test: add CI for security checks (#143)

* test: add security checks Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com> * fix: downgrade golicenses per google/go-licenses#128 Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com> * fix: debug bulwark Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com> * fix: add org flag for bulwark Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com> * fix: use dev image for gitleaks Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com> * fix: apply all gosec rules Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com> * chore: switch back to public bulwark images Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com> --------- Signed-off-by: Tyler Gillson <tyler.gillson@gmail.com>
validator-labs · Nov 9, 2023 · c187273 · c187273
1 parent b162292
commit c187273
Show file tree

Hide file tree

Showing 4 changed files with 137 additions and 0 deletions.
diff --git a/.github/workflows/bulwark-gitleaks.yaml b/.github/workflows/bulwark-gitleaks.yaml
@@ -0,0 +1,37 @@
+name: BulwarkGitLeaks
+
+on: [pull_request]
+
+concurrency:
+  group: gitleaks-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  gitleaks-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-dev-public/bulwark/gitleaks:latest
+      env:
+        REPO: ${{ github.event.repository.name }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GITLEAKS_CONFIG: /workspace/config.toml
+    steps:
+
+      - name: run-bulwark-gitleaks-scan
+        shell: sh
+        env:
+          BRANCH: ${{ github.head_ref || github.ref_name }}
+        run: /workspace/bulwark -name CodeSASTGitLeaks -organization spectrocloud-labs -target $REPO -tags "branch:$BRANCH,options:--log-opts origin..HEAD"
+
+      - name: check-result
+        shell: sh
+        run: |
+          resultPath=./$REPO/gitleaks.json
+          cat $resultPath | grep -v \"Match\"\: | grep -v \"Secret\"\:
+          total_failed_tests=`cat $resultPath | grep \"Fingerprint\"\: | wc -l`
+          if [ "$total_failed_tests" -gt 0 ]; then
+            echo "GitLeaks validation check failed with above findings..."
+            exit 1
+          else 
+            echo "GitLeaks validation check passed"
+          fi
diff --git a/.github/workflows/bulwark-golicences.yaml b/.github/workflows/bulwark-golicences.yaml
@@ -0,0 +1,29 @@
+name: GoLicenses
+
+on: [pull_request]
+
+concurrency:
+  group: golicenses-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  golicense-pr-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: install-git
+        run: sudo apt-get install -y git
+
+      - name: install-golicenses
+        run: GOBIN=/usr/local/bin go install github.com/google/go-licenses@v1.0.0
+
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.21'
+
+      - name: golicense-scan
+        run: |
+          go-licenses check ./...
diff --git a/.github/workflows/bulwark-gosec.yaml b/.github/workflows/bulwark-gosec.yaml
@@ -0,0 +1,47 @@
+name: BulwarkGoSec
+
+on: [pull_request]
+
+concurrency:
+  group: gosec-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  gosec-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-dev-public/bulwark/gosec:latest
+      env:
+        REPO: ${{ github.event.repository.name }}
+    steps:
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: '1.21'
+
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: run-gosec-scan
+        shell: sh
+        env:
+          BRANCH: ${{ github.head_ref || github.ref_name }}
+          GO111MODULE: on
+        run: /workspace/bulwark -name CodeSASTGoSec -verbose -organization spectrocloud-labs -target $REPO -tags "branch:$BRANCH"
+
+      - name: check-result
+        shell: sh
+        run: |
+          resultPath=$REPO-result.json
+          issues=$(cat $resultPath | jq -r '.Stats.found')
+          echo "Found ${issues} issues"
+          echo "Issues by Rule ID"
+          jq -r '.Issues | group_by (.rule_id)[] | {rule: .[0].rule_id, count: length}' $resultPath
+          if [ "$issues" -gt 0 ]; then
+            echo "GoSec SAST scan failed with below findings..."
+            cat $resultPath
+            exit 1
+          else 
+            echo "GoSec SAST scan passed"
+          fi 
diff --git a/.github/workflows/bulwark-govulncheck.yaml b/.github/workflows/bulwark-govulncheck.yaml
@@ -0,0 +1,24 @@
+name: GoVulnCheck
+
+on: [pull_request]
+
+concurrency:
+  group: govulncheck-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  govulncheck-pr-scan:
+    runs-on: ubuntu-latest
+    container:
+      image: gcr.io/spectro-images-public/golang:1.21-alpine
+    steps:
+      - name: install-govulncheck
+        run: GOBIN=/usr/local/bin go install golang.org/x/vuln/cmd/govulncheck@latest
+
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: govulncheck-scan
+        run: |
+          go version
+          govulncheck -mode source ./...