diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 1b2182d..8273814 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -82,55 +82,3 @@ jobs:
 --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
 --certificate-identity-regexp="github.com/Pyronewbic/casecomp" \
 "${{ env.IMAGE }}@${{ steps.digest.outputs.digest }}" || true
-
- scan:
- needs: deploy
- runs-on: ubuntu-latest
- steps:
- - uses: google-github-actions/auth@v3
- with:
- workload_identity_provider: projects/129850122606/locations/global/workloadIdentityPools/github-pool/providers/github-provider
- service_account: casecomp-deploy@casecomp-495718.iam.gserviceaccount.com
-
- - uses: google-github-actions/setup-gcloud@v3
-
- - name: Pull image
- run: |
- gcloud auth configure-docker --quiet
- docker pull "${{ env.IMAGE }}@${{ needs.deploy.outputs.digest }}"
-
- - name: Generate SBOM (Syft)
- uses: anchore/sbom-action@v0
- with:
- image: "${{ env.IMAGE }}@${{ needs.deploy.outputs.digest }}"
- format: spdx-json
- output-file: sbom.spdx.json
-
- - name: Vulnerability scan (Grype)
- uses: anchore/scan-action@v6
- id: grype
- with:
- sbom: sbom.spdx.json
- fail-build: false
- severity-cutoff: critical
-
- - name: Upload SBOM
- uses: actions/upload-artifact@v4
- with:
- name: sbom-${{ github.sha }}
- path: sbom.spdx.json
- retention-days: 90
-
- - name: Upload Grype report
- if: always()
- uses: actions/upload-artifact@v4
- with:
- name: grype-report-${{ github.sha }}
- path: ${{ steps.grype.outputs.sarif }}
- retention-days: 90
-
- - name: Upload SARIF to GitHub Security
- if: always() && steps.grype.outputs.sarif != ''
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: ${{ steps.grype.outputs.sarif }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index af180c6..ca9f81a 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml 
@@ -5,6 +5,10 @@ on: pull_request: branches: [main] +permissions: + contents: read + security-events: write + jobs: unit: runs-on: ubuntu-latest @@ -41,3 +45,37 @@ jobs: run: npx playwright install-deps chromium - run: node test/smoke-test.js + scan: + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v5 + + - name: Generate SBOM (Syft) + uses: anchore/sbom-action@v0 + with: + path: . + format: spdx-json + output-file: sbom.spdx.json + + - name: Vulnerability scan (Grype) + uses: anchore/scan-action@v6 + id: grype + with: + sbom: sbom.spdx.json + fail-build: false + severity-cutoff: critical + + - name: Upload SBOM + uses: actions/upload-artifact@v4 + with: + name: sbom-${{ github.sha }} + path: sbom.spdx.json + retention-days: 90 + + - name: Upload SARIF to GitHub Security + if: always() && steps.grype.outputs.sarif != '' + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.grype.outputs.sarif }} + category: grype diff --git a/terraform/main.tf b/terraform/main.tf index d916248..e7971e8 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -56,7 +56,7 @@ resource "google_binary_authorization_policy" "default" { default_admission_rule { evaluation_mode = "ALWAYS_ALLOW" - enforcement_mode = "DRYRUN_AUDIT_LOG_ONLY" + enforcement_mode = "ENFORCED_BLOCK_AND_AUDIT_LOG" } depends_on = [google_project_service.binaryauthorization] @@ -164,6 +164,10 @@ resource "google_cloud_run_v2_service" "api" { use_default = true } + lifecycle { + ignore_changes = [template[0].containers[0].image, client, client_version] + } + depends_on = [ google_project_service.run, google_secret_manager_secret_iam_member.cloud_run_access, @@ -254,6 +258,10 @@ resource "google_cloud_run_v2_service" "site" { use_default = true } + lifecycle { + ignore_changes = [template[0].containers[0].image, client, client_version] + } + depends_on = [ google_project_service.run, google_binary_authorization_policy.default,
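Review bot: The top-level `permissions:` block gives every job in test.yml `security-events: write`, although only the new `scan` job uploads SARIF; `unit` and the other jobs need no more than `contents: read`. Keep the workflow block at `contents: read` and put `permissions:` / `  contents: read` / `  security-events: write` on the `scan` job itself so the token stays least-privileged per job. On `pull_request` runs from forks the GITHUB_TOKEN is read-only regardless of this block, so the upload-sarif step would presumably fail there; that is worth a comment next to the job's `if:` if fork PRs are expected. The rest of the `on:` block is outside the hunk.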
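Review bot: With `path: .` the SBOM covers only the dependencies declared in the checkout, so Grype never sees the base image and OS packages of the container that deploy.yml builds — the image-level scan this commit deletes from deploy.yml is not replaced, and with `fail-build: false` the new job cannot block anything either. If the intent is to scan earlier, the container scan should still run against the pushed digest, or the gap should be stated explicitly, e.g. `# Source-only scan: base-image/OS package findings are not covered here` above `path: .`. Every `uses:` in the job resolves a mutable tag (`@v5`, `@v0`, `@v6`, `@v4`, `@v3`); pinning to commit SHAs is the usual supply-chain hardening, though the repo's other workflow uses tags too. The job runs only on `pull_request`, so unless a push trigger exists outside the hunk nothing records a baseline for `main` in the Security tab.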
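Review bot: Switching `enforcement_mode` to `ENFORCED_BLOCK_AND_AUDIT_LOG` while `default_admission_rule` keeps `evaluation_mode = "ALWAYS_ALLOW"` enforces a rule that admits every image, so no deployment is blocked by this change — it only makes the setting look stricter than it is. For the policy to gate Cloud Run on the signed digest that deploy.yml verifies, the rule needs `evaluation_mode = "REQUIRE_ATTESTATION"` together with `require_attestations_by = [<attestor resource name>]`, or a comment stating that ALWAYS_ALLOW is intentional and attestation is enforced elsewhere. Any cluster- or platform-specific rules on this resource that might narrow the default rule are outside the hunk, so this reading covers the default rule only.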
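Review bot: `ignore_changes = [template[0].containers[0].image, ...]` makes Terraform stop reconciling which image the `api` service runs, so after the first apply the running image is whatever the CI deploy last set and the image value in this file becomes documentation only — editing it later is silently ignored. That is probably the intent (CI owns rollouts), but it deserves a comment above the block, e.g. `# Image rollouts are done by deploy.yml; Terraform sets the initial image only` and `# and never reverts drift on it — the Binary Authorization policy decides what may run`. The same block is added to the `site` service in the `@@ -254` hunk and needs the same comment. Both `google_cloud_run_v2_service` resources begin outside their hunks.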