fix: update pr comment format and print to job summary on schedule event for code & docker scan. (#64)

* fix: update scan workflows to use gh-cli pr command and update comment to markdown

* fix: print to job summary for docker and code scan
LillieEntur authored Jan 3, 2025
1 parent ec81474 commit 5e26acc
Showing 2 changed files with 50 additions and 30 deletions.
41 changes: 26 additions & 15 deletions .github/workflows/code-scan.yml
Expand Up @@ -644,13 +644,10 @@ jobs:

url = links[link_next_i + 1:link_next_j]
"
# NOTE:
# This should also post findings to the action summary.
# Currently it only posts findings to pull_requests -> Scheduled scans go unnoticed!
check-for-critical-alerts:
runs-on: ubuntu-24.04
if: ${{ always() && github.event_name == 'pull_request' }}
if: ${{ always() }}
needs: [allowlist-code-scan-alerts]
permissions:
security-events: read # required to read code scan alerts
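Review bot: changing the job condition from `always() && github.event_name == 'pull_request'` to a bare `if: ${{ always() }}` makes `check-for-critical-alerts` run even when `allowlist-code-scan-alerts` failed or the run was cancelled, so the alert query below can execute against an incomplete or not-yet-allowlisted alert set and publish a misleading "no critical alerts" (or spurious critical) summary. If the goal is only to drop the pull_request restriction so scheduled runs are reported, consider `if: ${{ !cancelled() && needs.allowlist-code-scan-alerts.result == 'success' }}`, or keep `always()` and gate the query step on `needs.allowlist-code-scan-alerts.result`.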
Expand All @@ -668,20 +665,34 @@ jobs:
/repos/${GITHUB_REPOSITORY}/code-scanning/alerts \
-F severity='critical' -F state='open' -F ref='${{ github.ref }}' -F per_page='100' -F tool_name='CodeQL' --paginate)"
if [ "$alerts" == "[]" ]; then
echo 'GHA_SECURITY_CODE_SCAN_CREATE_PR_COMMENT='False >> $GITHUB_ENV
echo 'GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT='False >> $GITHUB_ENV
else
echo 'GHA_SECURITY_CODE_SCAN_CREATE_PR_COMMENT='True >> $GITHUB_ENV
echo 'GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT='True >> $GITHUB_ENV
fi
- name: "Print to job summary if critical alerts are found"
if: ${{ env.GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT == 'True' }}
env:
REPOSITORY: ${{ github.repository }}
GIT_REF: ${{ github.ref }}
run: |
echo '## ⛔ Code Scan - Critical Vulnerabilities ⛔
**Code scan detected critical vulnerabilities in the code that needs to be addressed.**
### Results
The scan results can be found [here](https://github.com/'"$REPOSITORY"'/security/code-scanning?query=is%3Aopen+ref%3A'"$GIT_REF"')
### Allowlist
Use the allowlist if you want to ignore vulnerabilities that do not affect the repository.
See the [Code Scan documentation](https://github.com/entur/gha-security/blob/main/README-code-scan.md#allow-lists) on how to use allowlist.' >> $GITHUB_STEP_SUMMARY
- name: "Create comment on pull request if critical alerts are found"
if: ${{ env.GHA_SECURITY_CODE_SCAN_CREATE_PR_COMMENT == 'True' }}
if: ${{ env.GHA_SECURITY_CODE_SCAN_CREATE_ALERT_COMMENT == 'True' && github.event_name == 'pull_request' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh api /repos/${GITHUB_REPOSITORY}/issues/${{ github.event.pull_request.number }}/comments \
-H "Accept: application/vnd.github.v3+json" \
--field "body=:no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry:
Code scan detected critical vulnerabilities in the code. Please address these vulnerabilities as soon as possible.
The scan results can be found [here](https://github.com/${GITHUB_REPOSITORY}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }}).
If you believe one or more of the reported vulnerabilities are false positives/cannot be fixed/can be ignored, please see the [Code Scan documentation](https://github.com/entur/gha-security/blob/main/README-code_scan.md#allow-lists) on how to use allowlist.
:no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry:"
gh pr comment ${{ github.event.pull_request.number }} --repo $GITHUB_REPOSITORY -b "## ⛔ Code Scan - Critical Vulnerabilities ⛔
**Code scan found critical vulnerabilities in the code that needs to be addressed.**
### Results
The scan results can be found [here](https://github.com/${GITHUB_REPOSITORY}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }})
### Allowlist
Use the allowlist if you want to ignore vulnerabilities that do not affect the repository.
See the [Code Scan documentation](https://github.com/entur/gha-security/blob/main/README-code-scan.md#allow-lists) on how to use allowlist."
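Review bot: `gh pr comment` in the last step needs `pull-requests: write` on the job token, and the only permission visible in this hunk is `security-events: read` with the rest of the `permissions:` block collapsed; please confirm the write permission is still present in the elided lines, otherwise the comment step will fail with 403 on pull requests. A smaller point: the job-summary text and the PR-comment text are the same markdown maintained in two places and have already drifted ("Code scan detected critical vulnerabilities" in the summary step vs "Code scan found critical vulnerabilities" in the comment step); building the body once, for example into a step output or `$GITHUB_ENV`, and reusing it in both steps would keep the summary and the comment identical and shorten the workflow.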
39 changes: 24 additions & 15 deletions .github/workflows/docker-scan.yml
Expand Up @@ -238,13 +238,9 @@ jobs:
with:
sarif_file: ${{ steps.anchore-scan.outputs.sarif }}
category: 'anchore-grype-scan'

# NOTE:
# This should also post findings to the action summary.
# Currently it only posts findings to pull_requests -> Scheduled scans go unnoticed!
check-for-critical-alerts:
runs-on: ubuntu-24.04
if: ${{ always() && github.event_name == 'pull_request' }}
if: ${{ always() }}
needs: [docker-scan]
permissions:
security-events: read # required to read code scan alerts
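Review bot: same concern as in code-scan.yml: with `if: ${{ always() }}` and `needs: [docker-scan]`, `check-for-critical-alerts` now runs even if `docker-scan` (which uploads the Grype SARIF) failed or the run was cancelled, so the alert query below may see no uploaded results and report a clean image that was never scanned. Prefer `if: ${{ !cancelled() && needs.docker-scan.result == 'success' }}`, or keep `always()` and check `needs.docker-scan.result` in the step.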
Expand All @@ -262,19 +258,32 @@ jobs:
/repos/${GITHUB_REPOSITORY}/code-scanning/alerts \
-F severity='critical' -F state='open' -F ref='${{ github.ref }}' -F per_page='100' -F tool_name='Grype' --paginate)"
if [ "$alerts" == "[]" ]; then
echo 'GHA_SECURITY_DOCKER_SCAN_CREATE_PR_COMMENT='False >> $GITHUB_ENV
echo 'GHA_SECURITY_DOCKER_SCAN_CREATE_ALERT_COMMENT='False >> $GITHUB_ENV
else
echo 'GHA_SECURITY_DOCKER_SCAN_CREATE_PR_COMMENT='True >> $GITHUB_ENV
echo 'GHA_SECURITY_DOCKER_SCAN_CREATE_ALERT_COMMENT='True >> $GITHUB_ENV
fi
- name: "Print to job summary if critical alerts are found"
if: ${{ env.GHA_SECURITY_DOCKER_SCAN_CREATE_ALERT_COMMENT == 'True' }}
env:
REPOSITORY: ${{ github.repository }}
GIT_REF: ${{ github.ref }}
run: |
echo '## ⛔ Docker Image Scan - Critical Vulnerabilities ⛔
**Docker Image scan found critical vulnerabilities in the image artifact that needs to be addressed.**
### Results
The scan results can be found [here](https://github.com/'"$REPOSITORY"'/security/code-scanning?query=is%3Aopen+ref%3A'"$GIT_REF"')
### Allowlist
Use the allowlist if you want to ignore vulnerabilities that do not affect the repository.
See the [Docker Scan documentation](https://github.com/entur/gha-security/blob/main/README-docker-scan.md#allowlisting-vulnerabilities) on how to use allowlist.' >> $GITHUB_STEP_SUMMARY
- name: "Create comment on pull request if critical alerts are found"
if: ${{ env.GHA_SECURITY_DOCKER_SCAN_CREATE_PR_COMMENT == 'True' }}
if: ${{ env.GHA_SECURITY_DOCKER_SCAN_CREATE_ALERT_COMMENT == 'True' && github.event.name == 'pull_request' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh api /repos/${GITHUB_REPOSITORY}/issues/${{ github.event.pull_request.number }}/comments \
-H "Accept: application/vnd.github.v3+json" \
--field "body=:no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry:
Anchore Grype scan found critical vulnerabilities in the image artifact. Please address these vulnerabilities.
The scan results can be found [here](https://github.com/${GITHUB_REPOSITORY}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }})
:no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry: :no_entry:"
gh pr comment ${{ github.event.pull_request.number }} --repo $GITHUB_REPOSITORY -b "## ⛔ Docker Image Scan - Critical Vulnerabilities ⛔
**Docker Image scan found critical vulnerabilities in the image artifact that needs to be addressed.**
### Results
The scan results can be found [here](https://github.com/${GITHUB_REPOSITORY}/security/code-scanning?query=is%3Aopen+pr%3A${{ github.event.pull_request.number }})
### Allowlist
Use the allowlist if you want to ignore vulnerabilities that do not affect the repository.
See the [Docker Scan documentation](https://github.com/entur/gha-security/blob/main/README-docker-scan.md#allowlisting-vulnerabilities) on how to use allowlist."
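Review bot: the `if:` on "Create comment on pull request if critical alerts are found" uses `github.event.name == 'pull_request'`, which should be `github.event_name`; `github.event` is the webhook payload object and has no `name` property, so the comparison is always false and the Docker-scan PR comment will never be posted. The matching step in code-scan.yml in this same commit already uses `github.event_name == 'pull_request'`, so the two workflows should be aligned. As in code-scan.yml, the summary and comment bodies are duplicated verbatim here; building the markdown once and reusing it in both steps would keep them from drifting.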

0 comments on commit 5e26acc
