Consolidated scanning (#3832)

* Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management
2025-05-20 11:04:31 -05:00 · 2024-02-23 13:47:23 -05:00 · 2024-02-23 13:47:23 -05:00 · 96d0ae9cf7
commit 96d0ae9cf7
parent 6d089d3c26
2 changed files with 81 additions and 6 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -119,6 +119,8 @@ jobs:
  build-docker:
    name: Build Docker images
    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write
    needs: build-artifacts
    strategy:
      fail-fast: false
@ -173,7 +175,7 @@ jobs:
      - name: Check out repo
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

-      - name: Check Branch to Publish
+      - name: Check branch to publish
        env:
          PUBLISH_BRANCHES: "main,rc,hotfix-rc"
        id: publish-branch-check
@ -192,7 +194,7 @@ jobs:
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

-      - name: Login to PROD ACR
+      - name: Log in to ACR - production subscription
        run: az acr login -n bitwardenprod

      - name: Log in to Azure - CI subscription
@ -200,7 +202,7 @@ jobs:
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

-      - name: Retrieve github PAT secrets
+      - name: Retrieve GitHub PAT secrets
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
@ -270,6 +272,19 @@ jobs:
          secrets: |
            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

+      - name: Scan Docker image
+        id: container-scan
+        uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
+        with:
+          image: ${{ steps.image-names.outputs.names }}
+          fail-build: false
+          output-format: sarif
+
+      - name: Upload Grype results to GitHub
+        uses: github/codeql-action/upload-sarif@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
+        with:
+          sarif_file: ${{ steps.container-scan.outputs.sarif }}
+
  upload:
    name: Upload
    runs-on: ubuntu-22.04
@ -286,7 +301,7 @@ jobs:
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

-      - name: Login to PROD ACR
+      - name: Log in to ACR - production subscription
        run: az acr login -n $_AZ_REGISTRY --only-show-errors

      - name: Make Docker stubs
@ -453,7 +468,7 @@ jobs:
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

-      - name: Retrieve github PAT secrets
+      - name: Retrieve GitHub PAT secrets
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
@ -486,7 +501,7 @@ jobs:
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

-      - name: Retrieve github PAT secrets
+      - name: Retrieve GitHub PAT secrets
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@ -0,0 +1,60 @@
+name: Scan
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - "main"
+      - "rc"
+      - "hotfix-rc"
+  pull_request:
+
+permissions: read-all
+
+jobs:
+  sast:
+    name: SAST scan
+    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Scan with Checkmarx
+        uses: checkmarx/ast-github-action@749fec53e0db0f6404a97e2e0807c3e80e3583a7 #2.0.23
+        env:
+          INCREMENTAL: "${{ github.event_name == 'pull_request' && '--sast-incremental' || '' }}"
+        with:
+          project_name: ${{ github.repository }}
+          cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+          base_uri: https://ast.checkmarx.net/
+          cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
+          cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+          additional_params: --report-format sarif --output-path . ${{ env.INCREMENTAL }}
+
+      - name: Upload Checkmarx results to GitHub
+        uses: github/codeql-action/upload-sarif@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
+        with:
+          sarif_file: cx_result.sarif
+
+  quality:
+    name: Quality scan
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Scan with SonarCloud
+        uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          args: >
+            -Dsonar.organization=${{ github.repository_owner }}
+            -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
+            -Dsonar.test.exclusions=test/**
+            -Dsonar.tests=test/