From bb12e61d2f8e19e4f79c68e0a52ece53c96ca395 Mon Sep 17 00:00:00 2001 From: Simon Date: Thu, 17 Nov 2022 15:40:07 +0100 Subject: [PATCH 1/4] :technologist: Created Issue Templates --- .github/ISSUE_TEMPLATE/bug_report.md | 39 +++++++++++++++++++++++ .github/ISSUE_TEMPLATE/feature_request.md | 20 ++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md create mode 100644 .github/ISSUE_TEMPLATE/feature_request.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..12ea76d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,39 @@ +--- +name: Bug report +about: Create a report to help us improve +title: "[BUG]" +labels: bug +assignees: Templum + +--- + +**Setting a Baseline** +Please start by providing the necessary insights to ensure you can be helped swiftly + +Which version of the Action are you using: <> +How does your configuration look like: + +```yaml + - uses: actions/checkout@v3 + - name: Scan for Vulnerabilities in Code + uses: Templum/govulncheck-action@vX.X.X + with: + go-version: 1.18 + env: + DEBUG: "true" +``` + +Logs: + +Please share the output of the action, preferably turning the Action into Debug mode. This can be done by specifying an env called `DEBUG` and setting it to `true`. + +``` +Your logs here +``` + +**Bug Description** +Please describe the BUG you encounter be as precise as possible and provide context if needed. + + +**Screenshots** +If applicable, add screenshots to help explain your problem. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..4e57a2f --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md 
@@ -0,0 +1,20 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: "[FR]" +labels: enhancement +assignees: Templum + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. From 4b43f32617d5dad6781ccf2fdcbbfcbc2652c691 Mon Sep 17 00:00:00 2001 From: Simon Date: Thu, 17 Nov 2022 15:51:42 +0100 Subject: [PATCH 2/4] :memo: Added New Configuration Examples (#18) Including a Debug one, should allow people to be redirected to --- README.md | 57 +++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 51 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index eea67b3..91caee9 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ Please be aware there will be no direct output to the console, all found vulnera
- This configuration uses a different version of go (1.18) scans ./... and will fail if at least one vulnerability was found. Also it explicitly sets the github-token. + This configuration uses a different version of go (1.18) scans ./... and will fail if at least one vulnerability was found. ```yaml @@ -47,21 +47,19 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Running govulncheck + - name: Scan for Vulnerabilities in Code uses: Templum/govulncheck-action@ with: go-version: 1.18 vulncheck-version: latest package: ./... - github-token: ${{ secrets.GITHUB_TOKEN }} fail-on-vuln: true ```
- This configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action - to upload the result directly as build artifact. + This configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action to upload the result directly as build artifact. ```yaml @@ -72,7 +70,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - - name: Running govulncheck + - name: Scan for Vulnerabilities in Code uses: Templum/govulncheck-action@ with: skip-upload: true @@ -84,6 +82,53 @@ jobs: ```
+
+ + This configuration shows how to grant required permissions to the action in case you run into permission issues. + + +```yaml +name: My Workflow +on: [push, pull_request] +permissions: + security-events: write +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Scan for Vulnerabilities in Code + uses: Templum/govulncheck-action@ +``` +
+ +
+ + The following configuration sets the action into DEBUG Mode. Which features verbose logging and allows access to the raw govulncheck JSON report. + + +```yaml +name: My Debug Workflow +on: [push, pull_request] +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Scan for Vulnerabilities in Code + uses: Templum/govulncheck-action@ + with: + skip-upload: true + env: + DEBUG: "true" + - name: Upload Report + uses: actions/upload-artifact@v3 + with: + name: raw-report + path: raw-report.json +``` +
+ ### Inputs | Input | Description | From 3967a172148a5b620d9db4abe679bc21d7e9b4ea Mon Sep 17 00:00:00 2001 From: Simon Date: Mon, 9 Jan 2023 15:38:01 +0100 Subject: [PATCH 3/4] :sparkles: Implement support for private deps via GOPRIVATE & GH PAT (#21) * :sparkles: Defined Build Args * :sparkles: Passing args from ENV * :wrench: Escaping * Issue with escaping * :wrench: Moved config to correct place * :sparkles: Just wanting Token now * :bug: Using add flag * :bug: Corrected default value type * :bug: Mixed up states * :construction: Investigate weird behaviour * :construction: Print GOPRIVATE * :bug: Using correct config override * :sparkles: Finalized Feature * :memo: Documented feature * :memo: Added missing link --- Dockerfile | 6 ++++++ README.md | 26 +++++++++++++++++++++++++- action.yml | 6 +++--- main.go | 1 + 4 files changed, 35 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 6a7dd82..2beb57e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,5 +16,11 @@ FROM golang:$GOLANG_VERSION ARG VULNCHECK_VERSION=latest RUN go install golang.org/x/vuln/cmd/govulncheck@$VULNCHECK_VERSION +ARG GH_PAT_TOKEN +RUN if [[ -n "$GH_PAT_TOKEN" ]]; then echo "No token was provided"; else git config --global --add url."https://govulncheck_action:$GH_PAT_TOKEN@github.com/".insteadOf "https://github.com/"; fi + +ARG GOPRIVATE +ENV GOPRIVATE=$GOPRIVATE + COPY --from=builder /go/src/github.com/Templum/govulncheck-action/action /action ENTRYPOINT ["/action"] \ No newline at end of file diff --git a/README.md b/README.md index 91caee9..b731216 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,30 @@ jobs: ``` +
+ + Example configuration for repository that relies on a private library. + + +> :information_source: This action for the moment works with [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) while creating one make sure it has write-read access to the dependent repositories as this is required for `$ go get`. Further following best practices create the token with the smallest possible scope. + +```yaml +name: My Workflow +on: [push, pull_request] +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Scan for Vulnerabilities in Code + uses: Templum/govulncheck-action@ + env: + GH_PAT_TOKEN: ${{ secrets.PAT_TOKEN }} + GOPRIVATE: "github.com/your-name/private-lib" + +``` +
+
This configuration uses most of the default values, which are specified below. However it skips the upload to Github and instead uses the upload-artifact-action to upload the result directly as build artifact. @@ -142,4 +166,4 @@ jobs: > :warning: Please be aware that go-version should be a valid tag name for the [golang dockerhub image](https://hub.docker.com/_/golang/tags). -> :lock: Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) +> :lock: Please be aware if the token is not specified it uses `github.token` for more details on that check [those docs](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token) \ No newline at end of file diff --git a/action.yml b/action.yml index 462aac8..3b401d4 100644 --- a/action.yml +++ b/action.yml 
@@ -20,18 +20,18 @@ inputs: required: false fail-on-vuln: description: "This allows you to specify if the action should fail on encountering any vulnerability, by default it will not" - default: false + default: "false" required: false skip-upload: description: "This flag allows you to skip the sarif upload, it will be instead written to disk" - default: false + default: "false" required: false runs: using: "composite" steps: - id: build - run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH + run: docker build --build-arg GOLANG_VERSION=${{ inputs.go-version }} --build-arg GH_PAT_TOKEN=$GH_PAT_TOKEN --build-arg GOPRIVATE=$GOPRIVATE --build-arg VULNCHECK_VERSION=${{ inputs.vulncheck-version }} -q -f $GITHUB_ACTION_PATH/Dockerfile -t templum/govulncheck-action:local $GITHUB_ACTION_PATH shell: bash - id: run run: docker run --rm -v $(pwd):/github/workspace --workdir /github/workspace -e GITHUB_TOKEN=${{ inputs.github-token }} -e STRICT=${{ inputs.fail-on-vuln }} -e PACKAGE=${{ inputs.package }} -e SKIP_UPLOAD=${{ inputs.skip-upload }} -e DEBUG=${DEBUG} -e GITHUB_REPOSITORY=${{ github.repository }} -e GITHUB_REF=${{ github.ref }} -e GITHUB_SHA=${{ github.sha }} templum/govulncheck-action:local diff --git a/main.go b/main.go index 09fb657..d628a60 100644 --- a/main.go +++ b/main.go @@ -39,6 +39,7 @@ func main() { Str("Go-Version", info.Version). Str("Go-Os", info.Os). Str("Go-Arch", info.Arch). + Str("GOPRIVATE", os.Getenv("GOPRIVATE")). Msg("GoEnvironment Details:") logger.Debug(). From dfb34f5277f07e594b0e6973499b94844349e068 Mon Sep 17 00:00:00 2001 
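Review bot: the token check in the Dockerfile hunk is inverted. `[[ -n "$GH_PAT_TOKEN" ]]` is true when the variable is non-empty, so a supplied token prints "No token was provided" and is never configured, while a missing token writes an `insteadOf` rewrite that embeds an empty credential. Swap the branches, i.e. `if [[ -z "$GH_PAT_TOKEN" ]]; then echo "No token was provided"; else git config ...; fi`, and note that `[[ ... ]]` is a bash construct; the image's default `RUN` shell is `/bin/sh`, so either add `SHELL ["/bin/bash", "-c"]` before this line or use a POSIX `[ -z "$GH_PAT_TOKEN" ]` test. Separately, the PAT arrives as `ARG GH_PAT_TOKEN` and is written with `git config --global`, so it is recorded in the image's build history (build args show up in `docker history`) and persists in the resulting layer's `~/.gitconfig`; a BuildKit secret mount (`RUN --mount=type=secret,...`) or applying the git rewrite at container start rather than at build time keeps the token out of the image.

Review bot: in the action.yml hunk, `--build-arg GH_PAT_TOKEN=$GH_PAT_TOKEN` hands the PAT to `docker build` as a plain build argument, which ends up in the metadata of `templum/govulncheck-action:local`; this is the transport the Dockerfile comment above refers to, and a `--secret` is the safer option. `GH_PAT_TOKEN` and `GOPRIVATE` are also read from the job environment rather than declared under `inputs:`, so action.yml should at least document them next to the existing inputs; the change of `default: false` to `default: "false"` is correct, since composite action inputs are strings.

Review bot: the README hunk tells users to give the token "write-read access to the dependent repositories"; `go get` only needs to clone, so read access is sufficient, and the "smallest possible scope" advice in the same sentence should translate to a read-only token (for a fine-grained PAT, `Contents: read` on the private repositories). Stating that explicitly avoids users minting write-capable tokens for a scanner.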
From: Simon Date: Wed, 11 Jan 2023 21:56:00 +0100 Subject: [PATCH 4/4] :construction_worker: Implement Integration Test (#22) * :construction_worker: Started assembling integration test pipeline * :wrench: Setup for testing * :wrench: Selected correct report * :white_check_mark: Added Bash based Integration Test * :wrench: Added Schedule (every 3 day at 22.00) * Minor Name adjustment * :wrench: Removed test branch as implementation concluded --- .github/workflows/integration.yml | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 9e1fd08..5be3009 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml 
@@ -5,14 +5,33 @@ on: - main tags: - v* + schedule: + - cron: '0 22 */3 * *' jobs: test: runs-on: ubuntu-latest steps: - - uses: actions/checkout@main - - name: Debug - run: pwd && ls - shell: bash - - name: Integration Test - id: integration-test + - name: Checkout playground repository + uses: actions/checkout@main + with: + repository: Templum/playground + - name: Run Action against known repository and skip upload to compare generated file uses: Templum/govulncheck-action@main + with: + skip-upload: true + go-version: 1.19 + env: + GH_PAT_TOKEN: ${{ secrets.PAT_TOKEN }} + GOPRIVATE: "github.com/Templum/private-lib" + - name: Ensure at least 8 Vulnerabilities are discovered + run: | + rules=$(cat govulncheck-report.sarif | jq '.runs[0].tool.driver.rules | length') + occurrences=$(cat govulncheck-report.sarif | jq '.runs[0].results | length') + if [[ $rules -ge 8 ]]; then echo "Found expected number of rules"; else echo "Found unexpected number of rules $rules expected 8"; exit 1; fi + if [[ $occurrences -ge 8 ]]; then echo "Found expected number of call sites"; else echo "Found unexpected number of call sites ($occurrences expected 8)"; exit 1; fi + - name: Upload Report if Test failed + if: ${{ failure() }} + uses: actions/upload-artifact@v3 + with: + name: sarif-report + path: govulncheck-report.sarif
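Review bot: `actions/checkout@main` points at a mutable branch; for a scheduled workflow that also receives `secrets.PAT_TOKEN`, pin the checkout action to a release tag or commit SHA so a third-party push cannot change what runs. `Templum/govulncheck-action@main` is the action under test, so that reference is intentional. The two assertions accept any count `-ge 8`, but the failure messages read "expected 8"; word them as "at least 8" (with a live vulnerability database the count will drift upward, so `-ge` is the right comparison), and `jq '...' govulncheck-report.sarif` avoids the `cat` pipelines.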