From 96d0ae9cf7625e65f9d140d71309c552620d1528 Mon Sep 17 00:00:00 2001 From: Matt Bishop Date: Fri, 23 Feb 2024 13:47:23 -0500 Subject: [PATCH] Consolidated scanning (#3832) * Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management --- .github/workflows/build.yml | 27 +++++++++++++---- .github/workflows/scan.yml | 60 +++++++++++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/scan.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c63ebd669f..15c134f66d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -119,6 +119,8 @@ jobs: build-docker: name: Build Docker images runs-on: ubuntu-22.04 + permissions: + security-events: write needs: build-artifacts strategy: fail-fast: false @@ -173,7 +175,7 @@ jobs: - name: Check out repo uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - - name: Check Branch to Publish + - name: Check branch to publish env: PUBLISH_BRANCHES: "main,rc,hotfix-rc" id: publish-branch-check @@ -192,7 +194,7 @@ jobs: with: creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} - - name: Login to PROD ACR + - name: Log in to ACR - production subscription run: az acr login -n bitwardenprod - name: Log in to Azure - CI subscription @@ -200,7 +202,7 @@ jobs: with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - - name: Retrieve github PAT secrets + - name: Retrieve GitHub PAT secrets id: retrieve-secret-pat uses: bitwarden/gh-actions/get-keyvault-secrets@main with: 
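Review bot: Adding a job-level `permissions:` block to build-docker sets every scope not listed to none, so the job's GITHUB_TOKEN now carries only `security-events: write`; the job still checks out the repo and consumes the `build-artifacts` output, and if either relied on the default `contents: read` it should be listed explicitly, e.g. `contents: read` next to the new line. The codeql-action SARIF upload added further down in this commit is documented as also needing `actions: read` on private repositories — not required for a public repo, but worth stating if this workflow is copied elsewhere. The build-docker job continues outside this hunk.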
@@ -270,6 +272,19 @@ jobs: secrets: | "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}" + - name: Scan Docker image + id: container-scan + uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4 + with: + image: ${{ steps.image-names.outputs.names }} + fail-build: false + output-format: sarif + + - name: Upload Grype results to GitHub + uses: github/codeql-action/upload-sarif@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2 + with: + sarif_file: ${{ steps.container-scan.outputs.sarif }} + upload: name: Upload runs-on: ubuntu-22.04 @@ -286,7 +301,7 @@ jobs: with: creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} - - name: Login to PROD ACR + - name: Log in to ACR - production subscription run: az acr login -n $_AZ_REGISTRY --only-show-errors - name: Make Docker stubs @@ -453,7 +468,7 @@ jobs: with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - - name: Retrieve github PAT secrets + - name: Retrieve GitHub PAT secrets id: retrieve-secret-pat uses: bitwarden/gh-actions/get-keyvault-secrets@main with: @@ -486,7 +501,7 @@ jobs: with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - - name: Retrieve github PAT secrets + - name: Retrieve GitHub PAT secrets id: retrieve-secret-pat uses: bitwarden/gh-actions/get-keyvault-secrets@main with: diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml new file mode 100644 index 0000000000..ff36b004de --- /dev/null +++ b/.github/workflows/scan.yml 
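Review bot: The `Upload Grype results to GitHub` step passes no `category`, and build-docker runs under a `strategy` matrix (visible in the first hunk), so each matrix leg uploads a SARIF with the same tool/ref/commit identity and code scanning keeps only the last one; give every upload a distinct value, e.g. `category: grype-${{ steps.image-names.outputs.names }}` or one derived from the matrix key. `image:` takes a single image reference while the output is named `names`; if the `image-names` step (outside this hunk) can emit more than one, only one reference should reach scan-action — confirm against that step. With `fail-build: false` and the scan placed after the Docker build step whose `secrets:` input is the context above, findings are reported to code scanning but never gate the job; if that step also pushes and a gate is wanted later, scan-action's `severity-cutoff` with `fail-build: true` ahead of the push is the lever.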
@@ -0,0 +1,60 @@
+name: Scan
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - "main"
+ - "rc"
+ - "hotfix-rc"
+ pull_request:
+
+permissions: read-all
+
+jobs:
+ sast:
+ name: SAST scan
+ runs-on: ubuntu-22.04
+ permissions:
+ security-events: write
+
+ steps:
+ - name: Check out repo
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Scan with Checkmarx
+ uses: checkmarx/ast-github-action@749fec53e0db0f6404a97e2e0807c3e80e3583a7 #2.0.23
+ env:
+ INCREMENTAL: "${{ github.event_name == 'pull_request' && '--sast-incremental' || '' }}"
+ with:
+ project_name: ${{ github.repository }}
+ cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+ base_uri: https://ast.checkmarx.net/
+ cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
+ cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+ additional_params: --report-format sarif --output-path . ${{ env.INCREMENTAL }}
+
+ - name: Upload Checkmarx results to GitHub
+ uses: github/codeql-action/upload-sarif@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
+ with:
+ sarif_file: cx_result.sarif
+
+ quality:
+ name: Quality scan
+ runs-on: ubuntu-22.04
+
+ steps:
+ - name: Check out repo
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+ - name: Scan with SonarCloud
+ uses: sonarsource/sonarcloud-github-action@49e6cd3b187936a73b8280d59ffd9da69df63ec9 # v2.1.1
+ env:
+ SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ args: >
+ -Dsonar.organization=${{ github.repository_owner }}
+ -Dsonar.projectKey=${{ github.repository_owner }}_${{ github.event.repository.name }}
+ -Dsonar.test.exclusions=test/**
+ -Dsonar.tests=test/
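Review bot: `permissions: read-all` at the top of scan.yml grants every read scope to both jobs, while checkout needs only `contents: read` and the SonarCloud step's PR decoration, if it is used, `pull-requests: read`; a workflow-level `permissions: contents: read` with job-level additions matches the least-privilege shape the `sast` job already uses for `security-events: write`. On `pull_request` runs opened from forks the `CHECKMARX_*` and `SONAR_TOKEN` secrets are not populated, so the Checkmarx and SonarCloud steps will fail those runs rather than skip them — an `if:` guard on the head repository, or a documented expectation that fork PRs are not accepted, is needed. The Sonar args declare `-Dsonar.tests=test/` and then exclude `test/**` from test analysis, which reads as contradictory; a one-line comment above `args:` stating the intent (e.g. `# declare tests so they are not counted as sources; test files themselves are not analyzed`) would help, or one of the two should go. The `#2.0.23` pin annotation on the Checkmarx step lacks the `# ` spacing used on every other pinned action in this file.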