feat(docs): add initial job to generate security reports for Apps

2022-12-22 19:34:48 +01:00 · 2022-12-22 19:34:48 +01:00 · 85f4a037be
parent 9dbbaf349c
commit 85f4a037be
1 changed files with 109 additions and 0 deletions
--- a/.github/workflows/secgen.yaml
+++ b/.github/workflows/secgen.yaml
@ -0,0 +1,109 @@
+name: "Chore: Generate Security Docs"
+
+concurrency: helm-release
+
+on:
+  workflow_dispatch:
+
+jobs:
+  gen-sec:
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/truecharts/devcontainer:v3.1.1@sha256:f0ecaa533663f88346b745eb497f6f6acf63561ad88e345cd71c8280963b8c1e
+    steps:
+      - name: Install Kubernetes tools
+        uses: yokawasa/action-setup-kube-tools@b91bb02bc122bd84ac7bbea5f25ed6b0f2ec6275 # tag=v0.9.2
+        with:
+          setup-tools: |
+            helmv3
+          helm: "3.8.0"
+
+      - name: Prep Helm
+        run: |
+          helm repo add truecharts https://charts.truecharts.org
+          helm repo add truecharts-library https://library-charts.truecharts.org
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo add prometheus https://prometheus-community.github.io/helm-charts
+          helm repo update
+
+      - name: Checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
+        with:
+          token: ${{ secrets.BOT_TOKEN }}
+          fetch-depth: 0
+
+      - name: Setting repo parent dir as safe safe.directory
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
+      - name: Checkout
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3
+        with:
+          fetch-depth: 1
+          repository: truecharts/website
+          token: ${{ secrets.BOT_TOKEN }}
+          path: website
+
+      - name: Copy docs to website
+        shell: bash
+        run: |
+          helm_sec_scan() {
+              local chart="$1"
+              local chartname="$2"
+              local train="$3"
+              echo "Scanning helm security for ${chartname}"
+              mkdir -p ${chart}/render
+              rm -rf website/docs/charts/${train}/${chartname}/helm-security.md | echo "removing old sec-scan.md file failed..."
+              echo "# Security Scan" >> website/docs/charts/${train}/${chartname}/helm-security.md
+              echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
+              echo "## Helm-Chart" >> website/docs/charts/${train}/${chartname}/helm-security.md
+              echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
+              echo "##### Scan Results" >> website/docs/charts/${train}/${chartname}/helm-security.md
+              echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
+              helm template ${chart} --output-dir ${chart}/render
+              trivy config -f template --template "@./templates/trivy.tpl" ${chart}/render >> website/docs/charts/${train}/${chartname}/helm-security.md
+              echo "" >> website/docs/charts/${train}/${chartname}/helm-security.md
+              }
+          container_sec_scan() {
+              local chart="$1"
+              local chartname="$2"
+              local train="$3"
+              echo "Scanning container security for ${chartname}"
+              echo "## Containers" >> website/docs/charts/${train}/${chartname}/container-security.md
+              echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
+              echo "##### Detected Containers" >> website/docs/charts/${train}/${chartname}/container-security.md
+              echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
+              find ${chart}/render/ -name '*.yaml' -type f -exec cat {} \; | grep image: | sed "s/image: //g" | sed "s/\"//g" >> ${chart}/render/containers.tmp
+              cat ${chart}/render/containers.tmp >> website/docs/charts/${train}/${chartname}/container-security.md
+              echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
+              echo "##### Scan Results" >> website/docs/charts/${train}/${chartname}/container-security.md
+              echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
+              for container in $(cat ${chart}/render/containers.tmp); do
+                echo "**Container: ${container}**" >> website/docs/charts/${train}/${chartname}/container-security.md
+                echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
+                ghcrcont=$(echo ${container} | sed "s/tccr.io/ghcr.io/g")
+                trivy image -f template --template "@./templates/trivy.tpl" ${ghcrcont} >> website/docs/charts/${train}/${chartname}/container-security.md
+                echo "" >> website/docs/charts/${train}/${chartname}/container-security.md
+                done
+          
+              }
+          for train in stable SCALE incubator games enterprise develop non-free deprecated dependency core; do
+            for chart in charts/${train}/*; do
+              if [ -d "${chart}" ]; then
+          	    chartname="$(basename "$(dirname "$path")")"
+		        helm_sec_scan ${chart} ${chartname} ${train}
+          	    #container_sec_scan ${chart} ${chartname} ${train}
+              fi
+            done
+          done
+
+      - name: Commit Website Changes
+        if: |
+          steps.collect-changes.outputs.changesDetected == 'true'
+        run: |
+          cd website
+          git config user.name "TrueCharts-Bot"
+          git config user.email "bot@truecharts.org"
+          git add --all
+          git commit -sm "Commit released docs for TrueCharts" || exit 0
+          git push
+