onaio · bonfaceshisakha · Jul 28, 2022 · Sep 29, 2022 · Nov 4, 2022
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,37 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    # Look for `package.json` and `lock` files in the `root` directory
+    directory: "/"
+    # Check the npm registry for updates every day (weekdays)
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+    # Raise all npm pull requests with custom labels
+    labels:
+      - "npm dependencies"
+    commit-message:
+      prefix: requirements
+    reviewers:
+      - "ukanga"
+      - "bennsimon"
+      - "machariamuguku"
+      - "p-netm"
+
+  - package-ecosystem: docker
+    # Look for `Dockerfile` files in the `root` directory
+    directory: "/"
+    # Check the npm registry for updates every day (weekdays)
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 10
+    # Raise all npm pull requests with custom labels
+    labels:
+      - "npm dependencies"
+    commit-message:
+      prefix: requirements
+    reviewers:
+      - "ukanga"
+      - "bennsimon"
+      - "machariamuguku"
+      - "p-netm"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -0,0 +1,79 @@
+
+name: "CodeQL Repository scan"
+
+on:
+  push:
+    branches:
+      - master
+      - v2*
+  pull_request:
+  schedule:
+    - cron: '0 3 * * 1,3'     # CodeQL Scan every Monday and Wednesday at 3 AM UTC
+  # wokflow_dispatch option enables for manual scanning
+  workflow_dispatch:
+
+
+jobs:
+  analyze:
+    name: Analyze 
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+
+
+    steps:
+    - name: Cancel previous workflow runs
+      uses: styfle/[email protected]
+      with:
+        access_token: ${{ github.token }} 
+
+    - name: Checkout repository
+      uses: actions/checkout@v3
+      with:
+       submodules: recursive
+
+    - name: Set up JDK 11
+      uses: actions/setup-java@v1
+      with:
+        java-version: 11
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        queries: security-and-quality
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+
+        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+        # queries: security-extended,security-and-quality
+
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    - name: Autobuild Java Code
+      run:  |
+        mvn clean install -DskipTests
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
+    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+    # - run: |
+    #   echo "Run, Build Application using script"
+    #   ./location_of_script_within_repo/buildscript.sh
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -8,6 +8,7 @@ on:
     # See also https://github.com/crazy-max/ghaction-docker-meta#basic
     branches:
       - master
+      - Trivy-CI-scan
 
     # Publish `v1.2.3` tags as releases.
     tags:
@@ -103,3 +104,77 @@ jobs:
 
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}
+
+      - name: Run Trivy vulnerability scanner - JSON
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ steps.docker_meta.outputs.tags }}
+          format: json
+          output: 'trivy-opensrp-web-results.json'
+
+      - name: Run Trivy vulnerability scanner - SARIF
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ steps.docker_meta.outputs.tags }}
+          format: sarif
+          severity: 'CRITICAL, HIGH'
+          output: 'trivy-opensrp-web-results.sarif'
+
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-opensrp-web-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Create summary of trivy issues
+        run: |
+          summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+          if [ -z $summary ]
+          then
+            summary="0 Issues"
+          fi
+          echo "SUMMARY=$summary" >> $GITHUB_ENV
+
+      - name: Generate trivy HTML report for download
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ steps.docker_meta.outputs.tags }}
+          format: 'template'
+          template: '@/contrib/html.tpl'
+          output: 'trivy-results-opensrp-web-report.html'
+
+      - name: Upload Trivy results as an artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: "trivy-results-opensrp-web-report.html"
+          path: './trivy-results-opensrp-web-report.html'
+          retention-days: 30
+
+      # - name: Send Slack Notification
+      #   uses: slackapi/[email protected]
+      #   with:
+      #     payload: |
+      #       {
+      #         "text": "Trivy scan results for ${{ steps.docker_meta.outputs.tags }}",
+      #         "blocks": [
+      #           {
+      #             "type": "section",
+      #             "text": {
+      #               "type": "mrkdwn",
+      #               "text": "Trivy scan results: ${{ env.SUMMARY }}"
+      #             }
+      #           },
+      #           {
+      #             "type": "section",
+      #             "text": {
+      #               "type": "mrkdwn",
+      #               "text": "View result artifact: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}. Artifact is only valid for 30 days."
+      #             }
+      #           }
+      #         ]
+      #       }
+      #   env:
+      #     SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      #     SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+
diff --git a/.github/workflows/trivy-repo-scan.yml b/.github/workflows/trivy-repo-scan.yml
@@ -0,0 +1,129 @@
+name: Trivy Security Scan on repository
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+  schedule:
+    - cron: '0 3 * * 1,3'   # CodeQL Scan every Monday and Wednesday at 3 AM UTC
+  # Below is for manual scanning
+  workflow_dispatch:
+
+env:
+  FULL_SUMMARY: ""
+  PATCH_SUMMARY: ""
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Cancel previous workflow runs
+        uses: styfle/[email protected]
+        with:
+          access_token: ${{ github.token }} 
+
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode - SARIF
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-repo-results.sarif'          
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-repo-results.sarif'
+
+      - name: Run Trivy vulnerability scanner in repo mode - JSON (Full)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'json'
+          output: 'trivy-repo-full-results.json'
+
+      - name: Create summary of trivy issues on Repository Full scan
+        run: |
+          summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-full-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+          if [ -z $summary ]
+          then
+            summary="No vulnerabilities found"
+          fi
+          echo "FULL_SUMMARY=$summary" >> $GITHUB_ENV
+
+      - name: Run Trivy vulnerability scanner in repo mode - JSON (with Patches)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'json'
+          output: 'trivy-repo-fixable-results.json'
+
+      - name: Create summary of trivy issues on Repository scan
+        run: |
+          summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-repo-fixable-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+          if [ -z $summary ]
+          then
+            summary="No issues or vulnerability fixes available"
+          fi
+          echo "PATCH_SUMMARY=$summary" >> $GITHUB_ENV
+
+      - name: Generate trivy HTML report on Repository for download
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'template'
+          template: '@/contrib/html.tpl'
+          output: 'trivy-repo-report.html'
+
+      - name: Upload Trivy results as an artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: "trivy-repo-report.html"
+          path: './trivy-repo-report.html'
+          retention-days: 30
+
+      - name: Send Slack Notification
+        uses: slackapi/[email protected]
+        with:
+          payload: |
+            {
+              "text": "Trivy scan results for ${{ github.repository }} repository",
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "TRIVY REPO SCAN RESULTS FOR ${{ github.repository }} REPOSITORY"
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "   Total Vulnerabilities: ${{ env.FULL_SUMMARY }}"
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "   Vulnerabilities with fixes: ${{ env.PATCH_SUMMARY }}"
+                  }
+                },
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": "   View HTML result artifact: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}. Artifact is only valid for 30 days."
+                  }
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK