From b8f316a55b5b65bc3eb621d35c2b0681d83fa927 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Claudio=20Andr=C3=A9?=
Date: Sat, 23 Nov 2024 12:08:25 -0300
Subject: [PATCH 1/2] revert: ci(scorecard): add context to workf.. (#656)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit 419eb9f4e841afa0b9b79cc4e4058f9ce03a779d.

The scorecard action is very restrictive in terms of what it accepts to be done
So I'm reverting #655.

Signed-off-by: Claudio André
---
 .github/workflows/scorecard.yml | 22 +++------------------
 1 file changed, 3 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 23b3b48b..0cae84de 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -30,6 +30,9 @@ jobs:
     # contents: read
     # actions: read
 
+    if:
+      github.repository == 'openwall/john-packages' && github.ref == 'refs/heads/main' &&
+      (github.event_name == 'push' || github.event_name == 'schedule')
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -55,21 +58,8 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: GitHub context
-        env:
-          GITHUB_CONTEXT: ${{ toJSON(github) }}
-        run: |
-          echo ${{ github.repository }}
-          echo ${{ github.ref }}
-          echo ${{ github.event_name }}
-          echo "--------------------------------------------------"
-          echo "$GITHUB_CONTEXT"
-
       - name: "Run analysis"
         uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
-        if:
-          github.repository == 'openwall/john-packages' && github.ref == 'refs/heads/main' &&
-          (github.event_name == 'push' || github.event_name == 'schedule')
         with:
           results_file: results.sarif
           results_format: sarif
@@ -92,9 +82,6 @@ jobs:
       # format to the repository Actions tab.
       - name: "Upload artifact"
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
-        if:
-          github.repository == 'openwall/john-packages' && github.ref == 'refs/heads/main' &&
-          (github.event_name == 'push' || github.event_name == 'schedule')
         with:
           name: SARIF file
           path: results.sarif
@@ -103,8 +90,5 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
         uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
-        if:
-          github.repository == 'openwall/john-packages' && github.ref == 'refs/heads/main' &&
-          (github.event_name == 'push' || github.event_name == 'schedule')
         with:
           sarif_file: results.sarif

From b04d104970a011766c33965a10d8e52b2ee339e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Claudio=20Andr=C3=A9?=
Date: Sat, 23 Nov 2024 12:22:59 -0300
Subject: [PATCH 2/2] ci(trivy): add context to workflow run (#656)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

I need information about the workflow execution context in order to identify any points for improvement.

Signed-off-by: Claudio André
---
 .github/workflows/trivy.yml | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 681fc618..cc7a8590 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -38,9 +38,6 @@ jobs:
       contents: write
       security-events: write
 
-    if:
-      github.repository == 'openwall/john-packages' && github.ref == 'refs/heads/main' &&
-      (github.event_name == 'push')
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
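Review bot: Removing the job-level `if:` in the trivy.yml hunk means the job, which keeps `contents: write` and `security-events: write` in the context lines just above, now starts for every event and ref its `on:` triggers admit (those triggers are outside this hunk), so Harden Runner, Checkout and the ungated diagnostic step added in the next hunk run with a write-capable token on runs that were previously excluded entirely. That is presumably a deliberate, temporary widening while the execution context is being collected (#656), but nothing in the file records it as such; a job-level comment would, e.g. `# TODO(#656): restore the job-level if: once the workflow context has been reviewed`. The job definition starts before this hunk and its `steps:` sequence continues past it.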
@@ -59,8 +56,21 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
+      - name: GitHub context
+        env:
+          GITHUB_CONTEXT: ${{ toJSON(github) }}
+        run: |
+          echo ${{ github.repository }}
+          echo ${{ github.ref }}
+          echo ${{ github.event_name }}
+          echo "--------------------------------------------------"
+          echo "$GITHUB_CONTEXT"
+
       - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
         uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+        if:
+          github.repository == 'openwall/john-packages' && github.ref == 'refs/heads/main' &&
+          (github.event_name == 'push' || github.event_name == 'schedule')
         with:
           scan-type: "fs"
           format: "github"
@@ -74,6 +84,9 @@ jobs:
 
       - name: Run Trivy vulnerability scanner with rootfs command
         uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+        if:
+          github.repository == 'openwall/john-packages' && github.ref == 'refs/heads/main' &&
+          (github.event_name == 'push' || github.event_name == 'schedule')
         with:
           skip-setup-trivy: true
           scan-type: "rootfs"
@@ -88,5 +101,8 @@ jobs:
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        if:
+          github.repository == 'openwall/john-packages' && github.ref == 'refs/heads/main' &&
+          (github.event_name == 'push' || github.event_name == 'schedule')
         with:
           sarif_file: "trivy-results.sarif"
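Review bot: The new `GitHub context` step interpolates `${{ github.repository }}` and `${{ github.ref }}` directly into the `run:` script, which is the expression-injection pattern GitHub's workflow-hardening guidance warns against: the values are substituted into the script text before the shell parses it, so shell metacharacters in a ref name would be interpreted rather than printed. The `GITHUB_CONTEXT` env line two lines below already uses the safe form; the three echo lines should likewise read the default environment, `echo "$GITHUB_REPOSITORY"`, `echo "$GITHUB_REF"`, `echo "$GITHUB_EVENT_NAME"`. Separately, the three-line step `if:` added here is repeated verbatim in the two following hunks (`@@ -74,6 +84,9 @@` and `@@ -88,5 +101,8 @@`), and it now also admits `schedule`, which the job-level condition removed earlier in this series did not; if that widening is intentional it deserves a word in the commit message. The `steps:` sequence starts before this hunk and continues past it.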