workflow_dispatch | ||
if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' | ||
uses: actions/checkout@v2 | ||
with: | ||
fetch-depth: 0 | ||
|
||
- name: Run Gitleaks | ||
id: gitleaks | ||
uses: olxbr/gitleaks-action@main | ||
|
||
- name: Submit Gitleaks metrics | ||
run: | | ||
ENDPOINT=$(echo "${{ secrets.GH_METRICS_SERVER_ENDPOINT }}" | awk -F/ '{print $3}') | ||
DATA=$( \ | ||
jq -n \ | ||
--arg GITHUB_WORKFLOW "$GITHUB_WORKFLOW" \ | ||
--arg GITHUB_JOB "$GITHUB_JOB" \ | ||
--arg GITHUB_RUN_ID "$GITHUB_RUN_ID" \ | ||
--arg GITHUB_SHA "$GITHUB_SHA" \ | ||
--arg GITHUB_REPOSITORY "$GITHUB_REPOSITORY" \ | ||
--arg GITLEAKS_EXIT_CODE "${{ steps.gitleaks.outputs.exit_code }}" \ | ||
--argjson GITLEAKS_RESULT '${{ steps.gitleaks.outputs.result }}' \ | ||
--argjson TEAMS '${{ needs.get-teams.outputs.teams }}' \ | ||
'{ | ||
"workflow_job": { | ||
"name": $GITHUB_WORKFLOW, | ||
"id": $GITHUB_JOB, | ||
"run_id": $GITHUB_RUN_ID, | ||
"head_sha": $GITHUB_SHA | ||
}, | ||
"repository": { | ||
"full_name": $GITHUB_REPOSITORY | ||
}, | ||
"custom_metrics": { | ||
"outputs.exit_code": $GITLEAKS_EXIT_CODE, | ||
"outputs.result": $GITLEAKS_RESULT, | ||
"outputs.repository_teams": $TEAMS | ||
} | ||
}' \ | ||
) | ||
curl -sv "https://${ENDPOINT}/gitleaks" -d "$DATA" -H "Content-Type: application/json" --connect-timeout 15 --max-time 30 | ||
- name: Notify bad Gitleaks exit code | ||
if: steps.gitleaks.outputs.exit_code != 0 | ||
run: | | ||
TEAMS=$(echo '${{ needs.get-teams.outputs.teams }}' | jq '.[]' | tr -d '\\"') | ||
MESSAGE=$(printf "Summary report for <https://github.com/$GITHUB_REPOSITORY|$GITHUB_REPOSITORY> is ready for review.\nAssociated teams in this repository:\n\`\`\`$TEAMS\`\`\`") | ||
REPOSITORY_RUN="https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | ||
DATA=$( \ | ||
jq -n \ | ||
--arg CHANNEL "${{ secrets.SECURITY_WORKFLOW_SLACK_CHANNEL_ID }}" \ | ||
--arg REPOSITORY_RUN "$REPOSITORY_RUN" \ | ||
--arg MESSAGE "$MESSAGE" \ | ||
'{ | ||
"channel": $CHANNEL, | ||
"blocks": [ | ||
{ | ||
"type": "header", | ||
"text": { | ||
"type": "plain_text", | ||
"text": "Gitleaks raised issues" | ||
} | ||
}, | ||
{ | ||
"type": "section", | ||
"text": { | ||
"type": "mrkdwn", | ||
"text": $MESSAGE | ||
}, | ||
"accessory": { | ||
"type": "button", | ||
"text": { | ||
"type": "plain_text", | ||
"text": "See report" | ||
}, | ||
"url": $REPOSITORY_RUN | ||
} | ||
} | ||
] | ||
}' \ | ||
) | ||
curl -sv \ | ||
-d "$DATA" \ | ||
-H "Content-type: application/json" \ | ||
-H "Authorization: Bearer ${{ secrets.SEC_BOT_SLACK_TOKEN }}" \ | ||
-X POST https://slack.com/api/chat.postMessage | ||
- name: Evaluate Gitleaks exit code | ||
if: steps.gitleaks.outputs.exit_code != 0 | ||
uses: actions/github-script@v5 | ||
with: | ||
script: | | ||
core.setFailed("Gitleaks encountered leaks. Please fix it in order to keep a safe work.") | ||