From 856db88d547b3d8a507ac3862a5dea2e55be758e Mon Sep 17 00:00:00 2001
From: petergphillips <5099053+petergphillips@users.noreply.github.com>
Date: Fri, 20 Sep 2024 15:55:34 +0100
Subject: [PATCH] =?UTF-8?q?SDIT-2050:=20=F0=9F=91=B7=20Switch=20to=20githu?=
 =?UTF-8?q?b=20actions=20for=20security=20jobs=20(#2273)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
.circleci/config.yml | 66 ++-----------------
.github/workflows/security_owasp.yml | 13 ++++
.github/workflows/security_trivy.yml | 13 ++++
.../security_veracode_pipeline_scan.yml | 23 +++++++
.../security_veracode_policy_scan.yml | 23 +++++++
5 files changed, 79 insertions(+), 59 deletions(-)
create mode 100644 .github/workflows/security_owasp.yml
create mode 100644 .github/workflows/security_trivy.yml
create mode 100644 .github/workflows/security_veracode_pipeline_scan.yml
create mode 100644 .github/workflows/security_veracode_policy_scan.yml
diff --git a/.circleci/config.yml b/.circleci/config.yml
index 1e3381a293..e6dc3f49dc 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,24 +1,16 @@
 version: 2.1
-
 orbs:
 hmpps: ministryofjustice/hmpps@10
-
-executor:
- &executor
+executor: &executor
 executor:
 name: hmpps/java
 tag: "21.0"
 environment:
 # Setting max gradle workers to 1 (which means 1 running concurrently, not max 1!) - because although this doesn't stop the ktlint workers from starting it does seem to prevent the test executor from needing as much memory.
- _JAVA_OPTIONS: -Xmx2048m -XX:ParallelGCThreads=2 -XX:ConcGCThreads=2
- -XX:ParallelGCThreads=2
- -Djava.util.concurrent.ForkJoinPool.common.parallelism=2
- -Dorg.gradle.daemon=false -Dorg.gradle.jvmargs=-XX:+UseContainerSupport
- -Dkotlin.compiler.execution.strategy=in-process -Dorg.gradle.workers.max=1
-
+ _JAVA_OPTIONS: -Xmx2048m -XX:ParallelGCThreads=2 -XX:ConcGCThreads=2 -XX:ParallelGCThreads=2 -Djava.util.concurrent.ForkJoinPool.common.parallelism=2 -Dorg.gradle.daemon=false -Dorg.gradle.jvmargs=-XX:+UseContainerSupport -Dkotlin.compiler.execution.strategy=in-process -Dorg.gradle.workers.max=1
 jobs:
 check:
- <<: *executor
+ !!merge <<: *executor
 steps:
 - run:
 command: |
@@ -51,15 +43,14 @@ jobs:
 # The resource_class feature allows configuring CPU and RAM resources for each job. Different resource classes are available for different executors. https://circleci.com/docs/2.0/configuration-reference/#resourceclass
 resource_class: large
 test-integration:
- <<: *executor
+ !!merge <<: *executor
 steps:
 - checkout
 - restore_cache:
 key: gradle-wrapper-{{ checksum "gradle/wrapper/gradle-wrapper.properties" }}
 - restore_cache:
 key: gradle-cache-{{ checksum "build.gradle.kts" }}
- - run: ./gradlew -Dorg.gradle.jvmargs="--illegal-access=permit"
- -Dkotlin.daemon.jvm.options="--illegal-access=permit" testIntegration
+ - run: ./gradlew -Dorg.gradle.jvmargs="--illegal-access=permit" -Dkotlin.daemon.jvm.options="--illegal-access=permit" testIntegration
 - save_cache:
 key: gradle-wrapper-{{ checksum "gradle/wrapper/gradle-wrapper.properties" }}
 paths:
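Review bot: The new single-line `_JAVA_OPTIONS` value still carries `-XX:ParallelGCThreads=2` twice (once after `-Xmx2048m` and again after `-XX:ConcGCThreads=2`); now that the flags sit on one line the duplicate is obvious and the second occurrence can simply be dropped. The switch from `<<: *executor` to `!!merge <<: *executor` uses the explicit YAML 1.1 merge tag, which most parsers accept, but it is applied to every job in this file, so it is worth confirming with `circleci config validate` that CircleCI's parser treats it as a merge key rather than a literal `<<` mapping key before this lands. The `check` job's step list continues past the end of the hunk.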
@@ -77,16 +68,14 @@ jobs:
 # The resource_class feature allows configuring CPU and RAM resources for each job. Different resource classes are available for different executors. https://circleci.com/docs/2.0/configuration-reference/#resourceclass
 resource_class: large
 test-schema-nomis:
- <<: *executor
+ !!merge <<: *executor
 steps:
 - checkout
 - restore_cache:
 key: gradle-wrapper-{{ checksum "gradle/wrapper/gradle-wrapper.properties" }}
 - restore_cache:
 key: gradle-cache-{{ checksum "build.gradle.kts" }}
- - run: ./gradlew -Dorg.gradle.jvmargs="--illegal-access=permit"
- -Dkotlin.daemon.jvm.options="--illegal-access=permit"
- testWithSchemaNomis
+ - run: ./gradlew -Dorg.gradle.jvmargs="--illegal-access=permit" -Dkotlin.daemon.jvm.options="--illegal-access=permit" testWithSchemaNomis
 - save_cache:
 key: gradle-wrapper-{{ checksum "gradle/wrapper/gradle-wrapper.properties" }}
 paths:
@@ -102,7 +91,6 @@ jobs:
 - store_artifacts:
 path: build/libs
 resource_class: large
-
 workflows:
 version: 2
 build-test-and-deploy:
@@ -146,7 +134,6 @@ workflows:
 type: approval
 requires:
 - deploy_dev
-
 - hmpps/deploy_env:
 name: deploy_preprod
 env: "preprod"
@@ -159,12 +146,10 @@ workflows:
 - prison-api-preprod
 requires:
 - request-preprod-approval
-
 - request-prod-approval:
 type: approval
 requires:
 - deploy_preprod
-
 - hmpps/deploy_env:
 name: deploy_prod
 env: "prod"
@@ -178,40 +163,3 @@ workflows:
 - prison-api-prod
 requires:
 - request-prod-approval
-
- security:
- triggers:
- - schedule:
- cron: "46 6 * * 1-5"
- filters:
- branches:
- only:
- - main
- jobs:
- - hmpps/gradle_owasp_dependency_check:
- cache_key: "v2_0"
- jdk_tag: "21.0"
- context:
- - hmpps-common-vars
- hmpps/trivy_latest_scan:
- context:
- - hmpps-common-vars
- hmpps/veracode_pipeline_scan:
- jdk_tag: "21.0"
- context:
- - hmpps-common-vars
- - veracode-credentials
- security-weekly:
- triggers:
- - schedule:
- cron: "51 5 * * 1"
- filters:
- branches:
- only:
- - main
- jobs:
- - hmpps/veracode_policy_scan:
- jdk_tag: "21.0"
- context:
- - veracode-credentials
- - hmpps-common-vars
diff --git a/.github/workflows/security_owasp.yml b/.github/workflows/security_owasp.yml
new file mode 100644
index 0000000000..7a95e41d9b
--- /dev/null
+++ b/.github/workflows/security_owasp.yml
@@ -0,0 +1,13 @@
+name: Security OWASP dependency check
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "23 9 * * MON-FRI" # Every weekday at 09:23 UTC
+jobs:
+ security-kotlin-owasp-check:
+ name: Kotlin security OWASP dependency check
+ uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_owasp.yml@0.2 # WORKFLOW_VERSION
+ with:
+ channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+ secrets:
+ SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }}
diff --git a/.github/workflows/security_trivy.yml b/.github/workflows/security_trivy.yml
new file mode 100644
index 0000000000..cd7bb6b1e3
--- /dev/null
+++ b/.github/workflows/security_trivy.yml
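Review bot: The new caller workflow sets no `permissions:` block, so the reusable workflow it invokes runs with whatever default `GITHUB_TOKEN` permissions the repository or organisation grants, which may be read/write; a caller can only narrow what the called workflow receives, so add a top-level `permissions:` with `contents: read` (plus `security-events: write` only if the reusable workflow is known to upload SARIF — that is not visible from here). The `uses:` reference is pinned to the mutable tag `0.2` with a `# WORKFLOW_VERSION` marker, presumably for automated bumps; for a job that is handed a Slack bot token, pinning to the tag's commit SHA (`...security_owasp.yml@<sha> # 0.2`) would stop a moved or re-pushed tag from silently changing what runs with that secret. Both points apply equally to the other three workflow files this commit adds.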
@@ -0,0 +1,13 @@
+name: Security trivy dependency check
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "23 9 * * MON-FRI" # Every weekday at 09:23 UTC
+jobs:
+ security-kotlin-trivy-check:
+ name: Project security trivy dependency check
+ uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_trivy.yml@0.2 # WORKFLOW_VERSION
+ with:
+ channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+ secrets:
+ SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }}
diff --git a/.github/workflows/security_veracode_pipeline_scan.yml b/.github/workflows/security_veracode_pipeline_scan.yml
new file mode 100644
index 0000000000..b8f4d398aa
--- /dev/null
+++ b/.github/workflows/security_veracode_pipeline_scan.yml
@@ -0,0 +1,23 @@
+name: Security veracode pipeline check
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "23 9 * * MON-FRI" # Every weekday at 09:23 UTC
+jobs:
+ security-veracode-policy-check:
+ name: Project security veracode policy scan
+ uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_pipeline_scan.yml@0.2 # WORKFLOW_VERSION
+ with:
+ channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+ secrets:
+ SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }}
+ VERACODE_API_ID_0: ${{ secrets.HMPPS_VERACODE_API_ID_0 }}
+ VERACODE_API_ID_1: ${{ secrets.HMPPS_VERACODE_API_ID_1 }}
+ VERACODE_API_ID_2: ${{ secrets.HMPPS_VERACODE_API_ID_2 }}
+ VERACODE_API_ID_3: ${{ secrets.HMPPS_VERACODE_API_ID_3 }}
+ VERACODE_API_ID_4: ${{ secrets.HMPPS_VERACODE_API_ID_4 }}
+ VERACODE_API_KEY_0: ${{ secrets.HMPPS_VERACODE_API_KEY_0 }}
+ VERACODE_API_KEY_1: ${{ secrets.HMPPS_VERACODE_API_KEY_1 }}
+ VERACODE_API_KEY_2: ${{ secrets.HMPPS_VERACODE_API_KEY_2 }}
+ VERACODE_API_KEY_3: ${{ secrets.HMPPS_VERACODE_API_KEY_3 }}
+ VERACODE_API_KEY_4: ${{ secrets.HMPPS_VERACODE_API_KEY_4 }}
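Review bot: `channel_id` falls back to the literal `'NO_SLACK'` when `vars.SECURITY_ALERTS_SLACK_CHANNEL_ID` is unset, which presumably tells the reusable workflow to skip notification, so a missing repository variable means the scan runs every weekday but nobody is told about findings; the CircleCI jobs this replaces took their Slack settings from the `hmpps-common-vars` context, so confirm the repository or organisation variable actually exists before the old schedule is gone. The job id `security-kotlin-trivy-check` and its display name `Project security trivy dependency check` disagree on scope (Kotlin vs project); the reusable workflow's scan target is not visible here, but the two labels should at least agree, e.g. `security-trivy-check:` with `name: Project security trivy check`.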
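Review bot: The job id and display name in this pipeline-scan workflow are `security-veracode-policy-check` / `Project security veracode policy scan`, copied from the policy-scan file, so the Actions run list and any Slack alert will show two jobs both called "policy scan" and a failing daily pipeline scan can be mistaken for the weekly policy scan; rename them to `security-veracode-pipeline-check:` and `name: Project security veracode pipeline scan`. Forwarding the ten Veracode ID/KEY secrets explicitly rather than with `secrets: inherit` is the right least-privilege choice and is worth keeping as the reusable workflow evolves, even though it duplicates the block across the two Veracode files.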
diff --git a/.github/workflows/security_veracode_policy_scan.yml b/.github/workflows/security_veracode_policy_scan.yml
new file mode 100644
index 0000000000..26e09b7973
--- /dev/null
+++ b/.github/workflows/security_veracode_policy_scan.yml
@@ -0,0 +1,23 @@
+name: Security veracode policy check
+on:
+ workflow_dispatch:
+ schedule:
+ - cron: "32 9 * * 1" # Every Monday at 09:32 UTC
+jobs:
+ security-veracode-policy-check:
+ name: Project security veracode policy scan
+ uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_policy_scan.yml@0.2 # WORKFLOW_VERSION
+ with:
+ channel_id: ${{ vars.SECURITY_ALERTS_SLACK_CHANNEL_ID || 'NO_SLACK' }}
+ secrets:
+ SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SRE_SLACK_BOT_TOKEN }}
+ VERACODE_API_ID_0: ${{ secrets.HMPPS_VERACODE_API_ID_0 }}
+ VERACODE_API_ID_1: ${{ secrets.HMPPS_VERACODE_API_ID_1 }}
+ VERACODE_API_ID_2: ${{ secrets.HMPPS_VERACODE_API_ID_2 }}
+ VERACODE_API_ID_3: ${{ secrets.HMPPS_VERACODE_API_ID_3 }}
+ VERACODE_API_ID_4: ${{ secrets.HMPPS_VERACODE_API_ID_4 }}
+ VERACODE_API_KEY_0: ${{ secrets.HMPPS_VERACODE_API_KEY_0 }}
+ VERACODE_API_KEY_1: ${{ secrets.HMPPS_VERACODE_API_KEY_1 }}
+ VERACODE_API_KEY_2: ${{ secrets.HMPPS_VERACODE_API_KEY_2 }}
+ VERACODE_API_KEY_3: ${{ secrets.HMPPS_VERACODE_API_KEY_3 }}
+ VERACODE_API_KEY_4: ${{ secrets.HMPPS_VERACODE_API_KEY_4 }}
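Review bot: This weekly policy scan is driven only by `schedule` and `workflow_dispatch`; `schedule` always runs against the default branch, which matches the removed CircleCI `branches: only: main` filter, but if this repository is public GitHub automatically disables scheduled workflows after 60 days without repository activity, so a quiet period would silently stop the compliance scan in a way the CircleCI cron it replaces did not. That is worth recording next to the cron so the next maintainer knows why a scan may have stopped, e.g. `# NOTE: GitHub disables scheduled workflows after 60 days of repo inactivity; re-enable from the Actions tab`. The same caveat applies to the three weekday workflows added in this commit.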