Build

chore(deps): update dependency cypress to v14 (#3265) #13404

Summary
Jobs
- build
- checkov
- scap
Run details
- Usage
- Workflow file

Workflow file for this run

	---
	name: Build

	permissions: {}

	# Run this workflow every time a new commit pushed to your repository
	on: # yamllint disable-line rule:truthy
	- push

	env:
	IMAGE_NAME: ghcr.io/${{ github.repository }}:${{ ( github.ref_name == github.event.repository.default_branch ) && 'latest' \|\| format('ci-{0}', github.sha ) }}

	jobs:
	build:
	permissions:
	packages: write
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
	- uses: DavidAnson/markdownlint-cli2-action@a23dae216ce3fee4db69da41fed90d2a4af801cf # v19
	with:
	globs: \|
	*/.md
	#**/node_modules
	#**/.gradle
	#**/.git
	- uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3
	with:
	strict: true
	- run: \|
	# shellcheck shell=sh
	sudo apt-get install -y git shellcheck
	sudo curl --fail -Ls "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64" -o /usr/local/bin/yq
	sudo chmod +x /usr/local/bin/yq
	git ls-files --exclude='*.sh' --ignored -c -z \| xargs -0r shellcheck -P SCRIPTDIR -x
	git ls-files --exclude='.github/*/.yml' --ignored -c \| while IFS= read -r file; do
	yq eval '.[] \| select(tag=="!!map").[].steps.[].run \| select(. != null ) \| path \| ".[\"" + join("\"].[\"") + "\"]"' "${file}" \| while IFS= read -r selector; do
	set +e
	script=$(yq eval "${selector}" "${file}")
	status=$?
	set -e
	if [ $status -ne 0 ]; then
	>&2 printf "\nError getting the contents of the selector %s in the file %s:\n\nThe YAML may be malformed." "${selector}" "${file}"
	exit 1
	fi
	if ! printf '%s' "${script}" \| shellcheck -x -; then
	>&2 printf "\nError in %s in the script specified in %s:\n%s\n" "${file}" "${selector}" "${script}"
	exit 1
	fi
	done
	done
	- name: Validate Gradle wrapper
	uses: gradle/actions/wrapper-validation@0bdd871935719febd78681f197cd39af5b6e16a6 # v4
	- uses: actions/setup-java@7a6d8a8234af8eb26422e24e3006232cccaa061b # v4
	with:
	java-version: "21"
	distribution: "liberica"
	cache: "gradle"
	- name: Setup Gradle
	uses: gradle/actions/setup-gradle@0bdd871935719febd78681f197cd39af5b6e16a6 # v4
	- name: Build with Gradle
	run: \|
	# shellcheck shell=sh
	# gradle's build task will build, assemble, and test the project.
	./gradlew build bootBuildImage --imageName "${IMAGE_NAME}" --publishImage
	env:
	DOCKER_USERNAME: ${{ github.actor }}
	DOCKER_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
	- name: upload build reports
	if: success() \|\| failure() # always run even if the previous step fails
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
	with:
	name: build-reports
	path: build/reports/
	- name: upload build jar
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
	with:
	name: jar
	path: build/libs/jumpstart.jar
	checkov:
	permissions:
	contents: read # for actions/checkout to fetch code
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
	- name: Checkov GitHub Action
	uses: bridgecrewio/checkov-action@7e385e047f08facd4bc29345786743742edbee1f # v12
	with:
	directory: .
	# This will add both a CLI output to the console and create a results.sarif file
	quiet: true # optional: display only failed checks
	output_format: cli,sarif
	output_file_path: console,results.sarif
	- name: Upload SARIF file
	uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3
	# Results are generated only on a success or failure
	# this is required since GitHub by default won't run the next step
	# when the previous one has failed. Security checks that do not pass will 'fail'.
	# An alternative is to add `continue-on-error: true` to the previous step
	# Or 'soft_fail: true' to checkov.
	if: success() \|\| failure()
	with:
	sarif_file: results.sarif
	scap:
	needs: build
	permissions:
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
	runs-on: ubuntu-latest
	container:
	image: alpine:3.21.2@sha256:56fa17d2a7e7f168a043a2712e63aed1f8543aeafdcee47c58dcffe38ed51099
	env:
	SCAP_SECURITY_GUIDE_VERSION: "0.1.75"
	MICROSOFT_SARIF_MULTITOOL_VERSION: "4.5.4"
	MITRE_SAF_VERSION: "1.4.17"
	SSG_DIR: "ssg"
	steps:
	- name: Install prerequisites
	run: \|
	# shellcheck shell=sh
