
Commit 8b11471

authored
Update scan.yml
1 parent ccf787a commit 8b11471


1 file changed

+125
-39
lines changed


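--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -9,15 +9,48 @@ on:
 workflow_dispatch:
 
 jobs:
+precheck:
+runs-on: [self-hosted, scan]
+continue-on-error: true
+outputs:
+should_run: ${{ steps.set_condition.outputs.should_run }}
+steps:
+- name: Set condition for PR title or commit message
+id: set_condition
+run: |
+echo "Checking PR title or commit message..."
+TYPES_TO_SKIP=("ci" "docs")
+should_run=true
+if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+for type in "${TYPES_TO_SKIP[@]}"; do
+if [[ "${{ github.event.pull_request.title }}" == "$type:"* ]]; then
+echo "Skip because PR title starts with '$type:'"
+should_run=false
+break
+fi
+done
+elif [[ "${{ github.event_name }}" == "push" ]]; then
+for type in "${TYPES_TO_SKIP[@]}"; do
+if [[ "${{ github.head_commit.message }}" == "$type:"* ]]; then
+echo "Skip because commit message starts with '$type:'"
+should_run=false
+break
+fi
+done
+fi
+echo "should_run=$should_run" >> $GITHUB_OUTPUT
+
 bandit:
 name: Bandit
+needs: precheck
+if: needs.precheck.outputs.should_run == 'true'
 runs-on: [self-hosted, scan]
 steps:
 - name: Checkout code
-uses: actions/checkout@v3
+uses: actions/checkout@v4
 
 - name: Login to Harbor
-uses: docker/login-action@v2
+uses: docker/login-action@v3
 with:
 registry: amr-registry.caas.intel.com
 username: ${{ secrets.CI_USR }}
@@ -37,10 +70,12 @@ jobs:
 
 virus-scan:
 name: Virus Scan
+needs: precheck
+if: needs.precheck.outputs.should_run == 'true'
 runs-on: [self-hosted, scan]
 steps:
 - name: Checkout code
-uses: actions/checkout@v3
+uses: actions/checkout@v4
 
 # release package must be in the directory
 - name: Prepare release package
@@ -57,92 +92,141 @@ jobs:
 
 shellcheck:
 name: ShellCheck
+needs: precheck
+if: needs.precheck.outputs.should_run == 'true'
 runs-on: [self-hosted, scan]
 env:
 SHELLCHECK_OPTS: ""
+# Notes:
+# - [optional] replace SHELLCHECK_EXIT_CODE value to 1 if you are enabling ShellCheck as a static code analysis tool
+SHELLCHECK_EXIT_CODE: 1
 steps:
 - name: Checkout code
-uses: actions/checkout@v3
+uses: actions/checkout@v4
+
+- name: Find shell script files
+id: find_files
+run: |
+find . \
+-name .git -type d -prune -o \
+-type f -name \*.sh \
+-print0 > shell_files.txt
+tr '\0' '\n' < shell_files.txt > shell_files_readable.txt
+total_files=$(wc -l < shell_files_readable.txt)
+echo "Total number of shell script files to be scanned: $total_files"
+cat shell_files_readable.txt
 
 - name: Execute ShellCheck
 run: |
-find . -name .git -type d -prune -o -type f -name \*.sh -print0 |
-xargs -0 -r -n1 shellcheck |
-tee shellcheck.log
+xargs -0 -r -n1 shellcheck < shell_files.txt 2>&1 | tee shellcheck.log
 if [ -s "shellcheck.log" ]; then
-exit 1
+grep -oP 'In \K[^\s:]+' shellcheck.log | sort -u > shellcheck_summary.txt
+total_issues=$(grep -c '^In ' shellcheck.log)
+echo "::error::Found $total_issues issues!"
+exit ${{ env.SHELLCHECK_EXIT_CODE }}
 else
 echo "No issues found by ShellCheck" > shellcheck.log
 fi
 
+- name: Preview ShellCheck Summary
+if: always()
+run: |
+{
+echo "Total number of shell script files to be scanned: $(wc -l < shell_files_readable.txt)"
+echo "Files scanned:"
+cat shell_files_readable.txt
+echo ""
+if [ -f shellcheck_summary.txt ]; then
+echo "Files with issues:"
+cat shellcheck_summary.txt
+total_files_with_issues=$(wc -l < shellcheck_summary.txt)
+total_issues=$(grep -c '^In ' shellcheck.log)
+echo "Total number of files with issues: $total_files_with_issues"
+echo "Total number of issues: $total_issues"
+echo "Issue types and their counts:"
+grep -oP 'SC[0-9]+' shellcheck.log | sort | uniq -c | sort -nr
+else
+echo "No issues found by ShellCheck"
+fi
+} | tee shellcheck_summary.log
+
 - name: Upload artifact
-uses: actions/upload-artifact@v3
+if: always()
+uses: actions/upload-artifact@v4
 with:
 name: Shellcheck Reports
-path: shellcheck.log
+path: |
+shellcheck.log
+shellcheck_summary.log
 
 trivy:
 name: Trivy
+needs: precheck
+if: needs.precheck.outputs.should_run == 'true'
 runs-on: [self-hosted, scan]
 steps:
 - name: Checkout code
-uses: actions/checkout@v3
+uses: actions/checkout@v4
 
 - name: Execute Trivy - csv
-uses: intel-innersource/frameworks.actions.trivy@main
-with:
-TRIVY_DEBUG: 'true'
-TRIVY_EXIT_CODE: '1'
-TRIVY_IGNORES: ''
-TRIVY_LIST_ALL: 'true'
-TRIVY_OUTPUT_FILE: 'trivy_fs_report.csv'
-TRIVY_REPORT_FORMAT: 'template'
-TRIVY_SCAN_TYPE: 'fs'
-TRIVY_SCAN_PATH: '.'
-TRIVY_SEVERITY: 'UNKNOWN,LOW,MEDIUM,CRITICAL,HIGH'
-TRIVY_TEMPLATE: '@/templates/csv.tmpl'
-TRIVY_VULN_TYPE: 'os,library'
+run: |
+trivy fs \
+--format template --template @/home/user/.ci/csv.tpl \
+--exit-code 1 \
+--vuln-type os,library \
+--severity UNKNOWN,LOW,MEDIUM,CRITICAL,HIGH \
+--output trivy_fs_report.csv \
+--list-all-pkgs .
+
+- name: Preview Trivy report
+if: always()
+run: |
+if [ -f "trivy_fs_report.csv" ]; then
+cat trivy_fs_report.csv
+else
+echo "Trivy report file not found."
+fi
 
 - name: Upload artifact - csv
 if: always()
-uses: actions/upload-artifact@v3
+uses: actions/upload-artifact@v4
 with:
 name: Trivy Reports
 path: "trivy_fs_report.csv"
 
 trivy-sbom:
 name: Trivy SBOM
+needs: precheck
+if: needs.precheck.outputs.should_run == 'true'
 runs-on: [self-hosted, scan]
 steps:
 - name: Checkout code
-uses: actions/checkout@v3
+uses: actions/checkout@v4
 
 - name: Execute Trivy
-uses: intel-innersource/frameworks.actions.trivy@main
-with:
-TRIVY_DEBUG: 'true'
-TRIVY_OUTPUT_FILE: 'trivy_fs_report.spdx'
-TRIVY_REPORT_FORMAT: 'spdx'
-TRIVY_SCAN_TYPE: 'fs'
-TRIVY_SCAN_PATH: '.'
-TRIVY_SEVERITY: 'UNKNOWN,LOW,MEDIUM,CRITICAL,HIGH'
-TRIVY_VULN_TYPE: 'os,library'
+run: |
+ls -l ~/.ci/csv.tpl
+trivy fs \
+--format spdx-json \
+--output trivy_fs_sbom_report.json .
 
 - name: Upload artifact
 if: always()
-uses: actions/upload-artifact@v3
+uses: actions/upload-artifact@v4
 with:
 name: Trivy SBOM Reports
-path: "trivy_fs_report.spdx"
+path: "trivy_fs_sbom_report.json"
 
 bdba:
 name: BDBA
+needs: precheck
+if: needs.precheck.outputs.should_run == 'true'
 runs-on: [self-hosted, scan]
 env:
 STEP_GROUP_ID: '32'
 steps:
 - name: Checkout code
-uses: actions/checkout@v3
+uses: actions/checkout@v4
 
 # release package must .zip file
 - name: Prepare release package
@@ -162,10 +246,12 @@ jobs:
 
 protex:
 name: Protex
+needs: precheck
+if: needs.precheck.outputs.should_run == 'true'
 runs-on: [self-hosted, scan]
 steps:
 - name: Checkout code
-uses: actions/checkout@v3
+uses: actions/checkout@v4
 
 # release package must be in the directory
 - name: Prepare release package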
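Review bot: The new precheck step interpolates `${{ github.event.pull_request.title }}` and `${{ github.head_commit.message }}` straight into the `run:` script; expression expansion happens before bash parses the script, so the surrounding double quotes give no protection when a title or commit message contains shell metacharacters, and this executes on the shared self-hosted `scan` runner that the other jobs later use with `secrets.CI_USR`. Pass both values through the step's `env:` and reference them as `"$PR_TITLE"` / `"$COMMIT_MSG"` in the comparisons, as sketched below; `github.event_name` is not user-controlled and can stay as is. Separately, `continue-on-error: true` on precheck combined with `if: needs.precheck.outputs.should_run == 'true'` on every scan job means a failing precheck yields an empty output and silently skips all scans; `if: needs.precheck.outputs.should_run != 'false'` would fail toward running them. Worth a comment on `TYPES_TO_SKIP` that a PR titled `ci:`/`docs:` bypasses every security scan on the author's say-so, so the team records that this is intended rather than gating on changed paths.
```yaml
      - name: Set condition for PR title or commit message
        id: set_condition
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          COMMIT_MSG: ${{ github.head_commit.message }}
        run: |
          # … unchanged: echo, TYPES_TO_SKIP, should_run=true …
          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
            for type in "${TYPES_TO_SKIP[@]}"; do
              if [[ "$PR_TITLE" == "$type:"* ]]; then
          # … unchanged: skip message, should_run=false, break, fi, done …
          elif [[ "${{ github.event_name }}" == "push" ]]; then
            for type in "${TYPES_TO_SKIP[@]}"; do
              if [[ "$COMMIT_MSG" == "$type:"* ]]; then
          # … unchanged: remainder of the script …
```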
