Automated vulnerability scan with Prisma

SolaceDev · Feb 2, 2024 · 429325c · 429325c
1 parent 1e1e255
commit 429325c
Show file tree

Hide file tree

Showing 2 changed files with 131 additions and 9 deletions.
diff --git a/.github/workflows/internal-release-candidate.yml b/.github/workflows/internal-release-candidate.yml
@@ -13,6 +13,7 @@ jobs:
       contents: 'write'
       id-token: 'write'
     env:
+      IMAGE_NAME: pubsubplus-prometheus-exporter
       VAULT_ADDR: https://vault.maas-vault-prod.solace.cloud:8200
       GCLOUD_PROJECT_ID_DEV: stellar-arcadia-205014
       GCLOUD_PROJECT_ID_STAGING: gcp-maas-staging
@@ -32,8 +33,8 @@ jobs:
         with:
           wssURL: https://saas.whitesourcesoftware.com/agent
           apiKey: ${{ secrets.WSS_API_KEY }}
-          productName: 'pubsubplus-prometheus-exporter'
-          projectName: 'pubsubplus-prometheus-exporter'
+          productName: '${{ env.IMAGE_NAME }}'
+          projectName: '${{ env.IMAGE_NAME }}'
           configFile: 'ci/whitesource/whitesource-agent.config'
 
       - name: Generate Third Party License
@@ -55,7 +56,7 @@ jobs:
         with:
           context: ./
           tags: |
-            ghcr.io/solacedev/pubsubplus-prometheus-exporter:${{ github.event.inputs.release_tag }}
+            ghcr.io/solacedev/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }}
           push: true
 
 
@@ -99,13 +100,13 @@ jobs:
         with:
           context: ./
           tags: |
-            gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/pubsubplus-prometheus-exporter:${{ github.event.inputs.release_tag }}
+            gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }}
           push: true
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          image-ref: ghcr.io/solacedev/pubsubplus-prometheus-exporter:${{ github.event.inputs.release_tag }}
+          image-ref: ghcr.io/solacedev/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }}
           format: 'sarif'
           severity: 'CRITICAL,HIGH'
           output: 'trivy-results.sarif'
@@ -120,10 +121,10 @@ jobs:
       - name: Run Prisma Vulnerability Checker Action
         uses: ./maas-build-actions/.github/actions/prisma-vulnerability-checker
         with:
-          docker_image_to_check: gcr.io/solacedev/pubsubplus-prometheus-exporter:${{ github.event.inputs.release_tag }}
-          prisma_repository_name: "${{ env.GCLOUD_PROJECT_ID_DEV }}/pubsubplus-prometheus-exporter"
+          docker_image_to_check: gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }}
+          prisma_repository_name: "${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}"
           project_squad: "mission-control"
-          prisma_jira_check: "True"
+          prisma_jira_check: "False"
 
       - name: Test image
         run: |
@@ -132,7 +133,7 @@ jobs:
           chmod +x preflight-linux-amd64
           popd
           export VERSION='${{ github.event.inputs.release_tag }}'
-          export CONTAINER_TO_TEST="ghcr.io/solacedev/pubsubplus-prometheus-exporter:$VERSION"
+          export CONTAINER_TO_TEST="ghcr.io/solacedev/${{ env.IMAGE_NAME }}:$VERSION"
           echo "Testing $CONTAINER_TO_TEST"
           /tmp/preflight-linux-amd64 check container $CONTAINER_TO_TEST --docker-config ~/.docker/config.json | grep "Preflight result: PASSED" || echo
 

diff --git a/.github/workflows/vulncheck_periodic.yml b/.github/workflows/vulncheck_periodic.yml
@@ -0,0 +1,121 @@
+name: Vuln check
+on:
+  schedule:
+    - cron: '0 */6 * * *'
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  vuln-check:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: 'write'
+      id-token: 'write'
+    env:
+      IMAGE_NAME: pubsubplus-prometheus-exporter
+      VERSION: v1.0.2-dev
+      VAULT_ADDR: https://vault.maas-vault-prod.solace.cloud:8200
+      GCLOUD_PROJECT_ID_DEV: stellar-arcadia-205014
+      GCLOUD_PROJECT_ID_STAGING: gcp-maas-staging
+      GCLOUD_PROJECT_ID_PROD: gcp-maas-prod
+
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: "1.20"
+
+      - name: Check out code
+        uses: actions/checkout@v2
+
+      - name: Run Whitesource Action
+        uses: SolaceDev/[email protected]
+        with:
+          wssURL: https://saas.whitesourcesoftware.com/agent
+          apiKey: ${{ secrets.WSS_API_KEY }}
+          productName: '${{ env.IMAGE_NAME }}'
+          projectName: '${{ env.IMAGE_NAME }}'
+          configFile: 'ci/whitesource/whitesource-agent.config'
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Checkout SolaceDev/maas-build-actions
+        uses: actions/checkout@v2
+        with:
+          repository: SolaceDev/maas-build-actions
+          ref: refs/heads/master
+          token: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+          persist-credentials: false
+          path: maas-build-actions
+
+      - name: Retrieve google container registry secrets
+        id: docker_registry_secrets
+        uses: hashicorp/[email protected]
+        with:
+          url: "${{ env.VAULT_ADDR }}"
+          role: github-docker-secrets-read-role
+          method: jwt
+          path: jwt-github
+          jwtGithubAudience: https://github.com/SolaceDev
+          exportToken: true
+          secrets: |
+            secret/data/development/gcp-gcr GCP_SERVICE_ACCOUNT | GCP_DEV_SERVICE_ACCOUNT;
+            secret/data/staging/gcp-gcr GCP_SERVICE_ACCOUNT     | GCP_STAGE_SERVICE_ACCOUNT;
+            secret/data/production/gcp-gcr GCP_SERVICE_ACCOUNT  | GCP_PROD_SERVICE_ACCOUNT
+
+      - name: Log in to gcr development docker registry
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: gcr.io
+          username: _json_key
+          password: ${{ steps.docker_registry_secrets.outputs.GCP_DEV_SERVICE_ACCOUNT }}
+
+      - name: Build image and push Google Container Registry
+        uses: docker/build-push-action@v2
+        with:
+          context: ./
+          tags: |
+            gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }}
+          push: true
+
+      - name: Run Prisma Vulnerability Checker Action
+        uses: ./maas-build-actions/.github/actions/prisma-vulnerability-checker
+        with:
+          docker_image_to_check: gcr.io/${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
+          prisma_repository_name: "${{ env.GCLOUD_PROJECT_ID_DEV }}/${{ env.IMAGE_NAME }}"
+          project_squad: "mission-control"
+          prisma_jira_check: "False"
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/solacedev/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }}
+          format: 'sarif'
+          severity: 'CRITICAL,HIGH'
+          output: 'trivy-results.sarif'
+
+      - name: Uploads Trivy Scan Reports
+        if: ${{ !startsWith(github.ref_name, '1.') }}
+        uses: actions/upload-artifact@v2
+        with:
+          path: |
+            trivy-results.sarif
+
+      - name: Login to Github Packages
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+
+      - name: Build image and push GitHub Container Registry
+        uses: docker/build-push-action@v2
+        with:
+          context: ./
+          tags: |
+            ghcr.io/solacedev/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }}
+          push: true