moved the upstream and registry1 to separate tasks

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
defenseunicorns · Apr 2, 2024 · 3840a1a · 3840a1a
1 parent 1ab0cf2
commit 3840a1a
Show file tree

Hide file tree

Showing 2 changed files with 68 additions and 16 deletions.
diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml
@@ -9,9 +9,10 @@ on:
   workflow_dispatch: {}
 
 jobs:
-  scan:
+  # cannot scan registry1 and upstream at the same time because the sarif upload have a file limit of 20 files
+  scan-upstream:
     runs-on: ubuntu-latest
-    name: Scan for vulnerabilities
+    name: Scan for vulnerabilities - Upstream
     permissions:
       contents: read
       pull-requests: read
@@ -23,17 +24,47 @@ jobs:
           fetch-depth: 0
 
       - name: Environment setup
-        uses: defenseunicorns/uds-common/.github/actions/setup@e2ad99f7caba1b0d08856918db9385a431cfdbca # v0.3.3
+        uses: defenseunicorns/uds-common/.github/actions/setup@264ec430c4079129870820e70c4439f3f3d57cbc # v0.3.9
         with:
           username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
           password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
 
-      - name: Scan the repository for vulnerabilities
+
+      - name: Scan the repository for vulnerabilities - Upstream
+        run: |
+          uds run grype:install
+          uds run scan:upstream
+
+      - name: Upload SARIF files - Upstream
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2
+        with:
+          sarif_file: ./sarif
+
+  scan-registry1:
+    runs-on: ubuntu-latest
+    name: Scan for vulnerabilities - Registry1
+    permissions:
+      contents: read
+      pull-requests: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Environment setup
+        uses: defenseunicorns/uds-common/.github/actions/setup@264ec430c4079129870820e70c4439f3f3d57cbc # v0.3.9
+        with:
+          username: ${{ secrets.IRON_BANK_ROBOT_USERNAME }}
+          password: ${{ secrets.IRON_BANK_ROBOT_PASSWORD }}
+
+      - name: Scan the repository for vulnerabilities - Registry1
         run: |
           uds run grype:install
-          uds run scan:vulns
+          uds run scan:registry1
 
-      - name: Upload SARIF files 
+      - name: Upload SARIF files - Registry1
         uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2
         with:
           sarif_file: ./sarif
diff --git a/tasks/scan.yaml b/tasks/scan.yaml
@@ -1,26 +1,47 @@
 ---
 tasks:
-  - name: vulns
-    description: Create a UDS package with configurable flavor and extract the SBOM from all created packages and analyze for vulnerabilities
+  - name: upstream
+    description: Create a UDS package with upstream flavor, extract the SBOM, and analyze for vulnerabilities
     actions:
       - cmd: |
-          bash -c 'flavors=("upstream" "registry1")
-          for flavor in "${flavors[@]}"; do
+          bash -c '
+            flavor="upstream"
             output_dir="sbom/$flavor"
             mkdir -p "$output_dir"
             uds zarf package create . --flavor="$flavor" --confirm --no-progress -o "$output_dir"
             for file in "$output_dir"/*.zst; do
               uds zarf package inspect "$file" --sbom-out "$output_dir" --no-progress
             done
-          done
-          sarif_output_dir="./sarif"
-          mkdir -p "$sarif_output_dir"
-          for flavor in "${flavors[@]}"; do
+            sarif_output_dir="./sarif"
+            mkdir -p "$sarif_output_dir"
             find "sbom/$flavor" -type f -name "*.json" | while read -r json_file; do
               sarif_file_name="${flavor}_$(basename "${json_file}").sarif"
               echo "Processing $json_file"
               echo "Outputting to $sarif_output_dir/$sarif_file_name"
-              grype sbom:"$json_file" --fail-on high -o sarif --file "$sarif_output_dir/$sarif_file_name" || true
+              grype sbom:"$json_file" -o sarif --file "$sarif_output_dir/$sarif_file_name"
               echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)"
             done
-          done'
+          '
+
+  - name: registry1
+    description: Create a UDS package with registry1 flavor, extract the SBOM, and analyze for vulnerabilities
+    actions:
+      - cmd: |
+          bash -c '
+            flavor="registry1"
+            output_dir="sbom/$flavor"
+            mkdir -p "$output_dir"
+            uds zarf package create . --flavor="$flavor" --confirm --no-progress -o "$output_dir"
+            for file in "$output_dir"/*.zst; do
+              uds zarf package inspect "$file" --sbom-out "$output_dir" --no-progress
+            done
+            sarif_output_dir="./sarif"
+            mkdir -p "$sarif_output_dir"
+            find "sbom/$flavor" -type f -name "*.json" | while read -r json_file; do
+              sarif_file_name="${flavor}_$(basename "${json_file}").sarif"
+              echo "Processing $json_file"
+              echo "Outputting to $sarif_output_dir/$sarif_file_name"
+              grype sbom:"$json_file" -o sarif --file "$sarif_output_dir/$sarif_file_name"
+              echo "Grype analysis for $json_file exported to $sarif_output_dir/$sarif_file_name (errors ignored)"
+            done
+          '