Skip to content

Commit

Permalink
adds both workflows again
Browse files Browse the repository at this point in the history
  • Loading branch information
Guilherme Resende Freitas authored and Guilherme Resende Freitas committed Apr 16, 2024
1 parent 8028cc2 commit 70778d8
Show file tree
Hide file tree
Showing 3 changed files with 164 additions and 0 deletions.
28 changes: 28 additions & 0 deletions .github/workflows/blackbox-workflow.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
name: Blackbox

on:
repository_dispatch:
types: [event-trigger]
workflow_dispatch: ~

# .github/workflows/blackbox-workflow.yml
jobs:
run-blackbox-action:
runs-on: [self-hosted, tech-radar]
steps:
- uses: actions/checkout@v3
with:
ref: '${{ github.event.repository.default_branch }}'
fetch-depth: 0
- id: blackbox
uses: olxbr/blackbox-action@v1
with:
config: ${{ secrets.BLACK_BOX_CONFIG }}
env:
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
REPO_NAME: ${{ github.event.repository.name }}
DOCKER_ECR_PASSWORD: ${{ secrets.DOCKER_ECR_PASSWORD }}
DOCKER_REGISTRY: ${{ secrets.CONTAINER_REGISTRY_HOST }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_CROSS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_CROSS_SECRET_ACCESS_KEY }}
LOGLEVEL: 'INFO'
135 changes: 135 additions & 0 deletions .github/workflows/security-workflow.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,135 @@
name: Security Workflow

on: [push, pull_request, workflow_dispatch]

jobs:

get-teams:
name: "Get repository team names"
runs-on: ubuntu-latest
outputs:
teams: ${{ steps.teams.outputs.teams }}

if: |
github.actor != 'dependabot[bot]' &&
((github.event_name == 'push' && github.ref_name == github.event.repository.default_branch) ||
github.event_name == 'pull_request' ||
github.event_name == 'workflow_dispatch')
steps:
- name: Export team names
id: teams
run: |
TEAMS=$( \
curl -s -H "Authorization: token ${{ secrets.SECURITY_WORKFLOW_GH_PAT }}" \
-H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$GITHUB_REPOSITORY/teams | \
jq -c '. | [.[]? | .name ]' \
)
echo "::set-output name=teams::$TEAMS"
static-analysis:
name: "Static Analysis"
runs-on: ubuntu-latest
needs: get-teams

if: |
github.actor != 'dependabot[bot]' &&
((github.event_name == 'push' && github.ref_name == github.event.repository.default_branch) ||
github.event_name == 'pull_request' ||
github.event_name == 'workflow_dispatch')
steps:
- name: Run checkout - push
if: github.event_name == 'push'
uses: actions/checkout@v2
with:
fetch-depth: 100

- name: Run checkout - pull_request / workflow_dispatch
if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch'
uses: actions/checkout@v2
with:
fetch-depth: 0

- name: Run Gitleaks
id: gitleaks
uses: olxbr/gitleaks-action@main

- name: Submit Gitleaks metrics
run: |
ENDPOINT=$(echo "${{ secrets.GH_METRICS_SERVER_ENDPOINT }}" | awk -F/ '{print $3}')
DATA=$( \
jq -n \
--arg GITHUB_WORKFLOW "$GITHUB_WORKFLOW" \
--arg GITHUB_JOB "$GITHUB_JOB" \
--arg GITHUB_RUN_ID "$GITHUB_RUN_ID" \
--arg GITHUB_SHA "$GITHUB_SHA" \
--arg GITHUB_REPOSITORY "$GITHUB_REPOSITORY" \
--arg GITLEAKS_EXIT_CODE "${{ steps.gitleaks.outputs.exit_code }}" \
--argjson GITLEAKS_RESULT '${{ steps.gitleaks.outputs.result }}' \
--argjson TEAMS '${{ needs.get-teams.outputs.teams }}' \
'{
"workflow_job": {
"name": $GITHUB_WORKFLOW,
"id": $GITHUB_JOB,
"run_id": $GITHUB_RUN_ID,
"head_sha": $GITHUB_SHA
},
"repository": {
"full_name": $GITHUB_REPOSITORY
},
"custom_metrics": {
"outputs.exit_code": $GITLEAKS_EXIT_CODE,
"outputs.result": $GITLEAKS_RESULT,
"outputs.repository_teams": $TEAMS
}
}' \
)
curl -sv "https://${ENDPOINT}/gitleaks" -d "$DATA" -H "Content-Type: application/json" --connect-timeout 15 --max-time 30
- name: Notify bad Gitleaks exit code
if: steps.gitleaks.outputs.exit_code != 0
run: |
TEAMS=$(echo '${{ needs.get-teams.outputs.teams }}' | jq '.[]' | tr -d '\\"')
MESSAGE=$(printf "Summary report for <https://github.com/$GITHUB_REPOSITORY|$GITHUB_REPOSITORY> is ready for review.\nAssociated teams in this repository:\n\`\`\`$TEAMS\`\`\`")
REPOSITORY_RUN="https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
DATA=$( \
jq -n \
--arg CHANNEL "${{ secrets.SECURITY_WORKFLOW_SLACK_CHANNEL_ID }}" \
--arg REPOSITORY_RUN "$REPOSITORY_RUN" \
--arg MESSAGE "$MESSAGE" \
'{
"channel": $CHANNEL,
"blocks": [
{
"type": "header",
"text": {
"type": "plain_text",
"text": "Gitleaks raised issues"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": $MESSAGE
},
"accessory": {
"type": "button",
"text": {
"type": "plain_text",
"text": "See report"
},
"url": $REPOSITORY_RUN
}
}
]
}' \
)
curl -sv \
-d "$DATA" \
-H "Content-type: application/json" \
-H "Authorization: Bearer ${{ secrets.SEC_BOT_SLACK_TOKEN }}" \
-X POST https://slack.com/api/chat.postMessage
- name: Evaluate Gitleaks exit code
if: steps.gitleaks.outputs.exit_code != 0
uses: actions/github-script@v5
with:
script: |
core.setFailed("Gitleaks encountered leaks. Please fix it in order to keep a safe work.")
1 change: 1 addition & 0 deletions .gitignore
View file
Original file line number Diff line number Diff line change
@@ -1,2 +1,3 @@
node_modules
.DS_Store
!.github/*

0 comments on commit 70778d8

Please sign in to comment.