5d90c4ed08
|
|||
259ae28463
|
|||
13e5b09d99
|
|||
cf4cede4aa
|
|||
a513566f13
|
|||
56437eb3cd
|
|||
af213ff31b
|
|||
7e531e44b0
|
|||
546ac3efa4
|
|||
6b66b0617c
|
|||
9d0cd7f284
|
|||
4f880830e8
|
|||
0c84a58e64
|
|||
8544a69dde
|
|||
81a05162d5
|
|||
1f02b770ae
|
|||
b2117e0974
|
|||
5038db9947
|
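--- a/.gitea/workflows/sonar.yml
+++ b/.gitea/workflows/sonar.yml
@@ -0,0 +1,34 @@
+name: Code Analysis
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  sonar:
+    name: SonarQube
+
+    steps:
+      - name: Checkout Source Files
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: SonarCube Scan
+        uses: SonarSource/sonarqube-scan-action@v4
+        timeout-minutes: 10
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: "https://quality.nhcarrigan.com"
+        with:
+          args: >
+            -Dsonar.sources=.
+            -Dsonar.projectKey=security
+
+      - name: SonarQube Quality Gate check
+        uses: sonarsource/sonarqube-quality-gate-action@v1
+        with:
+          pollingTimeoutSec: 600
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_HOST_URL: "https://quality.nhcarrigan.com"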
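Review bot: Both third-party actions that receive `SONAR_TOKEN` are referenced by mutable major tags (`SonarSource/sonarqube-scan-action@v4`, `sonarsource/sonarqube-quality-gate-action@v1`), so whoever can move those tags can run code with the token; pin each `uses:` to a full commit SHA with the tag in a trailing comment, e.g. `uses: SonarSource/sonarqube-scan-action@<commit-sha> # v4`, and do the same for `actions/checkout`. Between `name: SonarQube` and `steps:` the rendered file shows only a blank line and no `runs-on:`; if the key really is absent the job will never be assigned a runner, so please confirm against the raw file. The step name `SonarCube Scan` should read `SonarQube Scan`.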
117
scan.sh
117
scan.sh
@ -1,87 +1,92 @@
|
||||
# Clean existing reports.
|
||||
# Clean any existing reports.
|
||||
rm -r ./gitleaks;
|
||||
rm -r ./trivy;
|
||||
rm -r ./grype;
|
||||
rm -r ./syft;
|
||||
rm -r ./snyk;
|
||||
rm -r ./deps;
|
||||
rm ./index.html;
|
||||
|
||||
# Create the directories for the reports.
|
||||
mkdir ./gitleaks;
|
||||
mkdir ./trivy;
|
||||
mkdir ./grype;
|
||||
mkdir ./syft;
|
||||
mkdir ./snyk;
|
||||
mkdir ./deps;
|
||||
|
||||
# Parse directories for all of the projects we "own".
|
||||
repositories=($(find /home/naomi/code/naomi -maxdepth 1 -type d -not -name '.' -printf "%f\n" | sort));
|
||||
# List of repositories to scan.
|
||||
repositories=("typescript-config" "boost-monitor" "tingle-bot" "rig-task-bot" "blog" "mod-logs" "a4p-bot" "mod-bot" "rosalia-nightsong" "eslint-config" "logger" "aria-iuvo" "cordelia-taryne" "melody-iuvo" "nginx-configs" "website-headers" "discord-rpc" "portfolio" "forms" "static-pages" "ocean-breeze" "becca-lyria" "docs" "gwen-abalise" "nails" "maylin-taryne" "standup-bot");
|
||||
# Sort them alphabetically.
|
||||
repositories=($(echo "${repositories[@]}" | tr ' ' '\n' | sort -u | tr '\n' ' '));
|
||||
html=();
|
||||
current_dir=$(pwd);
|
||||
date=$(date);
|
||||
|
||||
for directory in "${repositories[@]}"; do
|
||||
if [ $directory == "naomi" ] || [ $directory == "security" ]; then
|
||||
continue;
|
||||
fi;
|
||||
echo "Scanning $directory";
|
||||
|
||||
# Automated scanning tools
|
||||
gitleaks detect --source /home/naomi/code/naomi/$directory -r ./gitleaks/$directory.json --no-banner;
|
||||
trivy repo --format json --output ./trivy/$directory.json /home/naomi/code/naomi/$directory;
|
||||
grype -o json --file ./grype/$directory.json /home/naomi/code/naomi/$directory;
|
||||
syft scan /home/naomi/code/naomi/$directory -o json=./syft/$directory.json;
|
||||
|
||||
# Need to move directories for Snyk to track the target correctly.
|
||||
cd /home/naomi/code/naomi/$directory;
|
||||
snyk monitor --dev --project-name=$directory --remote-repo-url=$(git remote get-url origin) /home/naomi/code/naomi/$directory;
|
||||
snyk test --dev --json --json-file-output=/home/naomi/code/naomi/security/snyk/$directory.json /home/naomi/code/naomi/$directory;
|
||||
cd /home/naomi/code/naomi/security;
|
||||
git clone https://git.nhcarrigan.com/nhcarrigan/$directory ./_repos/$directory;
|
||||
|
||||
# Manual dependency version checks (no reliable package to do this for us :/ )
|
||||
echo "No supported package manager found in this project." > /home/naomi/code/naomi/security/deps/$directory.txt;
|
||||
if [ -f /home/naomi/code/naomi/$directory/package.json ]; then
|
||||
cd /home/naomi/code/naomi/$directory;
|
||||
pnpm outdated | grep -v "^WARN" > /home/naomi/code/naomi/security/deps/$directory.txt;
|
||||
cd /home/naomi/code/naomi/security;
|
||||
echo "No supported package manager found in this project." > $current_dir/deps/$directory.txt;
|
||||
if [ -f $current_dir/_repos/$directory/package.json ]; then
|
||||
cd $current_dir/_repos/$directory;
|
||||
pnpm install;
|
||||
pnpm outdated | grep -v "^WARN" > $current_dir/deps/$directory.txt;
|
||||
cd $current_dir
|
||||
fi;
|
||||
if [ -f /home/naomi/code/naomi/$directory/Pipfile ]; then
|
||||
cd /home/naomi/code/naomi/$directory;
|
||||
pip list --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
|
||||
cd /home/naomi/code/naomi/security;
|
||||
if [ -f $current_dir/_repos/$directory/Pipfile ]; then
|
||||
cd $current_dir/_repos/$directory;
|
||||
pip install;
|
||||
pip list --outdated > $current_dir/deps/$directory.txt;
|
||||
cd $current_dir
|
||||
fi;
|
||||
if [ -f /home/naomi/code/naomi/$directory/*.csproj ]; then
|
||||
cd /home/naomi/code/naomi/$directory;
|
||||
dotnet list package --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
|
||||
cd /home/naomi/code/naomi/security;
|
||||
if [ -f $current_dir/_repos/$directory/*.csproj ]; then
|
||||
cd $current_dir/_repos/$directory;
|
||||
dotnet restore;
|
||||
dotnet list package --outdated > $current_dir/deps/$directory.txt;
|
||||
cd $current_dir
|
||||
fi;
|
||||
if [ -f /home/naomi/code/naomi/$directory/go.mod ]; then
|
||||
cd /home/naomi/code/naomi/$directory;
|
||||
go list -m -u all > /home/naomi/code/naomi/security/deps/$directory.txt;
|
||||
cd /home/naomi/code/naomi/security;
|
||||
if [ -f $current_dir/_repos/$directory/go.mod ]; then
|
||||
cd $current_dir/_repos/$directory;
|
||||
go install;
|
||||
go list -m -u all > $current_dir/deps/$directory.txt;
|
||||
cd $current_dir
|
||||
fi;
|
||||
if [ -f /home/naomi/code/naomi/$directory/rockspec ]; then
|
||||
cd /home/naomi/code/naomi/$directory;
|
||||
luarocks list --outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
|
||||
cd /home/naomi/code/naomi/security;
|
||||
if [ -f $current_dir/_repos/$directory/rockspec ]; then
|
||||
cd $current_dir/_repos/$directory;
|
||||
luarocks install;
|
||||
luarocks list --outdated > $current_dir/deps/$directory.txt;
|
||||
cd $current_dir
|
||||
fi;
|
||||
if [ -f /home/naomi/code/naomi/$directory/composer.json ]; then
|
||||
cd /home/naomi/code/naomi/$directory;
|
||||
composer outdated --format=json > /home/naomi/code/naomi/security/deps/$directory.json;
|
||||
cd /home/naomi/code/naomi/security;
|
||||
if [ -f $current_dir/_repos/$directory/composer.json ]; then
|
||||
cd $current_dir/_repos/$directory;
|
||||
composer install;
|
||||
composer outdated --format=json > $current_dir/deps/$directory.json;
|
||||
cd $current_dir
|
||||
fi;
|
||||
if [ -f /home/naomi/code/naomi/$directory/Gemfile ]; then
|
||||
cd /home/naomi/code/naomi/$directory;
|
||||
bundle outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
|
||||
cd /home/naomi/code/naomi/security;
|
||||
if [ -f $current_dir/_repos/$directory/Gemfile ]; then
|
||||
cd $current_dir/_repos/$directory;
|
||||
bundle install;
|
||||
bundle outdated > $current_dir/deps/$directory.txt;
|
||||
cd $current_dir
|
||||
fi;
|
||||
if [ -f /home/naomi/code/naomi/$directory/Cargo.toml ]; then
|
||||
cd /home/naomi/code/naomi/$directory;
|
||||
cargo outdated > /home/naomi/code/naomi/security/deps/$directory.txt;
|
||||
cd /home/naomi/code/naomi/security;
|
||||
if [ -f $current_dir/_repos/$directory/Cargo.toml ]; then
|
||||
cd $current_dir/_repos/$directory;
|
||||
cargo install;
|
||||
cargo outdated > $current_dir/deps/$directory.txt;
|
||||
cd $current_dir
|
||||
fi;
|
||||
html+=("<h2>$directory</h2><ul><li style='list-style-type: none;'><a href='./gitleaks/$directory.json'>Gitleaks</a></li><li style='list-style-type: none;'><a href='./trivy/$directory.json'>Trivy</a></li><li style='list-style-type: none;'><a href='./grype/$directory.json'>Grype</a></li><li style='list-style-type: none;'><a href='./syft/$directory.json'>Syft</a></li><li style='list-style-type: none;'><a href='./snyk/$directory.json'>Snyk</a></ul><li style='list-style-type: none;'><a href='./deps/$directory.txt'>Outdated Dependencies</a></ul>");
|
||||
|
||||
# Automated scanning tools
|
||||
gitleaks detect --source $current_dir/_repos/$directory -r $current_dir/gitleaks/$directory.json --no-banner;
|
||||
trivy repo --format json --output $current_dir/trivy/$directory.json $current_dir/_repos/$directory --include-dev-deps;
|
||||
grype -o json --file $current_dir/grype/$directory.json $current_dir/_repos/$directory;
|
||||
syft scan $current_dir/_repos/$directory -o json=$current_dir/syft/$directory.json;
|
||||
|
||||
html+=("<h2>$directory</h2><ul><li style='list-style-type: none;'><a href='./gitleaks/$directory.json'>Gitleaks</a></li><li style='list-style-type: none;'><a href='./trivy/$directory.json'>Trivy</a></li><li style='list-style-type: none;'><a href='./grype/$directory.json'>Grype</a></li><li style='list-style-type: none;'><a href='./syft/$directory.json'>Syft</a></li><li style='list-style-type: none;'><a href='./deps/$directory.txt'>Outdated Dependencies</a></ul>");
|
||||
|
||||
done;
|
||||
|
||||
echo "<!DOCTYPE html><html><head><title>Security Audits</title><meta charset=\"utf-8\" /><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" /><meta name=\"description\" content=\"A collection of the various reporting tools we run against our repositories.\" /><script src=\"https://cdn.nhcarrigan.com/headers/index.js\" async defer></script></head><body><main><h1>Security Audits</h1><section><p>A collection of the various reporting tools we run against our repositories.</p><p>Contributions to resolve a reported issue are welcomed!</section><section>${html[*]}</section></main></body></html>" > ./index.html;
|
||||
rm -rf $current_dir/_repos;
|
||||
|
||||
# Deploy the reports to the production server.
|
||||
GLOBIGNORE='.git' scp -r ./* prod:/home/nhcarrigan/security
|
||||
echo "<!DOCTYPE html><html><head><title>Security Audits</title><meta charset=\"utf-8\" /><meta name=\"viewport\" content=\"width=device-width, initial-scale=1\" /><meta name=\"description\" content=\"A collection of the various reporting tools we run against our repositories.\" /><script src=\"https://cdn.nhcarrigan.com/headers/index.js\" async defer></script></head><body><main><h1>Security Audits</h1><section><p>A collection of the various reporting tools we run against our repositories.</p><p>Contributions to resolve a reported issue are welcomed!</p><p>Updated: ${date}</p></section><section>${html[*]}</section></main></body></html>" > ./index.html;
|
||||
|
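Review bot: The newly added `pnpm install`, `composer install`, `bundle install`, `dotnet restore` and `go install` lines execute each cloned project's dependency tree, including any install hooks, on the same host whose SSH identity later runs `scp -r ./* prod:/home/nhcarrigan/security`; since the point of this script is to find problems in those dependencies, install them without lifecycle scripts (`pnpm install --ignore-scripts`, `composer install --no-scripts`) or run the whole loop in a throwaway container that has no `prod` credentials. Several of the new install steps also do not do what the following `outdated` check needs: `pip install;`, `cargo install;` and `luarocks install;` are given no target and will exit with an error rather than resolve the project's dependencies, and `pip list --outdated` then reports the ambient interpreter's packages, not the Pipfile's. Finally, `_repos` is only removed at the very end (`rm -rf $current_dir/_repos`), so an aborted run leaves checkouts behind that make the next `git clone ... ./_repos/$directory` fail and the scans run against a stale tree; add `rm -rf -- "${current_dir:?}/_repos";` to the "Clean any existing reports" section, and quote that final `rm -rf` the same way so an empty `current_dir` cannot expand to `/_repos`.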