Skip to content

disable trivy until it can be reliably downloaded #557

disable trivy until it can be reliably downloaded

disable trivy until it can be reliably downloaded #557

Workflow file for this run

name: PR pipeline
on:
pull_request:
branches:
- main
workflow_dispatch:
env:
IMAGE_NAME: "pr-${{ github.event.number }}"
ZAP_FILE: "zap-scan-pr-${{ github.event.number }}"
GITHUB_CLIENT_ID: "${{ secrets.CI_GITHUB_CLIENT_ID }}"
GITHUB_CLIENT_SECRET: "${{ secrets.CI_GITHUB_CLIENT_SECRET }}"
ENCRYPTION_JWT_REFRESH_SIGNING_KEY: "${{ secrets.CI_JWT_REFRESH_SIGNING_KEY }}"
ENCRYPTION_JWT_SIGNING_KEY: "${{ secrets.CI_JWT_SIGNING_KEY }}"
ENCRYPTION_KEYS: "${{ secrets.CI_SESSION_ENCRYPTION_KEYS }}"
NODE_ENV: development
SERVER_API_PROTOCOL: http
# for security reasons the github actions are pinned to specific release versions
jobs:
server_unit_tests:
name: Server unit tests
runs-on: ubuntu-24.04
defaults:
run:
working-directory: td.server
steps:
- name: Checkout
uses: actions/[email protected]
- name: Use node LTS 20.14.0
uses: actions/[email protected]
with:
node-version: '20.14.0'
- name: Cache NPM dir
uses: actions/[email protected]
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
${{ runner.os }}-
- name: Install packages
run: npm clean-install
- name: lint
run: npm run lint
- name: Unit test
run: npm run test:unit
site_unit_tests:
name: Site unit tests
runs-on: ubuntu-24.04
defaults:
run:
working-directory: td.vue
steps:
- name: Checkout
uses: actions/[email protected]
- name: Use node LTS 20.14.0
uses: actions/[email protected]
with:
node-version: '20.14.0'
- name: Cache NPM dir
uses: actions/[email protected]
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
${{ runner.os }}-
- name: Install packages
run: npm clean-install
- name: Site lint
run: npm run lint
- name: Run unit tests
run: npm run test:unit
desktop_unit_tests:
name: Desktop unit tests
runs-on: ubuntu-24.04
defaults:
run:
working-directory: td.vue
steps:
- name: Checkout
uses: actions/[email protected]
- name: Use node LTS 20.14.0
uses: actions/[email protected]
with:
node-version: '20.14.0'
- name: Cache NPM dir
uses: actions/[email protected]
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
${{ runner.os }}-
- name: Install packages
run: npm clean-install
- name: Desktop lint
run: npm run lint:desktop
- name: Run unit tests
run: npm run test:desktop
codeql:
name: Analyze with codeql
runs-on: ubuntu-24.04
needs: [server_unit_tests, site_unit_tests, desktop_unit_tests]
permissions:
security-events: write
strategy:
fail-fast: false
steps:
- name: Checkout repository
uses: actions/[email protected]
- name: Initialize CodeQL
uses: github/codeql-action/[email protected]
with:
languages: 'javascript'
config-file: ./.github/codeql/codeql-config.yml
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
- name: CodeQL autobuild
uses: github/codeql-action/[email protected]
- name: Perform vulnerability analysis
uses: github/codeql-action/[email protected]
e2e_smokes:
name: Local site e2e smokes
runs-on: ubuntu-24.04
needs: [site_unit_tests, server_unit_tests]
steps:
- name: Checkout
uses: actions/[email protected]
- name: Use node LTS 20.14.0
uses: actions/[email protected]
with:
node-version: '20.14.0'
- name: Cache NPM dir
uses: actions/[email protected]
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
${{ runner.os }}-
- name: Install packages
run: npm clean-install
- name: Build and run locally
run: npm start
