shiftleft_Github-Actions/.github/workflows/main.yml at main · smcloud65/shiftleft_Github-Actions · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
name: Prisma Cloud Shift Left demo
on: [ push,pull_request ]

jobs:
  prisma_cloud_job:
    runs-on: ubuntu-latest
    name: Run Prisma Cloud steps
    env:
          TL_USER: ${{ secrets.TL_USER }}
          TL_PASS: ${{ secrets.TL_PASS }}
          TL_CONSOLE: ${{ secrets.TL_CONSOLE }}
          BYPASS_REPOSCAN: 1
          BYPASS_OSS_LICENSE: 1
          BYPASS_IMAGESCAN: 0
          BYPASS_WF: 1
    steps:

      - name: Checkout
        uses: actions/checkout@v2

      #- name: Check image Git dependencies has no vulnerabilities
      #  run: bash ./files/checkGit.sh
      - name: twistcli download
        run: curl -s -k -u $TL_USER:$TL_PASS "https://$TL_CONSOLE/api/v1/util/twistcli" -v -o twistcli;chmod +x twistcli

      - name: Repo Vulnerability scan
        run: bash ./files/repoScan.sh

      - name: OSS License Check
        run: bash ./files/licenseCheck.sh

      - name: Apply security policies (Policy-as-Code) for evilpetclinic
        run: bash ./files/addPolicies.sh

      - name: Scan Image for vulnerabilities
        run: bash ./files/scanImage.sh


    #  - name: IaC scan of files in the repository
    #    uses: prisma-cloud-shiftleft/iac-scan-action@v1
    #    id: iac-scan
    #    with:
    #      prisma_api_url: 'https://api.prismacloud.io'
    #      access_key: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
    #      secret_key: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
    #      asset_name: 'shiftleft-github-actions'
    #      template_type: 'K8S'
    #      failure_criteria: High:3,Medium:3,Low:10,Operator:or
    #      scan_path: ./files

    #  - name: Upload scan result artifact
    #    uses: actions/upload-artifact@v2
    #    if: success() || failure()
    #    with:
    #      name: iac_scan_result
    #      path: ${{ steps.iac-scan.outputs.iac_scan_result_path }}

      - name: Scan Image for Malware using Wildfire
        run: bash ./files/malwareCheck.sh


      - name: Run Checkov action
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: ./files
          soft_fail: true # optional: do not return an error code if there are failed checks
          framework: kubernetes # optional: run only on a specific infrastructure {cloudformation,terraform,kubernetes,all}
          quiet: true
          output_format: github_failed_only # optional: the output format, one of: cli, json, junitxml, github_failed_only
          log_level: WARNING # optional: set log level. Default WARNING

      - name: Deploy evilpetclinic app
        run: bash files/exec.sh deploy.sh

      - name: Runtime attacks
        run: bash files/exec.sh runtime_attacks.sh

      - name: WAAS attacks
        run: bash files/exec.sh waas_attacks.sh