Skip to content
Daily scan

Daily scan #198

Sign in to view logs

Daily scan

Daily scan #198

Workflow file for this run

.github/workflows/daily-scan.yml at 6bcfc41
## Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
## SPDX-License-Identifier: Apache-2.0
# Performs a daily scan of:
# * Project dependencies, using DependencyCheck
# * The published artifact and its dependencies, using Trivy
#
# Publishes results to CloudWatch Metrics.
name: Daily scan
on:
schedule: # scheduled to run every 6 hours
- cron: '10 */6 * * *' # "At minute 10 past every 6th hour."
workflow_dispatch: # be able to run the workflow on demand
env:
AWS_DEFAULT_REGION: us-east-1
permissions:
id-token: write
contents: read
jobs:
scan_and_report:
runs-on: ubuntu-latest
steps:
- name: Checkout repo for dependency scan
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
with:
fetch-depth: 0
- name: Setup Java for dependency scan
uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 #v5.0.0
with:
java-version: 17
distribution: 'temurin'
- name: Configure AWS credentials for dependency scan
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
with:
role-to-assume: ${{ secrets.SECRET_MANAGER_ROLE_ARN }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
- name: Get secrets for dependency scan
uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10
id: nvd_api_key
with:
secret-ids: |
${{ secrets.NVD_API_KEY_SECRET_ARN }}
OSS_INDEX, ${{ secrets.OSS_INDEX_SECRET_ARN }}
parse-json-secrets: true
- name: Download published artifact for scanning
run: |
mkdir -p scan-target
XRAY_VERSION=$(curl -s "https://repo1.maven.org/maven2/com/amazonaws/aws-xray-recorder-sdk-core/maven-metadata.xml" | grep '<release>' | sed 's/.*<release>\(.*\)<\/release>.*/\1/')
echo "Latest version: $XRAY_VERSION"
ARTIFACTS=(
aws-xray-recorder-sdk-core
aws-xray-recorder-sdk-apache-http
aws-xray-recorder-sdk-aws-sdk
aws-xray-recorder-sdk-aws-sdk-core
aws-xray-recorder-sdk-aws-sdk-instrumentor
aws-xray-recorder-sdk-aws-sdk-v2
aws-xray-recorder-sdk-aws-sdk-v2-instrumentor
aws-xray-recorder-sdk-lambda
aws-xray-recorder-sdk-log4j
aws-xray-recorder-sdk-metrics
aws-xray-recorder-sdk-slf4j
aws-xray-recorder-sdk-spring
aws-xray-recorder-sdk-sql
aws-xray-recorder-sdk-sql-mysql
aws-xray-recorder-sdk-sql-postgres
)
DEPS=""
for a in "${ARTIFACTS[@]}"; do
DEPS+="<dependency><groupId>com.amazonaws</groupId><artifactId>$a</artifactId><version>$XRAY_VERSION</version></dependency>"
done
printf '<project>\n <modelVersion>4.0.0</modelVersion>\n <groupId>scan</groupId><artifactId>scan</artifactId><version>1</version>\n <dependencies>\n %s\n </dependencies>\n</project>\n' "$DEPS" > /tmp/scan-pom.xml
mvn -f /tmp/scan-pom.xml dependency:copy-dependencies -DoutputDirectory=$(pwd)/scan-target/
# See http://jeremylong.github.io/DependencyCheck/dependency-check-cli/ for installation explanation
- name: Install and run dependency scan
id: dep_scan
if: always()
run: |
gpg --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 259A55407DD6C00299E6607EFFDE55BE73A2D1ED
VERSION=$(curl -s https://jeremylong.github.io/DependencyCheck/current.txt | head -n1 | cut -d" " -f1)
curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip" --output dependency-check.zip
curl -Ls "https://github.com/dependency-check/DependencyCheck/releases/download/v$VERSION/dependency-check-$VERSION-release.zip.asc" --output dependency-check.zip.asc
gpg --verify dependency-check.zip.asc
unzip dependency-check.zip
./dependency-check/bin/dependency-check.sh --failOnCVSS 0 --nvdApiKey ${{ env.NVD_API_KEY_NVD_API_KEY }} --ossIndexUsername ${{ env.OSS_INDEX_USERNAME }} --ossIndexPassword ${{ env.OSS_INDEX_PASSWORD }} --suppression .github/dependency-check-suppressions.xml -s "scan-target/"
- name: Print dependency scan results on failure
if: ${{ steps.dep_scan.outcome != 'success' }}
run: less dependency-check-report.html
- name: Extract JARs for Trivy scanning
if: always()
run: |
mkdir -p released-artifact
for jar in scan-target/*.jar; do
unzip -q -o "$jar" -d released-artifact/
done
- name: Perform high severity scan on published artifact dependencies
if: always()
id: high_scan_latest
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
with:
scan-type: 'fs'
scan-ref: 'released-artifact/'
severity: 'CRITICAL,HIGH'
exit-code: '1'
env:
TRIVY_IGNOREFILE: .github/trivy/daily-scan.trivyignore.yaml
- name: Perform low severity scan on published artifact dependencies
if: always()
id: low_scan_latest
uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # v0.34.2
with:
scan-type: 'fs'
scan-ref: 'released-artifact/'
severity: 'MEDIUM,LOW,UNKNOWN'
exit-code: '1'
env:
TRIVY_IGNOREFILE: .github/trivy/daily-scan.trivyignore.yaml
- name: Configure AWS Credentials for emitting metrics
if: always()
uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #5.0.0
with:
role-to-assume: ${{ secrets.AWS_INTEG_TEST_ROLE_ARN }}
aws-region: ${{ env.AWS_DEFAULT_REGION }}
- name: Publish high scan status
if: always()
run: |
value="${{ steps.high_scan_latest.outcome == 'success' && '1.0' || '0.0' }}"
aws cloudwatch put-metric-data --namespace 'MonitorSDK' \
--metric-name Success \
--dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_high \
--value $value
- name: Publish low scan status
if: always()
run: |
value="${{ steps.low_scan_latest.outcome == 'success' && steps.dep_scan.outcome == 'success' && '1.0' || '0.0' }}"
aws cloudwatch put-metric-data --namespace 'MonitorSDK' \
--metric-name Success \
--dimensions repository=${{ github.repository }},branch=${{ github.ref_name }},workflow=daily_scan_low \
--value $value