aquasec_repository_scan.yml
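---
name: AquaSec Full Repository Scan

# Runs on demand and on pull-request open/update. For a pull_request from a
# fork the AQUA_* secrets are not injected, so the scan step stops at the
# credential check instead of attempting an unauthenticated login.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  pull_request:
    types: [opened, synchronize]

# Least privilege: the steps below only check out the repository and call the
# AquaSec API. No step comments on a PR, files an issue or uploads SARIF, so
# the issues / pull-requests / security-events write grants are not needed;
# re-add the specific grant next to the step that requires it.
permissions:
  contents: read

jobs:
  aquasec:
    name: AquaSec Full Repository Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # The job token is not needed after checkout; do not leave it in
          # .git/config for later steps to pick up.
          persist-credentials: false
          # Full history. The scan step below does not read the checkout, so
          # this can be reduced if no other step depends on it.
          fetch-depth: 0

      - name: Retrieve AquaSec Scan Results
        env:
          AQUA_KEY: ${{ secrets.AQUA_KEY }}
          AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
          # Passed through the environment rather than interpolated into the
          # script body, so no ${{ }} expression is expanded inside shell code.
          REPOSITORY_ID: ${{ github.repository_id }}
        run: |
          set -euo pipefail

          # Fail early with a clear message instead of signing with an empty key.
          if [ -z "$AQUA_KEY" ] || [ -z "$AQUA_SECRET" ]; then
            echo "AQUA_KEY / AQUA_SECRET are not available to this run" \
                 "(missing repository secret, or pull request from a fork)."
            exit 1
          fi

          echo "=== Authenticating with AquaSec ==="
          METHOD="POST"
          AUTH_PATH="/v2/tokens"
          AUTH_ENDPOINT="https://eu-1.api.cloudsploit.com${AUTH_PATH}"
          TIMESTAMP=$(date -u +%s)
          POST_BODY='{
            "group_id": 1155,
            "allowed_endpoints": ["GET", "POST"],
            "validity": 240,
            "csp_roles": ["developer", "devops"]
          }'
          # The signature covers timestamp + method + path + body, so the body
          # must be sent byte-for-byte as it was signed.
          STRING_TO_SIGN="${TIMESTAMP}${METHOD}${AUTH_PATH}${POST_BODY}"
          # NOTE(review): the HMAC key is handed to openssl as a command-line
          # argument and is briefly visible to other processes on the runner;
          # acceptable on an ephemeral hosted runner, revisit for shared
          # self-hosted runners.
          SIGNATURE=$(printf '%s' "$STRING_TO_SIGN" \
            | openssl dgst -sha256 -hmac "$AQUA_SECRET" -hex \
            | sed 's/.*= //')
          AUTH_RESPONSE=$(curl -sS -X "$METHOD" "$AUTH_ENDPOINT" \
            -H "Content-Type: application/json" \
            -H "X-API-Key: $AQUA_KEY" \
            -H "X-Signature: $SIGNATURE" \
            -H "X-Timestamp: $TIMESTAMP" \
            -d "$POST_BODY")
          # jq exits non-zero on a non-JSON body; with pipefail that ends the step.
          RESPONSE_STATUS=$(echo "$AUTH_RESPONSE" | jq -r '.status')
          if [ "$RESPONSE_STATUS" != "200" ]; then
            # The body is deliberately not logged: on success it carries the token.
            echo "Login failed (status: $RESPONSE_STATUS)"
            exit 1
          fi
          echo "Login successful."
          BEARER_TOKEN=$(echo "$AUTH_RESPONSE" | jq -r '.data')
          # Mask before any later command can print the token.
          echo "::add-mask::$BEARER_TOKEN"

          echo "=== Receiving AquaSec Scan Results ==="
          SCAN_RESULTS_ENDPOINT="https://eu-central-1.edge.cloud.aquasec.com/codesec/api/v1/scans/results"
          # --fail makes a 4xx/5xx a non-zero exit, so an error body (which is
          # non-empty JSON) is not mistaken for scan results.
          if ! SCAN_RESULTS=$(curl -sS --fail -X GET \
              "${SCAN_RESULTS_ENDPOINT}?repositoryIds=${REPOSITORY_ID}" \
              -H "Authorization: Bearer $BEARER_TOKEN" \
              -H "Accept: application/json"); then
            echo "Failed to retrieve scan results"
            exit 1
          fi
          if [ -z "$SCAN_RESULTS" ]; then
            echo "Failed to retrieve scan results"
            exit 1
          fi
          echo "=== Scan Results ==="
          echo "$SCAN_RESULTS" | jq '.'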