	set -eu
	apk add curl docker jq openscap-docker npm gcompat unzip
	npm install -g "@microsoft/sarif-multitool@${MICROSOFT_SARIF_MULTITOOL_VERSION}"
	# Specify the sinon version to use.
	# Remove sinon from this line when sinon 16.1.2 (or later) is released, or when using MITRE_SAF_VERSION that includes https://github.com/mitre/saf/pull/1919
	npm install -g [email protected] "@mitre/saf@${MITRE_SAF_VERSION}"
	mkdir -p "${SSG_DIR}"
	curl "https://github.com/ComplianceAsCode/content/releases/download/v${SCAP_SECURITY_GUIDE_VERSION}/scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}.zip" -Lso "${SSG_DIR}/ssg.zip"
	unzip "${SSG_DIR}/ssg.zip" -d "${SSG_DIR}"
	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Pull the docker image to scan
	run: \|
	# shellcheck shell=sh
	set -eu
	# oscap-docker requires the image to have been pulled
	docker pull "${IMAGE_NAME}"
	- name: Run openscap
	run: \|
	# shellcheck shell=sh
	set -eu
	# extract /etc/os-release
	container_id=$(docker create "${IMAGE_NAME}")
	if ! docker export "${container_id}" \| tar -tvf - \| grep -E '\setc/os-release( ->.*)?$' > /dev/null 2>&1 ; then
	>&2 echo "The operating system used by ${IMAGE_NAME} could not be detected."
	>&2 echo "Images that are not based on an operating system (such as distroless images) cannot be scanned by SCAP."
	exit 1
	fi
	docker cp -L "$container_id:/etc/os-release" .
	docker rm "$container_id"
	unset container_id
	# determine which ssg to use based on /etc/os-release
	# see https://www.freedesktop.org/software/systemd/man/os-release.html
	version_id=$(awk -F= '$1=="VERSION_ID" { print $2 ;}' os-release \| sed 's/"//g')
	id=$(awk -F= '$1=="ID" { print $2 ;}' os-release \| sed 's/"//g')
	if [ "${id}" = "ubuntu" ] && echo "${version_id}" \| grep -qE '^18\.04(\..*)?$' ; then
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-ubuntu1804-ds.xml"
	elif [ "${id}" = "ubuntu" ] && echo "${version_id}" \| grep -qE '^20\.04(\..*)?$' ; then
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-ubuntu2004-ds.xml"
	elif [ "${id}" = "ubuntu" ] && echo "${version_id}" \| grep -qE '^22\.04(\..*)?$' ; then\
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-ubuntu2204-ds.xml"
	elif [ "${id}" = "centos" ] && echo "${version_id}" \| grep -qE '^7(\..*)?$' ; then
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-centos7-ds.xml"
	elif [ "${id}" = "centos" ] && echo "${version_id}" \| grep -qE '^8(\..*)?$' ; then
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-centos8-ds.xml"
	elif [ "${id}" = "ol" ] && echo "${version_id}" \| grep -qE '^7(\..*)?$' ; then
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-ol7-ds.xml"
	elif [ "${id}" = "ol" ] && echo "${version_id}" \| grep -qE '^8(\..*)?$' ; then
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-ol8-ds.xml"
	elif [ "${id}" = "ol" ] && echo "${version_id}" \| grep -qE '^9(\..*)?$' ; then
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-ol9-ds.xml"
	elif [ "${id}" = "rhel" ] && echo "${version_id}" \| grep -qE '^7(\..*)?$' ; then
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-rhel7-ds.xml"
	elif [ "${id}" = "rhel" ] && echo "${version_id}" \| grep -qE '^8(\..*)?$' ; then
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-rhel8-ds.xml"
	elif [ "${id}" = "rhel" ] && echo "${version_id}" \| grep -qE '^9(\..*)?$' ; then
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-rhel9-ds.xml"
	elif [ "${id}" = "sles" ] && echo "${version_id}" \| grep -qE '^12(\..*)?$' ; then
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-sle12-ds.xml"
	elif [ "${id}" = "sles" ] && echo "${version_id}" \| grep -qE '^15(\..*)?$' ; then
	ssg="scap-security-guide-${SCAP_SECURITY_GUIDE_VERSION}/ssg-sle15-ds.xml"
	else
	>&2 echo "There is no configuration available for ${id} ${version_id}"
	exit 1
	fi
	# Select the profile to use. The first profile that exists in the ssg is used.
	for profile in xccdf_org.ssgproject.content_profile_cis_level2_server xccdf_org.ssgproject.content_profile_cis xccdf_org.ssgproject.content_profile_standard; do
	if oscap info --profiles "${SSG_DIR}/${ssg}" \| grep -qF "${profile}:"; then
	echo "Selected profile: ${profile}"
	break;
	fi
	done

