chore: update based comments
cvaskinn committed Oct 15, 2024
1 parent 351510b commit f207ced
Showing 3 changed files with 16 additions and 14 deletions.
15 changes: 9 additions & 6 deletions .github/workflows/code-scan.yml
Expand Up @@ -8,6 +8,10 @@ on:
default: false
required: false
type: boolean
secrets:
external_repository_token:
description: 'Token to access the external repository mentioned in the codescan.yml file. Must have read access to the repository.'
required: false
env:
GITHUB_REPOSITORY: ${{ github.repository }}

Expand Down Expand Up @@ -339,7 +343,7 @@ jobs:
'Authorization': f'token {external_token}'
}
for file_name in 'code_scan_config.yml', 'code_scan_config.yaml':
for file_name in _config_file_names:
response = requests.get(f'https://api.github.com/repos/entur/{external_repository}/contents/{_file_location}/{file_name}', headers=headers)
if response.status_code != 404 and response.status_code != 200:
print(f'::error ::Could not get external allowlist file ({response.status_code} - {response.reason})')
Expand All @@ -351,7 +355,7 @@ jobs:
print(f'::notice ::External allowlist file not found')
if external_allowlist:
with open(os.path.join(_file_location, 'external_code_scan_config.yml'), 'w') as f:
with open(os.path.join(_file_location, 'external_codescan.yml'), 'w') as f:
f.write(base64.b64decode(response.json().get('content','')).decode('utf-8'))
with open(env_file, 'a') as f:
Expand All @@ -374,7 +378,7 @@ jobs:
_file_location = '.entur/security'
schema = {
'apiVersion': {'type': 'string', 'required': True},
'apiVersion': {'type': 'string', 'required': True, 'allowed': 'entur.io/securitytools/v1'},
'kind': {'type': 'string', 'required': True, 'allowed': ['CodeScanConfig']},
'metadata': {
'type': 'dict',
Expand All @@ -393,7 +397,6 @@ jobs:
'allowlist': {
'required' : False,
'type': 'list',
'minlength': 1,
'schema': {
'type': 'dict',
'schema': {
Expand Down Expand Up @@ -430,7 +433,7 @@ jobs:
if os.getenv('GHA_SECURITY_CODE_SCAN_EXTERNAL_ALLOWLIST') == 'True':
data = ''
try:
with open(os.path.join(_file_location, 'external_code_scan_config.yml'), 'r') as f:
with open(os.path.join(_file_location, 'external_codescan.yml'), 'r') as f:
data = yaml.safe_load(f)
except IOError:
print('::error ::External allowlist file not found')
Expand Down Expand Up @@ -472,7 +475,7 @@ jobs:
}

try:
with open(os.path.join(_file_location, 'external_code_scan_config.yml'), 'r') as f:
with open(os.path.join(_file_location, 'external_codescan.yml'), 'r') as f:
remote_config = yaml.safe_load(f)

for element in remote_config.get('spec', {}).get('allowlist', []):
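Review bot: The `allowed` constraint added to `apiVersion` in the `@@ -374,7 +378,7 @@` hunk is a bare string, while the `kind` rule on the very next line wraps its value in a list; if the validator is Cerberus, as the rule names (`type`, `required`, `allowed`, `schema`, `minlength`) suggest, a scalar value is checked with `value not in allowed`, so a string constraint accepts any substring of `entur.io/securitytools/v1` (for example `v1` or an empty string) instead of only the exact version. The check then does not pin the config format it was added to pin, and the schema no longer rejects a config written for another format version. The line should read `'apiVersion': {'type': 'string', 'required': True, 'allowed': ['entur.io/securitytools/v1']},`. The same form appears in the corresponding `apiVersion` hunk of .github/workflows/docker-scan.yml. The enclosing `schema = {...}` literal continues outside the hunk.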
13 changes: 6 additions & 7 deletions .github/workflows/docker-scan.yml
Expand Up @@ -9,7 +9,7 @@ on:
required: true
secrets:
external_repository_token:
description: 'Token to access the external repository mentioned in the docker_scan_config.yml file. Must have read access to the repository.'
description: 'Token to access the external repository mentioned in the dockerscan.yml file. Must have read access to the repository.'
required: false

env:
Expand Down Expand Up @@ -60,7 +60,7 @@ jobs:
_config_file_names = ('dockerscan.yml', 'dockerscan.yaml')
_file_location = '.entur/security'
for file_name in :
for file_name in _config_file_names:
try:
with open(os.path.join(_file_location, file_name), 'r') as f:
external_repository = yaml.safe_load(f).get('spec', {}).get('inherit','')
Expand Down Expand Up @@ -92,7 +92,7 @@ jobs:
print(f'::notice ::External allowlist file not found')
if external_allowlist:
with open(os.path.join(_file_location, 'external_docker_scan_config.yml'), 'w') as f:
with open(os.path.join(_file_location, 'external_dockerscan.yml'), 'w') as f:
f.write(base64.b64decode(response.json().get('content','')).decode())
with open(env_file, 'a') as f:
Expand All @@ -115,7 +115,7 @@ jobs:
_file_location = '.entur/security'
schema = {
'apiVersion': {'type': 'string', 'required': True},
'apiVersion': {'type': 'string', 'required': True, 'allowed': 'entur.io/securitytools/v1'},
'kind': {'type': 'string', 'required': True, 'allowed': ['DockerScanConfig']},
'metadata': {
'type': 'dict',
Expand All @@ -134,7 +134,6 @@ jobs:
'allowlist': {
'required': False,
'type': 'list',
'minlength': 1,
'schema': {
'type': 'dict',
'schema': {
Expand Down Expand Up @@ -170,7 +169,7 @@ jobs:
if os.getenv('GHA_SECURITY_DOCKER_SCAN_EXTERNAL_ALLOWLIST') == 'True':
data = ''
try:
with open(os.path.join(_file_location, 'external_docker_scan_config.yml'), 'r') as f:
with open(os.path.join(_file_location, 'external_dockerscan.yml'), 'r') as f:
data = yaml.safe_load(f)
except IOError:
print('::error ::External allowlist file not found')
Expand All @@ -196,7 +195,7 @@ jobs:
allowlist = {}

try:
with open(os.path.join(_file_location, 'external_docker_scan_config'), 'r') as f:
with open(os.path.join(_file_location, 'external_dockerscan'), 'r') as f:
remote_config = yaml.safe_load(f)

for element in remote_config.get('spec', {}).get('allowlist', []):
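Review bot: The file name on the new line of the `@@ -196,7 +195,7 @@` hunk, `'external_dockerscan'`, has no extension, but the same file is written as `external_dockerscan.yml` in the `@@ -92,7 +92,7 @@` hunk and read under that name in the `@@ -170,7 +169,7 @@` hunk, so this `open` cannot find the file the workflow just fetched and the `remote_config` allowlist merge that follows is presumably skipped by the handler after the hunk. The rename in this commit carried the missing extension over from the old name rather than fixing it. The line should be `with open(os.path.join(_file_location, 'external_dockerscan.yml'), 'r') as f:`. The `try` block and its `except` continue outside the hunk.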
2 changes: 1 addition & 1 deletion README-code-scan.md
Expand Up @@ -169,7 +169,7 @@ spec:

Some potential pitfalls and solutions with CodeQL

### Autobuild fails for Gradle projects because of JVM versions
### Autobuild fails for Gradle projects because of JVM version mismatch

This can happen if Autobuild detects the wrong version of the JVM to run Gradle with. This can be solved by statically setting the JVM version in the Gradle toolchain:

