Skip to content
.github/workflows/composer-audit.yml

Add logic for handling VCS-type repos/dependencies #14

Sign in to view logs

Add logic for handling VCS-type repos/dependencies

Add logic for handling VCS-type repos/dependencies #14

Workflow file for this run

.github/workflows/composer-audit.yml at 33b7b78
name: Drupal - Security Review

Check failure on line 1 in .github/workflows/composer-audit.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/composer-audit.yml

Invalid workflow file 

(Line: 35, Col: 13): Unrecognized named-value: 'secrets'. Located at position 65 within expression: steps.check_private_deps.outputs.has_private_deps == 'true' && !secrets.COMPOSER_GITHUB_TOKEN
# Required Secrets (same across projects):
# EMAIL_USERNAME: Gmail address for sending notifications (i.e. security-bot@palantir.net)
# EMAIL_PASSWORD: Gmail App Password (no spaces)
# COMPOSER_GITHUB_TOKEN: (Conditional) GitHub Personal Access Token ("PAT") with 'repo' scope - only needed if composer.json has private VCS dependencies. A classic PAT is recommended. More info here: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens
# **Details are stored in the 1password vault named "Production".**
#
# Required Variables (unique per project):
# PALANTIR_NOTIFICATION_EMAIL: Email address to receive alerts; group email address recommended
# CLIENT_WEBSITE_URL: (Optional) Client's website URL
on:
schedule:
- cron: '0 21 * * 3' # Runs every Wednesday at 8:30PM UTC / 5:00 EDT / 4:00 EST.
- cron: '30 06 * * 4' # Runs every Thursday at 6:30AM UTC / 2:30 EDT / 1:30 EST.
jobs:
drupal-security-audit:
runs-on: ubuntu-latest
name: Drupal security audit
steps:
- name: "Checkout code"
uses: actions/checkout@v4
- name: Check if private composer dependencies exist
id: check_private_deps
run: |
if grep -q '"type"[[:space:]]*:[[:space:]]*"vcs"' composer.json; then
echo "has_private_deps=true" >> $GITHUB_OUTPUT
echo "⚠️ This project uses private VCS dependencies"
else
echo "has_private_deps=false" >> $GITHUB_OUTPUT
echo "✅ This project uses only public dependencies"
fi
- name: Validate composer authentication
if: steps.check_private_deps.outputs.has_private_deps == 'true' && !secrets.COMPOSER_GITHUB_TOKEN
run: |
echo "::error::This project requires private composer dependencies but COMPOSER_GITHUB_TOKEN secret is not set."
echo "::error::Please add COMPOSER_GITHUB_TOKEN secret with a GitHub Personal Access Token that has 'repo' scope."
echo "::error::Generate at: https://github.com/settings/tokens"
exit 1
- name: Install PHP with extensions
uses: shivammathur/setup-php@2.35.4
with:
coverage: "none"
php-version: 8.2
tools: composer:v2
- name: "Composer install"
env:
COMPOSER_AUTH: ${{ secrets.COMPOSER_GITHUB_TOKEN && format('{{"github-oauth":{{"github.com":"{0}"}}}}', secrets.COMPOSER_GITHUB_TOKEN) || '{}' }}
uses: "ramsey/composer-install@2.2.0"
with:
composer-options: "--prefer-dist"
- name: Run composer audit for Drupal packages
id: audit # Needed for email
run: |
echo "# Drupal Security Audit Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
# Run audit in JSON format for easier parsing
composer audit --locked --format=json > audit_results.json 2>&1 || AUDIT_EXIT_CODE=$?
# Check if we have any vulnerabilities at all
if [ -f "audit_results.json" ] && [ "${AUDIT_EXIT_CODE:-0}" != "0" ]; then
echo "Parsing JSON audit results..."
# Extract Drupal and non-Drupal vulnerabilities using jq
echo "Extracting Drupal vulnerabilities..."
jq '[.advisories | to_entries[] | select(.key | startswith("drupal/")) | .value | to_entries[] | .value]' audit_results.json > drupal_advisories.json 2>/dev/null || echo '[]' > drupal_advisories.json
echo "Extracting non-Drupal vulnerabilities..."
