From 6491d373694c3561ffa43e583c077283385637ed Mon Sep 17 00:00:00 2001
From: Chaitanya-019
Date: Wed, 13 Jul 2022 14:44:56 +0530
Subject: [PATCH 1/6] [Security]: Image scanner update
---
 .github/workflows/security.yml | 71 ++++++++++++++-------------------
 1 file changed, 28 insertions(+), 43 deletions(-)
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index b5865bdd..6688f053 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -1,49 +1,34 @@ name: SecurityChecks on: - pull_request: {} + workflow_dispatch: + pull_request: { } push: - branches: ["master"] + branches: [ "master" ] + schedule: + - cron: '30 20 * * *' jobs: - semgrep: - name: Scan - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - uses: returntocorp/semgrep-action@v1 - with: - publishToken: ${{ secrets.SEMGREP_APP_TOKEN }} - publishDeployment: 339 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + security-sast: + uses: razorpay/security-action/.github/workflows/semgrep.yml@master + secrets: + SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }} - workflow_status: - runs-on: ubuntu-latest - name: Update Status Check - needs: [ semgrep ] + security-imagescan-api: + uses: razorpay/security-action/.github/workflows/image_scan.yml@master + with: + TRIVY_IMAGE_REF: c.rzp.io/razorpay/metro:api + BU: payments + IMAGE_TYPE: api + secrets: + HARBOR_DOCKER_USERNAME: ${{ secrets.HARBOR_DOCKER_USERNAME }} + HARBOR_DOCKER_PASSWORD: ${{ secrets.HARBOR_DOCKER_PASSWORD }} + BHADRA_TOKEN: ${{ secrets.BHADRA_TOKEN }} + DOCKER_IMAGE_INIT_COMMAND: c.rzp.io/razorpay/metro:api --build-arg GIT_COMMIT_HASH=${{ github.sha }} --build-arg GIT_TOKEN=${{ secrets.GIT_TOKEN }} --build-arg GIT_USERNAME=rzp -f build/docker/Dockerfile + GIT_TOKEN: ${{ secrets.GIT_TOKEN }} + SLACK_HOOK: ${{ secrets.SLACK_HOOK }} + + security-statuscheck: + needs: [ security-sast ] if: always() - env: - githubCommit: ${{ github.event.pull_request.head.sha }} - steps: - - name: Set github commit id - run: | - if [ "${{ github.event_name }}" = "push" ]; then - echo "githubCommit=${{ github.sha }}" >> $GITHUB_ENV - fi - exit 0 - - name: Failed - id: failed - if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') - run: | - echo 'Failing the workflow for github security status check.' 
- curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \ - -d '{ "state" : "failure" , "context" : "github/security-status-check" , "description" : "github/security-status-check", "target_url" : "https://github.com/${{ github.repository }}" }' \ - https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }} - exit 1 - - name: Success - if: steps.failed.conclusion == 'skipped' - run: | - echo 'Status check has passed!' - curl -X POST -H "Content-Type: application/json" -H "Authorization: token ${{ github.token }}" \ - -d '{ "state" : "success" , "context" : "github/security-status-check" , "description" : "github/security-status-check", "target_url" : "https://github.com/${{ github.repository }}" }' \ - https://api.github.com/repos/${{ github.repository }}/statuses/${{ env.githubCommit }} - exit 0 + uses: razorpay/security-action/.github/workflows/status_check.yml@master + with: + WORKFLOW_RESULT: ${{ needs.security-sast.result == 'success' && needs.security-sast.result != 'cancelled' || 'false' }} From 7149ce6deefce7b6245f8aa2598762736ce6d1a1 Mon Sep 17 00:00:00 2001 From: Chaitanya-019 Date: Wed, 13 Jul 2022 14:48:36 +0530 Subject: [PATCH 2/6] changed image type --- .github/workflows/security.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 6688f053..0469712a 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
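Review bot: `security-statuscheck` gates only on `security-sast` — `needs: [ security-sast ]` and the `WORKFLOW_RESULT` expression never consult `security-imagescan-api`, so a failed or cancelled image scan still lets the status check report success; change to `needs: [ security-sast, security-imagescan-api ]` and `WORKFLOW_RESULT: ${{ needs.security-sast.result == 'success' && needs.security-imagescan-api.result == 'success' || 'false' }}` (the existing `!= 'cancelled'` clause is redundant once `== 'success'` holds). `DOCKER_IMAGE_INIT_COMMAND` inlines `${{ secrets.GIT_TOKEN }}` as `--build-arg GIT_TOKEN=`; if build/docker/Dockerfile consumes it through an `ARG`, the token value is recorded in the image's layer history and readable by anyone who can pull the image, so a BuildKit `--secret` mount is the safer way to pass it. All three reusable workflows are referenced at `@master`, which hands this repository's Harbor, Bhadra, Git and Slack secrets to whatever that branch contains at run time; pin them to a tag or commit SHA. The removed inline steps posted commit statuses with `github.token`; if `status_check.yml` does the same, the caller presumably needs `permissions: statuses: write` when the repository's default token permission is read-only — confirm against the reusable workflow.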
@@ -17,12 +17,12 @@ jobs: with: TRIVY_IMAGE_REF: c.rzp.io/razorpay/metro:api BU: payments - IMAGE_TYPE: api + IMAGE_TYPE: ${{ github.sha }} secrets: HARBOR_DOCKER_USERNAME: ${{ secrets.HARBOR_DOCKER_USERNAME }} HARBOR_DOCKER_PASSWORD: ${{ secrets.HARBOR_DOCKER_PASSWORD }} BHADRA_TOKEN: ${{ secrets.BHADRA_TOKEN }} - DOCKER_IMAGE_INIT_COMMAND: c.rzp.io/razorpay/metro:api --build-arg GIT_COMMIT_HASH=${{ github.sha }} --build-arg GIT_TOKEN=${{ secrets.GIT_TOKEN }} --build-arg GIT_USERNAME=rzp -f build/docker/Dockerfile + DOCKER_IMAGE_INIT_COMMAND: c.rzp.io/razorpay/metro:${{ github.sha }} --build-arg GIT_COMMIT_HASH=${{ github.sha }} --build-arg GIT_TOKEN=${{ secrets.GIT_TOKEN }} --build-arg GIT_USERNAME=rzp -f build/docker/Dockerfile GIT_TOKEN: ${{ secrets.GIT_TOKEN }} SLACK_HOOK: ${{ secrets.SLACK_HOOK }} From 5a58a51953d94aa1111ed1515864dc6b055272cc Mon Sep 17 00:00:00 2001 From: Chaitanya-019 Date: Wed, 13 Jul 2022 14:57:18 +0530 Subject: [PATCH 3/6] changed ref to image --- .github/workflows/security.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 0469712a..285ab3d6 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
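Review bot: Patches 2/6 through 6/6 cancel out — the `index` line of patch 6/6 returns the file to blob 6688f053, the same blob patch 1/6 produced — so the series should be squashed before merge rather than recording the experiments in history. In the intermediate state of this hunk and again in patch 4/6, `IMAGE_TYPE` is set to `${{ github.sha }}` although it is otherwise a category value (`api`, `image`), and `DOCKER_IMAGE_INIT_COMMAND` tags the build `metro:${{ github.sha }}` while `TRIVY_IMAGE_REF` still points at `metro:api`, so the scanner would examine a different image from the one just built. The same tag/ref mismatch exists in patch 3/6 (`metro:image` versus `metro:api`); patches 5/6 and 6/6 only revert.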
@@ -17,12 +17,12 @@ jobs: with: TRIVY_IMAGE_REF: c.rzp.io/razorpay/metro:api BU: payments - IMAGE_TYPE: ${{ github.sha }} + IMAGE_TYPE: image secrets: HARBOR_DOCKER_USERNAME: ${{ secrets.HARBOR_DOCKER_USERNAME }} HARBOR_DOCKER_PASSWORD: ${{ secrets.HARBOR_DOCKER_PASSWORD }} BHADRA_TOKEN: ${{ secrets.BHADRA_TOKEN }} - DOCKER_IMAGE_INIT_COMMAND: c.rzp.io/razorpay/metro:${{ github.sha }} --build-arg GIT_COMMIT_HASH=${{ github.sha }} --build-arg GIT_TOKEN=${{ secrets.GIT_TOKEN }} --build-arg GIT_USERNAME=rzp -f build/docker/Dockerfile + DOCKER_IMAGE_INIT_COMMAND: c.rzp.io/razorpay/metro:image --build-arg GIT_COMMIT_HASH=${{ github.sha }} --build-arg GIT_TOKEN=${{ secrets.GIT_TOKEN }} --build-arg GIT_USERNAME=rzp -f build/docker/Dockerfile GIT_TOKEN: ${{ secrets.GIT_TOKEN }} SLACK_HOOK: ${{ secrets.SLACK_HOOK }} From db6f687e05d0e49a1f1b95dc7cdf1f766d259a11 Mon Sep 17 00:00:00 2001 From: Chaitanya-019 Date: Wed, 13 Jul 2022 15:14:01 +0530 Subject: [PATCH 4/6] changed ref --- .github/workflows/security.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 285ab3d6..0469712a 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
@@ -17,12 +17,12 @@ jobs: with: TRIVY_IMAGE_REF: c.rzp.io/razorpay/metro:api BU: payments - IMAGE_TYPE: image + IMAGE_TYPE: ${{ github.sha }} secrets: HARBOR_DOCKER_USERNAME: ${{ secrets.HARBOR_DOCKER_USERNAME }} HARBOR_DOCKER_PASSWORD: ${{ secrets.HARBOR_DOCKER_PASSWORD }} BHADRA_TOKEN: ${{ secrets.BHADRA_TOKEN }} - DOCKER_IMAGE_INIT_COMMAND: c.rzp.io/razorpay/metro:image --build-arg GIT_COMMIT_HASH=${{ github.sha }} --build-arg GIT_TOKEN=${{ secrets.GIT_TOKEN }} --build-arg GIT_USERNAME=rzp -f build/docker/Dockerfile + DOCKER_IMAGE_INIT_COMMAND: c.rzp.io/razorpay/metro:${{ github.sha }} --build-arg GIT_COMMIT_HASH=${{ github.sha }} --build-arg GIT_TOKEN=${{ secrets.GIT_TOKEN }} --build-arg GIT_USERNAME=rzp -f build/docker/Dockerfile GIT_TOKEN: ${{ secrets.GIT_TOKEN }} SLACK_HOOK: ${{ secrets.SLACK_HOOK }} From 66d08cb0cf9fd5335c2fe442fc3c94404c4b30e5 Mon Sep 17 00:00:00 2001 From: Chaitanya-019 Date: Wed, 13 Jul 2022 15:17:07 +0530 Subject: [PATCH 5/6] changed file --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 0469712a..7e673606 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -17,7 +17,7 @@ jobs: with: TRIVY_IMAGE_REF: c.rzp.io/razorpay/metro:api BU: payments - IMAGE_TYPE: ${{ github.sha }} + IMAGE_TYPE: api secrets: HARBOR_DOCKER_USERNAME: ${{ secrets.HARBOR_DOCKER_USERNAME }} HARBOR_DOCKER_PASSWORD: ${{ secrets.HARBOR_DOCKER_PASSWORD }} From b6e486e34a82c1ea1fed19ac711948587fb137af Mon Sep 17 00:00:00 2001 From: Chaitanya-019 Date: Wed, 13 Jul 2022 15:18:18 +0530 Subject: [PATCH 6/6] changed file-1 --- .github/workflows/security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 7e673606..6688f053 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml 
@@ -22,7 +22,7 @@ jobs: HARBOR_DOCKER_USERNAME: ${{ secrets.HARBOR_DOCKER_USERNAME }} HARBOR_DOCKER_PASSWORD: ${{ secrets.HARBOR_DOCKER_PASSWORD }} BHADRA_TOKEN: ${{ secrets.BHADRA_TOKEN }} - DOCKER_IMAGE_INIT_COMMAND: c.rzp.io/razorpay/metro:${{ github.sha }} --build-arg GIT_COMMIT_HASH=${{ github.sha }} --build-arg GIT_TOKEN=${{ secrets.GIT_TOKEN }} --build-arg GIT_USERNAME=rzp -f build/docker/Dockerfile + DOCKER_IMAGE_INIT_COMMAND: c.rzp.io/razorpay/metro:api --build-arg GIT_COMMIT_HASH=${{ github.sha }} --build-arg GIT_TOKEN=${{ secrets.GIT_TOKEN }} --build-arg GIT_USERNAME=rzp -f build/docker/Dockerfile GIT_TOKEN: ${{ secrets.GIT_TOKEN }} SLACK_HOOK: ${{ secrets.SLACK_HOOK }}