diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql-evidence-example.yml similarity index 76% rename from .github/workflows/codeql.yml rename to .github/workflows/codeql-evidence-example.yml index b00b48e..2dfbf57 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql-evidence-example.yml @@ -1,5 +1,4 @@ -name : "CodeQL Analysis Workflow" - +name : "Codeql Evidence Integration example" on: workflow_dispatch: @@ -8,11 +7,12 @@ permissions: contents: read actions: read - jobs: codeql: name: Analyse runs-on: ubuntu-latest + env: + ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: true strategy: fail-fast: false matrix: 
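Review bot: The new job-level `ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: true` is an unquoted YAML boolean, yet every consumer later in the file compares it as a string (`if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true'`); GitHub stringifies env values so this happens to work, but writing it as `ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: "true"` makes the string comparison explicit and keeps yamllint's truthy rule quiet. Since the workflow is `workflow_dispatch`-only, consider exposing the toggle as a boolean input rather than a hard-coded env so an operator can choose per run without editing the file. The `jobs.codeql` definition continues past this hunk.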
@@ -23,46 +23,17 @@ jobs: queries_path: ./examples/codeql/queries/go steps: - - uses: actions/checkout@v4 - with: - sparse-checkout: | - examples/codeql/** - sparse-checkout-cone-mode: false - - - name: Set up CodeQL for ${{ matrix.language_details.name }} - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language_details.name }} - config-file: examples/codeql/codeql-config.yml - queries: ${{ matrix.language_details.queries_path }} - - - name: Setup Jfrog CLI for go + # Build and publish the packages to JFrog Artifactory + - name: Setup jfrog cli uses: jfrog/setup-jfrog-cli@v4 env: JF_URL: ${{ vars.ARTIFACTORY_URL }} JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} - - - - name: Setup Go - if: matrix.language_details.name == 'go' - uses: actions/setup-go@v5 - with: - go-version: '1.24.3' - - - - name: Run CodeQL Analysis for ${{ matrix.language_details.name }} - uses: github/codeql-action/analyze@v3 + - uses: actions/checkout@v4 with: - category: "security-and-quality" - output: results-${{ matrix.language_details.name }} - upload: false - - - name: Convert SARIF to Markdown - run: | - python ./examples/codeql/sarif_to_markdown.py \ - results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}.sarif \ - results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}-report.md - + sparse-checkout: | + examples/codeql/** + sparse-checkout-cone-mode: false - name: Build and Publish ${{ matrix.language_details.name }} package env: GO_CODE_PATH: examples/codeql/go 
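Review bot: Every third-party action on the new side (`jfrog/setup-jfrog-cli@v4`, `actions/checkout@v4`, and the CodeQL actions further down) is pinned to a mutable major tag, so a force-pushed or compromised tag would execute with `JF_ACCESS_TOKEN` in its environment; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: jfrog/setup-jfrog-cli@<40-char-sha> # v4`. This hunk also drops the `actions/setup-go@v5` step and its `go-version: '1.24.3'` pin, so the `jf go-config`/`jf gp` steps below now build with whatever Go the `ubuntu-latest` image happens to ship, which weakens reproducibility of the artifact the evidence is later attached to; if relying on the runner toolchain is deliberate, a comment saying so would help the next reader. The `steps` list continues past this hunk.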
@@ -70,11 +41,9 @@ jobs: run: | if [ ${{ matrix.language_details.name }} == 'go' ]; then cd $GO_CODE_PATH - # Configure JFrog CLI for Go jf go-config --repo-resolve=go-remote --repo-deploy=go-local \ --server-id-deploy=setup-jfrog-cli-server \ - --server-id-resolve=setup-jfrog-cli-server - + --server-id-resolve=setup-jfrog-cli-server jf gp --build-name=my-go-build --build-number=${{ github.run_number }} v0.0.${{ github.run_number }} jf rt bp my-go-build ${{ github.run_number }} elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then 
@@ -82,14 +51,37 @@ jobs: jf npm-config --repo-resolve=javascript-remote --repo-deploy=javascript-local \ --server-id-deploy=setup-jfrog-cli-server \ --server-id-resolve=setup-jfrog-cli-server - jf npm publish --build-name=my-javascript-build --build-number=${{ github.run_number }} jf rt bp my-javascript-build ${{ github.run_number }} fi cd - continue-on-error: true - - name: Attach Evidence Using JFrog CLI + # Set up CodeQL and run analysis + - name: Set up CodeQL for ${{ matrix.language_details.name }} + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language_details.name }} + config-file: examples/codeql/codeql-config.yml + queries: ${{ matrix.language_details.queries_path }} + + - name: Run CodeQL Analysis for ${{ matrix.language_details.name }} + uses: github/codeql-action/analyze@v3 + with: + category: "security-and-quality" + output: results-${{ matrix.language_details.name }} + upload: false + + # This is an optional step to generate a custom markdown report + - name: Generate optional custom markdown report + if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' + run: | + python ./examples/codeql/sarif_to_markdown.py \ + results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}.sarif \ + results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}-report.md + + # Attaching the evidence to associated package + - name: Attach Evidence using JFrog CLI run: | jf config show if [ ${{ matrix.language_details.name }} == 'go' ]; then 
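Review bot: The publish step keeps `continue-on-error: true`, but the reordered flow now runs CodeQL and then `jf evd create` unconditionally, so when `jf gp` or `jf npm publish` fails the SARIF from this checkout is still attached to whatever already sits at that package version in Artifactory (the JavaScript branch uses a fixed `PACKAGE_VERSION="0.0.1"` in the next hunk, so a stale artifact is quite plausible). Evidence should only be attached to the artifact the scan actually describes: either drop `continue-on-error: true`, or give the publish step `id: publish` and gate the attach step with `if: steps.publish.outcome == 'success'`. The `run` block of the attach step continues into the next hunk.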
@@ -98,20 +90,20 @@ jobs: --package-name "jfrog.com/mygobuild" \ --package-version $PACKAGE_VERSION \ --package-repo-name go-local \ - --key "${{ secrets.CODEQL_SIGNING_KEY }}" \ - --key-alias ${{ vars.CODEQL_KEY_ALIAS }} \ + --key "${{ secrets.PRIVATE_KEY }}" \ + --key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \ --predicate "results-go/go.sarif" \ --predicate-type "http://github.com/CodeQL/static-analysis" \ - --markdown "results-go/go-report.md" + ${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "results-go/go-report.md"' || '' }} elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then PACKAGE_VERSION="0.0.1" jf evd create \ --package-name my-javascript-build \ --package-version $PACKAGE_VERSION \ --package-repo-name javascript-local \ - --key "${{ secrets.CODEQL_SIGNING_KEY }}" \ - --key-alias ${{ vars.CODEQL_KEY_ALIAS }} \ + --key "${{ secrets.PRIVATE_KEY }}" \ + --key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \ --predicate "results-javascript/javascript.sarif" \ --predicate-type "http://github.com/CodeQL/static-analysis" \ - --markdown "results-javascript/javascript-report.md" + ${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "results-javascript/javascript-report.md"' || '' }} fi diff --git a/.github/workflows/dependabot-evidence-example.yml b/.github/workflows/dependabot-evidence-example.yml index 978f666..56b3182 100644 --- a/.github/workflows/dependabot-evidence-example.yml +++ b/.github/workflows/dependabot-evidence-example.yml @@ -1,4 +1,4 @@ -name: dependabot-evidence-example +name: "Dependabot evidence integration example" on: workflow_dispatch: 
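Review bot: Both `jf evd create` calls now pass the signing key inline as `--key "${{ secrets.PRIVATE_KEY }}"`, which places the private key material in the process argument list (visible to other processes on the runner via `/proc/<pid>/cmdline`) and relies solely on GitHub's log masking to keep it out of job output. If `--key` accepts a file path, hand the secret to the step through `env:` as `EVIDENCE_PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}`, write it with `KEY_FILE=$(mktemp); printf '%s' "$EVIDENCE_PRIVATE_KEY" > "$KEY_FILE"` (mktemp creates the file mode 0600), pass `--key "$KEY_FILE"`, and `rm -f "$KEY_FILE"` afterwards. Also confirm that the `jf config show` call at the top of this step does not echo the configured access token before leaving it in an example others will copy. The `run` block of this step begins in the previous hunk.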
@@ -14,50 +14,28 @@ jobs: IMAGE_NAME: 'dependabot-docker-image' BUILD_NAME: 'dependabot-evidence-eg' VERSION: ${{ github.run_number }} - REGISTRY_DOMAIN: ${{ vars.REGISTRY_DOMAIN }} + REGISTRY_DOMAIN: ${{ vars.JF_URL }} + ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: true steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Setup JFrog CLI + # Build and publish the packages to JFrog Artifactory + - name: Setup jfrog cli uses: jfrog/setup-jfrog-cli@v4 env: JF_URL: ${{ vars.ARTIFACTORY_URL }} JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} - - - name: Log in to Artifactory Docker Registry - uses: docker/login-action@v3 - with: - registry: ${{ vars.ARTIFACTORY_URL }} - username: ${{ secrets.JF_USER }} - password: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - + - name: Checkout code + uses: actions/checkout@v4 - name: Build and Push Docker Image to Artifactory run: | docker build -f ./examples/dependabot-alerts-example/Dockerfile . 
--tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=$VERSION - - name: Get Artifact Details - run: | - ARTIFACT_NAME="$REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION" - echo "ARTIFACT_NAME=$ARTIFACT_NAME" >> $GITHUB_ENV - - IMAGE_ID=$(docker images --format "{{.ID}}" "$ARTIFACT_NAME") - echo "IMAGE_ID=$IMAGE_ID" >> $GITHUB_ENV - - IMAGE_SIZE=$(docker images --format "{{.Size}}" "$ARTIFACT_NAME" | sed 's/MB//' | awk '{print $1 * 1024 * 1024}') - echo "IMAGE_SIZE=$IMAGE_SIZE" >> $GITHUB_ENV - - echo "SCAN_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"" >> $GITHUB_ENV - + # Fetch Dependabot Vulnerability Snapshot + # Github token with 'security_events: read' permission has to be provided - name: Fetch Dependabot Vulnerability Snapshot - id: dependabot_snapshot env: - GH_TOKEN: ${{ secrets.TOKEN_GIT }} # GitHub Token with 'security_events: read' permission is required + GH_TOKEN: ${{ secrets.GH_PAT }} OWNER: ${{ github.repository_owner }} REPO: ${{ github.event.repository.name }} run: | 
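Review bot: `REGISTRY_DOMAIN: ${{ vars.JF_URL }}` feeds `docker build --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION`, while the CLI itself is configured from a different variable, `JF_URL: ${{ vars.ARTIFACTORY_URL }}`; a Docker tag needs a bare host with no scheme, so if `vars.JF_URL` is a URL as its name suggests the build fails, and if the two variables point at different instances the push and the later `jf evd create` target different servers. Use one source of truth, e.g. derive `REGISTRY_DOMAIN` from `vars.ARTIFACTORY_URL` with the scheme stripped, or document in a comment that `vars.JF_URL` must be the bare registry hostname. The Dependabot fetch now authenticates with a long-lived `secrets.GH_PAT`; the new comment should name the least-privilege token type (a fine-grained token with read access to Dependabot alerts on this repository only) rather than the broad `security_events: read` wording, so the example does not encourage over-scoped classic tokens. The fetch step's `run` block continues into the next hunk.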
@@ -76,27 +54,33 @@ jobs: detectedAt: .created_at } ]' > result.json - jq -n --argjson data "$(cat result.json)" '{ data: $data }' > dependabot.json - - name: Generate and Save Dependabot Markdown Report + # This is an optional step to generate a custom markdown report + - name: Generate optional custom markdown report + if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' run: | + ARTIFACT_NAME="$REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION" + IMAGE_ID=$(docker images --format "{{.ID}}" "$ARTIFACT_NAME") + IMAGE_SIZE=$(docker images --format "{{.Size}}" "$ARTIFACT_NAME" | sed 's/MB//' | awk '{print $1 * 1024 * 1024}') + SCAN_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") python ./examples/dependabot-alerts-example/markdown_helper.py \ "dependabot.json" \ "dependabot_report.md" \ - "$ARTIFACT_NAME" \ + "$REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION" \ "$SCAN_DATE" \ "$IMAGE_ID" \ "$IMAGE_SIZE" - - name: Create Dependabot Evidence + # Attaching the evidence to associated package + - name: Attach Evidence using JFrog CLI run: | jf evd create \ --package-name $IMAGE_NAME \ --package-version $VERSION \ --package-repo-name $REPO_NAME \ - --key "${{ secrets.TEST_PRVT_KEY }}" \ - --key-alias ${{ vars.TEST_PUB_KEY_ALIAS }} \ + --key "${{ secrets.PRIVATE_KEY }}" \ + --key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \ --predicate ./dependabot.json \ --predicate-type http://Github.com/Dependabot/static-analysis \ - --markdown dependabot_report.md \ No newline at end of file + ${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "dependabot_report.md"' || '' }} \ No newline at end of file diff --git a/.github/workflows/trivy-evidence-example.yml b/.github/workflows/trivy-evidence-example.yml index 866fd12..93aab12 100644 --- a/.github/workflows/trivy-evidence-example.yml +++ b/.github/workflows/trivy-evidence-example.yml @@ -1,5 +1,4 @@ -name: trivy-evidence-example - +name: "Trivy evidence integration example" on: workflow_dispatch: 
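Review bot: The relocated `IMAGE_SIZE` line still does `sed 's/MB//' | awk '{print $1 * 1024 * 1024}'`, so any image Docker reports in `GB` or `kB` is mis-sized (awk takes the leading digits of `1.2GB` and multiplies them as megabytes) and that wrong figure is baked into the Markdown that gets attached as signed evidence. Use the byte count Docker already provides, `IMAGE_SIZE=$(docker image inspect --format '{{.Size}}' "$ARTIFACT_NAME")`, which removes the unit parsing entirely. The `jf evd create` call at the end of this hunk also passes the private key inline via `--key "${{ secrets.PRIVATE_KEY }}"`, exposing it on the process command line; prefer writing it to a `mktemp` file from a step `env:` variable and passing the path.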
@@ -11,52 +10,56 @@ jobs: package-docker-image-with-trivy-evidence: runs-on: ubuntu-latest env: - REGISTRY_URL: ${{ vars.REGISTRY_DOMAIN }} + REGISTRY_DOMAIN: ${{ vars.JF_URL }} REPO_NAME: 'docker-trivy-repo' IMAGE_NAME: 'docker-trivy-image' VERSION: ${{ github.run_number }} BUILD_NAME: 'trivy-docker-build' + ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: true steps: - - name: Install jfrog cli + # Build and publish the packages to JFrog Artifactory + - name: Setup jfrog cli uses: jfrog/setup-jfrog-cli@v4 env: JF_URL: ${{ vars.ARTIFACTORY_URL }} JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} - - name: Checkout repository uses: actions/checkout@v4 - - - name: Build Docker Image + - name: Build and publish Docker Image to Artifactory run: | - docker build . --file ./examples/trivy-verify-example/Dockerfile --tag $REGISTRY_URL/$REPO_NAME/$IMAGE_NAME:$VERSION + docker build . --file ./examples/trivy-verify-example/Dockerfile --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION + echo "Pushing Docker Image to Artifactory" + jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=${{ github.run_number }} + echo "Pushing Docker Image to Artifactory completed" + echo "publishing build info" + jf rt build-publish $BUILD_NAME ${{ github.run_number }} + + # Fetch Trivy Vulnerability Snapshot - name: Run Trivy uses: aquasecurity/trivy-action@master with: - image-ref: ${{ env.REGISTRY_URL }}/${{ env.REPO_NAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} + image-ref: ${{ env.REGISTRY_DOMAIN }}/${{ env.REPO_NAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} severity: HIGH,CRITICAL format: json output: trivy-results.json - - name: Convert Trivy JSON Output to Markdown - run: python ./examples/trivy-verify-example/trivy_json_to_markdown_helper.py trivy-results.json - - - name: Push Docker Image to Artifactory - run: | - echo "Pushing Docker image to Artifactory..." 
- jf rt docker-push $REGISTRY_URL/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=${{ github.run_number }} - - name: Publish Build Info + # This is an optional step to generate a custom markdown report + - name: Generate optional custom markdown report + if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' run: | - jf rt build-publish $BUILD_NAME ${{ github.run_number }} - - name: Attach Evidence Using JFrog CLI + python ./examples/trivy-verify-example/trivy_json_to_markdown_helper.py trivy-results.json + + # Attaching the evidence to associated package + - name: Attach evidence using jfrog cli run: | + ls -al jf evd create \ --package-name $IMAGE_NAME \ --package-version $VERSION \ --package-repo-name $REPO_NAME \ - --key "${{ secrets.TRIVY_TEST_PKEY }}" \ - --key-alias ${{ vars.TRIVY_TEST_KEY }} \ + --key "${{ secrets.PRIVATE_KEY }}" \ + --key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \ --predicate ./trivy-results.json \ --predicate-type http://aquasec.com/trivy/security-scan \ - --markdown trivy-results.md - echo "Trivy evidence attached to package" \ No newline at end of file + ${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "trivy-results.md"' || '' }} \ No newline at end of file diff --git a/.gitignore b/.gitignore index b85059b..a1d2a25 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ /examples/sonar-scan-example/sonar-scanner-4.6.2.2472-linux/* /examples/sonar-scan-example/bin/* -/examples/jira-transition-example/bin/* \ No newline at end of file +/examples/jira-transition-example/bin/* +*.pem \ No newline at end of file
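Review bot: `uses: aquasecurity/trivy-action@master` on the new side tracks a moving branch, so the scanner that produces the signed evidence can change, or be replaced by a compromised commit, without any change to this repository; pin it to a full commit SHA with the release in a comment, e.g. `uses: aquasecurity/trivy-action@<40-char-sha> # <release-tag>`. The new `ls -al` at the top of the attach step is leftover debugging and should be removed before this becomes the reference example. Note as well that the attached `trivy-results.json` is produced with `severity: HIGH,CRITICAL`, so lower-severity findings are absent from the evidence; either drop the filter for the attached predicate or state the filter in the accompanying report so a verifier does not mistake it for a full scan.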