Fix: Install Node.js in all Ubuntu containers for checkout action
This commit is contained in:
parent
1a565cc30e
commit
a9ed19c9d2
@ -27,14 +27,23 @@ jobs:
|
||||
ansible-validation:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: python:3.11-slim
|
||||
image: ubuntu:22.04
|
||||
steps:
|
||||
- name: Install Node.js for checkout action
|
||||
run: |
|
||||
apt-get update && apt-get install -y curl
|
||||
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
|
||||
apt-get install -y nodejs
|
||||
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install Ansible and linting tools
|
||||
- name: Install Python and dependencies
|
||||
run: |
|
||||
pip install --no-cache-dir ansible ansible-lint yamllint
|
||||
apt-get update && apt-get install -y python3 python3-pip
|
||||
|
||||
- name: Install Ansible and linting tools
|
||||
run: pip3 install --no-cache-dir ansible ansible-lint yamllint
|
||||
|
||||
- name: Validate YAML syntax
|
||||
run: |
|
||||
@ -50,13 +59,28 @@ jobs:
|
||||
secret-scanning:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: gitleaks/gitleaks:latest
|
||||
image: ubuntu:22.04
|
||||
steps:
|
||||
- name: Install Node.js for checkout action
|
||||
run: |
|
||||
apt-get update && apt-get install -y curl
|
||||
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
|
||||
apt-get install -y nodejs
|
||||
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Install Gitleaks
|
||||
run: |
|
||||
apt-get update && apt-get install -y wget curl
|
||||
GITLEAKS_VERSION=$(curl -s https://api.github.com/repos/gitleaks/gitleaks/releases/latest | grep tag_name | cut -d '"' -f 4 | sed 's/v//')
|
||||
wget -q "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" -O /tmp/gitleaks.tar.gz
|
||||
tar -xzf /tmp/gitleaks.tar.gz -C /usr/local/bin/ gitleaks
|
||||
chmod +x /usr/local/bin/gitleaks
|
||||
gitleaks version
|
||||
|
||||
- name: Run Gitleaks secret scan
|
||||
run: |
|
||||
gitleaks detect --source . --verbose --no-banner --exit-code 1
|
||||
@ -64,11 +88,25 @@ jobs:
|
||||
dependency-scan:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: aquasec/trivy:latest
|
||||
image: ubuntu:22.04
|
||||
steps:
|
||||
- name: Install Node.js for checkout action
|
||||
run: |
|
||||
apt-get update && apt-get install -y curl
|
||||
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
|
||||
apt-get install -y nodejs
|
||||
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
apt-get update && apt-get install -y wget curl
|
||||
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add - || true
|
||||
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee -a /etc/apt/sources.list.d/trivy.list
|
||||
apt-get update && apt-get install -y trivy || \
|
||||
(wget -qO /usr/local/bin/trivy https://github.com/aquasecurity/trivy/releases/latest/download/trivy_linux_amd64 && chmod +x /usr/local/bin/trivy)
|
||||
|
||||
- name: Scan npm dependencies
|
||||
run: |
|
||||
if [ -f "package.json" ]; then
|
||||
@ -105,11 +143,22 @@ jobs:
|
||||
sast-scan:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: returntocorp/semgrep:latest
|
||||
image: ubuntu:22.04
|
||||
steps:
|
||||
- name: Install Node.js for checkout action
|
||||
run: |
|
||||
apt-get update && apt-get install -y curl
|
||||
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
|
||||
apt-get install -y nodejs
|
||||
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install Semgrep
|
||||
run: |
|
||||
apt-get update && apt-get install -y python3 python3-pip
|
||||
pip3 install semgrep
|
||||
|
||||
- name: Run Semgrep scan
|
||||
run: semgrep --config=auto --error
|
||||
continue-on-error: true
|
||||
@ -137,13 +186,23 @@ jobs:
|
||||
vault-check:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: python:3.11-slim
|
||||
image: ubuntu:22.04
|
||||
steps:
|
||||
- name: Install Node.js for checkout action
|
||||
run: |
|
||||
apt-get update && apt-get install -y curl
|
||||
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
|
||||
apt-get install -y nodejs
|
||||
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install Python and dependencies
|
||||
run: |
|
||||
apt-get update && apt-get install -y python3 python3-pip
|
||||
|
||||
- name: Install Ansible
|
||||
run: pip install --no-cache-dir ansible
|
||||
run: pip3 install --no-cache-dir ansible
|
||||
|
||||
- name: Validate vault files are encrypted
|
||||
run: |
|
||||
@ -166,13 +225,23 @@ jobs:
|
||||
playbook-test:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: python:3.11-slim
|
||||
image: ubuntu:22.04
|
||||
steps:
|
||||
- name: Install Node.js for checkout action
|
||||
run: |
|
||||
apt-get update && apt-get install -y curl
|
||||
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
|
||||
apt-get install -y nodejs
|
||||
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install Python and dependencies
|
||||
run: |
|
||||
apt-get update && apt-get install -y python3 python3-pip
|
||||
|
||||
- name: Install Ansible
|
||||
run: pip install --no-cache-dir ansible
|
||||
run: pip3 install --no-cache-dir ansible
|
||||
|
||||
- name: Dry-run playbooks
|
||||
run: |
|
||||
@ -198,11 +267,25 @@ jobs:
|
||||
container-scan:
|
||||
runs-on: ubuntu-latest
|
||||
container:
|
||||
image: aquasec/trivy:latest
|
||||
image: ubuntu:22.04
|
||||
steps:
|
||||
- name: Install Node.js for checkout action
|
||||
run: |
|
||||
apt-get update && apt-get install -y curl
|
||||
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
|
||||
apt-get install -y nodejs
|
||||
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
apt-get update && apt-get install -y wget curl
|
||||
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | apt-key add - || true
|
||||
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | tee -a /etc/apt/sources.list.d/trivy.list
|
||||
apt-get update && apt-get install -y trivy || \
|
||||
(wget -qO /usr/local/bin/trivy https://github.com/aquasecurity/trivy/releases/latest/download/trivy_linux_amd64 && chmod +x /usr/local/bin/trivy)
|
||||
|
||||
- name: Scan for Dockerfiles and container configs
|
||||
run: |
|
||||
if [ -f "Dockerfile" ] || [ -f "docker-compose.yml" ] || find . -name "Dockerfile*" -o -name "*.dockerfile" 2>/dev/null | grep -v ".git" | head -1 > /dev/null; then
|
||||
|
||||
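Review bot: Every new `Install Node.js for checkout action` step (first hunk, ansible-validation, and the same step repeated in secret-scanning, dependency-scan, sast-scan, vault-check, playbook-test and container-scan) runs `curl -fsSL https://deb.nodesource.com/setup_20.x | bash -` as root inside the job container, so an unpinned remote script executes on every run with no signature or checksum check, and the replacement tool installs have the same shape: Gitleaks and the Trivy fallback are fetched from `releases/latest` with no version pin or checksum, and `apt-key add - || true` lets a failed key import pass silently. `ubuntu:22.04` also appears not to ship `lsb_release`, so the Trivy apt source line is likely written with an empty suite and the step falls through to the unverified binary download, which would fit the failing dependency-scan and container-scan checks. I would install Node from NodeSource's signed apt repository with the major version pinned in the source line (below), pin `GITLEAKS_VERSION` and verify the release's published checksums file before extracting, and drop the `|| true` so a key-import failure fails the step instead of degrading to an unsigned install. The `jobs:` mapping and the remaining steps of each job continue outside these hunks.
```yaml
      - name: Install Node.js for checkout action
        run: |
          apt-get update && apt-get install -y ca-certificates curl gnupg
          install -d -m 0755 /etc/apt/keyrings
          curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
          echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" > /etc/apt/sources.list.d/nodesource.list
          apt-get update && apt-get install -y nodejs
      # … unchanged: Check out code step and the job's tool-install steps …
```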