diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 190da2966..95401f0d7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,7 @@ jobs: responders_matrix: ${{ steps.set-matrix.outputs.responders_matrix }} steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 @@ -101,12 +101,12 @@ jobs: matrix: ${{ fromJson(needs.generate-matrix.outputs.analyzers_matrix_a) }} steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: GHCR Login - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -280,16 +280,16 @@ jobs: # Only install QEMU when we actually build AND arm64 is targeted - name: Set up QEMU if: steps.check-rebuild.outputs.rebuild == 'true' && contains(env.PLATFORMS, 'linux/arm64') - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 # Buildx is only needed when we build (and for imagetools) - name: Set up Docker Buildx if: steps.check-rebuild.outputs.rebuild == 'true' - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Build and push multi-arch image to GHCR if: steps.check-rebuild.outputs.rebuild == 'true' - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: analyzers/${{ matrix.directory }} file: ./analyzers/${{ matrix.directory }}/Dockerfile 
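Review bot: Pinning to a commit SHA is the right move, but every `actions/checkout` step in this diff (here in generate-matrix and again in the build, catalog and docs jobs) still leaves the default `persist-credentials: true`, which writes the job's `GITHUB_TOKEN` into `.git/config` where any later step or pulled-in action can read it; none of the visible steps push with git, so add `persist-credentials: false` under the existing `with:` next to `fetch-depth: 0` unless a step outside these hunks needs the persisted token. The pins also need an owner: the `# v6.0.2` trailer is informative only, so verify once that each SHA is the commit the release tag points at (e.g. `pinact run --check`, or comparing against the tag on the action's repo) and enable Dependabot's `github-actions` ecosystem so the SHA and its comment are bumped together rather than rotting.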
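Review bot: With the actions now pinned, the base images in the Dockerfile under `analyzers/${{ matrix.directory }}` become the least-verifiable input of the "Build and push multi-arch image to GHCR" step, and its `with:` block continues outside the hunk so I cannot see whether attestations are requested; if they are not, add `provenance: mode=max` and `sbom: true` so each pushed digest carries a BuildKit provenance and SBOM recording the resolved base-image digests and build inputs that the later Trivy scan is judging. The same applies to the identical steps in the analyzers_B and responders jobs further down.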
@@ -344,7 +344,7 @@ jobs: - name: Scan image for vulnerabilities (Trivy) if: steps.check-rebuild.outputs.rebuild == 'true' - uses: aquasecurity/trivy-action@0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: image-ref: ${{ steps.get-digest.outputs.IMAGE_DIGEST }} format: sarif @@ -358,7 +358,7 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab if: steps.check-rebuild.outputs.rebuild == 'true' - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: sarif_file: trivy.sarif category: trivy-${{ matrix.directory }} @@ -582,12 +582,12 @@ jobs: matrix: ${{ fromJson(needs.generate-matrix.outputs.analyzers_matrix_b) }} steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: GHCR Login - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }} 
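Review bot: The Trivy step scans `steps.get-digest.outputs.IMAGE_DIGEST`, a digest that appears to exist only after "Build and push multi-arch image to GHCR" has already pushed, so a CRITICAL finding is reported against an image that is already public in the registry instead of blocking it. The remaining inputs are outside the hunk; if `exit-code` is left at its default the step is report-only as well, so at minimum set `exit-code: '1'` with `severity: CRITICAL,HIGH` (and `ignore-unfixed: true` to keep noise down), and consider scanning the locally loaded image before the push, or pushing to a staging tag and retagging only after a clean scan. The same ordering is used in the analyzers_B and responders jobs.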
@@ -761,16 +761,16 @@ jobs: # Only install QEMU when we actually build AND arm64 is targeted - name: Set up QEMU if: steps.check-rebuild.outputs.rebuild == 'true' && contains(env.PLATFORMS, 'linux/arm64') - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 # Buildx is only needed when we build (and for imagetools) - name: Set up Docker Buildx if: steps.check-rebuild.outputs.rebuild == 'true' - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Build and push multi-arch image to GHCR if: steps.check-rebuild.outputs.rebuild == 'true' - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: analyzers/${{ matrix.directory }} file: ./analyzers/${{ matrix.directory }}/Dockerfile @@ -825,7 +825,7 @@ jobs: - name: Scan image for vulnerabilities (Trivy) if: steps.check-rebuild.outputs.rebuild == 'true' - uses: aquasecurity/trivy-action@0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: image-ref: ${{ steps.get-digest.outputs.IMAGE_DIGEST }} format: sarif @@ -839,7 +839,7 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab if: steps.check-rebuild.outputs.rebuild == 'true' - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: sarif_file: trivy.sarif category: trivy-${{ matrix.directory }} 
@@ -1063,12 +1063,12 @@ jobs: matrix: ${{ fromJson(needs.generate-matrix.outputs.responders_matrix) }} steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: fetch-depth: 0 - name: GHCR Login - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -1242,16 +1242,16 @@ jobs: # Only install QEMU when we actually build AND arm64 is targeted - name: Set up QEMU if: steps.check-rebuild.outputs.rebuild == 'true' && contains(env.PLATFORMS, 'linux/arm64') - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 # Buildx is only needed when we build (and for imagetools) - name: Set up Docker Buildx if: steps.check-rebuild.outputs.rebuild == 'true' - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 - name: Build and push multi-arch image to GHCR if: steps.check-rebuild.outputs.rebuild == 'true' - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 with: context: responders/${{ matrix.directory }} file: ./responders/${{ matrix.directory }}/Dockerfile @@ -1306,7 +1306,7 @@ jobs: - name: Scan image for vulnerabilities (Trivy) if: steps.check-rebuild.outputs.rebuild == 'true' - uses: aquasecurity/trivy-action@0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 with: image-ref: ${{ steps.get-digest-responder.outputs.IMAGE_DIGEST }} format: sarif 
@@ -1320,7 +1320,7 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab if: steps.check-rebuild.outputs.rebuild == 'true' - uses: github/codeql-action/upload-sarif@v4 + uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1 with: sarif_file: trivy.sarif category: trivy-${{ matrix.directory }} @@ -1543,7 +1543,7 @@ jobs: if: always() steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set lowercase repository owner run: | owner="${{ github.repository_owner }}" @@ -1570,7 +1570,7 @@ jobs: run: zip -r ../analyzers/report-templates.zip * working-directory: thehive-templates - name: Save Artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: catalog path: | @@ -1582,7 +1582,7 @@ jobs: responders/responders-devel.json responders/responders-stable.json - name: Make Release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 if: startsWith(github.ref, 'refs/tags/') with: generate_release_notes: true @@ -1601,13 +1601,13 @@ jobs: needs: [ build_analyzers_A, build_analyzers_B, build_responders ] if: startsWith(github.ref, 'refs/tags/') && always() steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Prepare documentation files uses: docker://thehiveproject/doc-builder with: args: --type Cortex-Neurons - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.x" architecture: x64 
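Review bot: The docs job still runs `uses: docker://thehiveproject/doc-builder` with neither a tag nor a digest, so while every GitHub action in this commit is now SHA-pinned this step keeps pulling a mutable `:latest` from Docker Hub and executing it against the fresh checkout — the one remaining unpinned third-party code path in the file. Pin it the same way, `uses: docker://thehiveproject/doc-builder@sha256:<digest>`, taking the digest from `docker buildx imagetools inspect thehiveproject/doc-builder` (or the registry UI) and recording the tag in a trailing `# <tag>` comment so an updater can bump it alongside the action pins.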
@@ -1627,12 +1627,65 @@ jobs: runs-on: ubuntu-latest if: true steps: + - name: Determine overall status + id: status + run: | + results=("${{ needs.build_analyzers_A.result }}" "${{ needs.build_analyzers_B.result }}" "${{ needs.build_responders.result }}" "${{ needs.build_catalog.result }}" "${{ needs.build_docs.result }}") + overall="success" + for r in "${results[@]}"; do + case "$r" in + failure) overall="failure"; break ;; + cancelled) [[ "$overall" != "failure" ]] && overall="cancelled" ;; + skipped) [[ "$overall" == "success" ]] && overall="skipped" ;; + esac + done + echo "result=$overall" >> $GITHUB_OUTPUT + case "$overall" in + success) echo "color=#36a64f" >> $GITHUB_OUTPUT ;; + failure) echo "color=#dc3545" >> $GITHUB_OUTPUT ;; + cancelled) echo "color=#ffc107" >> $GITHUB_OUTPUT ;; + *) echo "color=#808080" >> $GITHUB_OUTPUT ;; + esac + + - name: Sanitize commit message + id: commit + env: + RAW_MSG: ${{ github.event.head_commit.message }} + run: | + msg=$(printf '%s' "$RAW_MSG" | head -1 | cut -c1-100 | sed 's/[\"\\]/\\&/g') + echo "message=$msg" >> $GITHUB_OUTPUT + - name: Slack notification - uses: Gamesight/slack-workflow-status@master + uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1 with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }} - channel: "#ci-cortex" - name: Cortex Analyzers build - include_commit_message: true - include_jobs: true + webhook: ${{ secrets.SLACK_WEBHOOK_URL }} + webhook-type: incoming-webhook + payload: | + { + "channel": "#ci-cortex", + "username": "Cortex Analyzers build", + "attachments": [ + { + "color": "${{ steps.status.outputs.color }}", + "blocks": [ + { + "type": "section", + "text": { + "type": "mrkdwn", + "text": "*${{ github.workflow }}* — *${{ steps.status.outputs.result }}*\nBranch: `${{ github.ref_name }}` • Commit: `${{ steps.commit.outputs.message }}`\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ 
github.run_id }}|View run>" + } + }, + { + "type": "section", + "fields": [ + { "type": "mrkdwn", "text": "*Analyzers A:*\n${{ needs.build_analyzers_A.result }}" }, + { "type": "mrkdwn", "text": "*Analyzers B:*\n${{ needs.build_analyzers_B.result }}" }, + { "type": "mrkdwn", "text": "*Responders:*\n${{ needs.build_responders.result }}" }, + { "type": "mrkdwn", "text": "*Catalog:*\n${{ needs.build_catalog.result }}" }, + { "type": "mrkdwn", "text": "*Docs:*\n${{ needs.build_docs.result }}" } + ] + } + ] + } + ] + } diff --git a/.github/workflows/publish-catalogs.yml b/.github/workflows/publish-catalogs.yml index 554ee52f9..0e3f246e1 100644 --- a/.github/workflows/publish-catalogs.yml +++ b/.github/workflows/publish-catalogs.yml @@ -18,7 +18,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set lowercase repository owner run: | @@ -159,7 +159,7 @@ jobs: run: mv thehive-templates/report-templates.zip analyzers/ - name: Upload build artifacts - uses: actions/upload-artifact@v6 + uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: catalogs path: | @@ -225,13 +225,13 @@ jobs: - name: Download build artifacts if: steps.check.outputs.skip == 'false' - uses: actions/download-artifact@v7 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 with: name: catalogs - name: Configure AWS credentials (OIDC) if: steps.check.outputs.skip == 'false' - uses: aws-actions/configure-aws-credentials@v5 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 with: role-to-assume: ${{ steps.check.outputs.role_arn }} aws-region: ${{ env.AWS_REGION }}
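Review bot: The loop in "Determine overall status" downgrades `success` to `skipped` as soon as any single needed job is skipped, so on every non-tag push — where the docs job's tag-only `if:` (visible at @@ -1601) skips it — the notification reports *skipped* in grey even though every build passed; unless that is intended, make skipped neutral, e.g. `skipped) ;;  # tag-only jobs are skipped on branches; not a failure`, and report "skipped" only when all results are skipped. The job-level `if: true` kept on the old side also undermines the new failure/cancelled branches: without a status function GitHub applies an implicit `success()`, so this job does not run at all when a build job fails, and `if: ${{ !cancelled() }}` (or `always()`) is needed for the failure colour ever to be sent. The payload itself is assembled by `${{ }}` interpolation inside a JSON literal: the sed in "Sanitize commit message" escapes only `"` and `\`, leaves tabs and other control characters that JSON forbids, and `github.ref_name` gets no escaping at all although a branch name may legally contain `"`. Passing the untrusted message through `env:` as `RAW_MSG` is the right pattern; extend it by letting `jq --arg` do all JSON encoding and handing the file to the action via `payload-file-path` (present since v2 — confirm it is still accepted by v3.0.1).
```yaml
      - name: Build Slack payload
        id: payload
        env:
          RAW_MSG: ${{ github.event.head_commit.message }}
          REF_NAME: ${{ github.ref_name }}
          RESULT: ${{ steps.status.outputs.result }}
          COLOR: ${{ steps.status.outputs.color }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          msg=$(printf '%s\n' "$RAW_MSG" | head -n1 | cut -c1-100)
          jq -n --arg wf "$GITHUB_WORKFLOW" --arg result "$RESULT" --arg color "$COLOR" \
             --arg ref "$REF_NAME" --arg msg "$msg" --arg url "$RUN_URL" \
             '{channel: "#ci-cortex", username: "Cortex Analyzers build",
               attachments: [{color: $color, blocks: [{type: "section", text: {type: "mrkdwn",
                 text: "*\($wf)* — *\($result)*\nBranch: `\($ref)` • Commit: `\($msg)`\n<\($url)|View run>"}}]}]}' \
             > slack-payload.json
          # … unchanged: add the per-job result "fields" section the same way …
      - name: Slack notification
        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
        with:
          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          payload-file-path: slack-payload.json
```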