Migrate static-analysis-and-no-known-cves to GitHub Actions
This ports the same functionality but in a much simpler way since we
just need the latest versions of the safety and semgrep packages.

We want this to run on each PR and every night, so move it into
security.yml and configure that workflow to run on each PR as well. As a
side-effect, `rust-audit` will now run on each PR, which is fine.
legoktm committed Aug 13, 2024
1 parent e76017f commit 26bb369
Showing 2 changed files with 21 additions and 39 deletions.
38 changes: 0 additions & 38 deletions .circleci/config.yml
@@ -242,37 +242,6 @@ jobs:
command: |
cd admin; make test
static-analysis-and-no-known-cves:
machine:
image: ubuntu-2004:current
enabled: true
environment:
DOCKER_API_VERSION: 1.24
BASE_OS: focal
steps:
- checkout
- *rebaseontarget
- *createcachedir
- *restorecache
- *loadimagelayers
- *dockerimagebuild
- *saveimagelayers
- *savecache

- run:
name: Check Python dependencies for CVEs
command: |
fromtag=$(docker images |grep securedrop-test-focal-py3 |head -n1 |awk '{print $2}')
DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-focal-py3:${fromtag:-latest}" securedrop/bin/dev-shell \
bash -c "pip3 install -U -q --upgrade safety && make -C .. safety"
- run:
name: Run static security testing on source code with semgrep
command: |
fromtag=$(docker images |grep securedrop-test-focal-py3 |head -n1 |awk '{print $2}')
DOCKER_BUILD_ARGUMENTS="--cache-from securedrop-test-focal-py3:${fromtag:-latest}" securedrop/bin/dev-shell \
bash -c "pip3 install -U -q --upgrade pip && pip3 install -U -q --upgrade semgrep && make -C .. semgrep"
staging-test-with-rebase:
machine:
image: ubuntu-2004:current
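Review bot: Removing this job also drops the `*rebaseontarget` step, so the scan no longer runs against the PR rebased onto its target branch but against the checked-out commit as-is; for `merge_group` runs the merge result is scanned anyway, but plain `pull_request` runs will scan the PR head. It also drops the in-container execution via `securedrop/bin/dev-shell`, meaning `make safety` and `make semgrep` now run on the runner's host Python rather than inside the `securedrop-test-focal-py3` image; worth confirming both targets resolve the same requirements files in that environment.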
@@ -375,12 +344,6 @@ workflows:
context:
- circleci-slack
<<: *slack-fail-post-step
- static-analysis-and-no-known-cves:
requires:
- lint
context:
- circleci-slack
<<: *slack-fail-post-step
- staging-test-with-rebase:
filters:
branches:
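Review bot: Two behaviours of the removed workflow entry have no visible equivalent in the GitHub Actions job: the `requires: - lint` ordering (the new job runs independently, which is fine for a security check but means it no longer waits for lint) and the `<<: *slack-fail-post-step` failure notification with the `circleci-slack` context. For the nightly cron run in particular, a failing safety or semgrep check will now only surface in the Actions UI unless security.yml has its own notification step; consider adding one or noting that the loss is intentional in the commit message.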
@@ -411,7 +374,6 @@ workflows:
- develop
jobs:
- staging-test-with-rebase
- static-analysis-and-no-known-cves

weekly:
triggers:
22 changes: 21 additions & 1 deletion .github/workflows/security.yml
@@ -1,5 +1,8 @@
name: Security (cron)
name: Security
on:
push:
pull_request:
merge_group:
schedule:
- cron: '0 3 * * *'

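Review bot: With both `push:` and `pull_request:` listed without filters, a PR opened from a branch in this repository will trigger the whole workflow twice (once for the push, once for the PR event), doubling the `rust-audit` and safety/semgrep runs per commit; consider restricting `push:` to `branches: [develop]` (or whatever the default branch is) or adding a `concurrency` group keyed on the ref so superseded runs are cancelled. The rename from `Security (cron)` to `Security` is appropriate now that the workflow is no longer schedule-only.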
@@ -13,3 +16,20 @@ jobs:
- name: Check Rust dependencies
run: |
make rust-audit
static-analysis-and-no-known-cves:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.8'
- name: Install dependencies
run: |
pip install safety semgrep
- name: Check Python dependencies for CVEs
run: |
make safety
- name: Run static security testing on source code with semgrep
run: |
make semgrep
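Review bot: `pip install safety semgrep` is unpinned, which matches the commit message's intent of always scanning with the latest tool versions, but it also means a tool release can change results or break the job with no change to this repository; a pinned version with automated bumps is the usual compromise, and at minimum the job should state that nondeterminism is accepted. In a security workflow the actions themselves (`actions/checkout@v4`, `actions/setup-python@v5`) would also be better referenced by full commit SHA rather than a mutable tag, since the tag can be moved. The `python-version: '3.8'` pin matches the Focal-based image the CircleCI job used, so that part is consistent.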
