feat: automated runner
parent
31c2c3da64
commit
5038db9947
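--- a/.gitea/workflows/scan.yml
+++ b/.gitea/workflows/scan.yml
@@ -0,0 +1,18 @@
+name: Security Scan
+on:
+  workflow_dispatch:
+  schedule:
+    # Midnight every Monday
+    - cron: '0 0 * * 1'
+
+jobs:
+  lint:
+    name: Scan Repositories
+    runs-on: [security-runner]
+
+    steps:
+      - name: Checkout Source Files
+        uses: actions/checkout@v4
+
+      - name: Run scan
+        run: ./cron.sh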
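Review bot: `uses: actions/checkout@v4` pins the checkout step to a mutable tag; because this job runs on a self-hosted runner that goes on to clone and scan every repository in the org, a moved tag would execute code with that runner's access, so pin to the full commit SHA and keep the version as a comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. The job key `lint` does not describe what the step does; renaming it to `scan` would match `name: Scan Repositories` and the workflow's title.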
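--- a/cron.sh
+++ b/cron.sh
@@ -0,0 +1,88 @@
+# Create the directories for the reports.
+mkdir ./gitleaks;
+mkdir ./trivy;
+mkdir ./grype;
+mkdir ./syft;
+mkdir ./snyk;
+mkdir ./deps;
+
+# Parse directories for all of the projects we "own".
+repositories=($(find /home/naomi/code/naomi -maxdepth 1 -type d -not -name '.' -printf "%f\n" | sort));
+html=();
+current_dir=$(pwd);
+
+for directory in "${repositories[@]}"; do
+  echo "Scanning $directory";
+
+  git clone https://git.nhcarrigan.com/nhcarrigan/$directory ./_repos/$directory;
+
+  # Automated scanning tools
+  gitleaks detect --source ./_repos/$directory -r ./gitleaks/$directory.json --no-banner;
+  trivy repo --format json --output ./trivy/$directory.json ./_repos/$directory;
+  grype -o json --file ./grype/$directory.json ./_repos/$directory;
+  syft scan ./_repos/$directory -o json=./syft/$directory.json;
+
+  # Need to move directories for Snyk to track the target correctly.
+  cd ./_repos/$directory;
+  snyk monitor --dev --project-name=$directory --remote-repo-url=$(git remote get-url origin) ./_repos/$directory;
+  snyk test --dev --json --json-file-output=./_repos/security/snyk/$directory.json ./_repos/$directory;
+  cd $current_dir;
+
+  # Manual dependency version checks (no reliable package to do this for us :/ )
+  echo "No supported package manager found in this project." > ./_repos/security/deps/$directory.txt;
+  if [ -f ./_repos/$directory/package.json ]; then
+    cd ./_repos/$directory;
+    pnpm outdated | grep -v "^WARN" > ./_repos/security/deps/$directory.txt;
+    cd current_dir
+  fi;
+  if [ -f ./_repos/$directory/Pipfile ]; then
+    cd ./_repos/$directory;
+    pip list --outdated > ./_repos/security/deps/$directory.txt;
+    cd current_dir
+  fi;
+  if [ -f ./_repos/$directory/*.csproj ]; then
+    cd ./_repos/$directory;
+    dotnet list package --outdated > ./_repos/security/deps/$directory.txt;
+    cd current_dir
+  fi;
+  if [ -f ./_repos/$directory/go.mod ]; then
+    cd ./_repos/$directory;
+    go list -m -u all > ./_repos/security/deps/$directory.txt;
+    cd current_dir
+  fi;
+  if [ -f ./_repos/$directory/rockspec ]; then
+    cd ./_repos/$directory;
+    luarocks list --outdated > ./_repos/security/deps/$directory.txt;
+    cd current_dir
+  fi;
+  if [ -f ./_repos/$directory/composer.json ]; then
+    cd ./_repos/$directory;
+    composer outdated --format=json > ./_repos/security/deps/$directory.json;
+    cd current_dir
+  fi;
+  if [ -f ./_repos/$directory/Gemfile ]; then
+    cd ./_repos/$directory;
+    bundle outdated > ./_repos/security/deps/$directory.txt;
+    cd current_dir
+  fi;
+  if [ -f ./_repos/$directory/Cargo.toml ]; then
+    cd ./_repos/$directory;
+    cargo outdated > ./_repos/security/deps/$directory.txt;
+    cd current_dir
+  fi;
+  html+=("<h2>$directory</h2><ul><li style='list-style-type: none;'><a href='./gitleaks/$directory.json'>Gitleaks</a></li><li style='list-style-type: none;'><a href='./trivy/$directory.json'>Trivy</a></li><li style='list-style-type: none;'><a href='./grype/$directory.json'>Grype</a></li><li style='list-style-type: none;'><a href='./syft/$directory.json'>Syft</a></li><li style='list-style-type: none;'><a href='./snyk/$directory.json'>Snyk</a></ul><li style='list-style-type: none;'><a href='./deps/$directory.txt'>Outdated Dependencies</a></ul>");
+
+  # Remove just to be sure - I THINK runner cleans up after itself.
+  rm -rf ./_repos/$directory;
+done;
+
+echo "<!DOCTYPE html><html><head><title>Security Audits</title><meta charset=\"utf-8\" /><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" /><meta name=\"description\" content=\"A collection of the various reporting tools we run against our repositories.\" /><script src=\"https://cdn.nhcarrigan.com/headers/index.js\" async defer></script></head><body><main><h1>Security Audits</h1><section><p>A collection of the various reporting tools we run against our repositories.</p><p>Contributions to resolve a reported issue are welcomed!</section><section>${html[*]}</section></main></body></html>" > ./index.html;
+
+# Deploy the reports
+cp -r ./deps /home/nhcarrigan/security;
+cp -r ./gitleaks /home/nhcarrigan/security;
+cp -r ./trivy /home/nhcarrigan/security;
+cp -r ./grype /home/nhcarrigan/security;
+cp -r ./syft /home/nhcarrigan/security;
+cp -r ./snyk /home/nhcarrigan/security;
+cp ./index.html /home/nhcarrigan/security;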
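Review bot: `cd current_dir` in each of the seven dependency-check branches (first in the package.json block) is missing the `$`, so the script never returns to `$current_dir` and every later relative path — the remaining `if [ -f ./_repos/... ]` tests, `rm -rf ./_repos/$directory`, and the next iteration's `git clone` target — resolves inside the previous repository's checkout. The same branches write their results to `./_repos/security/deps/$directory.txt`, and `snyk test` to `./_repos/security/snyk/$directory.json`, while the directories created at the top, linked from the generated HTML and copied on deploy are `./deps` and `./snyk`, so those reports are never published; `snyk monitor` is likewise handed `./_repos/$directory` after the `cd` into that directory, which no longer exists relative to the new cwd. None of the `cd` calls are checked and there is no `set -e`, so all of this fails silently and `index.html` links to files that were never written. I would run each per-project command in a subshell with an absolute output path instead of cd-ing back and forth, quote `$directory` everywhere (it is a filesystem name that becomes a URL, a path, and unescaped HTML), and `|| continue` on the clone so a failed clone does not run the scanners against the wrong tree. The repository list also includes the starting directory itself, since `find ... -maxdepth 1 -type d` prints its starting point and `-printf "%f"` renders it as `naomi`, not `.`; `-mindepth 1` removes it.
```shell
current_dir=$(pwd)
# … unchanged: mkdir calls …
repositories=($(find /home/naomi/code/naomi -mindepth 1 -maxdepth 1 -type d -printf "%f\n" | sort))
for directory in "${repositories[@]}"; do
  echo "Scanning $directory"
  git clone "https://git.nhcarrigan.com/nhcarrigan/$directory" "./_repos/$directory" || continue
  # … unchanged: gitleaks / trivy / grype / syft (with "$directory" quoted) …
  (
    cd "./_repos/$directory" || exit 1
    snyk monitor --dev --project-name="$directory" --remote-repo-url="$(git remote get-url origin)" .
    snyk test --dev --json --json-file-output="$current_dir/snyk/$directory.json" .
  )
  deps_out="$current_dir/deps/$directory.txt"
  echo "No supported package manager found in this project." > "$deps_out"
  if [ -f "./_repos/$directory/package.json" ]; then
    ( cd "./_repos/$directory" && pnpm outdated | grep -v "^WARN" > "$deps_out" )
  fi
  # … unchanged: the other six package-manager branches, rewritten the same way …
  # … unchanged: html+= and rm -rf -- "./_repos/$directory" …
done
```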