scan.yaml
157 lines (132 loc) · 6.12 KB
name: "[SecurityEngineer] Scan Repository"
description: Runs security scanners (Trivy, OSV-Scanner) to find vulnerabilities in Go, Java/Kotlin, JS/TS, and Python codebases, then creates or updates Linear issues for high-priority findings

triggers:
  - manual: {}

context:
  projects: {}

action:
  limits:
    maxParallel: 5
    maxTotal: 50

  steps:
    - task:
        command: |
          set -e
          # Install security scanners to user-writable location
          mkdir -p "$HOME/.local/bin"
          export PATH="$HOME/.local/bin:$PATH"

          echo "Installing Trivy..."
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b "$HOME/.local/bin"

          echo "Installing OSV-Scanner..."
          curl -sfL https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64 -o "$HOME/.local/bin/osv-scanner"
          chmod +x "$HOME/.local/bin/osv-scanner"

          # Verify installations
          "$HOME/.local/bin/trivy" --version
          "$HOME/.local/bin/osv-scanner" --version
          echo "Scanners installed successfully"

    - task:
        command: |
          set -e
          export PATH="$HOME/.local/bin:$PATH"

          # Run Trivy filesystem scan for vulnerabilities
          echo "Running Trivy vulnerability scan..."
          trivy fs --severity HIGH,CRITICAL --format json --output /tmp/trivy-results.json .

          # Run OSV-Scanner
          echo "Running OSV-Scanner..."
          osv-scanner --format json --output /tmp/osv-results.json -r . || true

          echo "Scans complete. Results saved to /tmp/"

    - agent:
        prompt: |
          Check this repository ({{repository_name}}) against open advisory issues.

          1. List advisory issues: team "Ona AI Security Engineer", label "advisory"
          2. For each advisory (skip if comment contains "Scanned: {{repository_name}}"):
             - Extract: advisory ID (CVE/GHSA/vendor), package, vulnerable versions
             - Check dependency files (go.mod, package.json, pom.xml, build.gradle)
             - Comment on advisory:
               ```
               Scanned: {{repository_name}}
               Status: AFFECTED / NOT AFFECTED
               Reason: [details]
               ```
             - If AFFECTED: write to /tmp/advisory-findings.json with advisory_issue_id, package, version, severity
          3. Ensure /tmp/advisory-findings.json exists (empty array if no findings)

    - agent:
        prompt: |
          Process vulnerability findings and create/update Linear issues.

          INPUTS:
          - /tmp/trivy-results.json, /tmp/osv-results.json (scanner results)
          - /tmp/advisory-findings.json (from previous step)

          FOR EACH HIGH/CRITICAL FINDING:
          1. Search Linear team "Ona AI Security Engineer" for existing issue (advisory ID + repository name)
          2. If exists: update description with current state, comment on changes
          3. If new: create issue with label ["finding"]
          4. For advisory-sourced findings: comment on advisory issue with link to finding

          ISSUE TITLE: "[Finding] <ID> - {{repository_name}}" (ID = CVE/GHSA/vendor or package name)

          ISSUE DESCRIPTION FORMAT:
          ```
          ## Vulnerability Details
          - **Repository:** {{repository_url}}
          - **Advisory ID:** CVE-XXXX-XXXXX / GHSA-XXXX / vendor ID (link if available)
          - **Severity:** HIGH or CRITICAL
          - **Affected Package:** package-name@version
          - **Source:** Trivy / OSV / Advisory
          - **Advisory Issue:** [link, if from advisory]

          ## Locations
          - path/to/file1.go:123
          - path/to/file2.java:456

          ## Remediation
          Upgrade to version X.Y.Z or later.

          ---
          Last scanned: YYYY-MM-DD
          ```

          When updating: replace outdated info, don't append. Always update "Last scanned" timestamp.

    - report:
        outputs:
          - key: high_count
            title: High Severity Count (Scanner)
            string: {}
            prompt: |
              Count the number of HIGH severity vulnerabilities found by Trivy/OSV scanners.
              Return ONLY the integer count, nothing else.

          - key: critical_count
            title: Critical Severity Count (Scanner)
            string: {}
            prompt: |
              Count the number of CRITICAL severity vulnerabilities found by Trivy/OSV scanners.
              Return ONLY the integer count, nothing else.

          - key: scanner_issues_created
            title: Scanner Issues Created
            string: {}
            prompt: |
              Count how many new Linear issues were created from scanner findings.
              Return ONLY the integer count, nothing else.

          - key: scanner_issues_updated
            title: Scanner Issues Updated
            string: {}
            prompt: |
              Count how many existing Linear issues were updated from scanner findings.
              Return ONLY the integer count, nothing else.

          - key: advisories_checked
            title: Advisories Checked
            string: {}
            prompt: |
              Count how many CVE advisory issues were checked against this repository.
              Return ONLY the integer count, nothing else.

          - key: advisories_affected
            title: Advisories Affecting This Repo
            string: {}
            prompt: |
              Count how many CVE advisories were found to affect this repository.
              Return ONLY the integer count, nothing else.

          - key: advisory_issues_created
            title: Finding Issues Created (from Advisories)
            string: {}
            prompt: |
              Count how many new finding issues were created from advisory matches.
              Return ONLY the integer count, nothing else.

          - key: advisory_ids
            title: All Advisory IDs Found
            string: {}
            prompt: |
              List all advisory IDs found (CVE, GHSA, or vendor IDs from scanners and advisory matches).
              Return ONLY a comma-separated list, or "none" if none found.
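The report step leaves the HIGH/CRITICAL counts and the advisory ID list to the agent's reading of /tmp/trivy-results.json and /tmp/osv-results.json. As an added example (not part of scan.yaml or the Ona project), the Python below derives those values deterministically from the two files, collapsing an advisory that both scanners report onto one ID via its CVE alias; the OSV-Scanner field names it reads are assumptions about that tool's JSON output, and the sample results are constructed.

```python
"""Deterministic summary of Trivy and OSV-Scanner JSON for the report step.
Added example, not part of scan.yaml. Trivy fields follow its JSON schema; the
OSV-Scanner fields (results[].packages[].vulnerabilities[] etc.) are assumptions."""
import json
from collections import Counter

# Constructed stand-ins for /tmp/trivy-results.json and /tmp/osv-results.json;
# IDs, package names and versions are placeholders, not real advisories.
TRIVY_SAMPLE = json.dumps({"Results": [{"Target": "go.mod", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example.com/lib",
     "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "example.com/other",
     "InstalledVersion": "2.0.0", "FixedVersion": "2.1.0", "Severity": "CRITICAL"}]}]})
OSV_SAMPLE = json.dumps({"results": [{"source": {"path": "package.json"}, "packages": [
    {"package": {"name": "example-pkg", "version": "0.1.0", "ecosystem": "npm"},
     "vulnerabilities": [
         {"id": "GHSA-xxxx-xxxx-xxxx", "aliases": ["CVE-0000-0001"],  # same bug Trivy saw
          "database_specific": {"severity": "HIGH"}},
         {"id": "GHSA-yyyy-yyyy-yyyy", "aliases": [],
          "database_specific": {"severity": "MODERATE"}}]}]}]})

RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "MODERATE": 2, "LOW": 1}

def trivy_findings(raw):
    """Yield (advisory_id, SEVERITY) pairs from Trivy JSON."""
    for result in json.loads(raw).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # key is null when a target is clean
            yield v["VulnerabilityID"], v.get("Severity", "UNKNOWN").upper()

def osv_findings(raw):
    """Yield (advisory_id, SEVERITY) pairs from OSV-Scanner JSON, preferring a
    CVE alias so a bug reported by both tools collapses onto one ID."""
    for result in json.loads(raw).get("results", []):
        for pkg in result.get("packages", []):
            for v in pkg.get("vulnerabilities", []):
                cve = next((a for a in v.get("aliases", []) if a.startswith("CVE-")), None)
                sev = (v.get("database_specific") or {}).get("severity", "UNKNOWN")
                yield cve or v["id"], sev.upper()

def summarise(trivy_raw, osv_raw):
    """Return the report-step integers plus the de-duplicated advisory ID list."""
    worst = {}  # advisory ID -> highest severity seen across both scanners
    for aid, sev in [*trivy_findings(trivy_raw), *osv_findings(osv_raw)]:
        if RANK.get(sev, 0) >= RANK.get(worst.get(aid, ""), -1):
            worst[aid] = sev
    by_sev = Counter(worst.values())
    return {"high_count": by_sev["HIGH"], "critical_count": by_sev["CRITICAL"],
            "advisory_ids": ",".join(sorted(worst)) if worst else "none"}

print(json.dumps(summarise(TRIVY_SAMPLE, OSV_SAMPLE), indent=2))
```

Pointing the two `*_SAMPLE` arguments at the real files written by the scan step gives numbers that do not depend on how the agent reads the JSON.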