@@ -121,12 +121,12 @@ jobs:
121121 run : |
122122 make install
123123
124- - name : Check if project uses Poetry
125- id : check_poetry
124+ - name : Check language tools used and setup trivy config
125+ id : check_languages
126126 run : |
127127 if [ -f "pyproject.toml" ] && grep -q '\[tool.poetry\]' "pyproject.toml"; then
128128 echo "****************"
129- echo "Project uses poetry"
129+ echo "Detected a poetry project "
130130 echo "****************"
131131 echo "uses_poetry=true" >> "$GITHUB_OUTPUT"
132132 else
@@ -135,10 +135,6 @@ jobs:
135135 echo "****************"
136136 echo "uses_poetry=false" >> "$GITHUB_OUTPUT"
137137 fi
138-
139- - name : Check if project uses Java
140- id : check_java
141- run : |
142138 if [ -f pom.xml ]; then
143139 echo "****************"
144140 echo "Detected a Java project"
@@ -150,11 +146,80 @@ jobs:
150146 echo "****************"
151147 echo "uses_java=false" >> "$GITHUB_OUTPUT"
152148 fi
153-
154- - name : Check licenses (Makefile)
149+ if [ -f package-lock.json ]; then
150+ echo "****************"
151+ echo "Detected a Node.js project"
152+ echo "****************"
153+ echo "uses_node=true" >> "$GITHUB_OUTPUT"
154+ else
155+ echo "****************"
156+ echo "Project does not use Node.js"
157+ echo "****************"
158+ echo "uses_node=false" >> "$GITHUB_OUTPUT"
159+ fi
160+ if [ -f src/go.sum ]; then
161+ echo "****************"
162+ echo "Detected a Go project"
163+ echo "****************"
164+ echo "uses_go=true" >> "$GITHUB_OUTPUT"
165+ else
166+ echo "****************"
167+ echo "Project does not use Go"
168+ echo "****************"
169+ echo "uses_go=false" >> "$GITHUB_OUTPUT"
170+ fi
171+ touch trivy.yaml
172+ - name : Update trivy config to include dev dependencies
173+ uses : mikefarah/yq@065b200af9851db0d5132f50bc10b1406ea5c0a8
174+ with :
175+ cmd : yq -i '.pkg.include-dev-deps = true' 'trivy.yaml'
176+ - name : convert python dependencies to requirements.txt
177+ if : ${{ steps.check_languages.outputs.uses_poetry == 'true' }}
155178 run : |
156- make check-licenses
179+ POETRY_VERSION=$(poetry --version | awk '{print $3}')
157180
181+ if [[ "$(printf '%s\n' "2.0.0" "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "2.0.0" ]] \
182+ && [[ "$(printf '%s\n' "$POETRY_VERSION" "3.0.0" | sort -V | head -n1)" == "$POETRY_VERSION" ]]; then
183+ echo "Poetry version $POETRY_VERSION is >=2.0.0 and <3.0.0 - installing plugin-export"
184+ poetry self add poetry-plugin-export
185+ else
186+ echo "Poetry version $POETRY_VERSION is outside the required range so not installing plugin-export"
187+ fi
188+ poetry export -f requirements.txt --with dev --without-hashes --output=requirements.txt
189+ - name : download go dependencies
190+ if : ${{ steps.check_languages.outputs.uses_go == 'true' }}
191+ run : |
192+ cd src
193+ go mod vendor
194+ - name : Check licenses
195+ uses : aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
196+ with :
197+ scan-type : " fs"
198+ scan-ref : " ."
199+ severity : " CRITICAL,HIGH"
200+ scanners : " license"
201+ format : " table"
202+ output : " license_scan.txt"
203+ exit-code : " 1"
204+ list-all-pkgs : " false"
205+ trivy-config : trivy.yaml
206+ env :
207+ VIRTUAL_ENV : " ./.venv/"
208+ - name : remove requirements.txt
209+ if : ${{ steps.check_languages.outputs.uses_poetry == 'true' }}
210+ run : |
211+ rm -f requirements.txt
212+ - name : clean go dependencies
213+ if : ${{ steps.check_languages.outputs.uses_go == 'true' }}
214+ run : |
215+ cd src
216+ rm -rf vendor
217+ - name : Show license scan output
218+ if : always()
219+ run : |
220+ if [ -f license_scan.txt ]; then
221+ cat license_scan.txt
222+ fi
158223 - name : Run code lint
159224 run : make lint
160225
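Review bot: `poetry self add poetry-plugin-export` (line 184) pulls the plugin unpinned from the package index on every run, while every action in this hunk is pinned to a commit SHA; pin it the same way, e.g. `poetry self add 'poetry-plugin-export==<pinned version>'`, so the export step is not an unpinned supply-chain input to the license scan. The version-range check also admits exactly 3.0.0 (the second `sort -V` test is a `<=`), while the message says `<3.0.0`, and a Poetry outside the range still falls through to `poetry export` on line 188, so the else branch presumably fails there rather than reporting clearly. Separately, Go is detected at `src/go.sum` (line 160) whereas the Poetry, Node and Java checks look at the repository root, so a Go module at the root would go undetected — worth confirming that layout is intended. Note too that `requirements.txt` and `src/vendor` are removed (lines 208–216) before the later vulnerability scans run, so those scans only see `poetry.lock`/`go.sum`; if the export was meant to feed them as well, the cleanup should move after them.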
@@ -173,28 +238,107 @@ jobs:
173238 - name : Run unit tests
174239 run : make test
175240
176- - name : Generate and check SBOMs
177- uses : NHSDigital/eps-action-sbom@7684ce6314e515df7b7929fac08b4464f8a03d06
241+ - name : Generate SBOM
242+ uses : aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
243+ with :
244+ scan-type : " fs"
245+ scan-ref : " ."
246+ scanners : " vuln"
247+ format : " cyclonedx"
248+ output : " sbom.cdx.json"
249+ exit-code : " 0"
250+ trivy-config : trivy.yaml
251+ - name : Upload sbom
252+ uses : actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
253+ with :
254+ name : sbom.cdx.json
255+ path : sbom.cdx.json
178256
257+ - name : Check python vulnerabilities
258+ if : ${{ steps.check_languages.outputs.uses_poetry == 'true' }}
259+ uses : aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
260+ with :
261+ scan-type : " fs"
262+ skip-files : " **/package-lock.json,**/go.mod,**/pom.xml"
263+ scan-ref : " ."
264+ severity : " CRITICAL,HIGH"
265+ scanners : " vuln"
266+ format : " table"
267+ output : " dependency_results_python.txt"
268+ exit-code : " 1"
269+ trivy-config : trivy.yaml
270+ - name : Check node vulnerabilities
271+ if : ${{ steps.check_languages.outputs.uses_node == 'true' }}
272+ uses : aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
273+ with :
274+ scan-type : " fs"
275+ skip-files : " **/poetry.lock,**/go.mod,**/pom.xml"
276+ scan-ref : " ."
277+ severity : " CRITICAL,HIGH"
278+ scanners : " vuln"
279+ format : " table"
280+ output : " dependency_results_node.txt"
281+ exit-code : " 1"
282+ trivy-config : trivy.yaml
283+ - name : Check go vulnerabilities
284+ if : ${{ steps.check_languages.outputs.uses_go == 'true' }}
285+ uses : aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
286+ with :
287+ scan-type : " fs"
288+ skip-files : " **/poetry.lock,**/package-lock.json,**/pom.xml"
289+ scan-ref : " ."
290+ severity : " CRITICAL,HIGH"
291+ scanners : " vuln"
292+ format : " table"
293+ output : " dependency_results_go.txt"
294+ exit-code : " 1"
295+ - name : Check java vulnerabilities
296+ if : ${{ steps.check_languages.outputs.uses_java == 'true' }}
297+ uses : aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
298+ with :
299+ scan-type : " fs"
300+ skip-files : " **/poetry.lock,**/package-lock.json,**/go.mod"
301+ scan-ref : " ."
302+ severity : " CRITICAL,HIGH"
303+ scanners : " vuln"
304+ format : " table"
305+ output : " dependency_results_java.txt"
306+ exit-code : " 1"
307+ trivy-config : trivy.yaml
308+ - name : Show vulnerability output
309+ if : always()
310+ run : |
311+ if [ -f dependency_results_python.txt ]; then
312+ cat dependency_results_python.txt
313+ fi
314+ if [ -f dependency_results_node.txt ]; then
315+ cat dependency_results_node.txt
316+ fi
317+ if [ -f dependency_results_java.txt ]; then
318+ cat dependency_results_java.txt
319+ fi
320+ if [ -f dependency_results_go.txt ]; then
321+ cat dependency_results_go.txt
322+ fi
179323 - name : " check is SONAR_TOKEN exists"
180324 env :
181325 super_secret : ${{ secrets.SONAR_TOKEN }}
182326 if : ${{ env.super_secret != '' && inputs.run_sonar == true }}
183327 run : echo "SONAR_TOKEN_EXISTS=true" >> "$GITHUB_ENV"
184328
185329 - name : Run SonarQube analysis
186- if : ${{ steps.check_java .outputs.uses_java == 'true' && env.SONAR_TOKEN_EXISTS == 'true' }}
330+ if : ${{ steps.check_languages .outputs.uses_java == 'true' && env.SONAR_TOKEN_EXISTS == 'true' }}
187331 run : mvn sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}
188332
189333 - name : SonarCloud Scan
190334 uses : SonarSource/sonarqube-scan-action@a31c9398be7ace6bbfaf30c0bd5d415f843d45e9
191- if : ${{ steps.check_java .outputs.uses_java == 'false' && env.SONAR_TOKEN_EXISTS == 'true' }}
335+ if : ${{ steps.check_languages .outputs.uses_java == 'false' && env.SONAR_TOKEN_EXISTS == 'true' }}
192336 env :
193337 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
194338 SONAR_TOKEN : ${{ secrets.SONAR_TOKEN }}
195339
196340 # CloudFormation validation (runs only if templates exist, ~3-5 minutes)
197- cloudformation -validation :
341+ IaC -validation :
198342 runs-on : ubuntu-22.04
199343 steps :
200344 - name : Checkout code
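Review bot: The `Check go vulnerabilities` step (lines 283–294) is the only scan in this hunk without `trivy-config: trivy.yaml`, so the `pkg.include-dev-deps` setting written into that file earlier in the job does not apply to the Go scan; add `trivy-config: trivy.yaml` after its `exit-code` line to match the Python, Node and Java steps. The four scan steps differ only in their `if`, `skip-files` and `output` values, so a short comment above the first one stating that the split exists to attribute findings per ecosystem (and that `skip-files` is what keeps each scan to its own lockfile) would help the next maintainer. The `Generate SBOM` step runs with `scanners: "vuln"` but `exit-code: "0"` (lines 246, 249), so findings there never fail the job; that is reasonable for an inventory artifact, but a one-line comment such as `# SBOM generation is informational only; gating happens in the per-language scans below` would stop someone tightening it by accident.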