Add OpenSSF Score card (#207) #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: VCS Scanner CI | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| paths: | |
| - .github/workflows/vcs-scanner-ci.yaml | |
| - components/resc-vcs-scanner/** | |
| - '!**.md' | |
| - '!**.png' | |
| - '!**.gif' | |
| - .gitignore | |
| pull_request: | |
| branches: [ "main" ] | |
| paths: | |
| - .github/workflows/vcs-scanner-ci.yaml | |
| - components/resc-vcs-scanner/** | |
| - '!**.md' | |
| - '!**.png' | |
| - '!**.gif' | |
| - .gitignore | |
| workflow_dispatch: | |
| env: | |
| RESC_VCS_SCANNER_DIR: components/resc-vcs-scanner | |
| RESC_COMPONENTS: components | |
| CONTAINER_REGISTRY: rescabnamro | |
| IMAGE_NAME: resc-vcs-scanner | |
| jobs: | |
| python-basic-validation: | |
| name: Python Basic Validation | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| python-version: ["3.9"] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| - name: Set up Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Install test dependencies | |
| run: | | |
| cd ${{ env.RESC_VCS_SCANNER_DIR }} | |
| pip install -r test-requirements.txt | |
| - name: Test with pytest | |
| run: | | |
| cd ${{ env.RESC_VCS_SCANNER_DIR }} | |
| tox -e pytest | |
| - name: Import sorting with isort | |
| run: | | |
| cd ${{ env.RESC_VCS_SCANNER_DIR }} | |
| tox -e sort | |
| - name: Lint with flake8 | |
| run: | | |
| cd ${{ env.RESC_VCS_SCANNER_DIR }} | |
| tox -e lint | |
| # This step will only execute if PR is created internally. | |
| - name: SonarCloud Scan | |
| if: ${{ (github.event.pull_request.head.repo.full_name == 'abnamro/repository-scanner') || (github.ref == 'refs/heads/main') }} | |
| uses: SonarSource/sonarcloud-github-action@master | |
| with: | |
| projectBaseDir: ${{ env.RESC_VCS_SCANNER_DIR }} | |
| args: > | |
| -Dsonar.organization=abnamro-resc | |
| -Dsonar.projectKey=abnamro-resc_resc-vcs-scanner | |
| -Dsonar.python.coverage.reportPaths=coverage.xml | |
| -Dsonar.sourceEncoding=UTF-8 | |
| -Dsonar.projectName=resc-vcs-scanner | |
| -Dsonar.groupid=resc | |
| -Dsonar.sources=src/ | |
| -Dsonar.inclusions=**/*.py | |
| -Dsonar.exclusions=**/*yml,**/*.xml,**/*.txt,**/*.html,**/*.js | |
| -Dsonar.tests=tests/ | |
| -Dsonar.cpd.exclusions=**/*yml,**/*.xml,**/*.txt,**/*.html,**/*.js | |
| -Dsonar.coverage.exclusions=**/*yml,**/*.xml,**/*.txt,**/*.html,**/*.js | |
| -Dsonar.pdf.skip=true | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any | |
| SONAR_TOKEN: ${{ secrets.__SONAR_TOKEN_BACKEND__ }} | |
| - name: Get Branch Name | |
| id: extract_branch | |
| run: | | |
| if [[ ${GITHUB_EVENT_NAME} == 'pull_request' ]]; then | |
| export BRANCH_NAME="${GITHUB_HEAD_REF}" | |
| echo "::set-output name=branch_name::${BRANCH_NAME}" | |
| elif [[ ${GITHUB_EVENT_NAME} == 'push' ]]; then | |
| export BRANCH_NAME="${GITHUB_REF_NAME}" | |
| echo "::set-output name=branch_name::${BRANCH_NAME}" | |
| else | |
| echo "Event is neither pull_request nor push" | |
| fi | |
| outputs: | |
| branch_name: ${{ steps.extract_branch.outputs.branch_name }} | |
| python-build-and-publish: | |
| name: Python Build and Publish | |
| needs: python-basic-validation | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| python-version: ["3.9"] | |
