From 7e0c05cb3bedcf3c012b34ab58128b9f757272ea Mon Sep 17 00:00:00 2001 From: Abhilash Reddy Date: Fri, 6 Jun 2025 13:45:30 -0400 Subject: [PATCH 1/4] Add shift-left --- .github/workflows/codeql.yml | 69 ++++++++++++++++++++++++++++ .github/workflows/snyk.yml | 87 ++++++++++++++++++++++++++++++++++++ 2 files changed, 156 insertions(+) create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/snyk.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..da80c5b --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,69 @@ +# Define the name of the workflow +name: "CodeQL-Advanced" + +# Define when the workflow should be triggered (on push to a specific branch and pull requests to the master branch) +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] +# schedule: +# - cron: '29 11 * * 5' + +# Define the jobs that will be executed as part of the workflow +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: + group: ncats-awsci-runners + timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} + permissions: + # required for all workflows + security-events: write + + # required to fetch internal or private CodeQL packs + packages: read + + # only required for workflows in private repositories + actions: read + contents: read + + strategy: + fail-fast: false + matrix: + include: + - language: python + build-mode: none + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # Initializes the CodeQL tools for scanning. + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} + + # Step 3: Autobuild the code. + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + # Step 4: Analyzes the code using CodeQL, with the analysis category based on the matrix language. + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" + + # Step 5: Generate Security Report + - name: Generate Security Report + uses: rsdmike/github-security-report-action@v3.0.4 + with: + token: ${{ secrets.GITHUB_TOKEN }} + + # Step 6: Uploads artifacts (PDF reports) generated during the workflow to download. + - name: Upload Artifacts + uses: actions/upload-artifact@v4 + with: + name: codeql-reports-${{ matrix.language }} + path: ./*.pdf \ No newline at end of file diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml new file mode 100644 index 0000000..e4a08db --- /dev/null +++ b/.github/workflows/snyk.yml @@ -0,0 +1,87 @@ +# Define the name of the workflow +name: snyk + +# Define variables +env: + DOCKER_REGISTRY: registry.ncats.nih.gov:5000 + IMAGE_NAME: DocumentMetadataAPI + +# Define when the workflow should be triggered (on push to a specific branch and pull requests to the master branch) +on: + push: + branches: + - main + pull_request: + branches: + - main + +# Define the jobs that will be executed as part of the workflow +jobs: + # Job to build and push the ZAP Docker image to Docker Hub + Snyk-Docker-Image: + runs-on: + group: ncats-awsci-runners + + permissions: + actions: read + contents: read + security-events: write + issues: write + + steps: + # Step 1: Checkout repository + - name: Checkout code + uses: actions/checkout@v4 + + # Step 2: Generate Build Version Number + - name: Generate Build Version Number + id: GET_BUILD_VERSION + run: | + # Get the last recorded date from the environment variable + LAST_DATE=$(date -d "$LAST_BUILD_DATE" +'%Y-%m-%d' 2>/dev/null || echo "") + + # Get the current date + CURRENT_DATE=$(date +'%Y-%m-%d') + echo "Last recorded date: $LAST_DATE" + echo "Current date: $CURRENT_DATE" + + # Check if it's a new day + if [ "$LAST_DATE" != "$CURRENT_DATE" ]; then + # Reset BUILDS_TODAY to 0 for the new day + BUILDS_TODAY=0 + echo "Resetting BUILDS_TODAY to 0 for the new day" + else + # Calculate the number of builds today + BUILDS_TODAY=$(seq -f v$GITHUB_RUN_NUMBER.%g $(($GITHUB_RUN_NUMBER - 1)) | wc -l) + echo "Incrementing BUILDS_TODAY" + fi + + # Store the current date for the next run + echo "LAST_BUILD_DATE=$CURRENT_DATE" >> $GITHUB_ENV + + # Generate the build version with the number of builds today + BUILD_VERSION_GENERATED=$(date +v%Y.%m%d.