[Issue #2496] Run vuln scans on a cron job (#2785)

## Summary Solves 50% of #2496 ### Time to review: __2.5 mins__ ## Changes proposed - Sets up vuln scans on a cron job - Posts it to slack ## Context for reviewers I setup a highlight word on "CI Vulnerability Scans" so this bothers me specifically ## Testing see `#internal-alerts-infra` --------- Co-authored-by: Michael Chouinard <[email protected]>
HHS · Nov 12, 2024 · b9b8ff8 · b9b8ff8
1 parent 88cb722
commit b9b8ff8
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 3 deletions.
diff --git a/.github/actionlint.yml b/.github/actionlint.yml
@@ -0,0 +1,5 @@
+paths:
+  # actionlint doesn't know how to handle the json inside of this file
+  .github/workflows/ci-cron-vulnerability-scans.yml:
+    ignore:
+      - ".*SC2046.*"
diff --git a/.github/workflows/ci-analytics-vulnerability-scans.yml b/.github/workflows/ci-analytics-vulnerability-scans.yml
@@ -9,7 +9,7 @@ on:
       - .grype.yml
       - .hadolint.yaml
       - .trivyignore
-      - .github/workflows/ci-vulnerability-scans.yml
+      - .github/workflows/vulnerability-scans.yml
       - analytics/Dockerfile
       - analytics/pyproject.toml
       - analytics/poetry.lock

diff --git a/.github/workflows/ci-api-vulnerability-scans.yml b/.github/workflows/ci-api-vulnerability-scans.yml
@@ -9,7 +9,7 @@ on:
       - .grype.yml
       - .hadolint.yaml
       - .trivyignore
-      - .github/workflows/ci-vulnerability-scans.yml
+      - .github/workflows/vulnerability-scans.yml
       - api/Dockerfile
       - api/pyproject.toml
       - api/poetry.lock

diff --git a/.github/workflows/ci-cron-vulnerability-scans.yml b/.github/workflows/ci-cron-vulnerability-scans.yml
@@ -0,0 +1,50 @@
+# GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image
+# to ensure images built are secure before they are deployed.
+
+name: CI Vulnerability Scans
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run every day at (8am ET, 11am PT) right before the start of the workday
+    - cron: "0 12 * * *"
+
+jobs:
+  vulnerability-scans:
+    name: Vulnerability Scans
+    strategy:
+      matrix:
+        app_name: ["frontend", "api", "analytics"]
+    uses: ./.github/workflows/vulnerability-scans.yml
+    with:
+      app_name: ${{ matrix.app_name }}
+
+  send-slack-notification:
+    name: Send Slack notification on failure
+    needs: vulnerability-scans
+    runs-on: ubuntu-latest
+    # if: failure()
+    steps:
+      - name: Send Slack notification
+        run: |
+          curl -X POST -H "Authorization: Bearer ${{ secrets.ALERTS_SLACK_BOT_TOKEN }}" \
+          -H "Content-Type: application/json; charset=utf-8" \
+          --data '{
+            "channel": "${{ secrets.SLACK_ALERTS_CHANNEL_ID }}",
+            "text": ":x: *GitHub Actions Failure Alert*",
+            "attachments": [
+            {
+              "color": "#ff0000",
+              "title": "Workflow *'"${{ github.workflow }}"'* failed",
+              "fields": [
+              {
+                "title": "Workflow URL",
+                "value": "'"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"'"
+              }
+              ],
+              "footer": "GitHub Actions",
+              "footer_icon": "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png",
+              "ts": '$(date +%s)'
+            }
+            ]
+          }' https://slack.com/api/chat.postMessage
diff --git a/.github/workflows/ci-frontend-vulnerability-scans.yml b/.github/workflows/ci-frontend-vulnerability-scans.yml
@@ -9,7 +9,7 @@ on:
       - .grype.yml
       - .hadolint.yaml
       - .trivyignore
-      - .github/workflows/ci-vulnerability-scans.yml
+      - .github/workflows/vulnerability-scans.yml
       - frontend/Dockerfile
       - frontendpi/package.json
       - frontend/package-lock.json