forked from dotnet-architecture/eShopOnDapr
-
Notifications
You must be signed in to change notification settings - Fork 9
135 lines (114 loc) · 3.9 KB
/
dev-sec-ci.yml
File metadata and controls
135 lines (114 loc) · 3.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
name: DevSecOps CI
on:
workflow_call:
inputs:
imageName:
required: true
type: string
projectPath:
required: true
type: string
projectName:
required: true
type: string
secrets:
AZURE_CONTAINER_REGISTRY:
required: true
REGISTRY_USERNAME:
required: true
REGISTRY_PASSWORD:
required: true
SNYK_TOKEN:
required: true
AZ_APPINSIGHTS_CONNECTION_STRING:
required: true
AZ_SUBSCRIPTION_TOKEN:
required: true
env:
DOTNET_VERSION: 6.0.x
jobs:
code-dep-scan:
runs-on: self-hosted
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Install Snyk
uses: snyk/actions/setup@master
- name: Setup dotnet
uses: actions/setup-dotnet@v1
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
- name: Build project
run: |
dotnet restore ${{ inputs.projectPath }}/${{ inputs.projectName }}
cd ${{ inputs.projectPath }}
dotnet build --no-restore
- name: Find security issues using static code analysis
run: |
snyk auth ${{ secrets.SNYK_TOKEN }}
snyk code test --sarif-file-output=snykcode.sarif --severity-threshold=low ${{ inputs.projectPath }}
- name: Test a project for open source vulnerabilities and license issues.
if: always() # To be sure the sarif file is always uploaded
run: |
snyk auth ${{ secrets.SNYK_TOKEN }}
snyk test --sarif-file-output=snyktest.sarif --severity-threshold=low ${{ inputs.projectPath }}
- name: Upload result to GitHub Code Scanning Alerts for static code analysis
if: always() # To be sure the sarif file is always uploaded
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: snykcode.sarif
- name: Upload result to GitHub Code Scanning Alerts for open source vulnerabilities
if: always() # To be sure the sarif file is always uploaded
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: snyktest.sarif
container-scan:
runs-on: self-hosted
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Build container image
run: |
docker build -f ${{ inputs.projectPath }}/Dockerfile -t ${{ secrets.AZURE_CONTAINER_REGISTRY }}/${{ inputs.imageName }}:${{ github.sha }} .
# Note: Once MS Defender for DevOps goes GA with Linux this task is redundant
- name: Run Trivy and Dockle container scan
uses: Azure/container-scan@v0
id: container-scan
continue-on-error: true # In real life scenarios you would have this set to false
with:
image-name: ${{ secrets.AZURE_CONTAINER_REGISTRY }}/${{ inputs.imageName }}:${{ github.sha }}
run-quality-checks: true
- uses: azure/docker-login@v1
with:
login-server: ${{ secrets.AZURE_CONTAINER_REGISTRY }}
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
- name: Deploy to container registry
run: |
docker push ${{ secrets.AZURE_CONTAINER_REGISTRY }}/${{ inputs.imageName }}:${{ github.sha }}
cred-scan:
runs-on: windows-latest
steps:
- name: Checkout repo
uses: actions/checkout@v2
- name: Setup dotnet
uses: actions/setup-dotnet@v1
with:
dotnet-version: |
5.0.x
6.0.x
3.1.x
- name: Run Microsoft Security DevOps Analysis
uses: microsoft/security-devops-action@preview
id: msdo
with:
policy: microsoft
- name: Upload result to GitHub Code Scanning Alerts
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.msdo.outputs.sarifFile }}
- name: Upload alerts file as workflow artifact
uses: actions/upload-artifact@v3
with:
name: alerts
path: ${{ steps.msdo.outputs.sarifFile }}