Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Issue #2496] Run vuln scans on a cron job #2785

Merged
merged 28 commits into from
Nov 12, 2024
Merged
Show file tree
Hide file tree
Changes from 27 commits
Commits
Show all changes
28 commits
Select commit Hold shift + click to select a range
467084c
WIP cron vulns
coilysiren Nov 8, 2024
01cca36
checkpoint-kai-1731027301
coilysiren Nov 8, 2024
d221769
needs
coilysiren Nov 8, 2024
f698b50
fix run URL
coilysiren Nov 8, 2024
a5a3e5f
test slack
coilysiren Nov 8, 2024
7a074fb
charset
coilysiren Nov 8, 2024
7934697
fix json hopefully
coilysiren Nov 8, 2024
e4ad088
fix secrets
coilysiren Nov 8, 2024
9d79c1e
simple channel
coilysiren Nov 8, 2024
941530b
channel, again
coilysiren Nov 8, 2024
cca4797
Merge remote-tracking branch 'origin' into kai/cron-vulns
coilysiren Nov 8, 2024
bf79cdb
Update ci-cron-vulnerability-scans.yml
coilysiren Nov 8, 2024
f1c82ea
Update ci-cron-vulnerability-scans.yml
coilysiren Nov 8, 2024
1637dfe
checkpoint-kai-1731084175
coilysiren Nov 8, 2024
951ea31
run frontend scans on correct file change
coilysiren Nov 8, 2024
272abfd
post actually useful stuff
coilysiren Nov 8, 2024
1930dc3
remove useless stuff
coilysiren Nov 8, 2024
56cf2b6
make it real
coilysiren Nov 8, 2024
1eceee7
Update ci-cron-vulnerability-scans.yml
coilysiren Nov 8, 2024
3326a10
fix ci hopefully
coilysiren Nov 8, 2024
3c346a9
Merge branch 'main' into kai/cron-vulns
coilysiren Nov 8, 2024
2fe3a9b
try again
coilysiren Nov 8, 2024
222ed01
Merge branch 'main' into kai/cron-vulns
coilysiren Nov 8, 2024
d1fe5c0
try again again
coilysiren Nov 8, 2024
3aa260e
full path... duh
coilysiren Nov 9, 2024
5c7bd94
Update actionlint.yml
coilysiren Nov 12, 2024
525c5d7
Merge branch 'main' into kai/cron-vulns
coilysiren Nov 12, 2024
440b508
Update .github/workflows/vulnerability-scans.yml
coilysiren Nov 12, 2024
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions .github/actionlint.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
paths:
# actionlint doesn't know how to handle the json inside of this file
.github/workflows/ci-cron-vulnerability-scans.yml:
ignore:
- ".*SC2046.*"
2 changes: 1 addition & 1 deletion .github/workflows/ci-analytics-vulnerability-scans.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ on:
- .grype.yml
- .hadolint.yaml
- .trivyignore
- .github/workflows/ci-vulnerability-scans.yml
- .github/workflows/vulnerability-scans.yml
- analytics/Dockerfile
- analytics/pyproject.toml
- analytics/poetry.lock
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/ci-api-vulnerability-scans.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ on:
- .grype.yml
- .hadolint.yaml
- .trivyignore
- .github/workflows/ci-vulnerability-scans.yml
- .github/workflows/vulnerability-scans.yml
- api/Dockerfile
- api/pyproject.toml
- api/poetry.lock
Expand Down
50 changes: 50 additions & 0 deletions .github/workflows/ci-cron-vulnerability-scans.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,50 @@
# GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image
# to ensure images built are secure before they are deployed.

name: CI Vulnerability Scans

on:
workflow_dispatch:
schedule:
# Run every day at (8am ET, 11am PT) right before the start of the workday
- cron: "0 12 * * *"

jobs:
vulnerability-scans:
name: Vulnerability Scans
strategy:
matrix:
app_name: ["frontend", "api", "analytics"]
uses: ./.github/workflows/vulnerability-scans.yml
with:
app_name: ${{ matrix.app_name }}

send-slack-notification:
name: Send Slack notification on failure
needs: vulnerability-scans
runs-on: ubuntu-latest
# if: failure()
steps:
- name: Send Slack notification
run: |
curl -X POST -H "Authorization: Bearer ${{ secrets.ALERTS_SLACK_BOT_TOKEN }}" \
-H "Content-Type: application/json; charset=utf-8" \
--data '{
"channel": "${{ secrets.SLACK_ALERTS_CHANNEL_ID }}",
"text": ":x: *GitHub Actions Failure Alert*",
"attachments": [
{
"color": "#ff0000",
"title": "Workflow *'"${{ github.workflow }}"'* failed",
"fields": [
{
"title": "Workflow URL",
"value": "'"${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"'"
}
],
"footer": "GitHub Actions",
"footer_icon": "https://github.githubassets.com/images/modules/logos_page/GitHub-Mark.png",
"ts": '$(date +%s)'
}
]
}' https://slack.com/api/chat.postMessage
2 changes: 1 addition & 1 deletion .github/workflows/ci-frontend-vulnerability-scans.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ on:
- .grype.yml
- .hadolint.yaml
- .trivyignore
- .github/workflows/ci-vulnerability-scans.yml
- .github/workflows/vulnerability-scans.yml
- frontend/Dockerfile
- frontendpi/package.json
- frontend/package-lock.json
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/vulnerability-scans.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
# GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image
# to ensure images built are secure before they are deployed.

# RUN A TEST

coilysiren marked this conversation as resolved.
Show resolved Hide resolved
name: Vulnerability Scans

on:
Expand Down