feat(cis-scans): add GH CIS scan action #303
Luacheck Report: 1 files, 1 suites, 0s ⏱️. Results for commit 55dc907. ♻️ This comment has been updated with latest results.
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
@pankajmouriyakong update on this one?
| @@ -0,0 +1,14 @@ | |||
| { | |||
| "name": "cis-scans", | |||
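Review bot: the `"name"` value is the action's published metadata name and should track the directory it lives in; the thread later renames the directory to `scan-gh-config`, so this string goes stale unless it is changed in the same commit. Pick one name for both, and if the directory is meant to host further CIS scans later, the description (not the name) is where to say so.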
May be audit-github-repository or similar to indicate purpose?
Reason: kept it cis-scans with the intention to add more CIS scans to this action in future (say CIS Kubernetes, or moving the existing Docker CIS here). Making it "audit-github-repository" makes it specific to GitHub audit. LMK what you think?
Changed the action directory name to scan-gh-config
This would force someone to run all the checks in one go; when would this be the case? Otherwise we need to add conditions. If any complex logic needs to be added specific to a control, they all go in one file, which makes it unmanageable; I'd rather be modular.
The idea was to adjust for better user UX here. Also Charly shared his 2c as an end user (having to run fewer actions).
- scan-docker-image@5.1.0
…sca (#302) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.7 to 3.30.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@51f7732...192325c) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Pankaj <pankaj.mouriya@konghq.com>
- sca@5.1.2
* github-actions(deps): bump sigstore/cosign-installer Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.9.1 to 3.10.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@398d4b0...d7543c9) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 3.10.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * github-actions(deps): bump anchore/sbom-action Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.20.5 to 0.20.6. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](anchore/sbom-action@da167ea...f8bdd1d) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-version: 0.20.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * github-actions(deps): bump anchore/scan-action Bumps [anchore/scan-action](https://github.com/anchore/scan-action) from 6.5.1 to 7.0.0. - [Release notes](https://github.com/anchore/scan-action/releases) - [Changelog](https://github.com/anchore/scan-action/blob/main/RELEASE.md) - [Commits](anchore/scan-action@1638637...f660128) --- updated-dependencies: - dependency-name: anchore/scan-action dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * github-actions(deps): bump anchore/scan-action in /security-actions/sca Bumps [anchore/scan-action](https://github.com/anchore/scan-action) from 6.5.1 to 7.0.0. 
- [Release notes](https://github.com/anchore/scan-action/releases) - [Changelog](https://github.com/anchore/scan-action/blob/main/RELEASE.md) - [Commits](anchore/scan-action@1638637...f660128) --- updated-dependencies: - dependency-name: anchore/scan-action dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * github-actions(deps): bump anchore/sbom-action in /security-actions/sca Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.20.5 to 0.20.6. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](anchore/sbom-action@da167ea...f8bdd1d) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-version: 0.20.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- sca@5.1.3 - scan-docker-image@5.1.1 - sign-docker-image@5.0.3
3680459 to a5d1541
@saisatishkarra please review again and stamp it
| - name: Run CIS Compliance Scan | ||
| uses: Kong/public-shared-actions/security-actions/scan-gh-config@COMMIT-SHA | ||
| with: | ||
| github_token: ${{ secrets.CLASSIC_PAT }} |
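Review bot: `secrets.CLASSIC_PAT` ties the example to a user-bound, broadly scoped classic PAT. Since the thread says the action runs only in the repository it is configured in, the usage example should name the narrowest credential Legitify accepts and the exact scopes it needs (`${{ secrets.GITHUB_TOKEN }}` if that suffices, otherwise an App installation token) rather than implying a classic PAT is the norm. The `@COMMIT-SHA` pin is the right shape for a shared action; adding a trailing `# vX.Y.Z` comment on that line tells readers which release the SHA corresponds to.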
why does this need classic PAT ?
- This action is meant to run only in the repository it is configured.
- Teams mostly use app token.
- Update usage/example accordingly to reflect "As-Is" for CI
what permissions are required to scan only specific repository ?
Legitify supports Classic PATs, and their GH README explicitly mentions that they don't support fine-grained PATs; there is no mention of GitHub App tokens yet.
Let me run a scan with a GitHub App PAT token and with repo-level permissions and get back on this and the rest of the comments.
| uses: Kong/public-shared-actions/security-actions/scan-gh-config@COMMIT-SHA | ||
| with: | ||
| github_token: ${{ secrets.SECURITY_BOT_LEGITIFY_TOKEN }} | ||
| repositories: "${{github.repository_owner}}/httpsnippet" |
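Review bot: `repositories` is hard-coded to `httpsnippet`, so the README example only scans that one repo no matter where the workflow runs; `${{ github.repository }}` already carries `owner/name` and keeps the example generic. The expression is also missing the inner spaces used in every other `${{ ... }}` on the page (`${{ github.repository_owner }}`), which is worth fixing for consistency.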
use {{github.repository}} to keep this generic
| - name: Run Legitify CIS Scan | ||
| uses: Kong/public-shared-actions/security-actions/scan-gh-config@COMMIT-SHA | ||
| with: | ||
| github_token: ${{ secrets.SECURITY_BOT_LEGITIFY_TOKEN }} |
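Review bot: the example references an organization-specific secret name (`SECURITY_BOT_LEGITIFY_TOKEN`) that readers of a public shared action will not have. Show `${{ secrets.GITHUB_TOKEN }}` as the default, and keep a separate PAT or App-token variant only alongside a sentence stating which checks need the extra scopes.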
- Keep this token <secrets.GITHUB_TOKEN> - Either a PAT or App token based example
| The action generates multiple output formats: | ||
|
|
||
| ### 2. GitHub Code Scanning Integration | ||
| - SARIF report automatically uploaded to Security tab |
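Review bot: "automatically uploaded to Security tab" omits the precondition: code-scanning SARIF uploads require GitHub Advanced Security on private and internal repositories, so there the upload step will fail or be skipped. State the condition next to this bullet and say what the fallback output is for those repositories.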
For public repositories only. CodeQL is a paid feature for other repo types.
| ### 2. GitHub Code Scanning Integration | ||
| - SARIF report automatically uploaded to Security tab | ||
| - Findings appear alongside other code scanning results | ||
| - **Note**: Only works for public repositories and when `codeql_upload` is set to `true` |
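Review bot: the Note says the upload "only works" for public repositories but not what happens otherwise. If `codeql_upload: true` is set on a private repo, the upload step should detect `github.event.repository.private` (or the API error) and skip with a warning instead of failing the job, and the docs should point private-repo users at the artifact or job-summary output so they still get a report.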
Document reporting format for private repositories
|
|
||
| ### Token Permissions | ||
| The GitHub token needs these scopes: | ||
| - `admin:org` - Organization management |
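Review bot: `admin:org` is the broadest classic scope on this list and conflicts with the single-repository use case described elsewhere in the thread. List the minimum scope per check (which policies need org-level read, which are satisfied by `repo`) instead of one blanket scope, so an operator can issue a least-privilege token and knows which findings to expect to be skipped when a scope is withheld.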
why Org:Admin? Is repo:Admin scope not sufficient when running a single repo?
| ### Token Permissions | ||
| The GitHub token needs these scopes: | ||
| - `admin:org` - Organization management | ||
| - `read:enterprise` - Enterprise settings |
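Review bot: `read:enterprise` only applies to repositories owned by an enterprise account, which most targets of a single-repository scan will not be. If some enterprise-level check needs it, mark the scope optional and name that check; otherwise drop it from the list so the documented token is not over-scoped by default.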
Should not be required. Validate it please.
| artifact_name: | ||
| description: 'Name for the artifact containing scan results' | ||
| required: false | ||
| default: 'legitify-cis-scan-results' |
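Review bot: the default `legitify-cis-scan-results` diverges from the `legitify-output.*` file names the later step looks for. If the input is the artifact bundle name and the files inside keep their `legitify-output.*` names, say so in the description; otherwise derive both from a single input so the two cannot drift apart.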
Default doesn't match with legitify-output.* elsewhere in the code. What is the source of truth ?
| if: ${{ steps.legitify-scan.conclusion == 'success' }} | ||
| shell: bash | ||
| run: | | ||
| if ls legitify-output.* 1> /dev/null 2>&1; then |
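Review bot: `steps.legitify-scan.conclusion` is the result after `continue-on-error` is applied, so if the scan step sets `continue-on-error: true` this condition is met even when the scan failed; compare `steps.legitify-scan.outcome == 'success'` when the intent is "the scan actually succeeded". The `ls legitify-output.*` test only works because an unmatched glob is passed through literally and `ls` then exits non-zero; `[ -f <expected filename> ]` (or `compgen -G 'legitify-output.*'` if several formats are written) states the intent directly.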
Why is this a regex ? Isn't a single file produced when run on a repository ? If so, use -f <filename> to check existence
| echo "::warning::No Legitify output files found" | ||
| fi | ||
|
|
||
| - name: Upload outputs as Workflow Artifacts |
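Review bot: after `::warning::No Legitify output files found` the job continues into the upload step with nothing to upload, so a scan that produced no report is indistinguishable from a clean one. Either have this check write `has_output=true` to `$GITHUB_OUTPUT` and gate the upload step on it, or treat a missing report as a failure. This is also the natural place to append a Markdown table of findings to `$GITHUB_STEP_SUMMARY`, so private repositories, where the SARIF upload is unavailable, still see results in the run.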
Is this output also displayed as a GH Job Summary for internal / private repos? If not, we should be doing this in table / markdown format
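One way to produce the table-style job summary asked for here, and to fail closed when the report file is missing (the case raised at the `ls legitify-output.*` check above): an added Python example, not code from the Kong/public-shared-actions repository or from Legitify. The SARIF document is constructed for illustration, its rule ids and finding texts are placeholders rather than real Legitify policy names, and the file name `legitify-output.sarif` is an assumption.

```python
"""Turn a SARIF report into a Markdown job summary and a pass/fail verdict.

Added example for the review thread above; not code from the
Kong/public-shared-actions repository or from Legitify. The SARIF below is
constructed: rule ids and messages are placeholders, not real policy names.
"""
import json
import os
from collections import Counter

# Constructed SARIF 2.1.0-shaped input; placeholder rule ids and messages.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner"}},
        "results": [
            {"ruleId": "EXAMPLE_POLICY_A", "level": "error",
             "message": {"text": "Example finding: default branch lacks protection rules"}},
            {"ruleId": "EXAMPLE_POLICY_B", "level": "warning",
             "message": {"text": "Example finding: secret scanning disabled | see docs"}},
        ],
    }],
})

# SARIF result levels ranked so the summary can sort and gate on severity.
SEVERITY_ORDER = {"error": 3, "warning": 2, "note": 1, "none": 0}


def load_results(sarif_text):
    """Flatten every run's results into (rule_id, level, message) tuples."""
    doc = json.loads(sarif_text)
    rows = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            rows.append((
                res.get("ruleId", "<no rule>"),
                res.get("level", "warning"),  # SARIF 2.1.0 defaults level to "warning" when absent
                res.get("message", {}).get("text", ""),
            ))
    return rows


def count_by_level(rows):
    """Number of findings per SARIF level, e.g. {'error': 1, 'warning': 1}."""
    return Counter(level for _, level, _ in rows)


def to_markdown(rows):
    """Render findings as a Markdown table, most severe first, with pipes escaped."""
    lines = ["| Rule | Level | Message |", "|---|---|---|"]
    for rule, level, msg in sorted(rows, key=lambda r: -SEVERITY_ORDER.get(r[1], 0)):
        safe_msg = msg.replace("|", "\\|")
        lines.append(f"| `{rule}` | {level} | {safe_msg} |")
    if len(lines) == 2:
        lines.append("| (none) | - | No findings |")
    return "\n".join(lines)


def should_fail(rows, threshold="error"):
    """True when any finding is at or above `threshold` (error > warning > note)."""
    bar = SEVERITY_ORDER[threshold]
    return any(SEVERITY_ORDER.get(level, 0) >= bar for _, level, _ in rows)


def summarize_file(path):
    """Read a SARIF file and return (markdown, counts, fail).

    Returns None when the file is missing so the caller can fail closed
    instead of uploading an empty artifact and reporting a clean scan."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        rows = load_results(fh.read())
    return to_markdown(rows), count_by_level(rows), should_fail(rows)


def write_job_summary(markdown, path=None):
    """Append to $GITHUB_STEP_SUMMARY inside Actions; elsewhere just return the text."""
    path = path or os.environ.get("GITHUB_STEP_SUMMARY")
    if path:
        with open(path, "a", encoding="utf-8") as fh:
            fh.write("## Legitify CIS scan\n\n" + markdown + "\n")
    return markdown


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Assumed file name passed by the caller, e.g. legitify-output.sarif.
        result = summarize_file(sys.argv[1])
        if result is None:
            print("::error::No Legitify output file found; an empty scan is not a clean scan")
            raise SystemExit(1)
        table, counts, fail = result
    else:
        rows = load_results(SAMPLE_SARIF)  # demo on the constructed sample
        table, counts, fail = to_markdown(rows), count_by_level(rows), should_fail(rows)
    write_job_summary(table)
    print(table)
    print(f"counts={dict(counts)} fail={fail}")
    raise SystemExit(1 if fail else 0)
```

Run with no arguments to see the table built from the constructed sample, or pass the report path (`python summarize.py legitify-output.sarif`) from a step after the scan; the exit status then doubles as the gate, and a missing file is an error rather than a silent pass.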
Summary
Add composite action for GH CIS compliance scanning using Legitify with SARIF report generation and artifact upload.
Changes
security-actions/cis-scans composite action