Merge pull request #2 from NHSDigital/add_cdk

wildjames · web-flow · commit 95c0db77a11e · 2024-10-09T10:46:36.000+01:00
New: [AEA-0000] - add cdk checks
diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml
@@ -58,10 +58,65 @@ jobs:
         id: check_poetry
         run: |
           if [ -f pyproject.toml ] && grep -q '\[tool.poetry\]' pyproject.toml; then
+            echo "****************"
+            echo "Project uses poetry"
+            echo "****************"
             echo "uses_poetry=true" >> $GITHUB_OUTPUT
           else
+            echo "****************"
+            echo "Project does not use poetry"
+            echo "****************"
             echo "uses_poetry=false" >> $GITHUB_OUTPUT
           fi
+  
+      - name: Check for SAM templates
+        id: check_sam_templates
+        run: |
+          if [ -d "SAMtemplates" ]; then
+            echo "****************"
+            echo "Project has SAM templates"
+            echo "****************"
+            echo "sam_exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "****************"
+            echo "Project does not have SAM templates"
+            echo "****************"
+            echo "sam_exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check for cloudformation templates
+        id: check_cf_templates
+        run: |
+          if [ -d "cloudformation" ]; then
+            echo "****************"
+            echo "Project has cloudformation templates"
+            echo "****************"
+            echo "cf_exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "****************"
+            echo "Project does not have cloudformation templates"
+            echo "****************"
+            echo "cf_exists=false" >> $GITHUB_OUTPUT
+          fi
+  
+      - name: Check for cdk
+        id: check_cdk
+        run: |
+          if [ -d "packages/cdk" ]; then
+            echo "****************"
+            echo "Project has cdk"
+            echo "****************"
+            echo "cdk_exists=true" >> $GITHUB_OUTPUT
+          else
+            echo "****************"
+            echo "Project does not have cdk"
+            echo "****************"
+            echo "cdk_exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check licenses (Makefile)
+        run: |
+          make check-licenses
 
       - name: Check licenses (Python)
         if: steps.check_poetry.outputs.uses_poetry == 'true'
@@ -87,20 +142,6 @@ jobs:
               exit 1
           fi
   
-      - name: Generate and check SBOMs
-        uses: NHSDigital/eps-action-sbom@v1
-        with:
-          node_version: ${{ inputs.node_version }}
-
-      - name: Upload SBOMs
-        uses: actions/upload-artifact@v3
-        with:
-          name: SBOMS
-          path: '**/*sbom*.json'
-
-      - name: Run linting for TypeScript and Python
-        run: make lint
-
       - name: actionlint
         uses: raven-actions/actionlint@v2
 
@@ -113,35 +154,27 @@ jobs:
             node_modules
             .git
 
-      - name: Check for CloudFormation templates
-        id: check_cfn_templates
-        run: |
-          if [ -d "cloudformation" ] || [ -d "SAMtemplates" ]; then
-            echo "exists=true" >> $GITHUB_OUTPUT
-          else
-            echo "exists=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Install cfn-lint
-        if: steps.check_cfn_templates.outputs.exists == 'true'
-        run: pip install cfn-lint
-
       - name: Run cfn-lint
-        if: steps.check_cfn_templates.outputs.exists == 'true'
+        if: steps.check_sam_templates.outputs.sam_exists == 'true' || steps.check_cf_templates.outputs.cf_exists == 'true'
         run: |
+          pip install cfn-lint
           cfn-lint -I "cloudformation/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }'
           cfn-lint -I "SAMtemplates/**/*.y*ml" 2>&1 | awk '/Run scan/ { print } /^[EW][0-9]/ { print; getline; print }'
 
       - name: Run unit tests
         run: make test
-
+  
+      - name: Run cdk-synth
+        if: steps.check_cdk.outputs.cdk_exists == 'true'
+        run: |
+          make cdk-synth
+  
       - name: Install AWS SAM CLI
-        if: steps.check_cfn_templates.outputs.exists == 'true'
+        if: steps.check_sam_templates.outputs.sam_exists == 'true'
         run: |
           pip install aws-sam-cli
 
-      - name: Run cfn-guard script
-        if: steps.check_cfn_templates.outputs.exists == 'true'
+      - name: Init cfn-guard
         run: |
           #!/usr/bin/env bash
           set -eou pipefail
@@ -156,6 +189,12 @@ jobs:
 
           mkdir -p cfn_guard_output
 
+      - name: Run cfn-guard script for sam templates
+        if: steps.check_sam_templates.outputs.sam_exists == 'true'
+        run: |
+          #!/usr/bin/env bash
+          set -eou pipefail
+
           declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
           for ruleset in "${rulesets[@]}"
           do
@@ -175,7 +214,39 @@ jobs:
             done < <(find ./SAMtemplates -name '*.y*ml' -print0)
           done
 