$BUILDS_TODAY) + echo "Generated Build Version: $BUILD_VERSION_GENERATED" + echo "BUILD_VERSION=$BUILD_VERSION_GENERATED" >> $GITHUB_ENV + echo "BUILD=true" >> $GITHUB_ENV + echo "::set-output name=build_version::$BUILD_VERSION_GENERATED" + + # Step 3: Login to Dockerhub + - name: Login to Dockerhub + run: docker login -u "${{ secrets.DKRHUB_NCATSSVCDVOPS_USERNAME }}" -p "${{ secrets.DKRHUB_NCATSSVCDVOPS_TOKEN_WRITE }}" + + # # Step 4: Build a Docker image + - name: Build a Docker image + run: docker build --no-cache -f ./Dockerfile --build-arg BUILD_VERSION=${BUILD_VERSION} -t $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION . + + # # Step 5: Run Snyk to check Docker image for vulnerabilities + - name: Run Snyk to check Docker image for vulnerabilities + continue-on-error: true + uses: snyk/actions/docker@master + id: documentMetadataApi + env: + SNYK_TOKEN: ${{ secrets.SNYK_CLI }} + with: + command: monitor + image: $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION + args: "--file=deploy-ncats/Dockerfile" \ No newline at end of file From 9236baf013bed17c661f8b78868bce7348c4c3df Mon Sep 17 00:00:00 2001 From: Abhilash Reddy Date: Fri, 6 Jun 2025 15:01:50 -0400 Subject: [PATCH 2/4] update snyk --- .github/workflows/snyk.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index e4a08db..e16c13f 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -1,19 +1,18 @@ # Define the name of the workflow -name: snyk +name: snyk-zap # Define variables env: - DOCKER_REGISTRY: registry.ncats.nih.gov:5000 + DOCKER_REGISTRY: 853771734544.dkr.ecr.us-east-1.amazonaws.com IMAGE_NAME: DocumentMetadataAPI # Define when the workflow should be triggered (on push to a specific branch and pull requests to the master branch) on: push: - branches: - - main + branches: [ "main" ] pull_request: - branches: - - main + branches: [ "main" ] + workflow_dispatch: # Define the jobs that will be executed as part of the workflow jobs: @@ -21,12 +20,15 @@ jobs: Snyk-Docker-Image: runs-on: group: ncats-awsci-runners - permissions: actions: read contents: read security-events: write issues: write + + outputs: + build_version: ${{ steps.get_build_version.outputs.build_version }} + RUNNER: ${{ runner.name }} steps: # Step 1: Checkout repository @@ -65,16 +67,12 @@ jobs: echo "BUILD_VERSION=$BUILD_VERSION_GENERATED" >> $GITHUB_ENV echo "BUILD=true" >> $GITHUB_ENV echo "::set-output name=build_version::$BUILD_VERSION_GENERATED" - - # Step 3: Login to Dockerhub - - name: Login to Dockerhub - run: docker login -u "${{ secrets.DKRHUB_NCATSSVCDVOPS_USERNAME }}" -p "${{ secrets.DKRHUB_NCATSSVCDVOPS_TOKEN_WRITE }}" - - # # Step 4: Build a Docker image + + # Step 4: Build a Docker image - name: Build a Docker image - run: docker build --no-cache -f ./Dockerfile --build-arg BUILD_VERSION=${BUILD_VERSION} -t $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION . - - # # Step 5: Run Snyk to check Docker image for vulnerabilities + run: docker build --no-cache -f ./Dockerfile --build-arg BUILD_VERSION=$BUILD_VERSION -t $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION . + + # Step 5: Run Snyk to check Docker image for vulnerabilities - name: Run Snyk to check Docker image for vulnerabilities continue-on-error: true uses: snyk/actions/docker@master @@ -84,4 +82,6 @@ jobs: with: command: monitor image: $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION - args: "--file=deploy-ncats/Dockerfile" \ No newline at end of file + args: "--file=deploy-ncats/Dockerfile" + + \ No newline at end of file From 2a0ea0ad79f7fb0c01bf92726494cfd23d04ffd6 Mon Sep 17 00:00:00 2001 From: Abhilash Reddy Date: Fri, 6 Jun 2025 15:03:24 -0400 Subject: [PATCH 3/4] update snyk woekflow --- .github/workflows/snyk.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index e16c13f..20d9a53 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -4,7 +4,7 @@ name: snyk-zap # Define variables env: DOCKER_REGISTRY: 853771734544.dkr.ecr.us-east-1.amazonaws.com - IMAGE_NAME: DocumentMetadataAPI + IMAGE_NAME: documentmetadataapi # Define when the workflow should be triggered (on push to a specific branch and pull requests to the master branch) on: @@ -76,7 +76,7 @@ jobs: - name: Run Snyk to check Docker image for vulnerabilities continue-on-error: true uses: snyk/actions/docker@master - id: documentMetadataApi + id: documentmetadataapi env: SNYK_TOKEN: ${{ secrets.SNYK_CLI }} with: From 3a347836ae8baa87f6294fe1480ce833d1a98204 Mon Sep 17 00:00:00 2001 From: Abhilash Reddy Date: Fri, 6 Jun 2025 15:08:26 -0400 Subject: [PATCH 4/4] update snyk workflow file with var --- .github/workflows/snyk.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml index 20d9a53..71017ea 100644 --- a/.github/workflows/snyk.yml +++ b/.github/workflows/snyk.yml @@ -82,6 +82,6 @@ jobs: with: command: monitor image: $DOCKER_REGISTRY/$IMAGE_NAME:$BUILD_VERSION - args: "--file=deploy-ncats/Dockerfile" + args: "--file=Dockerfile" \ No newline at end of file