[ODS-6479] Analyze Docker Images updated #1120

Merged
merged 17 commits into from
Sep 13, 2024
77 changes: 75 additions & 2 deletions .github/workflows/Analyze docker images.yml
Expand Up @@ -6,8 +6,8 @@
name: Analyze Docker Images

on:
pull_request:
branches: [main, 'b-v*-patch*','feature-*']
schedule:
- cron: '0 0 * * 0'
workflow_dispatch:

permissions: read-all
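Review bot: `permissions: read-all` applies to every job in this workflow, but the `Upload SARIF result` step added further down (github/codeql-action/upload-sarif) needs `security-events: write`; unless the analyze-docker job overrides permissions in lines not shown in this diff, that step fails with a 403 on the schedule and workflow_dispatch runs, and because the job is now `continue-on-error: true` the failure is not visible in the run result. Grant it at the job level, e.g.
permissions:
  contents: read
  security-events: write
A short comment next to the cron stating that `0 0 * * 0` is the weekly scan at Sunday 00:00 UTC would also help the next reader.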
Expand Down Expand Up @@ -54,6 +54,8 @@ jobs:
{ name: "ods-api-db-ods-sandbox", path: "ubuntu/mssql" }
]
name: ${{ matrix.dockerfile.name }}/${{ matrix.dockerfile.path }} Image for (Standard ${{ matrix.StandardVersion }} Extension ${{ matrix.ExtensionVersion }})
continue-on-error: true

steps:
- name: Checkout code
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4
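Review bot: `continue-on-error: true` on the matrix job makes every matrix leg report success even when the `Check for Critical and High vulnerabilities` step further down exits 1, so the per-image result no longer blocks a pull request, and a failed docker scout scan or failed artifact upload is hidden the same way; in that case `finalize` simply sees no report for that image and passes, which is fail-open for a security gate. If the intent is only to let the remaining matrix legs finish, `strategy: fail-fast: false` does that without masking the outcome; if the intent is that only `finalize` gates, say so in a comment here and make `finalize` the required status check, because `if: always()` makes it run but nothing forces it to be required.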
Expand Down Expand Up @@ -85,10 +87,81 @@ jobs:
sarif-file: sarif-${{ matrix.dockerfile.name }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}.output.json
summary: true
only-severities: "critical,high"

- name: Set Dockerfile Path with Hyphens
id: set-dockerfile-path
run: |
$newPath = "${{ matrix.dockerfile.path }}" -replace '/', '-'
echo "DockerFile-ModifiedPath=$newPath">> $env:GITHUB_ENV
shell: pwsh

- name: Upload vulnerabilities-${{ matrix.dockerfile.name }}.${{ env.DockerFile-ModifiedPath }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }} Report
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
with:
name: vulnerabilities-${{ matrix.dockerfile.name }}.${{ env.DockerFile-ModifiedPath }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}
path: sarif-${{ matrix.dockerfile.name }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}.output.json

- name: Upload SARIF result
id: upload-sarif
if: ${{ github.event_name != 'pull_request_target' }}
uses: github/codeql-action/upload-sarif@df32e399139a3050671466d7d9b3cbacc1cfd034 #codeql-bundle-v2.15.2
with:
sarif_file: sarif-${{ matrix.dockerfile.name }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}.output.json

- name: Check for Critical and High vulnerabilities
run: |
$sarifFile = "sarif-${{ matrix.dockerfile.name }}.${{ env.PACKAGE_VERSION }}.0-${{ matrix.StandardVersion }}.output.json"
$sarifContent = Get-Content -Path $sarifFile | ConvertFrom-Json
foreach ($result in $sarifContent.runs.results) {
$severity = ($result.message.text -match "Severity\s+:\s+(.*)\s*\n") | Out-Null
$severity = $matches[1].Trim()

if ($severity -ieq "critical" -or $severity -ieq "high") {
$criticalHighVulnerabilities++
Write-Host "Found $severity vulnerability: $($result.ruleId)"
}
}

if ($criticalHighVulnerabilities -gt 0) {
Write-Error "Found $criticalHighVulnerabilities critical or high vulnerabilities."
exit 1
} else {
Write-Host "No critical or high vulnerabilities found."
}
shell: pwsh
finalize:
needs: analyze-docker # Depends on the analyze-docker job
runs-on: ubuntu-latest
if: always()
steps:
- name: Checkout code
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4

- name: Download all vulnerability reports
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 #v4.1.1
with:
path: ./vulnerability-reports
- name: Determine if there were critical or high vulnerabilities
run: |
# Get all files in the directory
$files = Get-ChildItem -Path ./vulnerability-reports -Recurse -File
foreach ($file in $files) {
$sarifData = Get-Content $file.FullName | ConvertFrom-Json
foreach ($result in $sarifData.runs.results) {
$severity = ($result.message.text -match "Severity\s+:\s+(.*)\s*\n") | Out-Null
$severity = $matches[1].Trim()

if ($severity -ieq "critical" -or $severity -ieq "high") {
$criticalHighVulnerabilities++
Write-Host "Found $severity vulnerability: $($result.ruleId) in $file.FullName"
}
}
}

if ( $criticalHighVulnerabilities -gt 0) {
Write-Error "Critical or High vulnerabilities found in previous jobs."
exit 1
} else {
Write-Host "No critical or high vulnerabilities found."
}
shell: pwsh
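Review bot: the severity extraction in `Check for Critical and High vulnerabilities` (and the identical loop in `finalize`) can count a result under a stale severity: `$severity = ($result.message.text -match "Severity\s+:\s+(.*)\s*\n") | Out-Null` assigns nothing, and `$matches[1]` is then read unconditionally, so for a result whose message has no `Severity :` line the capture from the previous result is reused silently (and on the first iteration `$matches` is null, so `.Trim()` throws instead). Test the match first and treat a non-match as an error rather than skipping it:
if ($result.message.text -match 'Severity\s+:\s+(.*)\s*\n') { $severity = $matches[1].Trim() }
else { throw "No severity line in result $($result.ruleId)" }
Also initialise `$criticalHighVulnerabilities = 0` before both loops rather than relying on `$null++`, and in `finalize` write `$($file.FullName)` inside the string: `"... in $file.FullName"` expands only `$file` and appends the literal text `.FullName`. Two smaller points: `if: ${{ github.event_name != 'pull_request_target' }}` on `Upload SARIF result` can never be false here, since the workflow only triggers on pull_request, schedule and workflow_dispatch, so either drop it or comment what it guards; and the `Checkout code` step in `finalize` is unused, the job only reads the downloaded artifacts.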