Merge pull request #88 from uselagoon/appsec-ci

Configure application security policy in CI

.github/dependabot.yaml

@@ -0,0 +1,46 @@
+version: 2
+updates:
+- package-ecosystem: github-actions
+  commit-message:
+    prefix: chore
+    include: scope
+  directory: /
+  schedule:
+    interval: monthly
+  groups:
+    github-actions:
+      patterns:
+      - "*"
+      update-types:
+      - "minor"
+      - "patch"
+- package-ecosystem: docker
+  commit-message:
+    prefix: chore
+    include: scope
+  directory: /
+  schedule:
+    interval: monthly
+  groups:
+    docker:
+      patterns:
+      - "*"
+      update-types:
+      - "minor"
+      - "patch"
+- package-ecosystem: bundler
+  commit-message:
+    prefix: chore
+    include: scope
+  directories:
+  - /logs-concentrator
+  - /logs-dispatcher
+  schedule:
+    interval: monthly
+  groups:
+    bundler:
+      patterns:
+      - "*"
+      update-types:
+      - "minor"
+      - "patch"

.github/dependency-review-config.yaml

@@ -0,0 +1,12 @@
+# https://github.com/cncf/foundation/blob/main/allowed-third-party-license-policy.md
+allow-licenses:
+- 'Apache-2.0'
+- 'BSD-2-Clause'
+- 'BSD-2-Clause-FreeBSD'
+- 'BSD-3-Clause'
+- 'ISC'
+- 'MIT'
+- 'PostgreSQL'
+- 'Python-2.0'
+- 'X11'
+- 'Zlib'

.github/workflows/athenapdf-service-image.yaml

@@ -20,6 +20,11 @@ on:
 
 jobs:
   docker:
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+      packages: write
     runs-on: ubuntu-latest
     steps:
       -
@@ -39,25 +44,25 @@ jobs:
         name: Create SERVICE_TAG variable
         id: service_tag_var
         run: |
-          RAW_TAG=$(echo $(git describe --abbrev=0 --tags --match 'athenapdf-service-*'))
+          RAW_TAG=$(git describe --abbrev=0 --tags --match 'athenapdf-service-*')
           SERVICE_TAG=${RAW_TAG#"athenapdf-service-"}
           echo "using athenapdf-service tag $SERVICE_TAG"
-          echo "SERVICE_TAG=$SERVICE_TAG" >> $GITHUB_ENV
+          echo "SERVICE_TAG=$SERVICE_TAG" >> "$GITHUB_ENV"
       -
         name: Set version for non-tag build
         if: "!startsWith(github.ref, 'refs/tags/athenapdf-service')"
         id: version_non-tag_build
         run: |
-          DOCKER_TAG=${{ env.SERVICE_TAG }}-$(git rev-parse --short=8 HEAD)
-          echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+          DOCKER_TAG="${{ env.SERVICE_TAG }}-$(git rev-parse --short=8 HEAD)"
+          echo "DOCKER_TAG=$DOCKER_TAG" >> "$GITHUB_ENV"
           echo "athenapdf-service version $DOCKER_TAG"
       -
         name: Set version for tag build
         if: "startsWith(github.ref, 'refs/tags/athenapdf-service')"
         id: version_tag_build
         run: |
           DOCKER_TAG=${{ env.SERVICE_TAG }}
-          echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+          echo "DOCKER_TAG=$DOCKER_TAG" >> "$GITHUB_ENV"
           echo "athenapdf-service version $DOCKER_TAG"
       -
         name: Docker meta
@@ -102,9 +107,35 @@ jobs:
       -
         name: Build and push
         uses: docker/build-push-action@v6
+        id: build-and-push
         with:
           context: athenapdf-service
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: Attest dockerhub image
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-digest: ${{steps.build-and-push.outputs.digest}}
+          subject-name: index.docker.io/${{ github.repository_owner }}/athenapdf-service
+          push-to-registry: true
+      - name: Attest ghcr image
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-digest: ${{steps.build-and-push.outputs.digest}}
+          subject-name: ghcr.io/${{ github.repository_owner }}/athenapdf-service
+          push-to-registry: true
+      - uses: anchore/sbom-action@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/athenapdf-service@${{steps.build-and-push.outputs.digest}}
+          output-file: sbom.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: |
+            sbom.spdx.json

.github/workflows/database-tools-image.yaml

@@ -7,18 +7,23 @@ on:
       - 'build-image'
     paths:
       - 'database-tools/**'
-      - '.github/workflows/database-tools.yaml'
+      - '.github/workflows/database-tools-image.yaml'
     tags:
       - 'database-tools-v*.*.*'
   pull_request:
     branches:
       - 'main'
     paths:
       - 'database-tools/**'
-      - '.github/workflows/database-tools.yaml'
+      - '.github/workflows/database-tools-image.yaml'
 
