ci: Add checkov in Github workflow #83
@@ -22,7 +22,7 @@ jobs: | |||||
steps: | ||||||
- uses: actions/checkout@v4.1.7 | ||||||
- name: Set up Python ${{ matrix.python-version }} | ||||||
uses: actions/setup-python@v5.1.0 | ||||||
uses: actions/setup-python@v5.1.1 | ||||||
with: | ||||||
python-version: ${{ matrix.python-version }} | ||||||
- name: Install Poetry Action | ||||||
@@ -56,15 +56,26 @@ jobs: | |||||
runs-on: ubuntu-latest | ||||||
steps: | ||||||
- uses: actions/checkout@v4.1.7 | ||||||
- name: Diffset | ||||||
id: diffset | ||||||
uses: softprops/diffset@v2.0.1 | ||||||
with: | ||||||
fetch-depth: 0 | ||||||
base: main | ||||||
glue_files: | | ||||||
**/*.py | ||||||
docker/* | ||||||
pyproject.toml | ||||||
- name: Pull official glue image | ||||||
if: steps.diffset.outputs.glue_files | ||||||
run: docker pull amazon/aws-glue-libs:glue_libs_4.0.0_image_01 | ||||||
- name: Build container | ||||||
if: steps.diffset.outputs.glue_files | ||||||
run: USER_ID=$(id -u) TARGET=coverage docker compose --file docker/docker-compose.yml build glue-utils | ||||||
- name: Run tests in container | ||||||
if: steps.diffset.outputs.glue_files | ||||||
run: USER_ID=$(id -u) TARGET=coverage docker compose --file docker/docker-compose.yml run --rm glue-utils -c "pytest --cov=glue_utils --cov-report=term --cov-report=xml" | ||||||
- name: SonarCloud Scan | ||||||
if: steps.diffset.outputs.glue_files | ||||||
uses: SonarSource/sonarcloud-github-action@master | ||||||
env: | ||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||||||
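Review bot: the SonarCloud step that this hunk now gates with `if: steps.diffset.outputs.glue_files` still uses `SonarSource/sonarcloud-github-action@master`, a mutable branch ref, so the code that receives `GITHUB_TOKEN` can change without any change to this repository; pin it to a release tag or commit SHA, as `actions/checkout@v4.1.7` and `softprops/diffset@v2.0.1` already are. Also note that with the four `if: steps.diffset.outputs.glue_files` guards, a pull request that only touches the workflow itself leaves the build, test and SonarCloud steps skipped, because none of `**/*.py`, `docker/*` or `pyproject.toml` matches; confirm that is intended or add the workflow path to `glue_files`.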
@@ -94,3 +105,24 @@ jobs: | |||||
- uses: actions/checkout@v4.1.7 | ||||||
- name: Check Makefile for errors | ||||||
uses: Uno-Takashi/checkmake-action@main | ||||||
checkov: | ||||||
name: Run Checkov | ||||||
runs-on: ubuntu-latest | ||||||
permissions: | ||||||
actions: read | ||||||
contents: read | ||||||
security-events: write | ||||||
steps: | ||||||
- uses: actions/checkout@v4.1.7 | ||||||
- name: Check code using Checkov | ||||||
uses: bridgecrewio/checkov-action@master | ||||||
🚨 suggestion (security): Consider pinning the Checkov action to a specific version Using
with: | ||||||
directory: . | ||||||
quiet: true | ||||||
output_format: cli,sarif | ||||||
output_file_path: console,results.sarif | ||||||
- name: Upload SARIF results | ||||||
if: success() || failure() | ||||||
uses: github/codeql-action/upload-sarif@v3 | ||||||
with: | ||||||
sarif_file: results.sarif |
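Review bot: `uses: bridgecrewio/checkov-action@master` runs whatever is on the action's default branch at each job start, and this job holds `security-events: write`; pin it to a release tag or commit SHA, matching the `actions/checkout@v4.1.7` pin in the same job. The `if: success() || failure()` on the `Upload SARIF results` step is the right choice: without it a failing Checkov run would also skip the upload and the findings would never reach code scanning, and since no `soft_fail` is set, a finding fails the job, which is what makes the check blocking.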
@@ -17,23 +17,23 @@ diverse, inclusive, and healthy community. | |
Examples of behavior that contributes to a positive environment for our | ||
community include: | ||
|
||
* Demonstrating empathy and kindness toward other people | ||
* Being respectful of differing opinions, viewpoints, and experiences | ||
* Giving and gracefully accepting constructive feedback | ||
* Accepting responsibility and apologizing to those affected by our mistakes, | ||
- Demonstrating empathy and kindness toward other people | ||
- Being respectful of differing opinions, viewpoints, and experiences | ||
- Giving and gracefully accepting constructive feedback | ||
- Accepting responsibility and apologizing to those affected by our mistakes, | ||
and learning from the experience | ||
* Focusing on what is best not just for us as individuals, but for the | ||
- Focusing on what is best not just for us as individuals, but for the | ||
overall community | ||
|
||
Examples of unacceptable behavior include: | ||
|
||
* The use of sexualized language or imagery, and sexual attention or | ||
- The use of sexualized language or imagery, and sexual attention or | ||
advances of any kind | ||
* Trolling, insulting or derogatory comments, and personal or political attacks | ||
* Public or private harassment | ||
* Publishing others' private information, such as a physical or email | ||
- Trolling, insulting or derogatory comments, and personal or political attacks | ||
- Public or private harassment | ||
- Publishing others' private information, such as a physical or email | ||
address, without their explicit permission | ||
* Other conduct which could reasonably be considered inappropriate in a | ||
- Other conduct which could reasonably be considered inappropriate in a | ||
professional setting | ||
|
||
## Enforcement Responsibilities | ||
|
@@ -106,7 +106,7 @@ Violating these terms may lead to a permanent ban. | |
### 4. Permanent Ban | ||
|
||
**Community Impact**: Demonstrating a pattern of violation of community | ||
standards, including sustained inappropriate behavior, harassment of an | ||
standards, including sustained inappropriate behavior, harassment of an | ||
issue (documentation): Double space detected. There is a double space between 'behavior,' and 'harassment'. Please correct it to a single space.
||
individual, or aggression toward or disparagement of classes of individuals. | ||
|
||
**Consequence**: A permanent ban from any sort of public interaction within | ||
@@ -1,53 +1,54 @@ | ||
#checkov:skip=CKV_DOCKER_2: HEALTHCHECK is not needed for this container | ||
# ----------------------- Base ----------------------- | ||
FROM amazon/aws-glue-libs:glue_libs_4.0.0_image_01 as base | ||
|
||
# Copy requirements file that contains tooling. | ||
WORKDIR /home/glue_user/workspace | ||
|
||
# hadolint ignore=DL3013 | ||
RUN pip3 install --disable-pip-version-check --no-compile --no-cache-dir --no-warn-script-location --user --upgrade pip \ | ||
&& mkdir -p docker | ||
|
||
|
||
# ----------------------- Test ----------------------- | ||
FROM base as test | ||
|
||
COPY docker/requirements.txt docker/requirements.txt | ||
|
||
RUN pip3 install --disable-pip-version-check --no-compile --no-cache-dir --no-warn-script-location --user -r docker/requirements.txt | ||
|
||
COPY src pyproject.toml README.md ./ | ||
|
||
# Install this package. | ||
RUN pip3 install --disable-pip-version-check --no-compile --no-cache-dir --no-warn-script-location --user . | ||
|
||
|
||
# --------------------- Coverage --------------------- | ||
FROM base as coverage | ||
|
||
# Pass the host user to the container. | ||
ARG USER_ID | ||
|
||
# Switch to root to be able to make changes in the container filesystem. | ||
USER root | ||
|
||
# Clean up /tmp which may already have glue_user-owned files with the | ||
# old UID. | ||
RUN rm -rf /tmp/* \ | ||
# Change UID of glue_user to be the same as host user. This allows | ||
# JupyterLab to write to the host system as glue_user. | ||
&& usermod -u $USER_ID glue_user | ||
|
||
# Switch to glue_user to be able to make changes for the user itself. | ||
USER glue_user | ||
|
||
COPY docker/requirements.txt docker/requirements.txt | ||
|
||
RUN pip3 install --disable-pip-version-check --no-compile --no-cache-dir --no-warn-script-location --user -r docker/requirements.txt | ||
|
||
COPY src pyproject.toml README.md ./ | ||
|
||
# Install this package. | ||
RUN pip3 install --disable-pip-version-check --no-compile --no-cache-dir --no-warn-script-location --user . \ | ||
# Prepare a /tmp directory needed by Spark to start. | ||
&& mkdir -p /tmp/spark-events | ||
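Review bot: the `#checkov:skip=CKV_DOCKER_2` comment added on line 1 is meant to suppress the HEALTHCHECK check, yet the code scanning annotation on this file still reports "Ensure that HEALTHCHECK instructions have been added to container images". Check whether that result predates the skip comment (a re-run on this commit should clear it) before merging; if it persists, the suppression is not being applied and either its placement needs fixing or a `HEALTHCHECK` should be added. The skip reason should also say why a health check is unnecessary, for example that the image is only run as a one-shot test container, as the `docker compose ... run --rm glue-utils -c "pytest ..."` step in the workflow suggests, rather than just asserting it.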
Check warning (Code scanning / checkov): Ensure that HEALTHCHECK instructions have been added to container images
🚨 issue (security): Review the permissions granted to the Checkov job
The Checkov job is granted `actions: read`, `contents: read`, and `security-events: write` permissions. Ensure that these permissions are necessary and follow the principle of least privilege to minimize security risks.