Security Scans #232
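---
# Security scans for the uikit repository: OWASP Dependency-Check with upload to
# CodeDx, a Citadel scan request, and one Black Duck scan per package in the
# matrix. A trailing job posts to Slack when any of the scan jobs fails.
#
# NOTE(review): every action below is referenced by a mutable tag (v4, 1.1.0,
# 1.9.0, v1, 1.0) while the jobs hold BLACKDUCK_TOKEN, SLACK_TOKEN and the
# CodeDx API key; pinning third-party actions to a full commit SHA keeps a moved
# tag from changing the code that receives those secrets.
# NOTE(review): there is no top-level `permissions:` block, so GITHUB_TOKEN gets
# the repository default; `permissions: { contents: read }` is the least-privilege
# setting — confirm the helper scripts under .github/scripts do not need more.
name: Security Scans

on:  # yamllint disable-line rule:truthy -- `on` is a YAML 1.1 boolean; GitHub's loader reads it as the trigger key
  repository_dispatch:
    types: [security]
  workflow_dispatch:
  workflow_call:

env:
  # Deep link to this run, used as the title link of the Slack failure message.
  RUN_URL: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"

jobs:
  codedx-scans:
    name: Run CodeDx Scans
    runs-on: [self-hosted, Linux]
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Run Dependency Check Scans
        uses: dependency-check/Dependency-Check_Action@1.1.0
        with:
          project: "uikit"
          path: "."
          format: "XML"

      - name: Upload Reports to CodeDX
        run: .github/scripts/codedx-upload.sh
        env:
          CODE_DX_URL: "${{ secrets.CODE_DX_URL }}"
          # Quoted like the other templated values in this file for consistency.
          CODE_DX_API_KEY: "${{ secrets.CODE_DX_API_KEY }}"
          # Env values are strings; quoted so no YAML tooling retypes it as an int.
          CODE_DX_PROJECT_ID: "120"

  citadel-scan:
    name: Request Citadel Scan
    runs-on: [self-hosted, Linux]
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Node.js
        uses: actions/setup-node@v4
        with:
          # Quoted: version strings must not be parsed as numbers.
          node-version: "18"

      - name: Request Citadel scan
        run: .github/scripts/citadel-request.mjs

  black-duck-scans:
    name: Run Black Duck Scans
    runs-on: [self-hosted, Linux]
    strategy:
      # One package's scan failing must not cancel the scans of the others.
      fail-fast: false
      matrix:
        # Every value is a literal defined here; keep it that way, because
        # matrix.PACKAGE is interpolated directly into `run:` shell lines below.
        PACKAGE:
          - "cli"
          - "code-editor"
          - "core"
          - "icons"
          - "lab"
          - "shared"
          - "styles"
          - "uno-preset"
          - "viz"
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "18"

      # Install dependencies inside the package under scan so Black Duck can see
      # them. The root package.json / package-lock.json are removed first so npm
      # treats the package as a standalone project rather than a workspace member.
      # NOTE(review): `npm i` runs dependency lifecycle scripts on a self-hosted
      # runner; `--ignore-scripts` would avoid that if the scan does not rely on
      # install-time output — confirm against the Black Duck configuration.
      - name: Prepare packages for Blackduck scan
        uses: lumada-common-services/gh-composite-actions@1.9.0
        with:
          command: |
            rm -rf node_modules package.json package-lock.json && \
            cd packages/${{ matrix.PACKAGE }} && npm i

      # Reads name/version from the package's own package.json; `tr -d '"'`
      # strips the JSON quoting from `npm pkg get`.
      # NOTE(review): the values come from repository content and are written to
      # GITHUB_ENV unvalidated; a newline inside either would add further env
      # lines. Acceptable only while the workflow cannot be triggered by an
      # untrusted branch — the trigger set above is dispatch/call only.
      - name: Load BlackDuck variables
        working-directory: packages/${{ matrix.PACKAGE }}
        run: |
          echo "PROJECT_NAME=$(npm pkg get name --workspaces=false | tr -d '"')" >> "$GITHUB_ENV"
          echo "PROJECT_VERSION=$(npm pkg get version --workspaces=false | tr -d '"')" >> "$GITHUB_ENV"

      - name: Load blackduck project properties
        run: echo "BLACKDUCK_ARGS=$(.github/scripts/getBlackduckArgs.mjs ${{ matrix.PACKAGE }})" >> "$GITHUB_ENV"

      - name: Blackduck Scan
        uses: lumada-common-services/gh-composite-actions@1.9.0
        env:
          BLACKDUCK_DOCKER_USERNAME: hvservices-service-cicd
          BLACKDUCK_DOCKER_PASSWORD: "${{ secrets.ARTIFACTORY_HVSERVICES_CICD_TOKEN }}"
          BlackDuck_Project_Name: "${{ env.PROJECT_NAME }}"
          BlackDuck_Source_Path: /workdir/packages
          BlackDuck_Project_Version: "${{ env.PROJECT_VERSION }}"
          BlackDuck_Api_Token: "${{ secrets.BLACKDUCK_TOKEN }}"
          BlackDuck_Url: "${{ secrets.BLACKDUCK_URL }}"
          ADDITIONAL_ARGS: "${{ env.BLACKDUCK_ARGS }}"

  notify-fail:
    name: Notify Fail
    needs: [codedx-scans, citadel-scan, black-duck-scans]
    # Runs only when at least one of the scan jobs above failed.
    if: failure()
    runs-on: ubuntu-latest
    steps:
      # Presumably publishes the overall result as env.WORKFLOW_CONCLUSION,
      # which the Slack step reads below.
      - name: Collect workflow conclusion
        uses: technote-space/workflow-conclusion-action@v1

      - name: Notify Fail
        uses: hbfernandes/slack-action@1.0
        env:
          SLACK_TOKEN: "${{ secrets.SLACK_TOKEN }}"
          CONCLUSION: "${{ env.WORKFLOW_CONCLUSION }}"
          # Quoted: a bare `#` would start a YAML comment.
          COLOR: "#C62828"
        with:
          args: |
            {
              "channel": "ui-kit-internal",
              "attachments": [
                {
                  "mrkdwn_in": ["text"],
                  "color": "${{ env.COLOR }}",
                  "title": "Security Scans failed",
                  "title_link": "${{ env.RUN_URL }}"
                }
              ]
            }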