 jobs:
   docker:
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+      packages: write
     runs-on: ubuntu-latest
     steps:
       -
@@ -38,25 +43,25 @@ jobs:
         name: Create SERVICE_TAG variable
         id: service_tag_var
         run: |
-          RAW_TAG=$(echo $(git describe --abbrev=0 --tags --match 'database-tools-*'))
+          RAW_TAG=$(git describe --abbrev=0 --tags --match 'database-tools-*')
           SERVICE_TAG=${RAW_TAG#"database-tools-"}
           echo "using database-tools tag $SERVICE_TAG"
-          echo "SERVICE_TAG=$SERVICE_TAG" >> $GITHUB_ENV
+          echo "SERVICE_TAG=$SERVICE_TAG" >> "$GITHUB_ENV"
       -
         name: Set version for non-tag build
         if: "!startsWith(github.ref, 'refs/tags/database-tools')"
         id: version_non-tag_build
         run: |
-          DOCKER_TAG=${{ env.SERVICE_TAG }}-$(git rev-parse --short=8 HEAD)
-          echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+          DOCKER_TAG="${{ env.SERVICE_TAG }}-$(git rev-parse --short=8 HEAD)"
+          echo "DOCKER_TAG=$DOCKER_TAG" >> "$GITHUB_ENV"
           echo "database-tools version $DOCKER_TAG"
       -
         name: Set version for tag build
         if: "startsWith(github.ref, 'refs/tags/database-tools')"
         id: version_tag_build
         run: |
           DOCKER_TAG=${{ env.SERVICE_TAG }}
-          echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+          echo "DOCKER_TAG=$DOCKER_TAG" >> "$GITHUB_ENV"
           echo "database-tools version $DOCKER_TAG"
       -
         name: Docker meta
@@ -101,9 +106,35 @@ jobs:
       -
         name: Build and push
         uses: docker/build-push-action@v6
+        id: build-and-push
         with:
           context: database-tools
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: Attest dockerhub image
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-digest: ${{steps.build-and-push.outputs.digest}}
+          subject-name: index.docker.io/${{ github.repository_owner }}/database-tools
+          push-to-registry: true
+      - name: Attest ghcr image
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-digest: ${{steps.build-and-push.outputs.digest}}
+          subject-name: ghcr.io/${{ github.repository_owner }}/database-tools
+          push-to-registry: true
+      - uses: anchore/sbom-action@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/database-tools@${{steps.build-and-push.outputs.digest}}
+          output-file: sbom.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: |
+            sbom.spdx.json

.github/workflows/dependency-review.yaml

@@ -0,0 +1,16 @@
+name: dependency review
+on:
+  pull_request:
+    branches:
+    - main
+permissions: {}
+jobs:
+  dependency-review:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+    - uses: actions/dependency-review-action@5a2ce3f5b92ee19cbb1541a4984c76d921601d7c # v4.3.4
+      with:
+        config-file: .github/dependency-review-config.yaml

.github/workflows/docker-host-image.yaml

@@ -19,6 +19,11 @@ on:
 
 jobs:
   docker:
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+      packages: write
     runs-on: ubuntu-latest
     steps:
       -
@@ -38,25 +43,25 @@ jobs:
         name: Create SERVICE_TAG variable
         id: service_tag_var
         run: |
-          RAW_TAG=$(echo $(git describe --abbrev=0 --tags --match 'docker-host-*'))
+          RAW_TAG=$(git describe --abbrev=0 --tags --match 'docker-host-*')
           SERVICE_TAG=${RAW_TAG#"docker-host-"}
           echo "using docker-host tag $SERVICE_TAG"
-          echo "SERVICE_TAG=$SERVICE_TAG" >> $GITHUB_ENV
+          echo "SERVICE_TAG=$SERVICE_TAG" >> "$GITHUB_ENV"
       -
         name: Set version for non-tag build
         if: "!startsWith(github.ref, 'refs/tags/docker-host')"
         id: version_non-tag_build
         run: |
-          DOCKER_TAG=${{ env.SERVICE_TAG }}-$(git rev-parse --short=8 HEAD)
-          echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+          DOCKER_TAG="${{ env.SERVICE_TAG }}-$(git rev-parse --short=8 HEAD)"
+          echo "DOCKER_TAG=$DOCKER_TAG" >> "$GITHUB_ENV"
           echo "docker-host version $DOCKER_TAG"
       -
         name: Set version for tag build
         if: "startsWith(github.ref, 'refs/tags/docker-host')"
         id: version_tag_build
         run: |
           DOCKER_TAG=${{ env.SERVICE_TAG }}
-          echo "DOCKER_TAG=$DOCKER_TAG" >> $GITHUB_ENV
+          echo "DOCKER_TAG=$DOCKER_TAG" >> "$GITHUB_ENV"
           echo "docker-host version $DOCKER_TAG"
       -
         name: Docker meta
@@ -101,9 +106,35 @@ jobs:
       -
         name: Build and push
         uses: docker/build-push-action@v6
+        id: build-and-push
         with:
           context: docker-host
           platforms: linux/amd64,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+      - name: Attest dockerhub image
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-digest: ${{steps.build-and-push.outputs.digest}}
+          subject-name: index.docker.io/${{ github.repository_owner }}/docker-host
+          push-to-registry: true
+      - name: Attest ghcr image
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        with:
+          subject-digest: ${{steps.build-and-push.outputs.digest}}
+          subject-name: ghcr.io/${{ github.repository_owner }}/docker-host
+          push-to-registry: true
+      - uses: anchore/sbom-action@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/docker-host@${{steps.build-and-push.outputs.digest}}
+          output-file: sbom.spdx.json
+          upload-artifact: false
+          upload-release-assets: false
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: |
+            sbom.spdx.json