| outputs: | |
| scanner_version: ${{ steps.getversion.outputs.scanner_version }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v3 | |
| - name: Set up Python ${{ matrix.python-version }} | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: ${{ matrix.python-version }} | |
| - name: Building python package | |
| run: | | |
| cd ${{ env.RESC_VCS_SCANNER_DIR }} | |
| python -m pip install --upgrade pip build | |
| python -m build | |
| - name: Publish python package to PyPI | |
| if: ${{ needs.python-basic-validation.outputs.branch_name == 'main' }} | |
| uses: pypa/gh-action-pypi-publish@release/v1 | |
| with: | |
| password: ${{ secrets.__PYPI_TOKEN__ }} | |
| packages_dir: ${{ env.RESC_VCS_SCANNER_DIR }}/dist | |
| skip_existing: true | |
| - id: getversion | |
| name: Get package version | |
| run: | | |
| cd ${{ env.RESC_VCS_SCANNER_DIR }} | |
| scanner_version=$(python ./setup.py --version) | |
| echo "scanner_version=$scanner_version" >> $GITHUB_OUTPUT | |
| dockerize: | |
| name: Build and Push Docker image | |
| needs: [python-basic-validation, python-build-and-publish] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v3 | |
| - name: Docker Lint | |
| uses: hadolint/hadolint-action@v2.0.0 | |
| with: | |
| dockerfile: ${{ env.RESC_VCS_SCANNER_DIR }}/Dockerfile | |
| failure-threshold: error | |
| - name: Build an image from Dockerfile | |
| run: | | |
| cd ${{ env.RESC_COMPONENTS }} | |
| docker build -t ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{needs.python-build-and-publish.outputs.scanner_version}} -f ./resc-vcs-scanner/Dockerfile . | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{needs.python-build-and-publish.outputs.scanner_version}} | |
| format: 'table' | |
| exit-code: '0' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Get Branch Name | |
| run: | | |
| if [[ ${GITHUB_EVENT_NAME} == 'pull_request' ]]; then | |
| echo "BRANCH_NAME=$(echo ${GITHUB_HEAD_REF})" >> "$GITHUB_ENV" | |
| elif [[ ${GITHUB_EVENT_NAME} == 'push' ]]; then | |
| echo "BRANCH_NAME=$(echo ${GITHUB_REF_NAME})" >> "$GITHUB_ENV" | |
| else | |
| echo "Event is neither pull_request nor push" | |
| fi | |
| - name: Determine if image needs to be published | |
| run: | | |
| if [[ ${{ needs.python-basic-validation.outputs.branch_name }} == 'main' ]]; then | |
| echo "PUBLISH_IMAGE=true" >> "$GITHUB_ENV" | |
| echo "Going to publish image to registry" | |
| else | |
| echo "PUBLISH_IMAGE=false" >> "$GITHUB_ENV" | |
| echo "Skipping publishing of image to registry" | |
| fi | |
| - name: Log in to Container Registry | |
| if: ${{ env.PUBLISH_IMAGE == 'true' }} | |
| uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 | |
| with: | |
| username: ${{ secrets.__DOCKER_HUB_USER__ }} | |
| password: ${{ secrets.__DOCKER_HUB_PASS__ }} | |
| - name: Build and push Docker image | |
| uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc | |
| with: | |
| file: ${{ env.RESC_VCS_SCANNER_DIR }}/Dockerfile | |
| context: ${{ env.RESC_COMPONENTS }}/ | |
| push: ${{ env.PUBLISH_IMAGE }} | |
| tags: ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}:latest, ${{ env.CONTAINER_REGISTRY }}/${{ env.IMAGE_NAME }}:${{needs.python-build-and-publish.outputs.scanner_version}} |