forked from open-metadata/OpenMetadata
-
Notifications
You must be signed in to change notification settings - Fork 0
427 lines (372 loc) · 15.8 KB
/
Copy pathsecurity-scan.yml
File metadata and controls
427 lines (372 loc) · 15.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
# Copyright 2021 Collate
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: security-scan
on:
schedule:
- cron: "0 0 */2 * *"
workflow_dispatch:
inputs:
SEND_SLACK_NOTIFICATION:
description: "Post results to Slack (uncheck for test runs)"
type: boolean
required: false
default: true
env:
# Manual runs may opt out of Slack; schedule (where inputs are unset) always sends.
# Explicit empty-check, since `||` would treat the string 'false' inconsistently when the
# input is typed `boolean` — only an empty string should fall back to 'true'.
SEND_SLACK_NOTIFICATION: ${{ github.event.inputs.SEND_SLACK_NOTIFICATION == '' && 'true' || github.event.inputs.SEND_SLACK_NOTIFICATION }}
jobs:
vulnerability-scan:
runs-on: ubuntu-latest
environment: security-scan
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version-file: "openmetadata-ui/src/main/resources/ui/.nvmrc"
- name: Enable yarn
run: corepack enable
- name: Install UI dependencies
working-directory: openmetadata-ui/src/main/resources/ui
run: yarn install --frozen-lockfile --ignore-scripts
- name: Run Retire.js scan
id: retire-scan
continue-on-error: true
working-directory: openmetadata-ui/src/main/resources/ui
run: |
npx retire@5 \
--path node_modules/ \
--severity high \
--outputformat json \
--outputpath retire-report.json
- name: Verify report was generated
working-directory: openmetadata-ui/src/main/resources/ui
run: |
if [ ! -f retire-report.json ]; then
echo '::error::retire-report.json was not generated — retire scan may have crashed'
exit 1
fi
- name: Upload Retire.js Report
if: success()
uses: actions/upload-artifact@v4
with:
name: retire-js-report
path: openmetadata-ui/src/main/resources/ui/retire-report.json
retention-days: 30
- name: Generate Retire.js Slack summary
if: always()
run: |
mkdir -p retire-report
python3 scripts/retire_slack_summary.py \
openmetadata-ui/src/main/resources/ui/retire-report.json \
--counts-file retire-report/_retire_counts.json \
--slack-file retire-report/_retire_slack.txt \
> /dev/null
- name: Upload Retire.js Slack artifact
if: always()
uses: actions/upload-artifact@v4
with:
name: retire-slack
path: |
retire-report/_retire_slack.txt
retire-report/_retire_counts.json
retention-days: 30
- name: Publish Retire.js Summary
if: success()
working-directory: openmetadata-ui/src/main/resources/ui
run: |
python3 - << 'EOF' >> $GITHUB_STEP_SUMMARY
import json
SEVERITY_ICON = {"critical": "🚨", "high": "🔴", "medium": "🟠", "low": "🟡"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
NM = "node_modules/"
def escape(text):
return str(text).replace('|', '\\|').replace('`', "'")
try:
with open("retire-report.json") as f:
data = json.load(f)
except FileNotFoundError:
print("## Retire.js Scan Results\n\n> Report file not found — scan may not have run.")
raise SystemExit(0)
findings = data.get("data", [])
libs = {}
for item in findings:
filepath = item.get("file", "")
short = filepath[filepath.find(NM) + len(NM):] if NM in filepath else filepath
for result in item.get("results", []):
key = (result.get("component", ""), result.get("version", ""))
if key not in libs:
libs[key] = {"files": [], "vulns": result.get("vulnerabilities", [])}
if short not in libs[key]["files"]:
libs[key]["files"].append(short)
print("## Retire.js Scan Results\n")
if not libs:
print("✅ No vulnerable libraries found.")
