PR Code Security Scan #269

Workflow file for this run

.github/workflows/pr-security.yml at 193237c

	name: PR Code Security Scan

	on:
	pull_request_review:
	types:
	- submitted
	- edited
	paths:
	- 'go.mod'
	- 'build/linux/Dockerfile'
	- 'build/linux/alpine.Dockerfile'
	- 'build/windows/Dockerfile'
	- '.github/workflows/pr-security.yml'

	jobs:
	server-dependencies:
	name: Server Dependency Check
	runs-on: ubuntu-latest
	if: >-
	github.event.pull_request &&
	github.event.review.body == '/scan'
	outputs:
	godiff: ${{ steps.set-diff-matrix.outputs.go_diff_result }}
	steps:
	- name: checkout repository
	uses: actions/checkout@master

	- name: install Go
	uses: actions/setup-go@v3
	with:
	go-version: '1.19.5'

	- name: download Go modules
	run: go get -t -v -d ./...

	- name: scan vulnerabilities by Snyk
	continue-on-error: true # To make sure that artifact upload gets called
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	run: \|
	yarn global add snyk
	snyk test --file=./go.mod --json-file-output=snyk.json 2>/dev/null \|\| :

	- name: upload scan result as pull-request artifact
	uses: actions/upload-artifact@v3
	with:
	name: go-security-scan-feature-result
	path: snyk.json

	- name: download artifacts from develop branch built by nightly scan
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	mv ./snyk.json ./go-snyk-feature.json
	(gh run download -n go-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) \|\| :
	if [[ -e ./snyk.json ]]; then
	mv ./snyk.json ./go-snyk-develop.json
	else
	echo "null" > ./go-snyk-develop.json
	fi

	- name: pr vs develop scan report comparison export to html
	run: \|
	$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=table --export --export-filename="/data/go-result")

	- name: upload html file as artifact
	uses: actions/upload-artifact@v3
	with:
	name: html-go-result-compare-to-develop-${{github.run_id}}
	path: go-result.html

	- name: analyse different vulnerabilities against develop branch
	id: set-diff-matrix
	run: \|
	result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=snyk --path="/data/go-snyk-feature.json" --compare-to="/data/go-snyk-develop.json" --output-type=matrix)
	echo "go_diff_result=${result}" >> $GITHUB_OUTPUT

	image-vulnerability:
	name: Image Vulnerability Check
	runs-on: ubuntu-latest
	if: >-
	github.event.pull_request &&
	github.event.review.body == '/scan'
	outputs:
	imagediff: ${{ steps.set-diff-matrix.outputs.image_diff_result }}
	steps:
	- name: checkout code
	uses: actions/checkout@master

	- name: install Go 1.19.5
	uses: actions/setup-go@v3
	with:
	go-version: '1.19.5'

	- name: download 3rd-party binaries
	run: ./setup.sh

	- name: compile the codebase
	run: ./dev.sh compile

	- name: set up docker buildx
	uses: docker/setup-buildx-action@v2

	- name: build and compress image
	uses: docker/build-push-action@v4
	with:
	context: .
	file: build/linux/Dockerfile
	tags: portainer-agent:${{ github.sha }}
	outputs: type=docker,dest=/tmp/portainer-agent-image.tar

	- name: load docker image
	run: \|
	docker load --input /tmp/portainer-agent-image.tar

	- name: scan vulnerabilities by Trivy
	uses: docker://docker.io/aquasec/trivy:latest
	continue-on-error: true
	with:
	args: image --ignore-unfixed=true --vuln-type="os,library" --exit-code=1 --format="json" --output="image-trivy.json" --no-progress portainer-agent:${{ github.sha }}

	- name: upload image security scan result as artifact
	uses: actions/upload-artifact@v3
	with:
	name: image-security-scan-feature-result
	path: image-trivy.json

	- name: download artifacts from develop branch built by nightly scan
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	mv ./image-trivy.json ./image-trivy-feature.json
	(gh run download -n image-security-scan-develop-result -R ${{ github.repository }} 2>&1 >/dev/null) \|\| :
	if [[ -e ./image-trivy.json ]]; then
	mv ./image-trivy.json ./image-trivy-develop.json
	else
	echo "null" > ./image-trivy-develop.json
	fi

	- name: pr vs develop scan report comparison export to html
	run: \|
	$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=table --export --export-filename="/data/image-result")

	- name: upload html file as artifact
	uses: actions/upload-artifact@v3
	with:
	name: html-image-result-compare-to-develop-${{github.run_id}}
	path: image-result.html

	- name: analyse different vulnerabilities against develop branch
	id: set-diff-matrix
	run: \|
	result=$(docker run --rm -v ${{ github.workspace }}:/data portainerci/code-security-report:latest diff --report-type=trivy --path="/data/image-trivy-feature.json" --compare-to="/data/image-trivy-develop.json" --output-type=matrix)
	echo "image_diff_result=${result}" >> $GITHUB_OUTPUT

	result-analysis:
	name: Analyse Scan Result Against develop Branch
	needs: [server-dependencies, image-vulnerability]
	runs-on: ubuntu-latest
	if: >-
	github.event.pull_request &&
	github.event.review.body == '/scan'
	strategy:
	matrix:
	godiff: ${{fromJson(needs.server-dependencies.outputs.godiff)}}
	imagediff: ${{fromJson(needs.image-vulnerability.outputs.imagediff)}}
	steps:
	- name: check job status of diff result
	if: >-
	matrix.godiff.status == 'failure' \|\|
	matrix.imagediff.status == 'failure'
	run: \|
	echo "${{ matrix.godiff.status }}"
	echo "${{ matrix.imagediff.status }}"
	echo "${{ matrix.godiff.summary }}"
	echo "${{ matrix.imagediff.summary }}"
	exit 1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PR Code Security Scan #269

Workflow file

PR Code Security Scan #269

Jobs

Run details

Workflow file for this run