From 2e669974037d824edd728976e64a759eb7f9c2fb Mon Sep 17 00:00:00 2001 From: J1 Security Date: Mon, 30 Jan 2023 17:40:21 -0500 Subject: [PATCH] Added Security Files --- .github/workflows/peril.yml | 90 +++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 .github/workflows/peril.yml diff --git a/.github/workflows/peril.yml b/.github/workflows/peril.yml new file mode 100644 index 0000000..b375a23 --- /dev/null +++ b/.github/workflows/peril.yml @@ -0,0 +1,90 @@ +name: "Peril" + +on: + pull_request: + +env: + TRANSPONDER_DOCKER_IMAGE: 081157560428.dkr.ecr.us-east-1.amazonaws.com/transponder:1 + SECURITY_SCAN_IMAGE: ghcr.io/jupiterone/security-scan:latest + +jobs: + Peril: + name: Peril + permissions: + id-token: write + contents: read + packages: read + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Setup Node + uses: actions/setup-node@v1 + with: + node-version: 14.x + + - name: Run build + run: yarn install + + - name: Get Variables + id: get-vars + run: | + if [[ "${GITHUB_REF}" == 'ref/head/main' && "${GITHUB_EVENT_NAME}" == 'push' ]]; + then + echo ::set-output name=aws-oidc-role::arn:aws:iam::081157560428:role/github-main-role + else + echo ::set-output name=aws-oidc-role::arn:aws:iam::081157560428:role/github-pull-request-role + fi + + - name: Configure aws credentials + uses: aws-actions/configure-aws-credentials@v1 + with: + role-to-assume: ${{ steps.get-vars.outputs.aws-oidc-role }} + role-session-name: pr-role-session + aws-region: us-east-1 + + - name: ECR login + uses: aws-actions/amazon-ecr-login@v1 + id: amazon-ecr-login + + - name: Login to GHCR + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.PACKAGE_TOKEN }} + + - name: Pull security-scan + run: | + docker pull $SECURITY_SCAN_IMAGE + + - name: Run security-scan + run: | + docker run \ + --user root \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v `pwd`:`pwd` \ + -e AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID }} \ + -e AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY }} \ + -e AWS_SESSION_TOKEN=${{ env.AWS_SESSION_TOKEN }} \ + -e GITHUB_REPOSITORY=$GITHUB_REPOSITORY \ + -e GITHUB_REF_NAME=$GITHUB_REF_NAME \ + -e GITHUB_RUN_NUMBER=$GITHUB_RUN_NUMBER \ + -e GITHUB_SERVER_URL=$GITHUB_SERVER_URL \ + -e GITHUB_RUN_ID=$GITHUB_RUN_ID \ + -e MODE=ci \ + -w `pwd` $SECURITY_SCAN_IMAGE + + - name: Pull transponder + run: | + docker pull $TRANSPONDER_DOCKER_IMAGE + + - name: Run transponder + run: | + docker run --rm -v `pwd`:`pwd` -w `pwd` \ + -e J1_API_KEY=${{ secrets.J1_API_KEY_TRANSPONDER }} \ + -e J1_API_DOMAIN=${{ secrets.J1_API_DOMAIN_TRANSPONDER }} \ + -e J1_ACCOUNT_ID=${{ secrets.J1_ACCOUNT_ID_TRANSPONDER }} \ + $TRANSPONDER_DOCKER_IMAGE \ No newline at end of file