@@ -1,5 +1,4 @@
name : "CodeQL Analysis Workflow"

name : "Codeql Evidence Integration example"
on:
workflow_dispatch:

Expand All @@ -8,11 +7,12 @@ permissions:
contents: read
actions: read


jobs:
codeql:
name: Analyse
runs-on: ubuntu-latest
env:
ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: true
strategy:
fail-fast: false
matrix:
Expand All @@ -23,73 +23,65 @@ jobs:
queries_path: ./examples/codeql/queries/go

steps:
- uses: actions/checkout@v4
with:
sparse-checkout: |
examples/codeql/**
sparse-checkout-cone-mode: false

- name: Set up CodeQL for ${{ matrix.language_details.name }}
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language_details.name }}
config-file: examples/codeql/codeql-config.yml
queries: ${{ matrix.language_details.queries_path }}

- name: Setup Jfrog CLI for go
# Build and publish the packages to JFrog Artifactory
- name: Setup jfrog cli
uses: jfrog/setup-jfrog-cli@v4
env:
JF_URL: ${{ vars.ARTIFACTORY_URL }}
JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}


- name: Setup Go
if: matrix.language_details.name == 'go'
uses: actions/setup-go@v5
with:
go-version: '1.24.3'


- name: Run CodeQL Analysis for ${{ matrix.language_details.name }}
uses: github/codeql-action/analyze@v3
- uses: actions/checkout@v4
with:
category: "security-and-quality"
output: results-${{ matrix.language_details.name }}
upload: false

- name: Convert SARIF to Markdown
run: |
python ./examples/codeql/sarif_to_markdown.py \
results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}.sarif \
results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}-report.md

sparse-checkout: |
examples/codeql/**
sparse-checkout-cone-mode: false
- name: Build and Publish ${{ matrix.language_details.name }} package
env:
GO_CODE_PATH: examples/codeql/go
JS_CODE_PATH: examples/codeql/js
run: |
if [ ${{ matrix.language_details.name }} == 'go' ]; then
cd $GO_CODE_PATH
# Configure JFrog CLI for Go
jf go-config --repo-resolve=go-remote --repo-deploy=go-local \
--server-id-deploy=setup-jfrog-cli-server \
--server-id-resolve=setup-jfrog-cli-server

--server-id-resolve=setup-jfrog-cli-server
jf gp --build-name=my-go-build --build-number=${{ github.run_number }} v0.0.${{ github.run_number }}
jf rt bp my-go-build ${{ github.run_number }}
elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then
cd $JS_CODE_PATH
jf npm-config --repo-resolve=javascript-remote --repo-deploy=javascript-local \
--server-id-deploy=setup-jfrog-cli-server \
--server-id-resolve=setup-jfrog-cli-server

jf npm publish --build-name=my-javascript-build --build-number=${{ github.run_number }}
jf rt bp my-javascript-build ${{ github.run_number }}
fi
cd -
continue-on-error: true

- name: Attach Evidence Using JFrog CLI
# Set up CodeQL and run analysis
- name: Set up CodeQL for ${{ matrix.language_details.name }}
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language_details.name }}
config-file: examples/codeql/codeql-config.yml
queries: ${{ matrix.language_details.queries_path }}

- name: Run CodeQL Analysis for ${{ matrix.language_details.name }}
uses: github/codeql-action/analyze@v3
with:
category: "security-and-quality"
output: results-${{ matrix.language_details.name }}
upload: false

# This is an optional step to generate a custom markdown report
- name: Generate optional custom markdown report
if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true'
run: |
python ./examples/codeql/sarif_to_markdown.py \
results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}.sarif \
results-${{ matrix.language_details.name }}/${{ matrix.language_details.name }}-report.md

# Attaching the evidence to associated package
- name: Attach Evidence using JFrog CLI
run: |
jf config show
if [ ${{ matrix.language_details.name }} == 'go' ]; then
Expand All @@ -98,20 +90,20 @@ jobs:
--package-name "jfrog.com/mygobuild" \
--package-version $PACKAGE_VERSION \
--package-repo-name go-local \
--key "${{ secrets.CODEQL_SIGNING_KEY }}" \
--key-alias ${{ vars.CODEQL_KEY_ALIAS }} \
--key "${{ secrets.PRIVATE_KEY }}" \
--key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \
--predicate "results-go/go.sarif" \
--predicate-type "http://github.com/CodeQL/static-analysis" \
--markdown "results-go/go-report.md"
${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "results-go/go-report.md"' || '' }}
elif [ ${{ matrix.language_details.name }} == 'javascript' ]; then
PACKAGE_VERSION="0.0.1"
jf evd create \
--package-name my-javascript-build \
--package-version $PACKAGE_VERSION \
--package-repo-name javascript-local \
--key "${{ secrets.CODEQL_SIGNING_KEY }}" \
--key-alias ${{ vars.CODEQL_KEY_ALIAS }} \
--key "${{ secrets.PRIVATE_KEY }}" \
--key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \
--predicate "results-javascript/javascript.sarif" \
--predicate-type "http://github.com/CodeQL/static-analysis" \
--markdown "results-javascript/javascript-report.md"
${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "results-javascript/javascript-report.md"' || '' }}
fi
62 changes: 23 additions & 39 deletions .github/workflows/dependabot-evidence-example.yml
@@ -1,4 +1,4 @@
name: dependabot-evidence-example
name: "Dependabot evidence integration example"
on:
workflow_dispatch:

Expand All @@ -14,50 +14,28 @@ jobs:
IMAGE_NAME: 'dependabot-docker-image'
BUILD_NAME: 'dependabot-evidence-eg'
VERSION: ${{ github.run_number }}
REGISTRY_DOMAIN: ${{ vars.REGISTRY_DOMAIN }}
REGISTRY_DOMAIN: ${{ vars.JF_URL }}
ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: true

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Setup JFrog CLI
# Build and publish the packages to JFrog Artifactory
- name: Setup jfrog cli
uses: jfrog/setup-jfrog-cli@v4
env:
JF_URL: ${{ vars.ARTIFACTORY_URL }}
JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}

- name: Log in to Artifactory Docker Registry
uses: docker/login-action@v3
with:
registry: ${{ vars.ARTIFACTORY_URL }}
username: ${{ secrets.JF_USER }}
password: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Checkout code
uses: actions/checkout@v4
- name: Build and Push Docker Image to Artifactory
run: |
docker build -f ./examples/dependabot-alerts-example/Dockerfile . --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION
jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=$VERSION

- name: Get Artifact Details
run: |
ARTIFACT_NAME="$REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION"
echo "ARTIFACT_NAME=$ARTIFACT_NAME" >> $GITHUB_ENV

IMAGE_ID=$(docker images --format "{{.ID}}" "$ARTIFACT_NAME")
echo "IMAGE_ID=$IMAGE_ID" >> $GITHUB_ENV

IMAGE_SIZE=$(docker images --format "{{.Size}}" "$ARTIFACT_NAME" | sed 's/MB//' | awk '{print $1 * 1024 * 1024}')
echo "IMAGE_SIZE=$IMAGE_SIZE" >> $GITHUB_ENV

echo "SCAN_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"" >> $GITHUB_ENV

# Fetch Dependabot Vulnerability Snapshot
# Github token with 'security_events: read' permission has to be provided
- name: Fetch Dependabot Vulnerability Snapshot
id: dependabot_snapshot
env:
GH_TOKEN: ${{ secrets.TOKEN_GIT }} # GitHub Token with 'security_events: read' permission is required
GH_TOKEN: ${{ secrets.GH_PAT }}
OWNER: ${{ github.repository_owner }}
REPO: ${{ github.event.repository.name }}
run: |
Expand All @@ -76,27 +54,33 @@ jobs:
detectedAt: .created_at
}
]' > result.json

jq -n --argjson data "$(cat result.json)" '{ data: $data }' > dependabot.json

- name: Generate and Save Dependabot Markdown Report
# This is an optional step to generate a custom markdown report
- name: Generate optional custom markdown report
if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true'
run: |
ARTIFACT_NAME="$REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION"
IMAGE_ID=$(docker images --format "{{.ID}}" "$ARTIFACT_NAME")
IMAGE_SIZE=$(docker images --format "{{.Size}}" "$ARTIFACT_NAME" | sed 's/MB//' | awk '{print $1 * 1024 * 1024}')
SCAN_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
python ./examples/dependabot-alerts-example/markdown_helper.py \
"dependabot.json" \
"dependabot_report.md" \
"$ARTIFACT_NAME" \
"$REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION" \
"$SCAN_DATE" \
"$IMAGE_ID" \
"$IMAGE_SIZE"

- name: Create Dependabot Evidence
# Attaching the evidence to associated package
- name: Attach Evidence using JFrog CLI
run: |
jf evd create \
--package-name $IMAGE_NAME \
--package-version $VERSION \
--package-repo-name $REPO_NAME \
--key "${{ secrets.TEST_PRVT_KEY }}" \
--key-alias ${{ vars.TEST_PUB_KEY_ALIAS }} \
--key "${{ secrets.PRIVATE_KEY }}" \
--key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \
--predicate ./dependabot.json \
--predicate-type http://Github.com/Dependabot/static-analysis \
--markdown dependabot_report.md
${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "dependabot_report.md"' || '' }}
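Review bot: The signing key is expanded directly into the shell script at `--key "${{ secrets.PRIVATE_KEY }}"`, so the key material becomes part of the generated `run` body and of the `jf` argument list instead of staying in the step's environment; log masking hides it from the job log but not from `ps` or a crash dump on the runner. Put it on the step as `env: PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}` and reference `--key "$PRIVATE_KEY"` in the script (and, if `--key` accepts a file path, prefer a 0600 temp file so it never reaches argv); the same pattern appears in the `jf evd create` calls of the other workflows in this PR. The `GH_TOKEN: ${{ secrets.GH_PAT }}` on the snapshot step swaps a purpose-named token for a personal access token whose scope is not stated anywhere; if the built-in `GITHUB_TOKEN` with `permissions: security-events: read` can read this repository's Dependabot alerts it is the least-privilege option, otherwise the comment above the step should say the PAT must be limited to that scope. The docker-push step passes `--build-name` but, unlike the Trivy workflow, never runs `jf rt build-publish`, so the build info it references is never published — presumably an oversight worth confirming.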
49 changes: 26 additions & 23 deletions .github/workflows/trivy-evidence-example.yml
@@ -1,5 +1,4 @@
name: trivy-evidence-example

name: "Trivy evidence integration example"
on:
workflow_dispatch:

Expand All @@ -11,52 +10,56 @@ jobs:
package-docker-image-with-trivy-evidence:
runs-on: ubuntu-latest
env:
REGISTRY_URL: ${{ vars.REGISTRY_DOMAIN }}
REGISTRY_DOMAIN: ${{ vars.JF_URL }}
REPO_NAME: 'docker-trivy-repo'
IMAGE_NAME: 'docker-trivy-image'
VERSION: ${{ github.run_number }}
BUILD_NAME: 'trivy-docker-build'
ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE: true

steps:
- name: Install jfrog cli
# Build and publish the packages to JFrog Artifactory
- name: Setup jfrog cli
uses: jfrog/setup-jfrog-cli@v4
env:
JF_URL: ${{ vars.ARTIFACTORY_URL }}
JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}

- name: Checkout repository
uses: actions/checkout@v4

- name: Build Docker Image
- name: Build and publish Docker Image to Artifactory
run: |
docker build . --file ./examples/trivy-verify-example/Dockerfile --tag $REGISTRY_URL/$REPO_NAME/$IMAGE_NAME:$VERSION
docker build . --file ./examples/trivy-verify-example/Dockerfile --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION
echo "Pushing Docker Image to Artifactory"
jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=${{ github.run_number }}
echo "Pushing Docker Image to Artifactory completed"
echo "publishing build info"
jf rt build-publish $BUILD_NAME ${{ github.run_number }}

# Fetch Trivy Vulnerability Snapshot
- name: Run Trivy
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY_URL }}/${{ env.REPO_NAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
image-ref: ${{ env.REGISTRY_DOMAIN }}/${{ env.REPO_NAME }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
severity: HIGH,CRITICAL
format: json
output: trivy-results.json

- name: Convert Trivy JSON Output to Markdown
run: python ./examples/trivy-verify-example/trivy_json_to_markdown_helper.py trivy-results.json

- name: Push Docker Image to Artifactory
run: |
echo "Pushing Docker image to Artifactory..."
jf rt docker-push $REGISTRY_URL/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=${{ github.run_number }}
- name: Publish Build Info
# This is an optional step to generate a custom markdown report
- name: Generate optional custom markdown report
if: env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true'
run: |
jf rt build-publish $BUILD_NAME ${{ github.run_number }}
- name: Attach Evidence Using JFrog CLI
python ./examples/trivy-verify-example/trivy_json_to_markdown_helper.py trivy-results.json

# Attaching the evidence to associated package
- name: Attach evidence using jfrog cli
run: |
ls -al
jf evd create \
--package-name $IMAGE_NAME \
--package-version $VERSION \
--package-repo-name $REPO_NAME \
--key "${{ secrets.TRIVY_TEST_PKEY }}" \
--key-alias ${{ vars.TRIVY_TEST_KEY }} \
--key "${{ secrets.PRIVATE_KEY }}" \
--key-alias "${{ vars.EVIDENCE_KEY_ALIAS }}" \
--predicate ./trivy-results.json \
--predicate-type http://aquasec.com/trivy/security-scan \
--markdown trivy-results.md
echo "Trivy evidence attached to package"
${{ env.ATTACH_OPTIONAL_CUSTOM_MARKDOWN_TO_EVIDENCE == 'true' && '--markdown "trivy-results.md"' || '' }}
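Review bot: `uses: aquasecurity/trivy-action@master` resolves a mutable branch on every run, so the scanner that produces the signed evidence — running in a job that holds `PRIVATE_KEY` and `ARTIFACTORY_ACCESS_TOKEN` — can change without any diff in this repository; pin it to a release tag or, better, a commit SHA with a version comment, as the other actions here are at least pinned to a major tag. The `ls -al` at the top of the attach step looks like leftover debugging and prints the workspace listing on every run; drop it. Because the image is pushed before Trivy runs and the attach step has no `if` on the scan outcome, the evidence records findings but does not gate publication — a one-line comment such as `# Evidence is attached regardless of findings; enforce policy in Artifactory, not here` would stop readers mistaking this for a block-on-CRITICAL scan.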
3 changes: 2 additions & 1 deletion .gitignore
@@ -1,3 +1,4 @@
/examples/sonar-scan-example/sonar-scanner-4.6.2.2472-linux/*
/examples/sonar-scan-example/bin/*
/examples/jira-transition-example/bin/*
/examples/jira-transition-example/bin/*
*.pem
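Review bot: Adding `*.pem` suggests the example workflows can leave private key files in the working tree; an ignore rule only prevents new accidental commits and neither untracks a `.pem` already committed nor removes one from history, so confirm with `git log --all --diff-filter=A -- '*.pem'` that none exists. A short comment above the rule stating why it is there, e.g. `# local signing keys used when testing the evidence examples; never commit`, would make the intent clear to the next maintainer.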