
Run vulnerability scan on latest release version (#762)
Previously the scan ran on the current state of the codebase. This fails
to identify vulnerabilities in dependencies for the latest release
version if those dependencies have already been updated in the
development codebase. The gating factor for whether a new release is
required should be whether the previous release contains
vulnerabilities.

This change runs the scheduled vulnerability scan on the latest release
tag. It also adds vulnerability scanning to pull request builds. This is
purely informational. A scan failure does not fail the pull request
build.

Signed-off-by: Mark S. Lewis <[email protected]>
bestbeforetoday authored Oct 21, 2024
1 parent 315fe5c commit c9ad8a6
Showing 3 changed files with 125 additions and 84 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/pull_request.yml
Expand Up @@ -16,6 +16,9 @@ jobs:
build:
uses: ./.github/workflows/test.yml

scan:
uses: ./.github/workflows/scan.yml

pull-request:
needs: build
name: Pull request success
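Review bot: Nothing in the file records that the new `scan` job is deliberately absent from the `needs:` of `pull-request`, which is the only thing that makes the scan informational as the description says; a later edit that adds it to `needs:` would silently turn every dependency advisory into a merge blocker. Suggest a comment directly above `scan:`: `# Informational only: intentionally not a dependency of pull-request, so a scan failure does not block merging.` The `pull-request` job and the `jobs:` block continue outside the hunk.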
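--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,110 @@
+name: "Security vulnerability scan"
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        description: Branch, tag or SHA to scan.
+        type: string
+        required: false
+        default: ""
+
+permissions:
+  contents: read
+
+jobs:
+  go:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          - govulncheck
+          - nancy
+          - osv-scanner
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          check-latest: true
+      - name: Scan
+        run: make scan-go-${{ matrix.target }}
+
+  node:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        target:
+          - npm-audit
+          - osv-scanner
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+      - name: Set up Go
+        if: ${{ matrix.target == 'osv-scanner' }}
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+      - name: Scan
+        run: make scan-node-${{ matrix.target }}
+
+  java_osv_scanner:
+    name: "java (osv-scanner)"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+      - name: Scan
+        run: make scan-java-osv-scanner
+
+  java_dependency_check:
+    name: "java (dependency-check)"
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: java
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref }}
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: temurin
+          cache: maven
+      - name: Download dependencies
+        run: mvn dependency:copy-dependencies -DincludeScope=runtime
+      - name: Scan
+        env:
+          JAVA_HOME: /opt/jdk
+        uses: dependency-check/Dependency-Check_Action@main
+        with:
+          project: fabric-gateway
+          path: java/target/dependency
+          format: HTML
+          out: reports
+          args: >
+            --suppression java/dependency-suppression.xml
+            --failOnCVSS 4
+      - name: Archive dependency-check report
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: dependency-check-report
+          path: reports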
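Review bot: `uses: dependency-check/Dependency-Check_Action@main` in the java_dependency_check job tracks a mutable branch, so the tool that decides whether a release is vulnerable can change underneath this repository without any change here, while every other action in the file is pinned to at least a major tag. Pin it to a release tag or, preferably, a commit SHA with the tag recorded in a trailing comment, e.g. `uses: dependency-check/Dependency-Check_Action@<commit-sha>  # <release-tag>` (both placeholders). The line is carried over from the deleted vulnerability-scan.yml rather than newly written, but the move is the natural moment to fix it. The `ref` input's default of `""` also relies on actions/checkout treating an empty ref as unset and checking out the triggering commit; a comment on `default: ""` such as `# empty: checkout falls back to the triggering commit` would spare the next reader the lookup.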
96 changes: 12 additions & 84 deletions .github/workflows/vulnerability-scan.yml
Expand Up @@ -9,90 +9,18 @@ permissions:
contents: read

jobs:
go:
latest-release-version:
name: Get latest release tag
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
target:
- govulncheck
- nancy
- osv-scanner
outputs:
tag_name: ${{ steps.tag-name.outputs.value }}
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: stable
check-latest: true
- name: Scan
run: make scan-go-${{ matrix.target }}
- id: tag-name
run: echo "value=$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output '.tag_name')" >> "${GITHUB_OUTPUT}"

node:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
target:
- npm-audit
- osv-scanner
steps:
- uses: actions/checkout@v4
- name: Set up Node
uses: actions/setup-node@v4
with:
node-version: "lts/*"
- name: Set up Go
if: ${{ matrix.target == 'osv-scanner' }}
uses: actions/setup-go@v5
with:
go-version: stable
- name: Scan
run: make scan-node-${{ matrix.target }}

java_osv_scanner:
name: "java (osv-scanner)"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: stable
- name: Scan
run: make scan-java-osv-scanner

java_dependency_check:
name: "java (dependency-check)"
runs-on: ubuntu-latest
defaults:
run:
working-directory: java
steps:
- uses: actions/checkout@v4
- name: Set up Java
uses: actions/setup-java@v4
with:
java-version: 21
distribution: temurin
cache: maven
- name: Download dependencies
run: mvn dependency:copy-dependencies -DincludeScope=runtime
- name: Scan
env:
JAVA_HOME: /opt/jdk
uses: dependency-check/Dependency-Check_Action@main
with:
project: fabric-gateway
path: java/target/dependency
format: HTML
out: reports
args: >
--suppression java/dependency-suppression.xml
--failOnCVSS 4
- name: Archive dependency-check report
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: dependency-check-report
path: reports
scan:
name: Scan ${{ needs.latest-release-version.outputs.tag_name }}
needs: latest-release-version
uses: ./.github/workflows/scan.yml
with:
ref: ${{ needs.latest-release-version.outputs.tag_name }}
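Review bot: The `tag-name` step masks a failed lookup: the curl/jq pipeline runs inside `$(...)` as an argument to `echo`, so the step's exit status is that of `echo`, and a failed or rate-limited API call (or a repository with no releases, where jq prints `null`) still succeeds and emits an empty or literal `null` tag. The `scan` job then passes that to scan.yml, whose checkout appears to fall back to the triggering commit for an empty ref, which silently reinstates the scan-the-development-branch behaviour this commit sets out to remove. Capture the value first and stop when it is unusable: `tag_name="$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output '.tag_name')"`, `[ -n "${tag_name}" ] && [ "${tag_name}" != "null" ] || exit 1`, `echo "value=${tag_name}" >> "${GITHUB_OUTPUT}"`. The unauthenticated request is also subject to the anonymous API rate limit; sending the job's `GITHUB_TOKEN` in an `Authorization` header would make the scheduled run more reliable. The workflow's `on:` trigger and top-level `permissions:` sit above the hunk.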