-          rm -rf /tmp/ruleset
+      - name: Run cfn-guard script for cloudformation templates
+        if: steps.check_cf_templates.outputs.cf_exists == 'true'
+        run: |
+          #!/usr/bin/env bash
+
+          declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
+          for ruleset in "${rulesets[@]}"
+          do
+            echo "Checking all templates in cloudformation folder with ruleest $ruleset"
+
+            ~/.guard/bin/cfn-guard validate \
+                --data cloudformation \
+                    --rules "/tmp/ruleset/output/$ruleset.guard" \
+                --show-summary fail \
+                > "cfn_guard_output/cloudformation_$ruleset.txt"
+          done
+
+      - name: Run cfn-guard script for cdk templates
+        if: steps.check_cdk.outputs.cdk_exists == 'true'
+        run: |
+          #!/usr/bin/env bash
+
+          declare -a rulesets=("ncsc" "ncsc-cafv3" "wa-Reliability-Pillar" "wa-Security-Pillar")
+          for ruleset in "${rulesets[@]}"
+          do
+            echo "Checking all templates in cdk.out folder with ruleest $ruleset"
+
+            ~/.guard/bin/cfn-guard validate \
+                --data cdk.out \
+                    --rules "/tmp/ruleset/output/$ruleset.guard" \
+                --show-summary fail \
+                > "cfn_guard_output/cdk.out_$ruleset.txt"
+          done
 
       - name: Show cfn-guard output
         if: failure()
@@ -193,3 +264,58 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  sbom_checks:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ env.BRANCH_NAME }}
+          fetch-depth: 0
+  
+      # using git commit sha for version of action to ensure we have stable version
+      - name: Install asdf
+        uses: asdf-vm/actions/setup@05e0d2ed97b598bfce82fd30daf324ae0c4570e6
+        with:
+          asdf_branch: v0.14.1
+
+      - name: Cache asdf
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.asdf
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
+          restore-keys: |
+            ${{ runner.os }}-asdf-
+
+      - name: Install asdf dependencies in .tool-versions
+        uses: asdf-vm/actions/install@05e0d2ed97b598bfce82fd30daf324ae0c4570e6
+        with:
+          asdf_branch: v0.14.1
+        env:
+          PYTHON_CONFIGURE_OPTS: --enable-shared
+
+      - name: Setting up .npmrc
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
+          echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc
+
+      - name: make install
+        run: |
+          make install
+
+      - name: Generate and check SBOMs
+        uses: NHSDigital/eps-action-sbom@v1.1
+        with:
+          node_version: ${{ inputs.node_version }}
+
+      - name: Upload SBOMs
+        uses: actions/upload-artifact@v3
+        if: success() || failure()
+        with:
+          name: SBOMS
+          path: '**/*sbom*.json'
+
diff --git a/README.md b/README.md
@@ -6,7 +6,9 @@ A workflow to run the quality checks for EPS repositories. The steps executed by
 - **Run Linting**
 - **Run Unit Tests**
 - **SonarCloud Scan**: Performs code analysis using SonarCloud to detect quality issues and vulnerabilities.
-- **Validate CloudFormation Templates** (*Conditional*): If CloudFormation or AWS SAM templates are present, runs `cfn-lint` and `cfn-guard` to validate templates against AWS best practices and security rules.
+- **Validate CloudFormation Templates** (*Conditional*): If CloudFormation, AWS SAM templates or CDK are present, runs `cfn-lint` (SAM and cloudformation only) and `cfn-guard` to validate templates against AWS best practices and security rules.
+- **CDK Synth** (*Conditional*): Runs `make cdk-synth` if packages/cdk folder exists
+- **Check Licenses**: Runs `make check-licenses`.
 - **Check Python Licenses** (*Conditional*): If the project uses Poetry, scans Python dependencies for incompatible licenses.
 
 # Usage
@@ -24,6 +26,8 @@ In order to run, these `make` commands must be present. They may be mocked, if t
 - `install`
 - `lint`
 - `test`
+- `check-licenses`
+- `cdk-synth` - only needed if packages/cdk folder exists
 
 ## Environment variables
 
