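# Full-repository scan with AWS Automated Security Helper (ASH).
# Runs on every push to main, on a monthly schedule, and on demand; the
# summary is published as a job summary, uploaded as an artifact, and (for
# scheduled runs with findings) filed as an issue.
name: ASH Full Repository Scan

on:
  push:
    branches: [main]
  schedule:
    # Run at 2 AM UTC on the 1st of every month
    - cron: '0 2 1 * *'
  workflow_dispatch:  # Allow manual triggering

# Least privilege: read the code, write the monthly findings issue. Nothing else
# in this workflow needs more than that.
permissions:
  contents: read
  issues: write

jobs:
  full-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Full clone; presumably so history-aware scanners see every commit — confirm
          fetch-depth: 0

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'

      - name: Install ASH
        # Pinned to a release tag. A tag is mutable; pinning to the tag's commit
        # SHA gives a stronger supply-chain guarantee for a security tool that
        # runs with access to the whole checkout.
        run: pip install git+https://github.com/awslabs/automated-security-helper.git@v3.2.2

      - name: Run ASH full repository scan
        run: |
          # Create ASH config for comprehensive scanning
          cat > .ash_config.yaml << 'EOF'
          reporters:
            markdown:
              enabled: true
              options:
                include_detailed_findings: true
                max_detailed_findings: 1000
          EOF
          # Run ASH on entire repository; the log is parsed by the next step
          ash --mode container --config .ash_config.yaml 2>&1 | tee ash-output.log
        # Findings make ASH exit non-zero; keep the job alive so the summary,
        # artifact and issue steps still run. The summary step is responsible
        # for telling a failed scan apart from a clean one.
        continue-on-error: true

      - name: Generate scan summary
        id: scan-summary
        # Context values are passed through env rather than interpolated into the
        # script, so actor/commit strings cannot alter the shell being run.
        env:
          EVENT_NAME: ${{ github.event_name }}
          COMMIT_SHA: ${{ github.sha }}
          ACTOR: ${{ github.actor }}
        run: |
          SUMMARY_FILE="ash-summary.md"
          echo "# ASH Security Scan - Full Repository Report" > "$SUMMARY_FILE"
          echo "" >> "$SUMMARY_FILE"
          echo "**Scan Date:** $(date -u +%Y-%m-%dT%H:%M:%S+00:00)" >> "$SUMMARY_FILE"
          echo "**Trigger:** ${EVENT_NAME}" >> "$SUMMARY_FILE"
          if [ "${EVENT_NAME}" == "push" ]; then
            echo "**Commit:** ${COMMIT_SHA}" >> "$SUMMARY_FILE"
            echo "**Pushed by:** ${ACTOR}" >> "$SUMMARY_FILE"
          elif [ "${EVENT_NAME}" == "schedule" ]; then
            echo "**Type:** Monthly scheduled scan" >> "$SUMMARY_FILE"
          elif [ "${EVENT_NAME}" == "workflow_dispatch" ]; then
            echo "**Type:** Manual trigger by ${ACTOR}" >> "$SUMMARY_FILE"
          fi
          echo "" >> "$SUMMARY_FILE"

          # Extract and format scan results
          if [ -f "ash-output.log" ]; then
            # Find the table boundaries. A pipeline ending in `cut` exits 0 even
            # when grep matched nothing, so an `|| echo 0` fallback never fires;
            # default the empty result explicitly instead.
            TABLE_START=$(grep -n "ASH Scan Results Summary" ash-output.log | head -1 | cut -d: -f1)
            TABLE_START="${TABLE_START:-0}"
            TABLE_END=$(grep -n "source-dir:" ash-output.log | head -1 | cut -d: -f1)
            TABLE_END="${TABLE_END:-0}"
            if [ "$TABLE_START" != "0" ] && [ "$TABLE_END" != "0" ] && [ "$TABLE_END" -gt "$TABLE_START" ]; then
              echo "## Scanner Results Summary" >> "$SUMMARY_FILE"
              echo "" >> "$SUMMARY_FILE"
              # Convert terminal table to markdown
              echo "| Scanner | S | C | H | M | L | I | Time | Action | Result | Thresh |" >> "$SUMMARY_FILE"
              echo "|---------|---|---|---|---|---|---|------|--------|--------|--------|" >> "$SUMMARY_FILE"
              # Strip ANSI colour escapes before the text is embedded in markdown
              sed -n "${TABLE_START},${TABLE_END}p" ash-output.log | \
                sed 's/\x1b\[[0-9;]*m//g' | \
                grep "^│" | \
                sed 's/│/|/g' | \
                sed 's/^ *|/|/' | \
                sed 's/| *$/|/' >> "$SUMMARY_FILE"
              echo "" >> "$SUMMARY_FILE"
            fi

            # Check for findings. Only report "clean" when the results table was
            # actually produced; a scan that died early must not look green.
            if grep -q "Actionable findings detected!" ash-output.log; then
              echo "has_findings=true" >> "$GITHUB_OUTPUT"
              echo "**Status:** ⚠️ Security findings detected" >> "$SUMMARY_FILE"
            elif [ "$TABLE_START" != "0" ]; then
              echo "has_findings=false" >> "$GITHUB_OUTPUT"
              echo "**Status:** ✅ No security issues found" >> "$SUMMARY_FILE"
            else
              echo "has_findings=false" >> "$GITHUB_OUTPUT"
              echo "**Status:** ❓ Scan did not produce a results summary; check the workflow log" >> "$SUMMARY_FILE"
            fi
          else
            echo "has_findings=false" >> "$GITHUB_OUTPUT"
            echo "**Status:** ❓ No scan output was produced; check the workflow log" >> "$SUMMARY_FILE"
          fi

          # Include detailed findings if available
          if [ -f ".ash/ash_output/reports/ash.summary.md" ]; then
            echo "" >> "$SUMMARY_FILE"
            echo "## Detailed Findings" >> "$SUMMARY_FILE"
            echo "" >> "$SUMMARY_FILE"
            grep -A 1000 "Detailed Findings" ".ash/ash_output/reports/ash.summary.md" | \
              grep -v -E '^(Time since scan:|Report generated:)' | \
              grep -v 'Report generated by Automated Security Helper' >> "$SUMMARY_FILE" || true
          fi

      - name: Upload ASH results as artifacts
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: ash-full-scan-${{ github.run_id }}
          path: |
            .ash/
            ash-output.log
            ash-summary.md
          retention-days: 90

      - name: Create issue for critical findings (monthly scan only)
        # Only the scheduled run files an issue, and only when the summary step
        # reported findings; pushes and manual runs rely on the job summary.
        if: github.event_name == 'schedule' && steps.scan-summary.outputs.has_findings == 'true'
        uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const fs = require('fs');
            const summaryPath = 'ash-summary.md';
            if (fs.existsSync(summaryPath)) {
              const summaryContent = fs.readFileSync(summaryPath, 'utf8');
              // Create issue for monthly scan findings
              await github.rest.issues.create({
                owner: context.repo.owner,
                repo: context.repo.repo,
                title: `🔒 ASH Security Scan - Monthly Report (${new Date().toISOString().split('T')[0]})`,
                body: summaryContent + '\n\n---\n*This issue was automatically created by the monthly security scan workflow.*',
                labels: ['security', 'automated-scan']
              });
            }

      - name: Job summary
        if: always()
        env:
          HAS_FINDINGS: ${{ steps.scan-summary.outputs.has_findings }}
          REPO: ${{ github.repository }}
          RUN_ID: ${{ github.run_id }}
        run: |
          echo "## ASH Security Scan Results" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          if [ -f "ash-summary.md" ]; then
            cat ash-summary.md >> "$GITHUB_STEP_SUMMARY"
          else
            echo "No scan summary available." >> "$GITHUB_STEP_SUMMARY"
          fi
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "---" >> "$GITHUB_STEP_SUMMARY"
          echo "*Full scan results are available in the [workflow artifacts](https://github.com/${REPO}/actions/runs/${RUN_ID})*" >> "$GITHUB_STEP_SUMMARY"
          if [ "${HAS_FINDINGS}" == "true" ]; then
            echo "" >> "$GITHUB_STEP_SUMMARY"
            echo "⚠️ **Action Required:** Security findings were detected. Please review the results and address any critical issues." >> "$GITHUB_STEP_SUMMARY"
          fi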