FilesExpand file tree

 main

/

scb-bot.yaml

Copy path

View Runs

BlameMore file actions

BlameMore file actions

Latest commit

 

History

History

History

205 lines (173 loc) · 9.17 KB

 main

/

scb-bot.yaml

Top

File metadata and controls

• Code
• Blame

205 lines (173 loc) · 9.17 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

# SPDX-FileCopyrightText: the secureCodeBox authors

#

# SPDX-License-Identifier: Apache-2.0

# This is a Github Action workflow that runs daily at 9:15 AM UTC Time.

# It checks if any of the scanners listed in the matrix section are outdated.

# If a scanner is outdated, it checks if a pull request to upgrade that scanner already exists.

# If it does not, it creates a new pull request with a title that includes the current and new versions of the scanner.

# It also includes the changelog for the new version of the scanner in the body of the pull request.

# This workflow uses a number of third-party actions to accomplish these tasks,

# including mikefarah/yq to fetch local and remote versions of the scanners,

# crazy-max/ghaction-import-gpg to import a GPG key, and jq to parse the JSON output of the scanner version API.

# The CI runs on ubuntu-24.04; More info about the installed software is found here:

# https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2204-Readme.md

name: Check outdated scanners

on:

schedule:

- cron: "15 9 * * *" # Daily at 9:15 (avoids the beginning of the hour congestion)

permissions:

contents: write

pull-requests: write

jobs:

version-compare:

runs-on: ubuntu-24.04

if: github.repository == 'secureCodeBox/secureCodeBox'

strategy:

# Keep running other jobs even if one fails

fail-fast: false

matrix:

scanner:

- ffuf

- gitleaks

- kube-hunter

- ncrack

- nuclei

- semgrep

- ssh-audit

- sslyze

- subfinder

- trivy

- trivy-sbom

- whatweb

- wpscan

- zap-automation-framework

# missing scanners are : nmap, nikto

steps:

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Import GPG key

uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0

with:

gpg_private_key: ${{ secrets.GPG_COMMITS_PRIVATE_KEY }}

passphrase: ${{ secrets.GPG_COMMITS_PASSPHRASE }}

git_user_signingkey: true

git_commit_gpgsign: true

# Fetching scanner version from local chart .appVersion attribute

# this would look like 1.1.1 or v1.1.1 depending on the corresponding Docker image tag

- name: Fetch local scanner version

uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4

with:

cmd: echo local=$(yq e .appVersion scanners/${{ matrix.scanner }}/Chart.yaml) >> $GITHUB_ENV

# Fetching scanner version API from local chart .annotations.versionApi attribute

# This would look like https://api.github.com/repos/projectdiscovery/nuclei/releases/latest

- name: Fetch scanner's version API

uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4

with:

cmd: echo versionApi=$(yq e .annotations.versionApi scanners/${{ matrix.scanner }}/Chart.yaml) >> $GITHUB_ENV

# Fetching scanner version from remote API and making sure it's in the same format as the local version

- name: Fetch latest release scanner version

run: |

# Set the -e and -o pipefail options to cause the script to exit immediately

# if any command returns a non-zero exit status

set -e

set -o pipefail

local=${{env.local}}

release=$(curl -sL ${{env.versionApi}} | jq -er ".tag_name" )

upgrade=$release

# Check the exit status of the curl and jq command

if [[ $? -ne 0 ]] ; then

echo "Error: Failed to download release version"

exit 1

fi

# We check if the first characters of local and release are different i.e whether it's "v1.0.0" or "1.0.0"

# This is to make sure that we don't compare "v1.0.0" to "1.0.0" which would result in an upgrade

# And also we want to keep the version format the same in the helm chart so that it will still correspond the the docker image tag.

# Therefore We make sure to add or remove the "v" character when necessary

if [[ ${local:0:1} != ${release:0:1} ]] ; then

# Check if the first character of local is "v"

# In this case docker/local format is "v1.0.0" and github format is "1.0.1"

# We want the upgrade to be "v1.0.1"

if [[ ${local:0:1} == "v" ]] ; then

# set upgrade to "v" followed by the value of release.

upgrade=v${release};

# Check if the first character of release is "v"

# in this case docker/local format is "1.0.0" and github format is "v1.0.1"

# We want the upgrade to be "1.0.1"

elif [[ ${release:0:1} == "v" ]] ; then

# set upgrade to the value of release without the "v" character

upgrade=$(echo $release| tr -d "v")

fi

fi

# Save how the latest release version looks in github releases to an environment variable

echo releaseGithub=$release >> $GITHUB_ENV

# Save how the latest release version looks in docker images to an environment variable

echo release=$upgrade >> $GITHUB_ENV

# Output bash exit code

echo exitCode=$?

