Skip to content

Commit

Permalink
Migrate security-check to reusable Github Actions
Browse files Browse the repository at this point in the history
  • Loading branch information
phavekes committed May 23, 2024
1 parent 9b2116f commit 6d801e5
Showing 1 changed file with 3 additions and 94 deletions.
97 changes: 3 additions & 94 deletions .github/workflows/daily-security-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,97 +6,6 @@ on:
workflow_dispatch:

jobs:
security:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
- name: Checkout repo
uses: actions/checkout@v2

# PHP checks
- name: Check for php composer project
id: check_composer
uses: andstor/file-existence-action@v2
with:
files: "composer.lock"
- name: Vulnerability check
run: php composer audit
if: steps.check_composer.outputs.files_exists == 'true'

# node-yarn checks
- name: Check for node-yarn project
id: check_node_yarn
uses: andstor/file-existence-action@v2
with:
files: "yarn.lock"
- name: Setup node
if: steps.check_node_yarn.outputs.files_exists == 'true'
uses: actions/setup-node@v3
with:
node-version: 14
- name: Yarn Audit
if: steps.check_node_yarn.outputs.files_exists == 'true'
run: yarn audit --level high --groups dependencies optionalDependencies

# node-npm checks
- name: Check for node-npm project
id: check_node_npm
uses: andstor/file-existence-action@v2
with:
files: "package.lock"
- name: Setup node
if: steps.check_node_npm.outputs.files_exists == 'true'
uses: actions/setup-node@v3
with:
node-version: 14
- name: npm audit
if: steps.check_node_npm.outputs.files_exists == 'true'
run: npm audit --audit-level=high

# python checks
- name: Check for python project
id: check_python
uses: andstor/file-existence-action@v2
with:
files: "requirements.txt"
- name: Safety checks Python dependencies
if: steps.check_python.outputs.files_exists == 'true'
uses: pyupio/[email protected]

# java checks
- name: Check for java maven project
id: check_maven
uses: andstor/file-existence-action@v2
with:
files: "pom.xml"
- name: Setup java if needed
if: steps.check_maven.outputs.files_exists == 'true'
uses: actions/setup-java@v3
with:
java-version: 11
distribution: 'temurin'
cache: 'maven'
- name: Set up maven cache if needed
if: steps.check_maven.outputs.files_exists == 'true'
uses: actions/cache@v1
with:
path: ~/.m2/repository
key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
restore-keys: |
${{ runner.os }}-maven-
- name: Check java
if: steps.check_maven.outputs.files_exists == 'true'
run: mvn org.owasp:dependency-check-maven:check

# Send results
- name: Send to Slack if something failed
if: failure()
uses: rtCamp/action-slack-notify@v2
env:
SLACK_CHANNEL: surfconext-nightly-check
SLACK_COLOR: ${{ job.status }}
SLACK_ICON: https://static.surfconext.nl/logos/idp/surfnet.png
SLACK_MESSAGE: 'Dependency check failed :crying_cat_face:'
SLACK_TITLE: ${{ github.repository }} wants attention
SLACK_USERNAME: NightlySecurityCheck
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
call-workflow-passing-data:
name: Daily security check (Reusable Workflow)
uses: openconext/openconext-githubactions/.github/workflows/daily-security-check.yml@main

0 comments on commit 6d801e5

Please sign in to comment.