fix(aws-api-mcp-server): validate origin/host headers #7199
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow uses actions that are not certified by GitHub. | |
| # They are provided by a third-party and are governed by | |
| # separate terms of service, privacy policy, and support | |
| # documentation. | |
| name: trivy | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| # The branches below must be a subset of the branches above | |
| branches: [ "main" ] | |
| schedule: | |
| - cron: '43 16 * * 1' | |
| permissions: {} | |
| jobs: | |
| detect-dockerfiles: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| outputs: | |
| dockerfiles: ${{ steps.find-dockerfiles.outputs.dockerfiles }} | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: Find Dockerfiles | |
| id: find-dockerfiles | |
| run: | | |
| DOCKERFILES=$(find . -name Dockerfile -exec dirname {} \; | sed 's/^\.\///' | jq -R -s -c 'split("\n")[:-1]') | |
| echo "dockerfiles=$DOCKERFILES" >> $GITHUB_OUTPUT | |
| build: | |
| needs: [detect-dockerfiles] | |
| if: ${{ needs.detect-dockerfiles.outputs.dockerfiles != '[]' && needs.detect-dockerfiles.outputs.dockerfiles != '' }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| dockerfile: ${{ fromJson(needs.detect-dockerfiles.outputs.dockerfiles) }} | |
| name: Build ${{ matrix.dockerfile }} | |
| permissions: | |
| contents: read | |
| security-events: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Clear Up Space (Agressively) for Trivy Scans that Run Out of Space | |
| if: contains(toJson('["src/core-mcp-server"]'), matrix.dockerfile) | |
| uses: awslabs/mcp/.github/actions/clear-space-ubuntu-latest-agressively@61ce600d5c7fd6584b22b6eac98f9b097aabce11 | |
| - name: Get Checkout Depth | |
| id: checkout-depth | |
| run: | | |
| # Fetch depth the number of commits in the PR and otherwise 1 | |
| echo "fetch-depth=$(( ${{ (github.event_name == 'pull_request' && github.event.pull_request.commits) || 0 }} + 1 ))" >> "${GITHUB_OUTPUT}" | |
| echo "image-name=$( echo "${{ matrix.dockerfile}}" | cut -d'/' -f2 )" >> "${GITHUB_OUTPUT}" | |
| - name: Checkout code | |
| id: checkout-code | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| lfs: true | |
| fetch-depth: ${{ steps.checkout-depth.outputs.fetch-depth || '1' }} | |
| sparse-checkout: | | |
| ${{ matrix.dockerfile }} | |
| - name: If trivy-results.sarif exists, it must be part of the PR changes | |
| if: github.event_name == 'pull_request' && hashFiles(format('{0}/trivy-results.sarif', matrix.dockerfile)) != '' | |
| id: check-sarif-in-pr | |
| run: | | |
| # Check if trivy-results.sarif is in the PR changes | |
| if git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ steps.checkout-code.outputs.commit }} | grep -q "${{ matrix.dockerfile }}/trivy-results.sarif"; then | |
| echo "${{ matrix.dockerfile }}/trivy-results.sarif is in the PR changes" | |
| echo "sarif-in-pr=true" >> $GITHUB_OUTPUT | |
| echo "::group::Here is the SARIF file before LFS pull" | |
| cat "${{ matrix.dockerfile }}/trivy-results.sarif" | |
| echo "::endgroup::" | |
| else | |
| echo "Either remove the ${{ matrix.dockerfile }}/trivy-results.sarif or include a fresh one in the PR" | |
| echo "sarif-in-pr=false" >> $GITHUB_OUTPUT | |
| exit 1 | |
| fi | |
| - name: Build an image from Dockerfile | |
| working-directory: ${{ matrix.dockerfile }} | |
| run: | | |
| docker build -t docker.io/${{ matrix.dockerfile }}:${{ github.sha }} . | |
| - name: Save an image | |
| working-directory: ${{ matrix.dockerfile }} | |
| run: | | |
| docker image save -o "${{ runner.temp }}/image.tar" docker.io/${{ matrix.dockerfile }}:${{ github.sha }} | |
| - name: Upload digest | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | |
| with: | |
| name: image-${{ steps.checkout-depth.outputs.image-name }} | |
| path: ${{ runner.temp }}/image.tar | |
| if-no-files-found: error | |
| retention-days: 1 | |
| - name: Delete the exported image | |
| run: | | |
| rm -r -f "${{ runner.temp }}/image.tar" | |
| - name: Run Trivy vulnerability scanner | |
| if: hashFiles(format('{0}/trivy-results.sarif', matrix.dockerfile)) == '' | |
| uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v0.33.1 | |
| with: | |
| image-ref: 'docker.io/${{ matrix.dockerfile }}:${{ github.sha }}' | |
| format: 'sarif' | |
| output: '${{ matrix.dockerfile }}/trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@57eebf61a2246ab60a0c2f5a85766db783ad3553 # v3.28.15 | |
| with: | |
| sarif_file: '${{ matrix.dockerfile }}/trivy-results.sarif' | |
| - name: Upload results | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 | |
| with: | |
| name: trivy-results-${{ steps.checkout-depth.outputs.image-name }} | |
| path: '${{ matrix.dockerfile }}/trivy-results.sarif' | |
| if-no-files-found: error | |
| retention-days: 1 |