- name: Check if scanner is outdated and if PR already exists

if: ${{ env.release != env.local && env.release != null }}

run: |

echo 'The ${{ matrix.scanner }} scanner is outdated. Current SCB version is ${{env.local}} and remote version is ${{env.release}}'

pullRequestTitle="[SCB-Bot] Upgraded ${{ matrix.scanner }} from ${{env.local}} to ${{env.release}}"

echo pullRequest=$pullRequestTitle >> $GITHUB_ENV

echo ${{ secrets.GITHUB_TOKEN }} | gh auth login --with-token

echo prExists=$(gh pr list --state all --limit 100 | grep -F "$pullRequestTitle" -c) >> $GITHUB_ENV

- name: Fetch new release changelog

if: ${{ env.release != env.local && env.release != null }}

# Reformats the versionApi to have an HTML view of the release changelog

# sed command is divided into three parts s/api.//g; , s/\/repos//g; and s/latest//g

# "api." and "/repos" and "latest" are replaced with nothing (a.k.a removed)

# example: https://api.github.com/repos/projectdiscovery/nuclei/releases/latest --> https://github.com/projectdiscovery/nuclei/releases/

# the next command then appends the link with the new release version as it is in Github.

run: |

changelog=$(echo ${{env.versionApi}} | sed -e 's/api.//g;s/\/repos//g;s/latest//g')

echo releaseChangelog=${changelog}${{env.releaseGithub}} >> $GITHUB_ENV

- name: Upgrade Scanner Helm Chart

if: ${{ env.release != env.local && env.prExists == 0 && env.release != null}}

uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4

with:

# appVersion value in chart is replaced with release value. Empty lines are deleted in the process

cmd: yq e --inplace '.appVersion = "${{env.release}}"' ./scanners/${{ matrix.scanner }}/Chart.yaml

# Updating Helm Docs

- name: Download Helm Docs

run: |

mkdir helm-docs

cd helm-docs

curl --output helm-docs.tar.gz --location https://github.com/norwoodj/helm-docs/releases/download/v1.6.0/helm-docs_1.6.0_Linux_x86_64.tar.gz

# Checksum must be extracted from the checksum file every time helm-docs gets updated.

echo "286723d931c18581fc324985cb96e9cce639e521fa63b57ac04ebe9d497e60fb helm-docs.tar.gz" | shasum --check

tar -xvf helm-docs.tar.gz

# Verify installation

./helm-docs --version

sudo mv helm-docs /usr/local/bin/helm-docs

- name: Generate README

run: make readme

- name: Generate Demo Target Docs

run: make demo-target-docs

- name: Generate Hooks Docs

run: make hook-docs

- name: Generate Scanner Docs

run: make scanner-docs

- name: Generate Operator Docs

run: make operator-docs

- name: Generate AutoDiscovery Docs

run: make auto-discovery-docs

- name: Remove Helm Docs Files

run: |

# Remove helm-docs download to ensure they don't get committed back

rm -rf helm-docs

- name: Create Pull Request

if: ${{ env.release != env.local && env.prExists == 0 && env.release != null }}

uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0

with:

token: ${{ secrets.SCB_BOT_USER_TOKEN }}

committer: secureCodeBoxBot <securecodebox@iteratec.com>

author: secureCodeBoxBot <securecodebox@iteratec.com>

title: ${{ env.pullRequest }}

body: |

This is an automated Pull Request by the SCB-Bot. It upgrades ${{ matrix.scanner }} from ${{env.local}} to ${{env.release}}

### Release changes : [here](${{env.releaseChangelog}})

branch: "dependencies/upgrading-${{ matrix.scanner }}-to-${{env.release}}"

labels: scanner

commit-message: "Upgrading ${{ matrix.scanner }} from ${{env.local}} to ${{env.release}}"

signoff: true

base: main