feat(COD-6201): Docker approach of running the codesec GHA - unified scanning of both SCA and IaC#244
baltoiteodor wants to merge 4 commits into main from
Force-pushed b5a3559 to ffb930e
unified scanner docker image unified scanner docker image debug + erase macOS runner debug... debug testing clean add back the generateUILink clean added env-file to docker for iac added env-file to docker for iac code-scanning-path argument missed
Force-pushed 5ba91d4 to 57c7727
| env: | ||
| LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_CAT }} | ||
| LW_API_KEY: ${{ secrets.LW_API_KEY_CAT }} | ||
| LW_API_SECRET: ${{ secrets.LW_API_SECRET_CAT }} |
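Review bot: the `env:` block points all three credentials at the `*_CAT` secrets (`LW_ACCOUNT_CAT`, `LW_API_KEY_CAT`, `LW_API_SECRET_CAT`); if this was a temporary switch for testing, revert it before merge, and if it is intentional, confirm those secrets exist at the repository or organisation level, because a reference to a missing secret evaluates to an empty string and only surfaces later as an authentication failure inside the scan rather than as a clear configuration error.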
I think this can be reverted now that I fixed the SCA scan
| - macos-latest | ||
| - ubuntu-latest | ||
| runs-on: ${{ matrix.os }} | ||
| runs-on: ubuntu-latest |
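Review bot: replacing `runs-on: ${{ matrix.os }}` with `runs-on: ubuntu-latest` silently drops the macOS leg of the matrix; that is a CI coverage change independent of the scanner migration, so either keep it in a separate PR or state in the description that the Docker-based scanner needs a Linux runner (GitHub-hosted macOS runners do not provide a Docker daemon).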
This can be moved into a dedicated PR.
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v3 | ||
| - name: Set up Java |
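Review bot: the `Set up Java` step is removed here (the hunk ends at its `- name:` line); before dropping it, check whether any later step still needs a JDK, for example building the project so the SCA scanner can resolve dependencies, and if it really was only required by the CLI scanner, say so in the PR description.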
Why did you remove this?
That was needed for the CLI command to work I believe? The docker approach does not need it.
I think that this code is there for another reason. I will have a look at it
| import path from 'path' | ||
|
|
||
| const artifactPrefix = getInput('artifact-prefix') | ||
| const sarifReportPath = getInput('code-scanning-path') |
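Review bot: `artifact-prefix` and `code-scanning-path` are user-facing inputs, and `code-scanning-path` in particular is what lets users post-process or upload the SARIF report; if these `getInput` calls are only moving elsewhere, confirm the value is still forwarded to the scanner (the squashed commit list mentions a missed `code-scanning-path` argument) and that `action.yml` still documents both inputs with unchanged defaults.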
Why is this removed? This is useful for the end user when they want to post-process the SARIF report, e.g. if they want to upload it to the GitHub Advanced Security UI.
Both should still be there: https://github.com/lacework/code-security-action/pull/244/changes#diff-a2a171449d862fe29692ce031981047d7ab755ae7f84c707aef80701b3ea0c80R61, https://github.com/lacework/code-security-action/pull/244/changes#diff-a2a171449d862fe29692ce031981047d7ab755ae7f84c707aef80701b3ea0c80R42.
Is there any functionality removed?
src/index.ts (Outdated)
|
|
||
| const uploadStart = Date.now() | ||
| // Upload IAC JSON from the returned results path | ||
| const iacJsonFile = path.join(resultsPath, 'iac', `iac-${targetScan}.json`) |
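Review bot: `path.join(resultsPath, 'iac', ...)` interpolates `targetScan` into the file name with no validation; if `targetScan` can carry a branch name or any other externally supplied string, a `/` or `..` inside it changes which directory the joined path resolves to, so constrain it to a safe character set (or verify the resolved path stays under `resultsPath`) and check that the file exists before the upload starts, so a missing IaC result fails with a clear message instead of an upload error.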
Maybe, the first version should do SCA only but use Docker for the scans and we make sure the functionalities are preserved. We can then add IaC in another PR.
src/index.ts (Outdated)
| } | ||
| if (debug()) { | ||
| args.push('--debug') | ||
| const resultsPath = await codesecRun('scan', true, true, targetScan) |
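Review bot: `codesecRun('scan', true, true, targetScan)` passes two adjacent boolean positionals, so the call site does not say which flag enables IaC and which enables SCA, and the two are easy to transpose; name them in local constants or pass an options object, and note that the PR description says IaC is disabled in this first version, which the literal `true, true` does not reflect.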
| const resultsPath = await codesecRun('scan', true, true, targetScan) | |
| const shouldRunSca = true | |
| // TODO(...): set to true | |
| const shouldRunIaC = false | |
| const resultsPath = await codesecRun('scan', shouldRunIaC, shouldRunSca, targetScan) |
disable iac scanning for now
| matrix: | ||
| os: | ||
| - macos-latest | ||
| - ubuntu-latest |
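Review bot: this `matrix:`/`os:` block still appears here while an earlier hunk replaces `runs-on: ${{ matrix.os }}` with `runs-on: ubuntu-latest`; rebase on the current `main` so the diff shows one consistent state of the matrix and the reviewer can tell which change is intended.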
Are these changes based on the latest version of main?
they were not, they are now
… into COD-6201-unified
Linked JIRA issue(s) - Required
https://lacework.atlassian.net/browse/COD-6201
Description
NOTE: At the moment, we launch this with IaC disabled so as to make sure we have 1:1 scanning parity for SCA first.
Migrated the GitHub Action from Lacework CLI-based scanner to a Docker-based unified scanner (lacework/codesec:latest).
Changes:
Potential breaking changes:
Tests and additional notes
Integration tests:
Testing Action on WebGoat, using lacework UEDEMO prod credentials:
PR workflow:
Scenario 1 - Only SCA originated violations: https://github.com/lacework-dev/WebGoat/pull/173
Scenario 2 - Only IaC originated violations: https://github.com/lacework-dev/WebGoat/pull/174
Scenario 3 - Combined violations: https://github.com/lacework-dev/WebGoat/pull/172
Push workflow:
Lacework UI IaC results are under "pipelines" - webgoat repo: https://uedemo.lacework.net/ui/investigation/codesec/iac/assessments/5c2840e6-a3d5-477e-ab34-01799724db40
SCA results are not in the UI, as the scan is not done on the main branch.
Notes: