authornicolargo <nicolas@nicolargo.com>2024-03-10 19:55:02 +0100
committernicolargo <nicolas@nicolargo.com>2024-03-10 19:55:02 +0100
commitc591461fdefd87a58fdb4c220d8d3ca4c193081f (patch)
tree735afcf4faf7094e7ef0e775427b469356d93966
parent5731cadbe34d922f7214c03089d8cf6afe0c7764 (diff)
Add Cyber scan (Trivy) github action
-rw-r--r--.github/workflows/build.yml8
-rw-r--r--.github/workflows/ci.yml7
-rw-r--r--.github/workflows/cyber.yml28
-rw-r--r--.github/workflows/quality.yml18
-rw-r--r--.github/workflows/test.yml13
-rw-r--r--.github/workflows/webui.yml7
6 files changed, 35 insertions, 46 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b5e4964a..36fc816f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,6 +1,6 @@
# This pipeline aims at building Glances for the following targets:
-# - Docker Hub
# - Pypi
+# - Docker Hub
name: build
@@ -27,12 +27,6 @@ on:
DOCKER_TOKEN:
description: 'Docker Hub token'
required: true
- # pull_request:
- # branches: [ develop ]
- # push:
- # branches: [ master, develop ]
- # tags:
- # - v*
jobs:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index db1bad14..9116e0fd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,11 +13,14 @@ jobs:
uses: ./.github/workflows/quality.yml
test:
uses: ./.github/workflows/test.yml
- needs: quality
+ needs: [quality]
webui:
if: ${{ always() }}
uses: ./.github/workflows/webui.yml
needs: [quality, test]
+ cyber:
+ uses: ./.github/workflows/cyber.yml
+ needs: [quality, test, webui]
build:
uses: ./.github/workflows/build.yml
secrets:
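Review bot: The new `cyber` job grants no token permissions, and the reusable workflow it calls ends with an upload-sarif step that needs `security-events: write`; a called workflow can only narrow the caller's grant, so unless this repository's default GITHUB_TOKEN permissions are still the permissive legacy setting, that upload step will be refused. Declare the scope on the job here, `permissions:` / `  contents: read` / `  security-events: write`, rather than relying on the repository default. The second hunk of this file makes `build` depend on `cyber`, so such a refusal would also block the release pipeline; note as well that cyber.yml sets no `exit-code` for Trivy, so a red `cyber` job will mean the scan or upload itself broke, not that vulnerabilities were found.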
@@ -25,4 +28,4 @@ jobs:
PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
- needs: [quality, test, webui]
+ needs: [quality, test, webui, cyber]
diff --git a/.github/workflows/cyber.yml b/.github/workflows/cyber.yml
new file mode 100644
index 00000000..27a2c9b7
--- /dev/null
+++ b/.github/workflows/cyber.yml
@@ -0,0 +1,28 @@
+name: cyber
+
+on:
+ workflow_call:
+
+jobs:
+ trivy:
+ name: Trivy scan
+
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
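Review bot: The `trivy` job declares no `permissions`, yet the final step calls `github/codeql-action/upload-sarif`, which requires `security-events: write`; with restricted default token permissions (the GitHub default for newer repositories) the upload fails, and a `workflow_call` workflow cannot widen what its caller grants, so the scope needs declaring here and in ci.yml. The scanner is pulled from `aquasecurity/trivy-action@master`, a mutable branch ref, so the action code executed on every run can change without any commit in this repository; pin it to a release tag or, better, a full commit SHA. Because no `exit-code` input is set, Trivy's default of 0 applies and CRITICAL findings are uploaded but never fail the job — if the gate that ci.yml places on `build` is meant to stop on findings, add `exit-code: '1'`. Finally, an `fs` scan at `severity: CRITICAL` with `ignore-unfixed: true` reports known CVEs in the repository's dependency manifests; it is not a replacement for the Bandit code-pattern check this same commit removes from test.yml, which the commit message does not mention.
```yaml
jobs:
  trivy:
    name: Trivy scan
    runs-on: ubuntu-latest
    # upload-sarif needs security-events: write; the calling workflow must grant at least this
    permissions:
      contents: read
      security-events: write
    steps:
      # … unchanged: checkout step …
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@<RELEASE_TAG_OR_FULL_COMMIT_SHA>  # placeholder: pin to an immutable ref
        with:
          # … unchanged: scan-type, ignore-unfixed, format, output, severity …
          exit-code: '1'  # fail the job on findings so the build gate in ci.yml is meaningful
      # … unchanged: upload step …
```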
diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml
index 124c910f..6d0df601 100644
--- a/.github/workflows/quality.yml
+++ b/.github/workflows/quality.yml
@@ -1,25 +1,7 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
name: quality
on:
workflow_call:
- # push:
- # branches: [ develop ]
- # pull_request:
- # # The branches below must be a subset of the branches above
- # branches: [ develop ]
- # schedule:
- # - cron: '20 20 * * 0'
jobs:
analyze:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 7d27de8c..6599a1cf 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,8 +1,7 @@
-# Run unitary test + flake8
+# Run unitary test
name: test
-# on: [push]
on:
workflow_call:
@@ -36,9 +35,6 @@ jobs:
# exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics --exclude=.git,./docs,./glances/outputs/static
- # - name: Lint with Ruff
- # uses: chartboost/ruff-action@v1
-
- name: Static type check
run: |
if [ "${{ matrix.python-version }}" == "2.7" ];
@@ -54,13 +50,6 @@ jobs:
run: |
python ./unitest.py
- - name: Security issues with Bandit
- uses: jpetrucciani/bandit-check@master
- with:
- #path: '-r --exit-zero --skip B104 ./glances/'
- path: '-r --exit-zero --skip B104 ./glances/'
-
-
test-windows:
runs-on: windows-latest
diff --git a/.github/workflows/webui.yml b/.github/workflows/webui.yml
index 2135ffb2..077b0b81 100644
--- a/.github/workflows/webui.yml
+++ b/.github/workflows/webui.yml
@@ -1,14 +1,7 @@
-# This workflow will do a clean installation of node dependencies, cache/restore them, build the source code and run tests across different versions of node
-# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-nodejs
-
name: webui
on:
workflow_call:
- # push:
- # branches: [ "develop" ]
- # pull_request:
- # branches: [ "develop" ]
jobs:
build: