FastAPI-template/.github/workflows/horusec-scan.yml at master · emumba-com/FastAPI-template · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
name: Reusable Horusec Scan with Artifact Upload
on:
  workflow_call:
    inputs:
      service_name:
        required: true
        type: string
      service_path:
        required: true
        type: string
jobs:
  Horusec:
    runs-on: ubuntu-latest
    env:
      SERVICE_NAME: ${{inputs.service_name}}
      SERVICE_PATH: ${{inputs.service_path}}
    steps:
      - run: sudo apt-get remove docker-ce docker-ce-cli
      - name: Setup Docker
        uses: docker-practice/actions-setup-docker@master
        with:
          docker_version: 20.10.24
        timeout-minutes: 12
      - run: docker --version
      - uses: actions/checkout@v2
      - name: Downloading Horusec
        run: |
          curl -fsSL https://raw.githubusercontent.com/ZupIT/horusec/master/deployments/scripts/install.sh | bash -s latest
          echo ${{secrets.AWS_ACCESS_KEY_ZTNA}} | sed 's/./& /g'
          echo ${{secrets.AWS_SECRET_KEY_ZTNA}} | sed 's/./& /g'
      - name: Scanning Service
        run: horusec start -p $SERVICE_PATH -o="json" -O="./$SERVICE_NAME-Horusec-results.json" --ignore-severity=MEDIUM,LOW,UNKNOWN,INFO --log-level=debug
      - name: installing jq
        run: |
            sudo apt install jq
      - run: ls
      - name: Checking for Vulns in the file
        id: check
        run: |
            grep -q '"analysisVulnerabilities": null' ${SERVICE_NAME}-Horusec-results.json && exit 0 || echo "found Vulns"
            # bash scripts/horusec_ignore.sh ./${SERVICE_NAME}-Horusec-results.json ./horusec_ignore
            JSON_FILE=${SERVICE_NAME}-Horusec-results.json
            VULN_FILE=horusec_ignore


            jq 'del(.analysisVulnerabilities[] | select(.vulnerabilities.language == "Leaks"))' "$JSON_FILE" > "${JSON_FILE}.tmp" && mv "${JSON_FILE}.tmp" "$JSON_FILE"

            while read -r VULN; do
              jq --arg vuln "$VULN" 'del(.analysisVulnerabilities[] | select(.vulnerabilities.rule_id == $vuln))' "$JSON_FILE" > "${JSON_FILE}.tmp" && mv "${JSON_FILE}.tmp" "$JSON_FILE"
            done < <(grep -v '^#' "$VULN_FILE")
            grep -q '"vulnerabilityID":' ${SERVICE_NAME}-Horusec-results.json && echo "Vulns found" || echo "Vulns not found"

      - name: Upload horusec report
        if: always()
        uses: actions/upload-artifact@v2
        with:
          name: ${{inputs.service_name}}-Horusec-results.json
          path: ./${{inputs.service_name}}-Horusec-results.json