nhcarrigan/amari
9
0
Fork 0
generated from nhcarrigan/template
Code Issues 2 Pull Requests 6 Actions Releases 1 Activity

fix: log the curl results, pipx for semgrep #1

Merged
naomi merged 2 commits from ci/security into main 2025-12-17 17:28:22 -08:00
Conversation 0 Commits 2 Files Changed 1
+84 -16
1 changed files with 84 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/security.yml
+84 -16
View File
@@ -23,16 +23,27 @@ jobs:
- name: Ensure DefectDojo Product Exists - name: Ensure DefectDojo Product Exists
env: env:
DD_URL: ${{ secrets.DD_URL }} DD_URL: ${{ secrets.DD_URL }}
# UPDATED: Using DD_TOKEN now
DD_TOKEN: ${{ secrets.DD_TOKEN }} DD_TOKEN: ${{ secrets.DD_TOKEN }}
PRODUCT_NAME: ${{ github.repository }} PRODUCT_NAME: ${{ github.repository }}
PRODUCT_TYPE_ID: 1 PRODUCT_TYPE_ID: 1
run: | run: |
sudo apt-get install jq -y > /dev/null sudo apt-get install jq -y > /dev/null
# Check if product exists echo "Checking connection to $DD_URL..."
RESPONSE=$(curl -s -H "Authorization: Token $DD_TOKEN" "$DD_URL/api/v2/products/?name=$PRODUCT_NAME")
COUNT=$(echo "$RESPONSE" | jq -r '.count') # Check if product exists - capture HTTP code to debug connection issues
RESPONSE=$(curl --write-out "%{http_code}" --silent --output /tmp/response.json \
-H "Authorization: Token $DD_TOKEN" \
"$DD_URL/api/v2/products/?name=$PRODUCT_NAME")
# If response is not 200, print error
if [ "$RESPONSE" != "200" ]; then
echo "::error::Failed to query DefectDojo. HTTP Code: $RESPONSE"
cat /tmp/response.json
exit 1
fi
COUNT=$(cat /tmp/response.json | jq -r '.count')
if [ "$COUNT" = "0" ]; then if [ "$COUNT" = "0" ]; then
echo "Creating product '$PRODUCT_NAME'..." echo "Creating product '$PRODUCT_NAME'..."
@@ -57,15 +68,34 @@ jobs:
trivy fs . --scanners vuln,misconfig --format json --output trivy-results.json --exit-code 0 trivy fs . --scanners vuln,misconfig --format json --output trivy-results.json --exit-code 0
- name: Upload Trivy to DefectDojo - name: Upload Trivy to DefectDojo
env:
DD_URL: ${{ secrets.DD_URL }}
DD_TOKEN: ${{ secrets.DD_TOKEN }}
run: | run: |
curl -X POST "${{ secrets.DD_URL }}/api/v2/import-scan/" \ echo "Uploading Trivy results..."
-H "Authorization: Token ${{ secrets.DD_TOKEN }}" \ # Generate today's date in YYYY-MM-DD format
TODAY=$(date +%Y-%m-%d)
HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
-H "Authorization: Token $DD_TOKEN" \
-F "active=true" \ -F "active=true" \
-F "verified=true" \ -F "verified=true" \
-F "scan_type=Trivy Scan" \ -F "scan_type=Trivy Scan" \
-F "engagement_name=CI/CD Pipeline" \ -F "engagement_name=CI/CD Pipeline" \
-F "product_name=${{ github.repository }}" \ -F "product_name=${{ github.repository }}" \
-F "file=@trivy-results.json" -F "scan_date=$TODAY" \
-F "auto_create_context=true" \
-F "file=@trivy-results.json")
if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
echo "::error::Upload Failed with HTTP $HTTP_CODE"
echo "--- SERVER RESPONSE ---"
cat response.txt
echo "-----------------------"
exit 1
else
echo "Upload Success!"
