diff --git a/.github/workflows/engine.yml b/.github/workflows/engine.yml
index 08e22cdb..9a8a9326 100644
--- a/.github/workflows/engine.yml
+++ b/.github/workflows/engine.yml
@@ -2,6 +2,7 @@ name: "Engine CI/CD"
 on:
 push:
+ branches: ['main', 'staging', 'dev']
 pull_request:
 branches: ['main', 'staging', 'dev']
 schedule:
@@ -12,9 +13,7 @@ jobs:
 name: Allocating Push Filter
 runs-on: ubuntu-latest
 if: github.event_name == 'push'
- # Only run this job for push events
 permissions:
- # Required if adapting for pull requests later
 pull-requests: read
 outputs:
 engine: ${{ steps.filter.outputs.engine }}
@@ -26,95 +25,45 @@ jobs:
 filters: |
 engine:
 - 'engine/**'
- base: ${{ github.ref }}
- # Detect changes against the most recent commit on the same branch
+ base: ${{ github.ref }}
 analyze:
 name: Security Analysis on (${{ matrix.language }})
 needs: changes
- # Depend on changes job
- if: github.event_name != 'push' || needs.changes.outputs.engine == 'true'
- # Run always for non-push events, or if engine changed on push
- runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ if: github.event_name != 'push' || needs.changes.outputs.engine == 'true'
+ runs-on: ubuntu-latest
 permissions:
- # required for all workflows
 security-events: write
-
- # required to fetch internal or private CodeQL packs
 packages: read
-
- # only required for workflows in private repositories
 actions: read
 contents: read
-
 strategy:
 fail-fast: false
 matrix:
- language: [ 'python' ]
- # 'actions' 'c-cpp' 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
- # Use `c-cpp` to analyze code written in C, C++ or both
- # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
- # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
- # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
- # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
- # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
- # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ language: ['python']
 steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- # Add any setup steps before running the `github/codeql-action/init` action.
- # This includes steps like installing compilers or runtimes (`actions/setup-node`
- # or others). This is typically only required for manual builds.
- # - name: Setup runtime (example)
- # uses: actions/setup-example@v1
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v3
- with:
- languages: ${{ matrix.language }}
- build-mode: ${{ matrix.build-mode }}
- # If you wish to specify custom queries, you can do so here or in a config file.
- # By default, queries listed here will override any specified in a config file.
- # Prefix the list here with "+" to use these queries and those in the config file.
+ - name: Checkout repository
+ uses: actions/checkout@v4
- # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
- # queries: security-extended,security-and-quality
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
- # If the analyze step fails for one of the languages you are analyzing with
- # "We were unable to automatically build your code", modify the matrix above
- # to set the build mode to "manual" for that language. Then modify this step
- # to build your code.
- # ā„¹ļø Command-line programs to run using the OS shell.
- # šŸ“š See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
- - if: matrix.build-mode == 'manual'
- shell: bash
- run: |
- echo 'If you are using a "manual" build mode for one or more of the' \
- 'languages you are analyzing, replace this with the commands to build' \
- 'your code, for example:'
- echo ' make bootstrap'
- echo ' make release'
- exit 1
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v3
- with:
- category: "/language:${{matrix.language}}"
-
 run-lint:
 name: Linting Code
 runs-on: ubuntu-latest
 needs: [changes, analyze]
- # Depend on changes job
- if: github.event_name != 'push' || needs.changes.outputs.engine == 'true'
- # Run always for non-push events, or if engine changed on push
+ if: github.event_name != 'push' || needs.changes.outputs.engine == 'true'
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
 with:
- # Full git history is needed to get a proper list of changed files within `super-linter`
 fetch-depth: 0
 - name: Lint Code Base
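Review bot: The `analyze` job's `if: github.event_name != 'push' || needs.changes.outputs.engine == 'true'` (and the identical condition kept on `run-lint`) still cannot run on `pull_request` or `schedule` events, because `changes` is gated by `if: github.event_name == 'push'` and, under GitHub's documented `needs` semantics, a job whose dependency was skipped is itself skipped unless its condition contains `always()` or `!cancelled()`. If every PR is meant to be scanned, either drop the `if` from `changes` or write the guard as `if: ${{ !cancelled() && (github.event_name != 'push' || needs.changes.outputs.engine == 'true') }}` on both jobs. The new steps reference `actions/checkout@v4`, `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` by mutable major tags; pinning each `uses:` to a full commit SHA with the tag in a trailing comment keeps the security-scanning job itself safe from tag retargeting. The `changes` job begins and the `run-lint` step list continues outside this hunk.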
@@ -125,48 +74,42 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 VALIDATE_YAML: false
 VALIDATE_GITHUB_ACTIONS: false
- # Disable Black linter for Python
 VALIDATE_PYTHON_BLACK: false
 VALIDATE_PYTHON_FLAKE8: false
- build-and-deploy:
- # Dynamically select environment by branch
- environment: ${{ github.ref_name == 'main' && 'prod' || github.ref_name }}
-
+ build-and-scan:
+ name: Build and Scan Engine
 runs-on: ubuntu-latest
-
+ needs: [changes]
 steps:
 - name: Checkout source code
 uses: actions/checkout@v4
 with:
 ref: ${{ github.ref }}
- - name: Set environment name
- id: set-env
- run: |
- if [ "${{ github.ref_name }}" == "main" ]; then
- echo "ENV_NAME=production" >> $GITHUB_OUTPUT
- else
- echo "ENV_NAME=${{ github.ref_name }}" >> $GITHUB_OUTPUT
- fi
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
- - name: Login to Docker Hub
- uses: docker/login-action@v3
+ - name: Build Docker image (local only)
+ uses: docker/build-push-action@v4
 with:
- username: ${{ secrets.DOCKER_USERNAME }}
- password: ${{ secrets.DOCKER_PASSWORD }}
-
- - name: Build and tag Docker image
- run: |
- docker build -t ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }} \
- --build-arg ENV=${{ steps.set-env.outputs.ENV_NAME }} \
- -f engine/docker/engine.Dockerfile .
-
- - name: Push Docker image
- run: |
- docker push ${{ secrets.DOCKER_USERNAME }}/engine:${{ steps.set-env.outputs.ENV_NAME }}
-
-# - name: Deploy to environment (azure?)
+ context: ./engine
+ file: ./engine/docker/engine.Dockerfile
+ tags: localbuild/engine:${{ github.ref_name }}
+ push: false
+ load: true
+
+ - name: Scan image with Anchore/Grype
+ uses: anchore/scan-action@v6
+ with:
+ image: localbuild/engine:${{ github.ref_name }}
+ fail-build: false
+ output-format: json
+ output-file: grype-report.json
-# run: |
+ - name: Upload vulnerability report
+ uses: actions/upload-artifact@v4
+ with:
+ name: grype-report
+ path: grype-report.json
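Review bot: `build-and-scan` declares `needs: [changes]` but no `if`, so on `pull_request` and `schedule` runs it is skipped together with `changes` (which only runs on push), and on push it builds even when `needs.changes.outputs.engine` is `'false'`; it should carry the same guard as `analyze`. With `fail-build: false` and the Grype output only uploaded as a JSON artifact, no finding can ever block a merge or reach the repository's Security tab; consider `severity-cutoff` together with `fail-build: true` for the branches in the push filter, or `output-format: sarif` handed to `github/codeql-action/upload-sarif@v3` (which needs `security-events: write` on this job). The job also sets no `permissions:` block, so it inherits the workflow or repository default; `permissions: contents: read` is sufficient for checkout, local build and artifact upload. Finally, `tags: localbuild/engine:${{ github.ref_name }}` will make `docker build` reject any branch name containing `/`, which the current push filter happens to exclude but a widened filter would not.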
diff --git a/engine/cloudbuild-engine-docker.yml b/engine/cloudbuild-engine-docker.yml
new file mode 100644
index 00000000..c6c29df4
--- /dev/null
+++ b/engine/cloudbuild-engine-docker.yml
@@ -0,0 +1,22 @@
+#GCP Engine Docker Build
+#References sourced:
+# https://cloud.google.com/build/docs/securing-builds/store-manage-build-logs?hl=pt-br#yaml_1
+# https://discuss.google.dev/t/cloudbuild-error-failed-to-trigger-build/106701
+
+#Build engine/docker/engine.Dockerfile
+steps:
+ - name: 'gcr.io/cloud-builders/docker' #gcp docker step
+ args: [
+ 'build',
+ '--file', 'engine/docker/engine.Dockerfile', #specified file location in github struct
+ '-t', 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine/my-engine-image:dev', #build engine dev container using GCP container registry, added image name as 'my-engine-image' with ':dev' tag
+ '.' #build all directroy components in engine
+ ]
+
+ - name: 'gcr.io/cloud-builders/docker' #repeat for push
+ args: ['push', 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine/my-engine-image:dev']
+images:
+- 'australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine/my-engine-image:dev'
+
+options:
+ logging: CLOUD_LOGGING_ONLY #syntax to bypass 'build.service_account'
diff --git a/engine/docker/engine.Dockerfile b/engine/docker/engine.Dockerfile
index bd312b23..56e08bda 100644
--- a/engine/docker/engine.Dockerfile
+++ b/engine/docker/engine.Dockerfile
@@ -2,8 +2,8 @@ FROM python:3.11-slim
 WORKDIR /app
-COPY engine/engine/ ./engine/
-COPY engine/rules/ ./rules/
-COPY engine/test-configs/ ./test-configs/
+COPY engine/ ./engine/
+COPY rules/ ./rules/
+COPY test-configs/ ./test-configs/
 CMD ["python", "engine/main.py"]
diff --git a/engine/engine/.trigger b/engine/engine/.trigger
index 6183eec9..a52674c4 100644
--- a/engine/engine/.trigger
+++ b/engine/engine/.trigger
@@ -1 +1 @@
-abcdaas
+abcdaass
diff --git a/engine/engine/main.py b/engine/engine/main.py
index 7faee936..15c3201b 100644
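Review bot: The build context `'.'` in the first step only matches the Dockerfile's new relative paths (`COPY engine/ ./engine/`, `COPY rules/ ./rules/`, `COPY test-configs/ ./test-configs/`) if Cloud Build runs with `engine/` as its working directory; for a repository-connected trigger the working directory is normally the repository root, where `rules/` and `test-configs/` presumably do not exist, whereas the GitHub workflow in this commit sets `context: ./engine` explicitly. Either add `dir: 'engine'` to both steps and change `'--file'` to `'docker/engine.Dockerfile'`, or keep the root context and state which layout is assumed in the `#Build` comment. The image reference `australia-southeast2-docker.pkg.dev/dynamic-fulcrum-470401-e8/engine/my-engine-image:dev` is spelled out three times; a user substitution (for example `_IMAGE`) avoids drift, and adding a `$COMMIT_SHA` tag next to the mutable `:dev` tag keeps an immutable reference to exactly what was built. Comments such as `#gcp docker step` should have a space after `#`, and the `logging` remark is clearer as `# CLOUD_LOGGING_ONLY is required when a custom build service account is configured` rather than "bypass".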
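Review bot: The new `COPY engine/ ./engine/`, `COPY rules/ ./rules/` and `COPY test-configs/ ./test-configs/` lines make this Dockerfile depend on being built with `engine/` as the context, which the workflow's `context: ./engine` satisfies but the Cloud Build config added in the same commit (context `'.'`) may not; a comment above them, `# Build context must be the engine/ directory (see .github/workflows/engine.yml)`, records that assumption where the next editor will see it. The image still starts `engine/main.py` as root because there is no `USER` instruction; adding an unprivileged account before `CMD` (for example `RUN useradd --system --no-create-home app` followed by `USER app`) is a cheap hardening that the Grype scan introduced in this commit does not check for. The `FROM python:3.11-slim` line lies outside the hunk.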
--- a/engine/engine/main.py
+++ b/engine/engine/main.py
@@ -88,7 +88,7 @@ def main():
 # Summary output
 print("\nšŸ“Š Summary:")
 print(f" Total Rules: {len(rules)}")
- print(f" āœ… Passeds: {passed}")
+ print(f" āœ… PassedzZzZz: {passed}")
 print(f" āŒ Failed: {failed}")
 if __name__ == "__main__":
diff --git a/engine/py_test.py b/engine/py_test.py
index 3bd6db52..fffedcde 100644
--- a/engine/py_test.py
+++ b/engine/py_test.py
@@ -6,4 +6,4 @@ def subtract(a, b):
 return a + b
-print(add(5, 1100))
+print(add(5, 12222))
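Review bot: The new summary label `PassedzZzZz` replaces the old typo `Passeds` with a worse one; the label should simply be `Passed` so the line reads in parallel with the `Failed:` line that follows it. If this edit exists only to force a CI run (as the `.trigger` change in the same commit suggests), it should be reverted before merge rather than shipped into the user-facing summary. `main()` begins outside the hunk.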
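Review bot: The context line `return a + b` is the body of `subtract(a, b)` (the hunk's function context, whose `def` line lies outside the hunk), so `subtract` currently adds; it should be `return a - b`. The only change, `print(add(5, 12222))`, alters a literal and, like the `.trigger` edit, looks like a CI-trigger tweak rather than a test, so it adds nothing the commit needs.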