From 5038db9947046f392be2e3612a7d10ff08deb300 Mon Sep 17 00:00:00 2001
From: Naomi Carrigan
Date: Tue, 25 Feb 2025 14:54:01 -0800
Subject: [PATCH] feat: automated runner
---
 .gitea/workflows/scan.yml | 18 ++++++++
 cron.sh | 88 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 106 insertions(+)
 create mode 100644 .gitea/workflows/scan.yml
 create mode 100755 cron.sh
diff --git a/.gitea/workflows/scan.yml b/.gitea/workflows/scan.yml
new file mode 100644
index 0000000..cce9f30
--- /dev/null
+++ b/.gitea/workflows/scan.yml
@@ -0,0 +1,18 @@
+name: Security Scan
+on:
+ workflow_dispatch:
+ schedule:
+ # Midnight every Monday
+ - cron: '0 0 * * 1'
+
+jobs:
+ lint:
+ name: Scan Repositories
+ runs-on: [security-runner]
+
+ steps:
+ - name: Checkout Source Files
+ uses: actions/checkout@v4
+
+ - name: Run scan
+ run: ./cron.sh
diff --git a/cron.sh b/cron.sh
new file mode 100755
index 0000000..60e843c
--- /dev/null
+++ b/cron.sh
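Review bot: `uses: actions/checkout@v4` pins a mutable tag; for a workflow whose output is the organisation's security reports, pin the action to a full commit SHA (keeping the tag in a trailing comment) so a moved tag cannot change what runs on `security-runner`. The job id `lint` does not match its display name `Scan Repositories` or what `./cron.sh` does — `scan:` would read correctly in run logs. No `permissions:` block is declared; if the Gitea runner honours it, an explicit `permissions: { contents: read }` keeps the job token at what a checkout needs. `run: ./cron.sh` depends on the executable bit and a shebang, and the script added in this commit has no shebang, so `run: bash ./cron.sh` makes the interpreter explicit.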
@@ -0,0 +1,88 @@
+# Create the directories for the reports.
+mkdir ./gitleaks;
+mkdir ./trivy;
+mkdir ./grype;
+mkdir ./syft;
+mkdir ./snyk;
+mkdir ./deps;
+
+# Parse directories for all of the projects we "own".
+repositories=($(find /home/naomi/code/naomi -maxdepth 1 -type d -not -name '.' -printf "%f\n" | sort));
+html=();
+current_dir=$(pwd);
+
+for directory in "${repositories[@]}"; do
+ echo "Scanning $directory";
+
+ git clone https://git.nhcarrigan.com/nhcarrigan/$directory ./_repos/$directory;
+
+ # Automated scanning tools
+ gitleaks detect --source ./_repos/$directory -r ./gitleaks/$directory.json --no-banner;
+ trivy repo --format json --output ./trivy/$directory.json ./_repos/$directory;
+ grype -o json --file ./grype/$directory.json ./_repos/$directory;
+ syft scan ./_repos/$directory -o json=./syft/$directory.json;
+
+ # Need to move directories for Snyk to track the target correctly.
+ cd ./_repos/$directory;
+ snyk monitor --dev --project-name=$directory --remote-repo-url=$(git remote get-url origin) ./_repos/$directory;
+ snyk test --dev --json --json-file-output=./_repos/security/snyk/$directory.json ./_repos/$directory;
+ cd $current_dir;
+
+ # Manual dependency version checks (no reliable package to do this for us :/ )
+ echo "No supported package manager found in this project."
> ./_repos/security/deps/$directory.txt;
+ if [ -f ./_repos/$directory/package.json ]; then
+ cd ./_repos/$directory;
+ pnpm outdated | grep -v "^WARN" > ./_repos/security/deps/$directory.txt;
+ cd current_dir
+ fi;
+ if [ -f ./_repos/$directory/Pipfile ]; then
+ cd ./_repos/$directory;
+ pip list --outdated > ./_repos/security/deps/$directory.txt;
+ cd current_dir
+ fi;
+ if [ -f ./_repos/$directory/*.csproj ]; then
+ cd ./_repos/$directory;
+ dotnet list package --outdated > ./_repos/security/deps/$directory.txt;
+ cd current_dir
+ fi;
+ if [ -f ./_repos/$directory/go.mod ]; then
+ cd ./_repos/$directory;
+ go list -m -u all > ./_repos/security/deps/$directory.txt;
+ cd current_dir
+ fi;
+ if [ -f ./_repos/$directory/rockspec ]; then
+ cd ./_repos/$directory;
+ luarocks list --outdated > ./_repos/security/deps/$directory.txt;
+ cd current_dir
+ fi;
+ if [ -f ./_repos/$directory/composer.json ]; then
+ cd ./_repos/$directory;
+ composer outdated --format=json > ./_repos/security/deps/$directory.json;
+ cd current_dir
+ fi;
+ if [ -f ./_repos/$directory/Gemfile ]; then
+ cd ./_repos/$directory;
+ bundle outdated > ./_repos/security/deps/$directory.txt;
+ cd current_dir
+ fi;
+ if [ -f ./_repos/$directory/Cargo.toml ]; then
+ cd ./_repos/$directory;
+ cargo outdated > ./_repos/security/deps/$directory.txt;
+ cd current_dir
+ fi;
+ html+=("

$directory

  • Outdated Dependencies");
+
+ # Remove just to be sure - I THINK runner cleans up after itself.
+ rm -rf ./_repos/$directory;
+done;
+
+echo "Security Audits

    Security Audits

    A collection of the various reporting tools we run against our repositories.

    Contributions to resolve a reported issue are welcomed!

    ${html[*]}
    " > ./index.html; + +# Deploy the reports +cp -r ./deps /home/nhcarrigan/security; +cp -r ./gitleaks /home/nhcarrigan/security; +cp -r ./trivy /home/nhcarrigan/security; +cp -r ./grype /home/nhcarrigan/security; +cp -r ./syft /home/nhcarrigan/security; +cp -r ./snyk /home/nhcarrigan/security; +cp ./index.html /home/nhcarrigan/security;