New scan workflow + sonar project config file to enable sonarqube scans #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # AMMOS OSS Security Scan | |
| # (internal) docs - https://wiki.jpl.nasa.gov/pages/viewpage.action?spaceKey=AmmosArch&title=Code+Vulnerability+Scanning+Set+Up+for+AMMOS+Open+Source+Software | |
| name: "Security Scan" | |
| on: | |
| push: | |
| branches: | |
| - develop | |
| tags: | |
| - 'v*' | |
| pull_request: | |
| branches: | |
| - develop | |
| - 'dev-[0-9]+.[0-9]+.[0-9]+' | |
| schedule: | |
| - cron: '42 2 * * 0' # weekly cron scan | |
| jobs: | |
| analyze: | |
| name: Analyze (${{ matrix.language }}) | |
| runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} | |
| env: | |
| # PRs for forks can't use secrets, can't upload to Sonar | |
| CAN_USE_SECRETS: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }} | |
| permissions: | |
| # required for all workflows | |
| security-events: write | |
| # required to fetch internal or private CodeQL packs | |
| packages: read | |
| # only required for workflows in private repositories | |
| actions: read | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - language: actions | |
| build-mode: none | |
| - language: javascript-typescript | |
| build-mode: none | |
| # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift' | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #v4.3.1 | |
| # Add any setup steps before running the `github/codeql-action/init` action. | |
| # This includes steps like installing compilers or runtimes (`actions/setup-node` | |
| # or others). This is typically only required for manual builds. | |
| # - name: Setup runtime (example) | |
| # uses: actions/setup-example@v1 | |
| # Initializes the CodeQL tools for scanning. | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba #4.35.5 | |
| with: | |
| languages: ${{ matrix.language }} | |
| build-mode: ${{ matrix.build-mode }} | |
| # If you wish to specify custom queries, you can do so here or in a config file. | |
| # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs | |
| # queries: security-extended,security-and-quality | |
| # If the analyze step fails for one of the languages you are analyzing with | |
| # "We were unable to automatically build your code", modify the matrix above | |
| # to set the build mode to "manual" for that language. Then modify this step | |
| # to build your code. | |
| # ℹ️ Command-line programs to run using the OS shell. | |
| # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun | |
| - name: Run manual build steps | |
| if: matrix.build-mode == 'manual' | |
| shell: bash | |
| run: | | |
| echo 'If you are using a "manual" build mode for one or more of the' \ | |
| 'languages you are analyzing, replace this with the commands to build' \ | |
| 'your code, for example:' | |
| echo ' make bootstrap' | |
| echo ' make release' | |
| exit 1 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba #4.35.5 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| output: ../results | |
| # This step is required by AMMOS to remove malformed data from the CodeQL output | |
| # It may be possible to remove in future iterations | |
| - name: Post-Process Output | |
| run: | | |
| python3 -m pip install nasa-scrub | |
| results_dir=`realpath ${{ github.workspace }}/../results` | |
| sarif_files=`find $results_dir -name '*.sarif'` | |
| for sarif_file in $sarif_files | |
| do | |
| output_file="$results_dir/$(basename $sarif_file .sarif)_stripped.sarif" | |
| python3 -m scrub.tools.parsers.translate_results $sarif_file $output_file ${{ github.workspace }} sarifv2.1.0 | |
| done | |
| echo "RESULTS_DIR=$results_dir" >> $GITHUB_ENV | |
| # This step makes the analysis artifacts available for download | |
| # This can be helpful for debugging and archive purposes | |
| - name: Upload Artifacts | |
| uses: actions/upload-artifact@v4.3.1 | |
| with: | |
| name: codeql-artifacts-${{ matrix.language }} | |
| path: ${{ env.RESULTS_DIR }} | |
| - name: collect stripped .sarif file paths | |
| if: env.CAN_USE_SECRETS == 'true' | |
| shell: bash | |
| run: | | |
| sarif_paths="$(find "${{ github.workspace }}/../results" -name '*_stripped.sarif' -type f | paste -sd, -)" | |
| echo "sarif paths: $sarif_paths" | |
| test -n "$sarif_paths" | |
| echo "SARIF_REPORT_PATHS=$sarif_paths" >> "$GITHUB_ENV" | |
| - name: SonarQube Scan | |
| if: env.CAN_USE_SECRETS == 'true' | |
| uses: SonarSource/sonarqube-scan-action@7006c4492b2e0ee0f816d36501671557c97f5995 # v8.1.0 | |
| env: | |
| SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} | |
| with: | |
| args: > | |
| -Dsonar.sarifReportPaths=${{ env.SARIF_REPORT_PATHS }} |