VulnDB Workflow #38
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: VulnDB Workflow | |
| on: workflow_dispatch | |
| env: | |
| POSTGRES_DB: devguard | |
| POSTGRES_USER: devguard | |
| POSTGRES_HOST: localhost | |
| POSTGRES_PASSWORD: not_reachable_from_the_internet | |
| DATE : $(date +%s) | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| services: | |
| postgres: | |
| image: ghcr.io/l3montree-dev/devguard-postgresql:v0.5.3@sha256:a06c9e7c8ee334790cc66d52e89ff5ef05352ab264841d3d9f3659c046732251 | |
| env: | |
| POSTGRES_DB: ${{env.POSTGRES_DB}} | |
| POSTGRES_USER: ${{env.POSTGRES_USER}} | |
| POSTGRES_PASSWORD: ${{env.POSTGRES_PASSWORD}} | |
| ports: | |
| - 5432:5432 | |
| options: "--health-cmd=\"pg_isready -U devguard\" --health-interval=10s --health-timeout=5s --health-retries=5 " | |
| steps: | |
| - name: Install postgresql client | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y wget | |
| wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | sudo apt-key add - | |
| echo "deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main" | sudo tee /etc/apt/sources.list.d/pgdg.list | |
| sudo apt-get update | |
| sudo apt-get install -y postgresql-client-16 | |
| - name: Create semver extension | |
| run: | | |
| PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "CREATE EXTENSION IF NOT EXISTS semver;" | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Install Golang | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: 1.22 | |
| - name: Build the database (this takes some time) | |
| run: | | |
| go run ./cmd/devguard-cli/main.go vulndb repair --startIndex=0 | |
| - name: Dump the PostgreSQL database | |
| # skip:checkov:CKV_SECRET_6 | |
| run: | | |
| PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM affected_components) TO STDOUT WITH DELIMITER ',' CSV HEADER" > affected_component.csv | |
| PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cve_affected_component) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cve_affected_component.csv | |
| PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cves) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cves.csv | |
| PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cpe_matches) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cpe_matches.csv | |
| PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cve_cpe_match) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cve_cpe_match.csv | |
| PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM cwes) TO STDOUT WITH DELIMITER ',' CSV HEADER" > cwes.csv | |
| PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM exploits) TO STDOUT WITH DELIMITER ',' CSV HEADER" > exploits.csv | |
| PGPASSWORD=${{env.POSTGRES_PASSWORD}} psql -h localhost -U devguard devguard -c "COPY (SELECT * FROM weaknesses) TO STDOUT WITH DELIMITER ',' CSV HEADER" > weaknesses.csv | |
| - name: install zip | |
| run: sudo apt-get install zip | |
| - name: Zip the CSV files | |
| run: zip vulndb.zip affected_component.csv cve_affected_component.csv cves.csv cpe_matches.csv cve_cpe_match.csv cwes.csv exploits.csv weaknesses.csv | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@main | |
| - name: Write signing key to disk | |
| run: echo "${{ secrets.COSIGN_PRIVATE_KEY }}" > cosign.key | |
| - name: Sign the database CSV files | |
| env: | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| run: cosign sign-blob --yes --key cosign.key vulndb.zip > vulndb.zip.sig | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Setup oras cli | |
| uses: oras-project/setup-oras@v1 | |
| - name: set the date | |
| run: echo "date="${{env.DATE}} >> "$GITHUB_ENV" | |
| - name: Push the database ZIP file to GitHub Container Registry | |
| run: | | |
| oras push ghcr.io/l3montree-dev/devguard/vulndb:$date vulndb.zip | |
| - name: Push the sign file to GitHub Container Registry | |
| run: | | |
| oras push ghcr.io/l3montree-dev/devguard/vulndb:$date.sig vulndb.zip.sig |