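---
# Composite action that runs one lint, test or security stage of a Go project,
# selected by the `testing-type` input. Most stages delegate to a remote
# Taskfile (`task remote:<name> --yes`); the security stages call third-party
# scanner actions directly.
#
# NOTE(review): the `uses:` references in this copy of the file look mangled
# by the page export (`[email protected]`); confirm the real action names and
# pinned versions against the repository. Pinning third-party actions to a
# full commit SHA rather than a tag is the recommended hardening.
name: mcvs-golang-action
description: |
  The Mission Critical Vulnerability Scanner (MCVS) Golang action.
inputs:
  build-tags:
    description: "What kind of code should be checked, e.g. component, e2e"
  code-coverage-expected:
    default: "80"
    description: |
      The minimum code coverage.
  gci:
    default: "true"
    description: |
      Whether to check gci. Disable if the project provides an alternative way.
  github-token-for-downloading-private-go-modules:
    description: |
      Token used to authenticate git against github.com so that private Go
      modules can be downloaded. Leave empty when no private modules are
      needed; the git URL rewrite is only configured when a value is given.
  golang-unit-tests-exclusions:
    default: " "
    description: |
      The Golang paths that should be excluded from unit testing.
  task-version:
    default: "v3.39.2"
    description: |
      The Task version that has to be installed and used.
  testing-type:
    description: |
      The testing type, e.g. integration, unit or some other.
  token:
    description: |
      A token is required to allow the mcvs-golang-action to pull the
      cached trivy DBs to prevent running into rate limits. It is also
      exported as GITHUB_TOKEN to the lint, test and coverage tasks.
  trivy-action-db:
    default: "public.ecr.aws/aquasecurity/trivy-db:2"
    description: |
      OCI repository to retrieve trivy-db from.
  trivy-action-java-db:
    default: "public.ecr.aws/aquasecurity/trivy-java-db:1"
    description: |
      OCI repository to retrieve trivy-java-db from.
runs:
  using: "composite"
  steps:
    #
    # Install task and the golang version that has been defined in the go.mod
    # file.
    #
    # Action inputs reach shell steps through `env:` and are expanded by bash
    # (`"$VAR"`) instead of being interpolated with `${{ }}` into the script
    # text, so an input value cannot alter the command that is executed.
    #
    # yamllint disable rule:line-length
    - uses: actions/[email protected]
      if: inputs.testing-type == 'component' || inputs.testing-type == 'coverage' || inputs.testing-type == 'integration' || inputs.testing-type == 'lint' || inputs.testing-type == 'unit'
      with:
        go-version-file: "go.mod"
        cache: false
    - name: install task
      if: inputs.testing-type == 'component' || inputs.testing-type == 'coverage' || inputs.testing-type == 'integration' || inputs.testing-type == 'lint' || inputs.testing-type == 'unit'
      shell: bash
      env:
        TASK_VERSION: ${{ inputs.task-version }}
      run: |
        # Only install when the requested version is not already present.
        if ! task --version | grep -q "Task version: ${TASK_VERSION}"; then
          # The module path carries the major version (e.g. v3 -> task/v3).
          major_version=$(echo "${TASK_VERSION}" | sed -E 's/^v([0-9]+).*/\1/')
          go install "github.com/go-task/task/v${major_version}/cmd/task@${TASK_VERSION}"
        fi
    #
    # Rewrite github.com URLs so that `go mod download` can reach private
    # modules. The token is written in plaintext to the runner's global git
    # config and this action defines no cleanup step; a calling workflow that
    # needs it removed afterwards has to do that itself.
    #
    - name: configure git for private go modules
      if: ${{ inputs.github-token-for-downloading-private-go-modules != '' }}
      shell: bash
      env:
        GH_MODULES_TOKEN: ${{ inputs.github-token-for-downloading-private-go-modules }}
      run: |
        git config --global "url.https://${GH_MODULES_TOKEN}@github.com/.insteadOf" "https://github.com/"
    # yamllint enable rule:line-length
    #
    # Verify downloaded dependencies.
    #
    - name: verify golang modules
      if: inputs.testing-type == 'security-golang-modules'
      shell: bash
      run: |
        go mod verify
    - uses: golang/[email protected]
      if: inputs.testing-type == 'security-golang-modules'
      with:
        go-version-file: "go.mod"
        go-package: ./...
    #
    # Check for 'incorrect import order', let pipeline fail if true and provide
    # instruction to remediate it. Note: check is included in golangci-lint,
    # but it does not provide clarity how to resolve it when positive.
    #
    - name: gci
      if: inputs.gci == 'true' && inputs.testing-type == 'lint'
      shell: bash
      run: |
        task remote:gci --yes
    #
    # Code security scanning.
    #
    # * Grype
    #
    # NOTE(review): this step is gated on a non-empty `token`, but the token is
    # not passed to it (no `env:` or `with:` entry uses it); confirm whether the
    # gate is intended or the token should be provided.
    #
    - uses: anchore/[email protected]
      if: inputs.token != '' && inputs.testing-type == 'security-grype'
      with:
        only-fixed: false
        output-format: table
        path: "."
        severity-cutoff: high
    #
    # * Trivy
    #
    - uses: 030/[email protected]
      if: inputs.token != '' && inputs.testing-type == 'security-trivy'
    - name: Log in to GitHub Packages Docker registry
      if: inputs.token != '' && inputs.testing-type == 'security-trivy'
      shell: bash
      env:
        REGISTRY_TOKEN: ${{ inputs.token }}
        REGISTRY_USER: ${{ github.actor }}
      run: |
        # The token goes in via stdin, never as a command-line argument.
        echo "${REGISTRY_TOKEN}" |\
          docker login ghcr.io -u "${REGISTRY_USER}" --password-stdin
    #
    # Duplicated trivy-action parameters as GitHub actions do NOT support
    # anchors: https://github.com/actions/runner/issues/1182
    #
    # With a token the DB registries are accessed authenticated
    # (TRIVY_USERNAME / TRIVY_PASSWORD); without one they are pulled
    # anonymously. Both variants fail the step (exit-code "1") on CRITICAL or
    # HIGH findings and honour the repository's .trivyignore file.
    #
    - uses: aquasecurity/[email protected]
      if: inputs.token != '' && inputs.testing-type == 'security-trivy'
      env:
        TRIVY_DB_REPOSITORY: ${{ inputs.trivy-action-db }}
        TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-action-java-db }}
        TRIVY_PASSWORD: ${{ inputs.token }}
        TRIVY_USERNAME: ${{ github.actor }}
      with:
        scan-type: "fs"
        scan-ref: "."
        exit-code: "1"
        ignore-unfixed: true
        severity: "CRITICAL,HIGH"
        trivyignores: .trivyignore
    - uses: aquasecurity/[email protected]
      if: inputs.token == '' && inputs.testing-type == 'security-trivy'
      env:
        TRIVY_DB_REPOSITORY: ${{ inputs.trivy-action-db }}
        TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-action-java-db }}
      with:
        scan-type: "fs"
        scan-ref: "."
        exit-code: "1"
        ignore-unfixed: true
        severity: "CRITICAL,HIGH"
        trivyignores: .trivyignore
    #
    # Run golangci-lint.
    #
    - name: golangci-lint
      if: inputs.testing-type == 'lint'
      shell: bash
      env:
        BUILD_TAGS: ${{ inputs.build-tags }}
        GITHUB_TOKEN: ${{ inputs.token }}
      run: |
        task remote:golangci-lint --yes
    #
    # Unit tests.
    #
    - name: unit tests
      if: inputs.testing-type == 'unit'
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.token }}
      run: |
        task remote:test --yes
    #
    # Integration tests.
    #
    - name: integration tests
      if: inputs.testing-type == 'integration'
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.token }}
      run: |
        task remote:test-integration --yes
    #
    # Coverage.
    #
    - name: code coverage
      if: inputs.testing-type == 'coverage'
      shell: bash
      env:
        CODE_COVERAGE_EXPECTED: ${{ inputs.code-coverage-expected }}
        CODE_COVERAGE_FILE_EXCLUSIONS: ${{ inputs.golang-unit-tests-exclusions }}
        GITHUB_TOKEN: ${{ inputs.token }}
      run: |
        task remote:coverage --yes
    #
    # Component tests.
    #
    - name: component tests
      if: inputs.testing-type == 'component'
      shell: bash
      env:
        GITHUB_TOKEN: ${{ inputs.token }}
      run: |
        task remote:test-component --yes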