diff --git a/.github/workflows/alarm-to-slack-checks.yml b/.github/workflows/alarm-to-slack-checks.yml
index 582e1e2b..b681839b 100644
--- a/.github/workflows/alarm-to-slack-checks.yml
+++ b/.github/workflows/alarm-to-slack-checks.yml
@@ -1,4 +1,4 @@
-name: python-checks (alarm-to-slack)
+name: code-checks (alarm-to-slack)
 description: Checks CDAP hosted alarm-to-slack function for python vulnerabilities and code quality.
 on:
@@ -8,11 +8,16 @@ on:
 - 'terraform/services/alarm-to-slack/lambda_src/**/*.py'
 - 'terraform/services/alarm-to-slack/lambda_src/**/requirements.txt'
 - 'terraform/modules/function/**'
+ - '.github/workflows/alarm-to-slack-checks.yml'
+ - '.github/workflows/checks-reusable.yml'
 jobs:
- python-checks:
- uses: ./.github/workflows/python-checks-reusable.yml
+ checks:
+ permissions:
+ id-token: write
+ contents: read
+ uses: ./.github/workflows/checks-reusable.yml
+ secrets: inherit
 with:
 source_path: terraform/services/alarm-to-slack/lambda_src
 sonar_project_key: cdap-alarm-to-slack
- sonar_project_name: "CDAP Alarm to Slack"
diff --git a/.github/workflows/aws-params-env-action-checks.yml b/.github/workflows/aws-params-env-action-checks.yml
new file mode 100644
index 00000000..45e7e15d
--- /dev/null
+++ b/.github/workflows/aws-params-env-action-checks.yml
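Review bot: `secrets: inherit` on the `checks` job hands every repository and organization secret to the called workflow, while the `on.workflow_call` block of checks-reusable.yml in this diff declares no `secrets:` at all, so nothing documents what the callee actually consumes. If the reusable workflow builds its role ARN from the same account-id secrets the deleted aws-params-env-action-sonarqube.yml used, declare them under `on.workflow_call.secrets` and pass them by name, e.g. `secrets:` / `PROD_ACCOUNT: ${{ secrets.PROD_ACCOUNT }}` / `NON_PROD_ACCOUNT: ${{ secrets.NON_PROD_ACCOUNT }}`, so the scope stays explicit and reviewable. Which secrets the reusable workflow reads is not visible here (its `Assume role to AWS` step body falls between that file's hunks), so confirm the list before narrowing. The same `secrets: inherit` is introduced in the new aws-params-env-action-checks.yml and in the second hunk of set-log-retention-checks.yml.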
@@ -0,0 +1,28 @@
+name: code-checks (aws-params-env-action)
+description: Leverages sonarqube to scan for quality issues and then gate the workflow success based on any issues.
+
+on:
+ workflow_dispatch:
+ pull_request:
+ paths:
+ - 'actions/aws-params-env-action/**'
+ - '!actions/aws-params-env-action/**.md'
+ - '.github/workflows/aws-params-env-action-checks.yml'
+ - '.github/workflows/checks-reusable.yml'
+
+jobs:
+ checks:
+ permissions:
+ contents: read
+ id-token: write
+ uses: ./.github/workflows/checks-reusable.yml
+ secrets: inherit
+ with:
+ source_path: actions/aws-params-env-action
+ node_version: '24'
+ sonar_project_key: cdap-aws-params-env-action
+ sonar_extra_args: >
+ -Dsonar.language=ts
+ -Dsonar.typescript.tsconfigPath=tsconfig.json
+ -Dsonar.tests=__tests__
+ -Dsonar.test.inclusions=**/*.test.ts
diff --git a/.github/workflows/aws-params-env-action-sonarqube.yml b/.github/workflows/aws-params-env-action-sonarqube.yml
deleted file mode 100644
index f5756eda..00000000
--- a/.github/workflows/aws-params-env-action-sonarqube.yml
+++ /dev/null
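Review bot: The weekly `schedule:` trigger (`cron: '31 7 * * 3'`) from the deleted aws-params-env-action-sonarqube.yml is not carried over, so this action is now scanned only when a pull request touches its paths or someone dispatches the workflow; rule updates or newly published findings against unchanged code on `main` go unnoticed until the next PR. If the periodic scan was intentional, add `schedule:` / `  - cron: '31 7 * * 3'` back under `on:` alongside `workflow_dispatch:` and `pull_request:`. If dropping it was deliberate, a one-line comment above `on:` saying so would stop the next reader from treating it as an oversight.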
@@ -1,63 +0,0 @@
-name: Sonarqube analysis for aws-params-env-action
-description: Leverages sonarqube to scan for quality issues and then gate the workflow success based on any issues.
-
-on:
- pull_request:
- paths:
- - 'actions/aws-params-env-action/**'
- - '!actions/aws-params-env-action/**.md'
- schedule:
- - cron: '31 7 * * 3'
- workflow_dispatch:
-
-permissions:
- contents: read
- id-token: write
-
-defaults:
- run:
- working-directory: actions/aws-params-env-action
-
-jobs:
- sonarqube:
- runs-on: codebuild-cdap-${{ github.ref_name =='main' && 'prod' || 'non-prod' }}-${{github.run_id}}-${{github.run_attempt}}
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.3.0
- with:
- fetch-depth: 0 # Sonarqube requirement
-
- - name: Assume role to AWS
- uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
- with:
- role-to-assume: arn:aws:iam::${{ github.ref_name =='main' && secrets.PROD_ACCOUNT || secrets.NON_PROD_ACCOUNT }}:role/delegatedadmin/developer/${{ github.ref_name =='main' && 'cdap-prod' || 'cdap-test' }}-github-actions
- aws-region: ${{ vars.AWS_REGION }}
-
- - name: Retrieve Sonarqube credentials
- uses: ./actions/aws-params-env-action
- env:
- AWS_REGION: ${{ vars.AWS_REGION }}
- with:
- params: |
- SONAR_HOST_URL=/sonarqube/url
- SONAR_TOKEN=/sonarqube/token
-
- - name: Setup node
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
- with:
- node-version: 24.x
-
- - name: Install dependencies
- run: npm ci
-
- - name: Run Sonarqube
- uses: sonarsource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0
- with:
- projectBaseDir: actions/aws-params-env-action
-
- - name: Quality Gate Check
- uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b #v1.2.0
- timeout-minutes: 5
- with:
- scanMetadataReportFile: actions/aws-params-env-action/.scannerwork/report-task.txt
diff --git a/.github/workflows/python-checks-reusable.yml b/.github/workflows/checks-reusable.yml
similarity index 52%
rename from .github/workflows/python-checks-reusable.yml
rename to .github/workflows/checks-reusable.yml
index 4f8b93d0..e297b598 100644
--- a/.github/workflows/python-checks-reusable.yml
+++ b/.github/workflows/checks-reusable.yml
@@ -1,29 +1,30 @@
-name: python-checks (reusable)
-description: Workflow that can be called to evaluate any script or folder containing python logic.
+name: code-checks (reusable)
+description: Workflow that can be called to evaluate any script or folder containing python logic. Used in tandem with built-in Snyk integration.
 on:
 workflow_call:
 inputs:
 source_path:
- description: 'Path to the Python source directory to scan'
+ description: 'Path to Python or JavaScript source directory (optional)'
 required: true
 type: string
- python_version:
- description: 'Python version to use'
+ node_version:
+ description: 'Node.js version (if source is JavaScript and requires npm install)'
 required: false
 type: string
- default: '3.14'
+ default: ''
 sonar_project_key:
 description: 'SonarQube project key'
 required: true
 type: string
- sonar_project_name:
- description: 'SonarQube project name'
- required: true
+ sonar_extra_args:
+ description: 'Additional sonar-scanner -D args (optional)'
+ required: false
 type: string
+ default: ''
 jobs:
- python-checks:
+ checks:
 permissions:
 contents: read
 id-token: write
@@ -35,12 +36,6 @@ jobs:
 with:
 fetch-depth: 0
- - name: Set up Python ${{ inputs.python_version }}
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
- with:
- python-version: ${{ inputs.python_version }}
- update-environment: true
-
 - name: Assume role to AWS
 uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v4.1.0
 with:
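Review bot: The `source_path` input is declared `required: true` while its new description reads `(optional)`, and the workflow `description:` still says it evaluates folders "containing python logic" although the inputs added in this hunk cover Node.js sources too. Make the text match the declarations: `description: 'Path to the Python or JavaScript source directory to scan'` with `required: true` as now (or drop `required` if optional is the intent), and reword the header to something like `Workflow that can be called to run SonarQube analysis on a Python or JavaScript/TypeScript source directory; dependency scanning relies on the built-in Snyk integration.` A caller reading the first hunk alone currently cannot tell which of the two statements is authoritative.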
@@ -53,41 +48,34 @@ jobs:
 AWS_REGION: ${{ vars.AWS_REGION }}
 with:
 params: |
- SNYK_TOKEN=/cdap/${{ github.ref_name == 'main' && 'prod' || 'test' }}/snyk/api_token
 SONAR_HOST_URL=/sonarqube/url
 SONAR_TOKEN=/sonarqube/token
- - name: Install Snyk CLI
- run: |
- curl -sSLo /usr/local/bin/snyk https://static.snyk.io/cli/latest/snyk-linux-arm64
- chmod +x /usr/local/bin/snyk
- snyk --version
-
- - name: Snyk Dependency Scan (snyk test)
- run: |
- REQ="${{ inputs.source_path }}/requirements.txt"
- if [ -f "$REQ" ]; then
- echo "[Snyk] Found requirements.txt — running dependency scan..."
- snyk test --file="$REQ"
- else
- echo "[Snyk] No requirements.txt found at $REQ — skipping dependency scan."
- fi
+ - name: Setup node for Sonarqube analysis of compiled typescript
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+ with:
+ node-version: ${{ inputs.node_version }}
- - name: Snyk Code Scan (snyk code test)
- continue-on-error: true
- run: snyk code test ${{ inputs.source_path }} --include="**/*.py"
+ - name: Install Node dependencies
+ if: inputs.node_version != ''
+ working-directory: ${{ inputs.source_path }}
+ run: npm ci
 - name: Run SonarQube Scan
+ if: inputs.source_path != '' && inputs.sonar_project_key != ''
 uses: SonarSource/sonarqube-scan-action@299e4b793aaa83bf2aba7c9c14bedbb485688ec4 # v7.1.0
 with:
+ projectBaseDir: ${{ inputs.source_path }}
 args: >
 -Dsonar.projectKey=${{ inputs.sonar_project_key }}
- -Dsonar.projectName=${{ inputs.sonar_project_name }}
- -Dsonar.sources=${{ inputs.source_path }}
- -Dsonar.language=py
- -Dsonar.python.version=${{ inputs.python_version }}
- -Dsonar.exclusions=**/__pycache__/**,**/*.pyc,**/.terraform/**
+ -Dsonar.projectName=${{ inputs.sonar_project_key }}
+ -Dsonar.sources=.
+ -Dsonar.ci.autoconfig.disabled=true
+ -Dsonar.exclusions=**/__pycache__/**,**/*.pyc,**/.terraform/**,**/node_modules/**,**/dist/**,**/lib/**
- - name: Quality Gate Check
+ - name: SonarQube Quality Gate Check
+ if: inputs.source_path != '' && inputs.sonar_project_key != ''
 uses: sonarsource/sonarqube-quality-gate-action@cf038b0e0cdecfa9e56c198bbb7d21d751d62c3b # v1.2.0
 timeout-minutes: 5
+ with:
+ scanMetadataReportFile: ${{ inputs.source_path }}/.scannerwork/report-task.txt
diff --git a/.github/workflows/set_log_retention_checks.yml b/.github/workflows/set-log-retention-checks.yml
similarity index 55%
rename from .github/workflows/set_log_retention_checks.yml
rename to .github/workflows/set-log-retention-checks.yml
index 2339c08b..30c1f3f3 100644
--- a/.github/workflows/set_log_retention_checks.yml
+++ b/.github/workflows/set-log-retention-checks.yml
@@ -1,4 +1,4 @@
-name: set-log-retention-checks (cloudwatch log retention)
+name: code-checks (set-log-retention-checks / cloudwatch log retention)
 description: Checks CDAP hosted check-log-retention for python vulnerabilities and code quality.
 on:
@@ -8,11 +8,16 @@ on:
 - 'scripts/set_log_retention/*.py'
 - 'scripts/set_log_retention/requirements.txt'
 - 'terraform/modules/function/**'
+ - '.github/workflows/set-log-retention-checks.yml'
+ - '.github/workflows/checks-reusable.yml'
 jobs:
- python-checks:
- uses: ./.github/workflows/python-checks-reusable.yml
+ checks:
+ permissions:
+ id-token: write
+ contents: read
+ uses: ./.github/workflows/checks-reusable.yml
+ secrets: inherit
 with:
 source_path: scripts/set_log_retention
 sonar_project_key: cdap-set-log-retention
- sonar_project_name: "CDAP Set Log Retention"
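Review bot: The new `sonar_extra_args` input is never placed into the scanner `args:` block of the `Run SonarQube Scan` step, so the TypeScript settings that aws-params-env-action-checks.yml passes (`-Dsonar.tests`, `-Dsonar.test.inclusions`, the tsconfig path) never reach the scan unless the value is consumed somewhere in the lines between this file's hunks; add `${{ inputs.sonar_extra_args }}` as the last line of the folded `args: >` scalar. The `Setup node for Sonarqube analysis of compiled typescript` step lacks the `if: inputs.node_version != ''` guard that its sibling `Install Node dependencies` step carries, so it runs with an empty `node-version` for the Python callers; give it the same guard. `npm ci` also runs after `Assume role to AWS` and after the `Retrieve Sonarqube credentials` params step, so any dependency lifecycle script executes with the assumed AWS role and, presumably, `SONAR_TOKEN` in its environment; moving the two Node steps ahead of the role assumption, or using `run: npm ci --ignore-scripts` where the analysis needs no build scripts, removes that exposure. Finally, the `if: inputs.source_path != '' && inputs.sonar_project_key != ''` guards are redundant while both inputs are `required: true`; keep them only if those inputs are meant to become optional.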