
Commit ae7557c

vuln scan github summary
1 parent f8e8c69 commit ae7557c


1 file changed

+40
-3
lines changed


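--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -308,6 +308,43 @@ jobs:
 ) >> $GITHUB_STEP_SUMMARY
 fi
 
+exit $RESULT
+- name: Scan for Vulnerabilities
+id: scan
+shell: bash
+env:
+NODE_OPTIONS: "--max_old_space_size=4096"
+JAVA_HOME: /home/gitpod/.sdkman/candidates/java/current
+VERSION: ${{needs.configuration.outputs.version}}
+PR_NO_CACHE: ${{needs.configuration.outputs.build_no_cache}}
+PR_NO_TEST: ${{needs.configuration.outputs.build_no_test}}
+NPM_AUTH_TOKEN: "${{ secrets.NPM_AUTH_TOKEN }}"
+PUBLISH_TO_NPM: ${{ needs.configuration.outputs.publish_to_npm == 'true' || needs.configuration.outputs.is_main_branch == 'true' }}
+JB_MARKETPLACE_PUBLISH_TOKEN: "${{ secrets.JB_MARKETPLACE_PUBLISH_TOKEN }}"
+PUBLISH_TO_JBPM: ${{ needs.configuration.outputs.publish_to_jbmp == 'true' || needs.configuration.outputs.is_main_branch == 'true' }}
+CODECOV_TOKEN: "${{ secrets.CODECOV_TOKEN }}"
+LEEWAY_REMOTE_CACHE_BUCKET: ${{needs.configuration.outputs.leeway_cache_bucket}}
+IMAGE_REPO_BASE: ${{needs.configuration.outputs.image_repo_base}}/build
+
+# SCM tokens for integration tests
+GITPOD_TEST_TOKEN_BITBUCKET: "${{ secrets.GITPOD_TEST_TOKEN_BITBUCKET }}"
+GITPOD_TEST_TOKEN_BITBUCKET_SERVER: "${{ secrets.GITPOD_TEST_TOKEN_BITBUCKET_SERVER }}"
+GITPOD_TEST_TOKEN_BITBUCKET_SERVER_WRITE: "${{ secrets.GITPOD_TEST_TOKEN_BITBUCKET_SERVER_WRITE }}"
+GITPOD_TEST_TOKEN_BITBUCKET_SERVER_READ: "${{ secrets.GITPOD_TEST_TOKEN_BITBUCKET_SERVER_READ }}"
+GITPOD_TEST_TOKEN_GITHUB: "${{ secrets.GITPOD_TEST_TOKEN_GITHUB }}"
+GITPOD_TEST_TOKEN_GITLAB: "${{ secrets.GITPOD_TEST_TOKEN_GITLAB }}"
+GITPOD_TEST_TOKEN_AZURE_DEVOPS: "${{ secrets.GITPOD_TEST_TOKEN_AZURE_DEVOPS }}"
+run: |
+[[ "$PR_NO_CACHE" = "true" ]] && CACHE="none" || CACHE="remote"
+[[ "$PR_NO_TEST" = "true" ]] && TEST="--dont-test" || TEST=""
+[[ "${PUBLISH_TO_NPM}" = 'true' ]] && NPM_PUBLISH_TRIGGER=$(date +%s%3N) || NPM_PUBLISH_TRIGGER="false"
+
+# tmp: Update leeway from branch to make testing easier
+LEEWAY_BRANCH=clu/sbom-cve-2
+LEEWAY_REPO_DIR=$(mktemp -d -t leeway-repo-XXXXXXXXXX) && git clone https://github.com/gitpod-io/leeway "$LEEWAY_REPO_DIR" && cd "$LEEWAY_REPO_DIR" && git switch ${LEEWAY_BRANCH} && git pull && go build -ldflags="-X github.com/gitpod-io/leeway/pkg/leeway.Version=0.10.2.sbom" -o leeway && sudo install -m 755 leeway /usr/bin/ && cd - && rm -rf "$LEEWAY_REPO_DIR"
+
+RESULT=0
+
 sboms_dir=$(mktemp -d)
 CI= leeway -v sbom export --with-dependencies --output-dir "$sboms_dir" \
 -Dversion=$VERSION \
@@ -335,19 +372,19 @@ jobs:
 echo "leeway_vulnerability_reports_dir=$scans_dir"
 } >> $GITHUB_OUTPUT
 
-exit $RESULT
+cat "$scans_dir/vulnerability-summary.md" >> $GITHUB_STEP_SUMMARY
 - name: Upload SBOMs
 uses: actions/upload-artifact@v4
 if: success()
 with:
 name: sboms
-path: ${{ steps.leeway.outputs.leeway_sboms_dir }}
+path: ${{ steps.scan.outputs.leeway_sboms_dir }}
 - name: Upload vulnerability reports
 uses: actions/upload-artifact@v4
 if: success()
 with:
 name: vulnerability-reports
-path: ${{ steps.leeway.outputs.leeway_vulnerability_reports_dir }}
+path: ${{ steps.scan.outputs.leeway_vulnerability_reports_dir }}
 - name: Tag the release
 if: github.ref == 'refs/heads/main'
 run: |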
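Review bot: The leeway binary that performs the scan is built at job time from the moving branch `clu/sbom-cve-2` (`git switch ${LEEWAY_BRANCH} && git pull`) and installed with `sudo install` into /usr/bin, so anyone who can push to that branch controls code that runs with NPM_AUTH_TOKEN, JB_MARKETPLACE_PUBLISH_TOKEN, CODECOV_TOKEN and all the SCM test tokens present in this step's env. Pin the checkout to an immutable commit, e.g. `LEEWAY_COMMIT=<sha>` and `git -c advice.detachedHead=false checkout "$LEEWAY_COMMIT"` in place of the switch/pull, and turn the "tmp" comment into a TODO to remove the in-job build once the change ships in a leeway release. Relatedly, the visible commands of the new step only export SBOMs and scan them, so the publish and SCM secrets look unnecessary here; unless the rest of the run body (which continues past this hunk) needs them, trim the env to what leeway actually requires. Note also that the step now ends with `cat … >> $GITHUB_STEP_SUMMARY` where `exit $RESULT` used to be, so if the scan still sets RESULT on findings it presumably no longer fails the job — if that is intended, a one-line comment saying so would help; if not, add `exit $RESULT` after the cat.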
