
Commit 0112a75

committed
add codeql and daily scan workflows
1 parent 4004d5f commit 0112a75


2 files changed

+330
-0
lines changed


.github/workflows/codeql.yml

Lines changed: 142 additions & 0 deletions
@@ -0,0 +1,142 @@
1+
# For most projects, this workflow file will not need changing; you simply need
2+
# to commit it to your repository.
3+
#
4+
# You may wish to alter this file to override the set of languages analyzed,
5+
# or to provide custom queries or build logic.
6+
#
7+
# ******** NOTE ********
8+
# We have attempted to detect the languages in your repository. Please check
9+
# the `language` matrix defined below to confirm you have the correct set of
10+
# supported CodeQL languages.
11+
#
12+
name: "CodeQL Advanced"
13+
permissions:
14+
contents: read
15+
16+
on:
17+
push:
18+
branches: [ "master", "release/v*", "zhaez/scanner" ]
19+
pull_request:
20+
branches: [ "master", "release/v*" ]
21+
schedule:
22+
- cron: '45 4 * * 2'
23+
24+
jobs:
25+
analyze:
26+
name: Analyze (${{ matrix.language }})
27+
# Runner size impacts CodeQL analysis time. To learn more, please see:
28+
# - https://gh.io/recommended-hardware-resources-for-running-codeql
29+
# - https://gh.io/supported-runners-and-hardware-resources
30+
# - https://gh.io/using-larger-runners (GitHub.com only)
31+
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
32+
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
33+
permissions:
34+
# required for all workflows
35+
security-events: write
36+
37+
# required to fetch internal or private CodeQL packs
38+
packages: read
39+
40+
# only required for workflows in private repositories
41+
actions: read
42+
contents: read
43+
44+
strategy:
45+
fail-fast: false
46+
matrix:
47+
include:
48+
- language: go
49+
build-mode: manual
50+
# CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
51+
# Use `c-cpp` to analyze code written in C, C++ or both
52+
# Use 'java-kotlin' to analyze code written in Java, Kotlin or both
53+
# Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
54+
# To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
55+
# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
56+
# If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
57+
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
58+
steps:
59+
- name: Checkout repository
60+
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
61+
62+
# Add any setup steps before running the `github/codeql-action/init` action.
63+
# This includes steps like installing compilers or runtimes (`actions/setup-node`
64+
# or others). This is typically only required for manual builds.
65+
- name: Setup Go
66+
if: matrix.language == 'go'
67+
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
68+
with:
69+
go-version-file: go.mod
70+
71+
- name: Cache Go modules
72+
if: matrix.language == 'go'
73+
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4
74+
with:
75+
path: ~/go/pkg/mod
76+
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
77+
restore-keys: |
78+
${{ runner.os }}-go-
79+
80+
# Initializes the CodeQL tools for scanning.
81+
- name: Initialize CodeQL
82+
uses: github/codeql-action/init@16df4fbc19aea13d921737861d6c622bf3cefe23 #v3.30.3
83+
with:
84+
languages: ${{ matrix.language }}
85+
build-mode: ${{ matrix.build-mode }}
86+
# If you wish to specify custom queries, you can do so here or in a config file.
87+
# By default, queries listed here will override any specified in a config file.
88+
# Prefix the list here with "+" to use these queries and those in the config file.
89+
90+
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
91+
# queries: security-extended,security-and-quality
92+
93+
# If the analyze step fails for one of the languages you are analyzing with
94+
# "We were unable to automatically build your code", modify the matrix above
95+
# to set the build mode to "manual" for that language. Then modify this step
96+
# to build your code.
97+
# ℹ️ Command-line programs to run using the OS shell.
98+
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
99+
- if: matrix.build-mode == 'manual'
100+
shell: bash
101+
run: |
102+
make build
103+
104+
- name: Perform CodeQL Analysis
105+
uses: github/codeql-action/analyze@16df4fbc19aea13d921737861d6c622bf3cefe23 #v3.30.3
106+
with:
107+
category: "/language:${{matrix.language}}"
108+
109+
all-codeql-checks-pass:
110+
runs-on: ubuntu-latest
111+
needs: [analyze]
112+
if: always()
113+
steps:
114+
- name: Checkout to get workflow file
115+
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
116+
117+
- name: Check all jobs succeeded and none missing
118+
run: |
119+
# Check if all needed jobs succeeded
120+
results='${{ toJSON(needs) }}'
121+
if echo "$results" | jq -r '.[] | .result' | grep -v success; then
122+
echo "Some jobs failed"
123+
exit 1
124+
fi
125+
126+
# Extract all job names from workflow (excluding this gate job)
127+
all_jobs=$(yq eval '.jobs | keys | .[]' .github/workflows/codeql.yml | grep -v "all-codeql-checks-pass" | sort)
128+
129+
# Extract job names from needs array
130+
needed_jobs='${{ toJSON(needs) }}'
131+
needs_list=$(echo "$needed_jobs" | jq -r 'keys[]' | sort)
132+
133+
# Check if any jobs are missing from needs
134+
missing_jobs=$(comm -23 <(echo "$all_jobs") <(echo "$needs_list"))
135+
if [ -n "$missing_jobs" ]; then
136+
echo "ERROR: Jobs missing from needs array in all-codeql-checks-pass:"
137+
echo "$missing_jobs"
138+
echo "Please add these jobs to the needs array of all-codeql-checks-pass"
139+
exit 1
140+
fi
141+
142+
echo "All CodeQL checks passed and no jobs missing from gate!"
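Review bot: The `push` trigger at line 18 still lists the personal branch `zhaez/scanner` next to `master` and `release/v*`; that reads as a leftover from developing the workflow and should be dropped before merge so only long-lived branches fan out CodeQL runs, i.e. `branches: [ "master", "release/v*" ]`. The gate job's `results='${{ toJSON(needs) }}'` at line 120 (repeated at line 130) is harmless today because `analyze` declares no outputs, but any output added later is spliced verbatim into the shell script; reading it through `env:` (`NEEDS_JSON: ${{ toJSON(needs) }}` and then `results="$NEEDS_JSON"`) keeps the script text static regardless of what the value contains. The manual-build step at line 99 has no `name:`, so it shows up in the run log only as its `run` body; `name: Build (manual build mode)` would make failures easier to locate. Since the repository runs a separate vulnerability scan, it may also be worth enabling the commented `queries: security-extended` at line 91, which is a broader query set than the default.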

.github/workflows/daily-scan.yml

Lines changed: 188 additions & 0 deletions
@@ -0,0 +1,188 @@
1+
## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
2+
## SPDX-License-Identifier: Apache-2.0
3+
# Performs a daily scan of:
4+
# * The latest released X-Ray daemon image, using Trivy
5+
# * Project dependencies, using DependencyCheck
6+
#
7+
# Publishes results to CloudWatch Metrics.
8+
name: Daily scan
9+
10+
on:
11+
schedule: # scheduled to run every 6 hours
12+
- cron: '10 */6 * * *' # "At minute 10 past every 6th hour."
13+
workflow_dispatch: # be able to run the workflow on demand
14+
push:
15+
branches:
16+
- zhaez/scanner
17+
18+
env:
19+
AWS_DEFAULT_REGION: us-east-1
20+
21+
permissions:
22+
id-token: write
23+
contents: read
24+
25+
jobs:
26+
scan_and_report:
27+
runs-on: ubuntu-latest
28+
steps:
29+
- name: Checkout repo for dependency scan
30+
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
31+
with:
32+
fetch-depth: 0
33+
34+
- name: Set up Go for dependency scan
35+
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
36+
with:
37+
go-version-file: go.mod
38+
39+
- name: Configure AWS credentials for dependency scan
40+
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
41+
with:
42+
role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
43+
aws-region: ${{ env.AWS_DEFAULT_REGION }}
44+
45+
- name: Get NVD API key for dependency scan
46+
uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10
47+
id: nvd_api_key
48+
with:
49+
secret-ids: ${{ secrets.NVD_API_KEY_SECRET_ARN }}
50+
parse-json-secrets: true
51+
52+
- name: Cache Go modules
53+
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4
54+
with:
55+
path: ~/go/pkg/mod
56+
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
57+
restore-keys: |
58+
${{ runner.os }}-go-
59+
60+
- name: Build binary
61+
run: make build
62+
env:
63+
VERSION: 0.${{ github.sha }}
64+
65+
# See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
66+
- name: Install and run dependency scan
67+
id: dep_scan
68+
if: always()
69+
run: |
70+
# Install dependency-check
71+
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
72+
VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt | head -n1 | cut -d" " -f1)
73+
curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
74+
curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
75+
gpg --verify dependency-check.zip.asc
76+
unzip dependency-check.zip
77+
78+
# Run dependency check on Go modules
79+
./dependency-check/bin/dependency-check.sh --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} -s "." --enableExperimental
80+
continue-on-error: true
81+
82+
- name: Print dependency scan results on failure
83+
if: ${{ steps.dep_scan.outcome != 'success' }}
84+
run: |
85+
if [ -f dependency-check-report.html ]; then
86+
echo "Dependency scan report found, displaying summary:"
87+
grep -A 10 -B 10 "vulnerabilities found" dependency-check-report.html || echo "No vulnerability summary found"
88+
else
89+
echo "No dependency scan report found"
90+
fi
91+
92+
- name: Configure AWS credentials for image scan
93+
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
94+
with:
95+
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
96+
aws-region: ${{ env.AWS_DEFAULT_REGION }}
97+
98+
- name: Login to Public ECR
99+
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 #v3.5.0
100+
with:
101+
registry: public.ecr.aws
102+
103+
- name: Install Trivy
104+
run: |
105+
sudo apt-get update
106+
sudo apt-get install wget apt-transport-https gnupg lsb-release
107+
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
108+
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
109+
sudo apt-get update
110+
sudo apt-get install trivy
111+
112+
- name: Perform high image scan on latest
113+
if: always()
114+
id: high_scan_latest
115+
run: |
116+
trivy image --severity CRITICAL,HIGH --exit-code 1 public.ecr.aws/xray/aws-xray-daemon:latest
117+
continue-on-error: true
118+
119+
- name: Perform low image scan on latest
120+
if: always()
121+
id: low_scan_latest
122+
run: |
123+
trivy image --severity MEDIUM,LOW,UNKNOWN --exit-code 1 public.ecr.aws/xray/aws-xray-daemon:latest
124+
continue-on-error: true
125+
126+
- name: Perform high image scan on alpha
127+
if: always()
128+
id: high_scan_alpha
129+
run: |
130+
trivy image --severity CRITICAL,HIGH --exit-code 1 public.ecr.aws/xray/aws-xray-daemon:alpha
131+
continue-on-error: true
132+
133+
- name: Perform low image scan on alpha
134+
if: always()
135+
id: low_scan_alpha
136+
run: |
137+
trivy image --severity MEDIUM,LOW,UNKNOWN --exit-code 1 public.ecr.aws/xray/aws-xray-daemon:alpha
138+
continue-on-error: true
139+
140+
- name: Configure AWS Credentials for emitting metrics
141+
if: always()
142+
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
143+
with:
144+
role-to-assume: ${{ secrets.METRICS_ROLE_ARN }}
145+
aws-region: ${{ env.AWS_DEFAULT_REGION }}
146+
147+
- name: Publish high scan status on latest
148+
if: always()
149+
run: |
150+
value="${{ steps.high_scan_latest.outcome == 'success' && '1.0' || '0.0' }}"
151+
aws cloudwatch put-metric-data --namespace 'XRAY/GitHubActions' \
152+
--metric-name Success \
153+
--dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_high \
154+
--value $value
155+
156+
- name: Publish high scan status on alpha
157+
if: always()
158+
run: |
159+
value="${{ steps.high_scan_alpha.outcome == 'success' && '1.0' || '0.0' }}"
160+
aws cloudwatch put-metric-data --namespace 'XRAY/GitHubActions' \
161+
--metric-name Success \
162+
--dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_high \
163+
--value $value
164+
165+
- name: Publish low scan status on latest
166+
if: always()
167+
run: |
168+
value="${{ steps.low_scan_latest.outcome == 'success' && steps.dep_scan.outcome == 'success' && '1.0' || '0.0'}}"
169+
aws cloudwatch put-metric-data --namespace 'XRAY/GitHubActions' \
170+
--metric-name Success \
171+
--dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_low \
172+
--value $value
173+
174+
- name: Publish low scan status on alpha
175+
if: always()
176+
run: |
177+
value="${{ steps.low_scan_alpha.outcome == 'success' && steps.dep_scan.outcome == 'success' && '1.0' || '0.0'}}"
178+
aws cloudwatch put-metric-data --namespace 'XRAY/GitHubActions' \
179+
--metric-name Success \
180+
--dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_low \
181+
--value $value
182+
183+
- name: Cleanup
184+
if: always()
185+
run: |
186+
rm -f ./dependency-check.zip
187+
rm -f ./dependency-check.zip.asc
188+
rm -rf ./dependency-check || true
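Review bot: The four `put-metric-data` steps (lines 147–181) publish the `latest` and `alpha` results under identical dimensions — `repository`, `branch` and `workflow=daily_scan_high` (or `daily_scan_low`) — so the two images' datapoints land in the same CloudWatch metric and cannot be told apart; add an image dimension, e.g. `...,workflow=daily_scan_high,image=latest` and `...,workflow=daily_scan_high,image=alpha`, and the same for the low pair. On line 79 the NVD key is expanded into the script text with `${{ env.NVD_API_KEY_NVD_API_KEY }}`; letting the shell read the exported variable instead, `--nvdApiKey "$NVD_API_KEY_NVD_API_KEY"`, keeps the secret out of the rendered script and out of any future `set -x` output. `github.ref_name` on the same dimension lines is likewise expanded unquoted into the shell; Git allows `$`, `;`, `(` and backticks in branch names, so pass it via `env:` and quote it (`branch="$BRANCH"`) — low risk here because only pushes to the listed branch and manual dispatches trigger the job, but this job holds `id-token: write` and assumes three AWS roles, and for that reason the `push` trigger on the personal branch `zhaez/scanner` (line 16) should also be removed before merge. The Trivy install at line 107 uses the deprecated `apt-key add`; the current Trivy instructions write the key to `/usr/share/keyrings/trivy.gpg` and reference it with `signed-by=` in the sources entry, which also avoids trusting that key for every configured repository.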