jq '[.advisories | to_entries[] | select(.key | startswith("drupal/") | not) | .value[]]' audit_results.json > non_drupal_advisories.json 2>/dev/null || echo '[]' > non_drupal_advisories.json
# Check what we found
DRUPAL_COUNT=$(jq length drupal_advisories.json 2>/dev/null || echo 0)
NON_DRUPAL_COUNT=$(jq length non_drupal_advisories.json 2>/dev/null || echo 0)
HAS_DRUPAL=$([ "$DRUPAL_COUNT" -gt 0 ] && echo "true" || echo "false")
HAS_NON_DRUPAL=$([ "$NON_DRUPAL_COUNT" -gt 0 ] && echo "true" || echo "false")
echo "Found $DRUPAL_COUNT Drupal vulnerabilities"
echo "Found $NON_DRUPAL_COUNT non-Drupal vulnerabilities"
# Save counts for email
echo "drupal_count=$DRUPAL_COUNT" >> $GITHUB_OUTPUT
echo "non_drupal_count=$NON_DRUPAL_COUNT" >> $GITHUB_OUTPUT
# Function to create a table from JSON advisories (for GitHub step summary)
create_table() {
local json_file=$1
local output_file=$2
if [ -f "$json_file" ] && [ "$(jq length "$json_file")" -gt 0 ]; then
# Create table header
echo "+-------------------+----------------------------------------------------------------------------------+" > "$output_file"
echo "| Package | Details |" >> "$output_file"
echo "+-------------------+----------------------------------------------------------------------------------+" >> "$output_file"
# Process each advisory using a YAML-safe approach
jq -r '.[] | ["| " + .packageName + " | " + .packageName + " |", "| Severity | " + (.severity // "") + " |", "| CVE | " + (.cve // "") + " |", "| Title | " + .title + " |", "| URL | " + .link + " |", "| Affected versions | " + .affectedVersions + " |", "| Reported at | " + .reportedAt + " |", "+-------------------+----------------------------------------------------------------------------------+"] | .[]' "$json_file" >> "$output_file"
fi
}
# Function to create simplified format for email
create_simple_format() {
local json_file=$1
local output_file=$2
if [ -f "$json_file" ] && [ "$(jq length "$json_file")" -gt 0 ]; then
jq -r '.[] | "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━\n<strong>Package:</strong> " + .packageName + "\n<strong>Severity:</strong> " + (.severity // "") + (if .cve then " | " + .cve else "" end) + "\n<strong>Title:</strong> " + .title + "\n<strong>URL:</strong> <a href=\"" + .link + "\" style=\"color: #0366d6;\">" + .link + "</a>\n<strong>Affected:</strong> " + .affectedVersions + "\n<strong>Reported:</strong> " + .reportedAt + "\n"' "$json_file" > "$output_file"
fi
}
# Create tables for Drupal and non-Drupal vulnerabilities (for GitHub)
if [ "$HAS_DRUPAL" = "true" ]; then
create_table drupal_advisories.json drupal_table.txt
fi
if [ "$HAS_NON_DRUPAL" = "true" ]; then
create_table non_drupal_advisories.json non_drupal_table.txt
fi
# Create simplified format for email
if [ "$HAS_DRUPAL" = "true" ]; then
create_simple_format drupal_advisories.json drupal_simple.txt
fi
if [ "$HAS_NON_DRUPAL" = "true" ]; then
create_simple_format non_drupal_advisories.json non_drupal_simple.txt
fi
# Show Drupal vulnerabilities if any
if [ "$HAS_DRUPAL" = "true" ]; then
echo "⚠️ **Security vulnerabilities detected in Drupal packages!**" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
cat drupal_table.txt >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
fi
# Save Drupal vulnerabilities for email
if [ "$HAS_DRUPAL" = "true" ]; then
DRUPAL_SIMPLE=$(cat drupal_simple.txt)
echo "drupal_simple<<EOF" >> $GITHUB_OUTPUT
echo "$DRUPAL_SIMPLE" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
fi
# Show non-Drupal vulnerabilities if any
if [ "$HAS_NON_DRUPAL" = "true" ]; then
if [ "$HAS_DRUPAL" = "true" ]; then
echo "ℹ️ **Security vulnerabilities also found in non-Drupal packages:**" >> $GITHUB_STEP_SUMMARY
else
echo "✅ **No security vulnerabilities found in Drupal packages!**" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "ℹ️ **Security vulnerabilities detected in non-Drupal packages:**" >> $GITHUB_STEP_SUMMARY
