security-pipeline.yml
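#Version : 0.1
# Security Pipeline: runs Snyk and Horusec against the checked-out repository,
# stores both JSON reports as one workflow artifact, and forwards each report
# to the AppSec import API from its own job.
name: Security Pipeline

on:
  push:
    branches: [main, master, qa]
  pull_request:
    branches: [main, master, qa]

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository, so a compromised dependency or scanner cannot either.
permissions:
  contents: read

jobs:
  sast:
    name: SAST - Static application security testing
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned to release tags instead of the moving `master` ref so
      # an upstream commit cannot change what runs here unreviewed.
      # TODO(review): pin each `uses:` to a full commit SHA for a stronger guarantee.
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Snyk
        uses: snyk/actions/setup@master  # TODO(review): pin to a tagged release or commit SHA
      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.x'
      # Installing dependencies executes package setup/postinstall code from the
      # scanned repository on the runner. It is kept so Snyk can resolve the
      # dependency tree, and is why this job carries only read permissions.
      - name: Installing Python Dependencies
        run: find . -maxdepth 5 -type f -not -path '*/\.*' -name 'requirements.txt' -exec pip install -r '{}' ';'
      - name: Setup Node
        uses: actions/setup-node@v4
      - name: Installing Node Dependencies
        run: |
          find . -maxdepth 5 -type f -not -path '*/\.*' -name 'package.json' -exec sh -c 'echo $0 | sed -e "s/\<package.json\>//g"|xargs -n 3 npm install -g' '{}' \;
      - name: Setup Java
        uses: actions/setup-java@v4
        with:
          java-version: '11'
          distribution: 'adopt'
      - name: Create path report
        run: mkdir -p reports
      - name: Check file existence
        id: check_files
        uses: andstor/file-existence-action@v1
        with:
          files: ".gitignore"
      # Both scanners are report-only: continue-on-error keeps findings from
      # failing the build, so the downstream import is the only consumer.
      - name: Running Snyk
        id: step_snyk
        if: steps.check_files.outputs.files_exists == 'true'
        continue-on-error: true
        run: |
          snyk test --all-projects --json > reports/snyk.json
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - name: Running Horus Security
        id: step_horusec
        if: steps.check_files.outputs.files_exists == 'true'
        continue-on-error: true
        # TODO(review): the installer is fetched unpinned and piped to bash;
        # pin a Horusec release and verify its checksum before executing it.
        run: |
          curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/main/deployments/scripts/install.sh | bash -s latest
          horusec start -p ./ -o json -O "reports/horusec.json"
      - uses: actions/upload-artifact@v4
        with:
          name: reports
          path: reports

  import_snyk:
    name: Snyk import report
    needs: sast
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: reports
          path: reports
      - name: Check exist report
        id: check_files
        uses: andstor/file-existence-action@v1
        with:
          files: "reports/snyk.json"
      # The report is posted straight from disk with --data-binary. The former
      # round-trip through `::set-output` and `-d '${{ ... }}'` expanded the
      # whole report into the shell script, so a quote or shell metacharacter
      # in scanner output (which carries source snippets) broke the command or
      # ran as code, and set-output also truncated multi-line bodies. The API
      # key and the ref/repo names are read from env for the same reason.
      # --fail makes a rejected upload visible as a failed step instead of a
      # silent 4xx; continue-on-error still keeps the job green.
      # NOTE(review): query values are not URL-encoded; a ref name containing
      # `&` or `#` would truncate the query — TODO confirm the API's expectations.
      - name: Import report
        id: step_snyk
        if: steps.check_files.outputs.files_exists == 'true'
        continue-on-error: true
        env:
          API_KEY: ${{ secrets.INTEGRATION_DEFECTDOJO }}
        run: |
          curl --fail -sS -X POST "https://api.appsec.orangestack.com/report?tool=snyk&env=${GITHUB_REF_NAME}&repo=${GITHUB_REPOSITORY}" \
            -H 'Accept: */*' \
            -H "x-api-key: ${API_KEY}" \
            -H 'Content-Type: application/json' \
            --data-binary @reports/snyk.json

  import_horusec:
    name: Horusec import report
    needs: sast
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: reports
          path: reports
      - name: Check exist report
        id: check_files
        uses: andstor/file-existence-action@v1
        with:
          files: "reports/horusec.json"
      # Same shape as the Snyk import: the file is sent with --data-binary so
      # report content never reaches the shell as code, and the key and
      # ref/repo names come from env rather than inline `${{ }}` expansion.
      # NOTE(review): query values are not URL-encoded — TODO confirm the API's expectations.
      - name: Import report
        id: step_horusec
        if: steps.check_files.outputs.files_exists == 'true'
        continue-on-error: true
        env:
          API_KEY: ${{ secrets.INTEGRATION_DEFECTDOJO }}
        run: |
          curl --fail -sS -X POST "https://api.appsec.orangestack.com/report?tool=horusec&env=${GITHUB_REF_NAME}&repo=${GITHUB_REPOSITORY}" \
            -H 'Accept: */*' \
            -H "x-api-key: ${API_KEY}" \
            -H 'Content-Type: application/json' \
            --data-binary @reports/horusec.json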