fi
# --- 2. GITLEAKS (Secrets) --- # --- 2. GITLEAKS (Secrets) ---
- name: Install Gitleaks - name: Install Gitleaks
@@ -78,32 +108,70 @@ jobs:
run: gitleaks detect --source . -v --report-path gitleaks-results.json --report-format json --no-git || true run: gitleaks detect --source . -v --report-path gitleaks-results.json --report-format json --no-git || true
- name: Upload Gitleaks to DefectDojo - name: Upload Gitleaks to DefectDojo
env:
DD_URL: ${{ secrets.DD_URL }}
DD_TOKEN: ${{ secrets.DD_TOKEN }}
run: | run: |
curl -X POST "${{ secrets.DD_URL }}/api/v2/import-scan/" \ echo "Uploading Gitleaks results..."
-H "Authorization: Token ${{ secrets.DD_TOKEN }}" \ TODAY=$(date +%Y-%m-%d)
HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
-H "Authorization: Token $DD_TOKEN" \
-F "active=true" \ -F "active=true" \
-F "verified=true" \ -F "verified=true" \
-F "scan_type=Gitleaks Scan" \ -F "scan_type=Gitleaks Scan" \
-F "engagement_name=CI/CD Pipeline" \ -F "engagement_name=CI/CD Pipeline" \
-F "product_name=${{ github.repository }}" \ -F "product_name=${{ github.repository }}" \
-F "file=@gitleaks-results.json" -F "scan_date=$TODAY" \
-F "auto_create_context=true" \
-F "file=@gitleaks-results.json")
if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
echo "::error::Upload Failed with HTTP $HTTP_CODE"
echo "--- SERVER RESPONSE ---"
cat response.txt
echo "-----------------------"
exit 1
else
echo "Upload Success!"
fi
# --- 3. SEMGREP (SAST) --- # --- 3. SEMGREP (SAST) ---
- name: Install Semgrep - name: Install Semgrep (via pipx)
run: | run: |
sudo apt-get install python3-pip -y sudo apt-get install pipx -y
pip install semgrep pipx install semgrep
# Add pipx binary path to GITHUB_PATH so next steps can see 'semgrep'
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Run Semgrep - name: Run Semgrep
run: semgrep scan --config=p/security-audit --config=p/owasp-top-ten --json --output semgrep-results.json . || true run: semgrep scan --config=p/security-audit --config=p/owasp-top-ten --json --output semgrep-results.json . || true
- name: Upload Semgrep to DefectDojo - name: Upload Semgrep to DefectDojo
env:
DD_URL: ${{ secrets.DD_URL }}
DD_TOKEN: ${{ secrets.DD_TOKEN }}
run: | run: |
curl -X POST "${{ secrets.DD_URL }}/api/v2/import-scan/" \ echo "Uploading Semgrep results..."
-H "Authorization: Token ${{ secrets.DD_TOKEN }}" \ TODAY=$(date +%Y-%m-%d)
HTTP_CODE=$(curl --write-out "%{http_code}" --output response.txt --silent -X POST "$DD_URL/api/v2/import-scan/" \
-H "Authorization: Token $DD_TOKEN" \
-F "active=true" \ -F "active=true" \
-F "verified=true" \ -F "verified=true" \
-F "scan_type=Semgrep JSON Report" \ -F "scan_type=Semgrep JSON Report" \
-F "engagement_name=CI/CD Pipeline" \ -F "engagement_name=CI/CD Pipeline" \
-F "product_name=${{ github.repository }}" \ -F "product_name=${{ github.repository }}" \
-F "file=@semgrep-results.json" -F "scan_date=$TODAY" \
-F "auto_create_context=true" \
-F "file=@semgrep-results.json")
if [[ "$HTTP_CODE" != "200" && "$HTTP_CODE" != "201" ]]; then
echo "::error::Upload Failed with HTTP $HTTP_CODE"
echo "--- SERVER RESPONSE ---"
cat response.txt
echo "-----------------------"
exit 1
else
echo "Upload Success!"
fi