fi
echo "" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
cat non_drupal_table.txt >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
fi
# Save non-Drupal vulnerabilities for email
if [ "$HAS_NON_DRUPAL" = "true" ]; then
NON_DRUPAL_SIMPLE=$(cat non_drupal_simple.txt)
echo "non_drupal_simple<<EOF" >> $GITHUB_OUTPUT
echo "$NON_DRUPAL_SIMPLE" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
fi
# Console output
if [ "$HAS_DRUPAL" = "true" ]; then
echo "❌ Drupal security audit failed - vulnerabilities found in Drupal packages"
echo "Drupal security vulnerabilities:"
cat drupal_table.txt
exit 1
else
echo "✅ Drupal security audit passed - no vulnerabilities detected in Drupal packages"
if [ "$HAS_NON_DRUPAL" = "true" ]; then
echo "ℹ️ Non-Drupal packages have vulnerabilities (shown in summary)"
fi
fi
else
echo "✅ **No security vulnerabilities found in any packages!**" >> $GITHUB_STEP_SUMMARY
echo "✅ Drupal security audit passed - no vulnerabilities detected in any packages"
echo "drupal_count=0" >> $GITHUB_OUTPUT
echo "non_drupal_count=0" >> $GITHUB_OUTPUT
fi
- name: Send email notification on failure
if: failure()
uses: dawidd6/action-send-mail@v6
with:
server_address: smtp.gmail.com
server_port: 465
secure: true
username: ${{ secrets.EMAIL_USERNAME }}
password: ${{ secrets.EMAIL_PASSWORD }}
subject: "🚨 Drupal Security Vulnerabilities - ${{ github.repository }}"
to: ${{ vars.PALANTIR_NOTIFICATION_EMAIL }}
from: "Palantir Security Bot <${{ secrets.EMAIL_USERNAME }}>"
html_body: |
<html>
<body style="font-family: Arial, sans-serif; line-height: 1.6; color: #333;">
<h2 style="color: #d73a49;">🚨 Drupal Security Alert</h2>
<p>One or more Drupal security vulnerabilities need to be addressed for a client's website${{ vars.CLIENT_WEBSITE_URL && format(':<br><a href="{0}">{0}</a>', vars.CLIENT_WEBSITE_URL) || '.' }}</p>
<p>A summary is shown below. Click here to see the full results:<br>
<a href="${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}">${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}</a></p>
<div style="background-color: #f8f9fa; padding: 15px; border-left: 4px solid #d73a49; margin: 20px 0;">
<strong>Repository:</strong> ${{ github.repository }}<br>
<strong>Scan Date:</strong> ${{ github.event.repository.updated_at }}<br>
<strong>Drupal Vulnerabilities:</strong> ${{ steps.audit.outputs.drupal_count }}<br>
<strong>Non-Drupal Vulnerabilities:</strong> ${{ steps.audit.outputs.non_drupal_count }}
</div>
${{ steps.audit.outputs.drupal_count > 0 && '<h3 style="color: #d73a49;">🎯 Drupal Package Vulnerabilities (PRIORITY)</h3><pre style="background-color: #f6f8fa; padding: 15px; border-radius: 5px; font-family: monospace; font-size: 13px; line-height: 1.6; white-space: pre-wrap; word-wrap: break-word; margin: 0;">' || '' }}${{ steps.audit.outputs.drupal_simple }}${{ steps.audit.outputs.drupal_count > 0 && '</pre>' || '' }}
${{ steps.audit.outputs.non_drupal_count > 0 && '<h3 style="color: #f66a0a;">ℹ️ Non-Drupal Package Vulnerabilities</h3><pre style="background-color: #f6f8fa; padding: 15px; border-radius: 5px; font-family: monospace; font-size: 13px; line-height: 1.6; white-space: pre-wrap; word-wrap: break-word; margin: 0;">' || '' }}${{ steps.audit.outputs.non_drupal_simple }}${{ steps.audit.outputs.non_drupal_count > 0 && '</pre>' || '' }}
<div style="margin-top: 30px; padding: 15px; background-color: #e3f2fd; border-radius: 5px;">
<strong>Next Steps:</strong>
<ol>
<li>Review the vulnerabilities above</li>
<li>Assess impact on client's custom code</li>
<li>Contact client with next steps and timeline:
<ul>
<li>Highly Critical / Critical: Same-day</li>
<li>Moderately Critical: Next Day</li>
</ul>
</li>
<li>Alert teammates and request assistance</li>
</ol>
</div>
</body>
</html>