- name: Run e2e tests
run: |
cd td.vue
npm run test:e2e-pr-smokes
- name: Upload e2e videos
uses: actions/[email protected]
with:
name: e2e_vids.zip
path: td.vue/tests/e2e/videos
if: ${{ failure() && hashFiles('td.vue/tests/e2e/videos/') != '' }}
e2e_tests:
name: Local site e2e tests
runs-on: ubuntu-24.04
needs: e2e_smokes
steps:
- name: Checkout
uses: actions/[email protected]
- name: Use node LTS 20.14.0
uses: actions/[email protected]
with:
node-version: '20.14.0'
- name: Cache NPM dir
uses: actions/[email protected]
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install packages
run: npm clean-install
- name: Build and run locally
run: npm start
- name: Run e2e tests
run: |
cd td.vue
npm run test:e2e-pr
- name: Upload e2e videos
uses: actions/[email protected]
with:
name: e2e_vids.zip
path: td.vue/tests/e2e/videos
if: ${{ failure() && hashFiles('td.vue/tests/e2e/videos/') != '' }}
zap_scan_web_app:
name: Local site zap scan
runs-on: ubuntu-24.04
needs: e2e_tests
steps:
- name: Checkout
uses: actions/[email protected]
- name: Use node LTS 20.14.0
uses: actions/[email protected]
with:
node-version: '20.14.0'
- name: Cache NPM dir
uses: actions/[email protected]
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install packages
run: npm clean-install
- name: Build and run locally
run: npm start
- name: ZAP Scan
uses: zaproxy/[email protected]
with:
token: ${{ secrets.GITHUB_TOKEN }}
target: 'http://localhost:8080'
rules_file_name: '.github/workflows/.zap-rules-web.tsv'
allow_issue_writing: false
fail_action: false
artifact_name: ${{ env.ZAP_FILE }}
cmd_options: '-a'
build_docker_image:
name: Build docker image
runs-on: ubuntu-24.04
needs: e2e_smokes
if: github.repository == 'OWASP/threat-dragon'
steps:
- name: Checkout
uses: actions/[email protected]
- name: Set up Docker Buildx
id: buildx
uses: docker/[email protected]
with:
install: true
- name: Cache Docker layers
uses: actions/[email protected]
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile') }}
restore-keys: |
${{ runner.os }}-buildx-
${{ runner.os }}-
- name: Build for amd64
id: docker_build
uses: docker/[email protected]
with:
context: ./
file: ./Dockerfile
builder: ${{ steps.buildx.outputs.name }}
tags: ${{ env.IMAGE_NAME }}
outputs: type=docker,dest=/tmp/${{ env.IMAGE_NAME }}.tar
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
platforms: linux/amd64
load: true
- name: Upload docker local image
uses: actions/[email protected]
with:
name: ${{ env.IMAGE_NAME }}
path: /tmp/${{ env.IMAGE_NAME }}.tar
- name: Check docker local image
run: |
docker load --input /tmp/${{ env.IMAGE_NAME }}.tar
docker image ls -a
- # Temp fix for large cache bug
# https://github.com/docker/build-push-action/issues/252
name: Move cache
run: |
rm -rf /tmp/.buildx-cache
mv /tmp/.buildx-cache-new /tmp/.buildx-cache
scan_image_with_trivy:
name: Scan with trivy (disabled)
runs-on: ubuntu-24.04
needs: build_docker_image
permissions:
contents: write
if: ${{ ! always() }}
# disable trivy until it can be reliably downloaded in the pipeline
steps:
- name: Checkout
uses: actions/[email protected]
- name: Download docker local image
uses: actions/[email protected]
with:
name: ${{ env.IMAGE_NAME }}
path: /tmp
- name: Load docker local image
run: |
docker load --input /tmp/${{ env.IMAGE_NAME }}.tar
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: '${{ env.IMAGE_NAME }}'
format: 'table'
trivyignores: '.github/workflows/.trivyignore'
exit-code: 1