feat: why am I running an action when I can cron on the server

This commit is contained in:
Naomi Carrigan 2025-02-25 15:23:58 -08:00
parent 0c84a58e64
commit 4f880830e8
Signed by: naomi
SSH Key Fingerprint: SHA256:rca1iUI2OhAM6n4FIUaFcZcicmri0jgocqKiTTAfrt8
3 changed files with 51 additions and 169 deletions


@ -1,32 +0,0 @@
name: Security Scan
on:
workflow_dispatch:
schedule:
# Midnight every Monday
- cron: '0 0 * * 1'
jobs:
lint:
name: Scan Repositories
runs-on: [security-runner]
steps:
- name: Checkout Source Files
uses: actions/checkout@v4
- name: Install Binaries
run: |
sudo apt-get install gitleaks trivy
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sudo sh -s -- -b /usr/local/bin
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sudo sh -s -- -b /usr/local/bin
- name: PNPM
uses: pnpm/action-setup@v2
with:
version: 10
- name: Install Dependencies
run: pnpm i -g snyk
- name: Run scan
run: ./cron.sh

87
cron.sh

@ -1,87 +0,0 @@
# Create the directories for the reports.
mkdir ./gitleaks;
mkdir ./trivy;
mkdir ./grype;
mkdir ./syft;
mkdir ./snyk;
mkdir ./deps;
# List of repositories to scan.
repositories=("typescript-config" "boost-monitor" "tingle-bot" "rig-task-bot" "blog" "mod-logs" "a4p-bot" "mod-bot" "rosalia-nightsong" "eslint-config" "logger" "aria-iuvo" "cordelia-taryne" "melody-iuvo" "nginx-configs" "website-headers" "discord-rpc" "portfolio" "forms" "static-pages" "ocean-breeze" "becca-lyria" "docs" "gwen-abalise" "nails" "maylin-taryne");
html=();
current_dir=$(pwd);
for directory in "${repositories[@]}"; do
echo "Scanning $directory";
git clone https://git.nhcarrigan.com/nhcarrigan/$directory ./_repos/$directory;
# Automated scanning tools
gitleaks detect --source ./_repos/$directory -r ./gitleaks/$directory.json --no-banner;
trivy repo --format json --output ./trivy/$directory.json ./_repos/$directory;
grype -o json --file ./grype/$directory.json ./_repos/$directory;
syft scan ./_repos/$directory -o json=./syft/$directory.json;
# Need to move directories for Snyk to track the target correctly.
cd ./_repos/$directory;
snyk test --dev --json --json-file-output=./_repos/security/snyk/$directory.json ./_repos/$directory;
cd $current_dir;
# Manual dependency version checks (no reliable package to do this for us :/ )
echo "No supported package manager found in this project." > ./_repos/security/deps/$directory.txt;
if [ -f ./_repos/$directory/package.json ]; then
cd ./_repos/$directory;
pnpm outdated | grep -v "^WARN" > ./_repos/security/deps/$directory.txt;
cd current_dir
fi;
if [ -f ./_repos/$directory/Pipfile ]; then
cd ./_repos/$directory;
pip list --outdated > ./_repos/security/deps/$directory.txt;
cd current_dir
fi;
if [ -f ./_repos/$directory/*.csproj ]; then
cd ./_repos/$directory;
dotnet list package --outdated > ./_repos/security/deps/$directory.txt;
cd current_dir
fi;
if [ -f ./_repos/$directory/go.mod ]; then
cd ./_repos/$directory;
go list -m -u all > ./_repos/security/deps/$directory.txt;
cd current_dir
fi;
if [ -f ./_repos/$directory/rockspec ]; then
cd ./_repos/$directory;
luarocks list --outdated > ./_repos/security/deps/$directory.txt;
cd current_dir
fi;
if [ -f ./_repos/$directory/composer.json ]; then
cd ./_repos/$directory;
composer outdated --format=json > ./_repos/security/deps/$directory.json;
cd current_dir
fi;
if [ -f ./_repos/$directory/Gemfile ]; then
cd ./_repos/$directory;
bundle outdated > ./_repos/security/deps/$directory.txt;
cd current_dir
fi;
if [ -f ./_repos/$directory/Cargo.toml ]; then
cd ./_repos/$directory;
cargo outdated > ./_repos/security/deps/$directory.txt;
cd current_dir
fi;
html+=("<h2>$directory</h2><ul><li style='list-style-type: none;'><a href='./gitleaks/$directory.json'>Gitleaks</a></li><li style='list-style-type: none;'><a href='./trivy/$directory.json'>Trivy</a></li><li style='list-style-type: none;'><a href='./grype/$directory.json'>Grype</a></li><li style='list-style-type: none;'><a href='./syft/$directory.json'>Syft</a></li><li style='list-style-type: none;'><a href='./snyk/$directory.json'>Snyk</a></ul><li style='list-style-type: none;'><a href='./deps/$directory.txt'>Outdated Dependencies</a></ul>");
# Remove just to be sure - I THINK runner cleans up after itself.
rm -rf ./_repos/$directory;
done;
echo "<!DOCTYPE html><html><head><title>Security Audits</title><meta charset=\"utf-8\" /><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" /><meta name=\"description\" content=\"A collection of the various reporting tools we run against our repositories.\" /><script src=\"https://cdn.nhcarrigan.com/headers/index.js\" async defer></script></head><body><main><h1>Security Audits</h1><section><p>A collection of the various reporting tools we run against our repositories.</p><p>Contributions to resolve a reported issue are welcomed!</section><section>${html[*]}</section></main></body></html>" > ./index.html;
# Deploy the reports
cp -r ./deps /home/nhcarrigan/security;
cp -r ./gitleaks /home/nhcarrigan/security;
cp -r ./trivy /home/nhcarrigan/security;
cp -r ./grype /home/nhcarrigan/security;
cp -r ./syft /home/nhcarrigan/security;
cp -r ./snyk /home/nhcarrigan/security;
cp ./index.html /home/nhcarrigan/security;

101
scan.sh

@ -1,10 +1,11 @@
# Clean existing reports. # Clean any existing reports.
rm -r ./gitleaks; rm -r ./gitleaks;
rm -r ./trivy; rm -r ./trivy;
rm -r ./grype; rm -r ./grype;
rm -r ./syft; rm -r ./syft;
rm -r ./snyk; rm -r ./snyk;
rm -r ./deps; rm -r ./deps;
rm ./index.html;
# Create the directories for the reports. # Create the directories for the reports.
mkdir ./gitleaks; mkdir ./gitleaks;
@ -14,74 +15,74 @@ mkdir ./syft;
mkdir ./snyk; mkdir ./snyk;
mkdir ./deps; mkdir ./deps;
# Parse directories for all of the projects we "own". # List of repositories to scan.
repositories=($(find /home/naomi/code/naomi -maxdepth 1 -type d -not -name '.' -printf "%f\n" | sort)); repositories=("typescript-config" "boost-monitor" "tingle-bot" "rig-task-bot" "blog" "mod-logs" "a4p-bot" "mod-bot" "rosalia-nightsong" "eslint-config" "logger" "aria-iuvo" "cordelia-taryne" "melody-iuvo" "nginx-configs" "website-headers" "discord-rpc" "portfolio" "forms" "static-pages" "ocean-breeze" "becca-lyria" "docs" "gwen-abalise" "nails" "maylin-taryne");
html=(); html=();
current_dir=$(pwd);
for directory in "${repositories[@]}"; do for directory in "${repositories[@]}"; do
if [ $directory == "naomi" ] || [ $directory == "security" ]; then
continue;
fi;
echo "Scanning $directory"; echo "Scanning $directory";
git clone https://git.nhcarrigan.com/nhcarrigan/$directory ./_repos/$directory;
# Automated scanning tools # Automated scanning tools
gitleaks detect --source /home/naomi/code/naomi/$directory -r ./gitleaks/$directory.json --no-banner; gitleaks detect --source ./_repos/$directory -r ./gitleaks/$directory.json --no-banner;
trivy repo --format json --output ./trivy/$directory.json /home/naomi/code/naomi/$directory; trivy repo --format json --output ./trivy/$directory.json ./_repos/$directory;
grype -o json --file ./grype/$directory.json /home/naomi/code/naomi/$directory; grype -o json --file ./grype/$directory.json ./_repos/$directory;
syft scan /home/naomi/code/naomi/$directory -o json=./syft/$directory.json; syft scan ./_repos/$directory -o json=./syft/$directory.json;
# Need to move directories for Snyk to track the target correctly. # Need to move directories for Snyk to track the target correctly.
cd /home/naomi/code/naomi/$directory; cd ./_repos/$directory;
snyk monitor --dev --project-name=$directory --remote-repo-url=$(git remote get-url origin) /home/naomi/code/naomi/$directory; snyk monitor --dev --project-name=$directory --remote-repo-url=$(git remote get-url origin) $current_dir/$directory;
snyk test --dev --json --json-file-output=/home/naomi/code/naomi/security/snyk/$directory.json /home/naomi/code/naomi/$directory; snyk test --dev --json --json-file-output=./_repos/security/snyk/$directory.json $current_dir/$directory;
cd /home/naomi/code/naomi/security; cd $current_dir;
# Manual dependency version checks (no reliable package to do this for us :/ ) # Manual dependency version checks (no reliable package to do this for us :/ )
echo "No supported package manager found in this project." > /home/naomi/code/naomi/security/deps/$directory.txt; echo "No supported package manager found in this project." > $current_dir/deps/$directory.txt;
if [ -f /home/naomi/code/naomi/$directory/package.json ]; then if [ -f ./_repos/$directory/package.json ]; then
cd /home/naomi/code/naomi/$directory; cd ./_repos/$directory;
pnpm outdated | grep -v "^WARN" > /home/naomi/code/naomi/security/deps/$directory.txt; pnpm outdated | grep -v "^WARN" > $current_dir/deps/$directory.txt;
cd /home/naomi/code/naomi/security; cd current_dir
fi; fi;
if [ -f /home/naomi/code/naomi/$directory/Pipfile ]; then if [ -f ./_repos/$directory/Pipfile ]; then
cd /home/naomi/code/naomi/$directory; cd ./_repos/$directory;
pip list --outdated > /home/naomi/code/naomi/security/deps/$directory.txt; pip list --outdated > $current_dir/deps/$directory.txt;
cd /home/naomi/code/naomi/security; cd current_dir
fi; fi;
if [ -f /home/naomi/code/naomi/$directory/*.csproj ]; then if [ -f ./_repos/$directory/*.csproj ]; then
cd /home/naomi/code/naomi/$directory; cd ./_repos/$directory;
dotnet list package --outdated > /home/naomi/code/naomi/security/deps/$directory.txt; dotnet list package --outdated > $current_dir/deps/$directory.txt;
cd /home/naomi/code/naomi/security; cd current_dir
fi; fi;
if [ -f /home/naomi/code/naomi/$directory/go.mod ]; then if [ -f ./_repos/$directory/go.mod ]; then
cd /home/naomi/code/naomi/$directory; cd ./_repos/$directory;
go list -m -u all > /home/naomi/code/naomi/security/deps/$directory.txt; go list -m -u all > $current_dir/deps/$directory.txt;
cd /home/naomi/code/naomi/security; cd current_dir
fi; fi;
if [ -f /home/naomi/code/naomi/$directory/rockspec ]; then if [ -f ./_repos/$directory/rockspec ]; then
cd /home/naomi/code/naomi/$directory; cd ./_repos/$directory;
luarocks list --outdated > /home/naomi/code/naomi/security/deps/$directory.txt; luarocks list --outdated > $current_dir/deps/$directory.txt;
cd /home/naomi/code/naomi/security; cd current_dir
fi; fi;
if [ -f /home/naomi/code/naomi/$directory/composer.json ]; then if [ -f ./_repos/$directory/composer.json ]; then
cd /home/naomi/code/naomi/$directory; cd ./_repos/$directory;
composer outdated --format=json > /home/naomi/code/naomi/security/deps/$directory.json; composer outdated --format=json > $current_dir/deps/$directory.json;
cd /home/naomi/code/naomi/security; cd current_dir
fi; fi;
if [ -f /home/naomi/code/naomi/$directory/Gemfile ]; then if [ -f ./_repos/$directory/Gemfile ]; then
cd /home/naomi/code/naomi/$directory; cd ./_repos/$directory;
bundle outdated > /home/naomi/code/naomi/security/deps/$directory.txt; bundle outdated > $current_dir/deps/$directory.txt;
cd /home/naomi/code/naomi/security; cd current_dir
fi; fi;
if [ -f /home/naomi/code/naomi/$directory/Cargo.toml ]; then if [ -f ./_repos/$directory/Cargo.toml ]; then
cd /home/naomi/code/naomi/$directory; cd ./_repos/$directory;
cargo outdated > /home/naomi/code/naomi/security/deps/$directory.txt; cargo outdated > $current_dir/deps/$directory.txt;
cd /home/naomi/code/naomi/security; cd current_dir
fi; fi;
html+=("<h2>$directory</h2><ul><li style='list-style-type: none;'><a href='./gitleaks/$directory.json'>Gitleaks</a></li><li style='list-style-type: none;'><a href='./trivy/$directory.json'>Trivy</a></li><li style='list-style-type: none;'><a href='./grype/$directory.json'>Grype</a></li><li style='list-style-type: none;'><a href='./syft/$directory.json'>Syft</a></li><li style='list-style-type: none;'><a href='./snyk/$directory.json'>Snyk</a></ul><li style='list-style-type: none;'><a href='./deps/$directory.txt'>Outdated Dependencies</a></ul>"); html+=("<h2>$directory</h2><ul><li style='list-style-type: none;'><a href='./gitleaks/$directory.json'>Gitleaks</a></li><li style='list-style-type: none;'><a href='./trivy/$directory.json'>Trivy</a></li><li style='list-style-type: none;'><a href='./grype/$directory.json'>Grype</a></li><li style='list-style-type: none;'><a href='./syft/$directory.json'>Syft</a></li><li style='list-style-type: none;'><a href='./snyk/$directory.json'>Snyk</a></ul><li style='list-style-type: none;'><a href='./deps/$directory.txt'>Outdated Dependencies</a></ul>");
done; done;
echo "<!DOCTYPE html><html><head><title>Security Audits</title><meta charset=\"utf-8\" /><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" /><meta name=\"description\" content=\"A collection of the various reporting tools we run against our repositories.\" /><script src=\"https://cdn.nhcarrigan.com/headers/index.js\" async defer></script></head><body><main><h1>Security Audits</h1><section><p>A collection of the various reporting tools we run against our repositories.</p><p>Contributions to resolve a reported issue are welcomed!</section><section>${html[*]}</section></main></body></html>" > ./index.html; rm -rf ./_repos;
# Deploy the reports to the production server. echo "<!DOCTYPE html><html><head><title>Security Audits</title><meta charset=\"utf-8\" /><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" /><meta name=\"description\" content=\"A collection of the various reporting tools we run against our repositories.\" /><script src=\"https://cdn.nhcarrigan.com/headers/index.js\" async defer></script></head><body><main><h1>Security Audits</h1><section><p>A collection of the various reporting tools we run against our repositories.</p><p>Contributions to resolve a reported issue are welcomed!</p><p>Updated: ${date}</section><section>${html[*]}</section></main></body></html>" > ./index.html;
GLOBIGNORE='.git' scp -r ./* prod:/home/nhcarrigan/security
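Review bot: The `GLOBIGNORE='.git'` prefix on the final `scp` line is inert: an assignment prefixed to a simple command only goes into that command's environment, the shell has already expanded `./*` before scp starts, and `*` never matches dot-entries anyway. The effective behaviour is that `./*` ships every non-dot entry of the working directory to `prod:/home/nhcarrigan/security` — `scan.sh` itself and anything else left beside the report directories — and since `index.html` links the reports relative to that directory, the script presumably ends up in the published tree. Enumerate the artefacts instead: `scp -r ./index.html ./deps ./gitleaks ./trivy ./grype ./syft ./snyk prod:/home/nhcarrigan/security`. Separately, none of the `cd /home/naomi/code/naomi/$directory` lines in the loop check their status, so if a project directory disappears between the `find` and the loop body, `snyk monitor --remote-repo-url=$(git remote get-url origin)` and the outdated-dependency checks run against whatever directory the script is still in; `cd /home/naomi/code/naomi/$directory || continue;` on the first of them is the minimal guard.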