Skip to content

security

security #228

Workflow file for this run

name: Security Scans
on:
repository_dispatch:
types: [security]
workflow_dispatch:
workflow_call:
env:
RUN_URL: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}
jobs:
codedx-scans:
name: Run CodeDx Scans
runs-on: [self-hosted, Linux]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Dependency Check Scans
uses: dependency-check/[email protected]
with:
project: "uikit"
path: "."
format: "XML"
- name: Upload Reports to CodeDX
run: .github/scripts/codedx-upload.sh
env:
CODE_DX_URL: "${{ secrets.CODE_DX_URL }}"
CODE_DX_API_KEY: ${{ secrets.CODE_DX_API_KEY }}
CODE_DX_PROJECT_ID: 120
citadel-scan:
name: Request Citadel Scan
runs-on: [self-hosted, Linux]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 18
- name: Request Citadel scan
run: .github/scripts/citadel-request.mjs
black-duck-scans:
name: Run Black Duck Scans
runs-on: [self-hosted, Linux]
strategy:
fail-fast: false
matrix:
PACKAGE:
- "cli"
- "code-editor"
- "core"
- "icons"
- "lab"
- "shared"
- "styles"
- "uno-preset"
- "viz"
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install Node.js
uses: actions/setup-node@v4
with:
node-version: 18
# ==========================
# code-editor (npm package)
# ==========================
# Install dependencies inside each package so blackduck can scan them
# To do this we need to remove the package.json and package-lock.json from the root
- name: Prepare packages for Blackduck scan
uses: lumada-common-services/[email protected]
with:
command: |
rm -rf node_modules package.json package-lock.json && \
cd packages/${{ matrix.PACKAGE }} && npm i
- name: Load BlackDuck variables
working-directory: packages/${{ matrix.PACKAGE }}
run: |
echo "PROJECT_NAME=$(npm pkg get name --workspaces=false | tr -d '""')" >> $GITHUB_ENV
echo "PROJECT_VERSION=$(npm pkg get version --workspaces=false | tr -d '"')" >> $GITHUB_ENV
- name: Load blackduck project properties
run: echo "BLACKDUCK_ARGS=$(.github/scripts/getBlackduckArgs.mjs ${{ matrix.PACKAGE }})" >> $GITHUB_ENV
- name: Blackduck Scan
uses: lumada-common-services/[email protected]
env:
BLACKDUCK_DOCKER_USERNAME: hvservices-service-cicd
BLACKDUCK_DOCKER_PASSWORD: ${{ secrets.ARTIFACTORY_HVSERVICES_CICD_TOKEN }}
BlackDuck_Project_Name: "${{ env.PROJECT_NAME }}"
BlackDuck_Source_Path: /workdir/packages
BlackDuck_Project_Version: "${{ env.PROJECT_VERSION }}"
BlackDuck_Api_Token: "${{ secrets.BLACKDUCK_TOKEN }}"
BlackDuck_Url: "${{ secrets.BLACKDUCK_URL }}"
ADDITIONAL_ARGS: "${{ env.BLACKDUCK_ARGS }}"
notify-fail:
name: Notify Fail
needs: [codedx-scans, citadel-scan, black-duck-scans]
if: failure()
runs-on: ubuntu-latest
steps:
- uses: technote-space/workflow-conclusion-action@v1
- name: Notify Fail
uses: hbfernandes/[email protected]
env:
SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}
CONCLUSION: ${{ env.WORKFLOW_CONCLUSION }}
COLOR: "#C62828"
with:
args: |
{
"channel": "ui-kit-internal",
"attachments": [
{
"mrkdwn_in": ["text"],
"color": "${{env.COLOR}}",
"title": "Security Scans failed",
"title_link": "${{ env.RUN_URL }}"
}
]
}