else:
total_vulns = sum(len(v["vulns"]) for v in libs.values())
print(f"> **{len(libs)} vulnerable librar{'y' if len(libs) == 1 else 'ies'} · {total_vulns} CVE{'s' if total_vulns != 1 else ''} found**\n")
for (component, version), info in sorted(libs.items(), key=lambda x: min(
(SEVERITY_ORDER.get(v.get("severity", "low"), 3) for v in x[1]["vulns"]), default=3)):
top_sev = min(info["vulns"], key=lambda v: SEVERITY_ORDER.get(v.get("severity", "low"), 3))
icon = SEVERITY_ICON.get(top_sev.get("severity", "low"), "⚪")
print(f"### {icon} {component} {version}\n")
print("| Severity | CVE | Summary |")
print("|---|---|---|")
for vuln in sorted(info["vulns"], key=lambda v: SEVERITY_ORDER.get(v.get("severity", "low"), 3)):
sev = vuln.get("severity", "")
ids = vuln.get("identifiers", {})
cves = ids.get("CVE", [])
summary = ids.get("summary", "").split("\n")[0][:120]
cve_str = ", ".join(f"[{c}](https://nvd.nist.gov/vuln/detail/{c})" for c in cves) if cves else ids.get("githubID", "—")
print(f"| {SEVERITY_ICON.get(sev, '')} {sev} | {escape(cve_str)} | {escape(summary)} |")
print("\n**Bundled in:**")
for f in info["files"]:
print(f"- `{f}`")
print()
EOF
- name: Force failure on vulnerabilities found
if: steps.retire-scan.outcome == 'failure'
run: exit 1
security-scan:
runs-on: ubuntu-latest
environment: security-scan
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
SNYK_ORGANIZATION: ${{ secrets.SNYK_ORGANIZATION_ID }}
steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
android: true
dotnet: true
haskell: true
large-packages: false
docker-images: true
swap-storage: true
- uses: actions/checkout@v4
- name: Set up Python 3.10
uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Set up JDK 21
uses: actions/setup-java@v4
with:
java-version: "21"
distribution: "temurin"
- name: Install Ubuntu dependencies
run: |
# stop relying on apt cache of GitHub runners
sudo apt-get update
sudo apt-get install -y unixodbc-dev python3-venv librdkafka-dev gcc libsasl2-dev build-essential libssl-dev libffi-dev \
librdkafka-dev unixodbc-dev libevent-dev wkhtmltopdf libkrb5-dev
# Install and Authenticate to Snyk
- name: Install Snyk & Authenticate
run: |
sudo make install_antlr_cli
sudo npm install -g snyk
snyk auth ${SNYK_TOKEN}
snyk config set org=${SNYK_ORGANIZATION}
- name: Install Python dependencies
run: |
python3 -m venv env
source env/bin/activate
make install_all install_apis
- name: Maven build
id: maven-build
continue-on-error: true
run: mvn -DskipTests clean install
- name: Run Scan
id: security-report
if: steps.maven-build.outcome == 'success'
continue-on-error: true
run: |
source env/bin/activate
rm -rf security-report
mkdir -p security-report
# Run snyk subtargets directly; skip `export-snyk-pdf-report` which deletes JSONs after PDF conversion.
make snyk-ingestion-report || true
make snyk-ingestion-base-slim-report || true
make snyk-airflow-apis-report || true
make snyk-server-report || true
make snyk-ui-report || true
- name: Publish Snyk Summary
id: snyk-summary
if: always() && steps.maven-build.outcome == 'success'
run: |
python3 scripts/snyk_summary.py security-report \
--counts-file security-report/_counts.json \
--slack-file security-report/_slack.txt \
>> $GITHUB_STEP_SUMMARY
# Expose counts as step output for downstream gating.
counts=$(cat security-report/_counts.json)
echo "counts=$counts" >> $GITHUB_OUTPUT
high=$(jq '.high + .critical' security-report/_counts.json)
echo "high_critical=$high" >> $GITHUB_OUTPUT
- name: Fail on high/critical Snyk findings
if: always() && steps.snyk-summary.outputs.high_critical != '' && steps.snyk-summary.outputs.high_critical != '0'
run: |
echo "::error::Snyk found ${{ steps.snyk-summary.outputs.high_critical }} high/critical vulnerabilities (see Job Summary)"
exit 1
- name: Generate Snyk HTML/PDF
if: always() && steps.maven-build.outcome == 'success'