	set +e
	oscap-docker image "${IMAGE_NAME}" xccdf eval --verbose ERROR --fetch-remote-resources --profile "${profile}" --results "openscap-report.xml" --report "openscap-report.html" "${SSG_DIR}/${ssg}"
	OSCAP_EXIT_CODE=$?
	set -e

	case "${OSCAP_EXIT_CODE}" in
	0)
	echo "All rules passed"
	;;
	1)
	>&2 echo "An error occurred during evaluation"
	exit 2
	;;
	2)
	echo "There is at least one rule with either fail or unknown result"
	;;
	*)
	>&2 echo "openscap returned an unexpected exit status of $OSCAP_EXIT_CODE"
	exit "$OSCAP_EXIT_CODE"
	;;
	esac
	- name: Convert xml to hdf
	run: \|
	# shellcheck shell=sh
	set -eu
	saf convert xccdf_results2hdf -i "openscap-report.xml" -o openscap-report.hdf
	- name: Convert hdf to sarif
	run: \|
	# shellcheck shell=sh
	set -eu
	DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=1 sarif-multitool convert -t Hdf -o openscap-report.sarif openscap-report.hdf.json
	- name: filter results that shouldn't be GitHub security alerts
	# Hopefully GitHub adds support for SARIF's "kind" eliminating the need for this step: https://github.com/orgs/community/discussions/65477
	run: \|
	# shellcheck shell=sh
	set -eu
	jq 'del(.runs[].results[] \| select(.kind == "notApplicable" or .kind == "pass" or .kind == "informational" ))' openscap-report.sarif > filtered.sarif
	mv filtered.sarif openscap-report.sarif
	- name: Upload reports
	if: success() \|\| failure() # always run even if the previous step fails
	uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
	with:
	name: openscap-reports
	path: \|
	openscap-report.html
	openscap-report.xml
	openscap-report.hdf.json
	openscap-report.sarif
	- name: Upload SARIF file
	uses: github/codeql-action/upload-sarif@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3
	# Results are generated only on a success or failure
	# this is required since GitHub by default won't run the next step
	# when the previous one has failed. Security checks that do not pass will 'fail'.
	# An alternative is to add `continue-on-error: true` to the previous step
	if: success() \|\| failure()
	with:
	sarif_file: openscap-report.sarif

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency cypress to v14 (#3265) #13404

Workflow file

chore(deps): update dependency cypress to v14 (#3265) #13404

Jobs

Run details

Workflow file for this run