run: |
# Back up JSONs because html_to_pdf.py deletes them after PDF conversion.
mkdir -p /tmp/snyk-json-backup
cp security-report/*.json /tmp/snyk-json-backup/ 2>/dev/null || true
make export-snyk-pdf-report || true
# Restore JSONs alongside generated PDFs/HTMLs.
cp /tmp/snyk-json-backup/*.json security-report/ 2>/dev/null || true
- name: Upload Snyk Reports
if: always() && steps.maven-build.outcome == 'success'
uses: actions/upload-artifact@v4
with:
name: security-report
path: security-report
retention-days: 30
- name: Force failure
if: steps.maven-build.outcome != 'success' || steps.security-report.outcome != 'success'
run: |
exit 1
notify:
runs-on: ubuntu-latest
environment: security-scan
needs: [vulnerability-scan, security-scan]
if: always()
steps:
- name: Download Snyk artifact
if: needs.security-scan.result != 'skipped'
uses: actions/download-artifact@v4
with:
name: security-report
path: security-report
continue-on-error: true
- name: Download Retire.js Slack artifact
if: needs.vulnerability-scan.result != 'skipped'
uses: actions/download-artifact@v4
with:
name: retire-slack
path: retire-report
continue-on-error: true
- name: Build Slack header payload
id: build-header
env:
RETIRE_RESULT: ${{ needs.vulnerability-scan.result }}
SNYK_RESULT: ${{ needs.security-scan.result }}
REF_NAME: ${{ github.ref_name }}
RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
run: |
python3 - <<'PY' > header.json
import json, os, pathlib
retire = os.environ["RETIRE_RESULT"]
snyk = os.environ["SNYK_RESULT"]
ref_name = os.environ["REF_NAME"]
run_url = os.environ["RUN_URL"]
def status_icon(s):
return {"success": "✅", "cancelled": "⚠️ (cancelled)", "skipped": "⚠️ (skipped)"}.get(s, "❌")
def load_counts(path):
p = pathlib.Path(path)
if not p.exists():
return None
try:
return json.loads(p.read_text())
except Exception:
return None
def totals_line(counts):
if not counts:
return ""
return (
f"\n🚨 {counts.get('critical', 0)} critical · "
f"🔴 {counts.get('high', 0)} high · "
f"🟠 {counts.get('medium', 0)} medium · "
f"🟡 {counts.get('low', 0)} low"
)
retire_counts = load_counts("retire-report/_retire_counts.json")
snyk_counts = load_counts("security-report/_counts.json")
if retire == "success" and snyk == "success":
overall = "🟢"
elif retire == "failure" or snyk == "failure":
overall = "🚨"
else:
overall = "⚠️"
header = (
f"{overall} *Security scan* — *OpenMetadata Repo*\n"
f"_branch_ `{ref_name}` · <{run_url}|Open run details>\n"
f"• Vulnerability scan (Retire.js): {status_icon(retire)}"
f"{totals_line(retire_counts)}\n"
f"• Security scan (Snyk): {status_icon(snyk)}"
f"{totals_line(snyk_counts)}"
)
fallback = f"{overall} Security scan — OpenMetadata Repo on {ref_name}. {run_url}"
payload = {
"text": fallback,
"blocks": [{"type": "section", "text": {"type": "mrkdwn", "text": header}}],
}
print(json.dumps(payload))
PY
- name: Send Slack — header
id: send-header
if: env.SEND_SLACK_NOTIFICATION == 'true'
uses: slackapi/slack-github-action@v1.27.1
with:
channel-id: ${{ secrets.SLACK_CHANNEL_IDS }}
payload-file-path: header.json
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- name: Build Slack thread payload
id: build-thread
if: always() && steps.send-header.outputs.ts != ''
env:
THREAD_TS: ${{ steps.send-header.outputs.ts }}
run: |
python3 - <<'PY' > thread.json
import json, os, pathlib
thread_ts = os.environ["THREAD_TS"]
def read_sections(path):
p = pathlib.Path(path)
if not p.exists():
return []
text = p.read_text().strip()
return [s.strip() for s in text.split("\n\n") if s.strip()]
retire_sections = read_sections("retire-report/_retire_slack.txt")
snyk_sections = read_sections("security-report/_slack.txt")
blocks = []
MAX_TEXT = 2850
def push(section):
text = section if len(section) <= MAX_TEXT else section[:MAX_TEXT].rstrip() + "\n_…truncated, see Job Summary_"
blocks.append({"type": "section", "text": {"type": "mrkdwn", "text": text}})
for section in retire_sections[:24]:
push(section)
if retire_sections and snyk_sections:
blocks.append({"type": "divider"})
for section in snyk_sections[:23]:
push(section)
if not blocks:
push("_No detailed scan output was produced._")
payload = {
"thread_ts": thread_ts,
"text": "Security scan details (thread reply)",
"blocks": blocks,
}
print(json.dumps(payload))
PY
- name: Send Slack — thread reply
if: always() && env.SEND_SLACK_NOTIFICATION == 'true' && steps.send-header.outputs.ts != '' && steps.build-thread.outcome == 'success'
uses: slackapi/slack-github-action@v1.27.1
with:
channel-id: ${{ secrets.SLACK_CHANNEL_IDS }}
payload-file-path: thread.json
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}