From 24e77b2acf8e7846a5e93a1604336843dff01039 Mon Sep 17 00:00:00 2001 From: mbruzda Date: Fri, 24 Oct 2025 09:35:28 +0200 Subject: [PATCH 1/8] feat: integrate GS Scorecard workflow --- .../workflows/reusable-build-test-release.yml | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 749c981f..890c1b9c 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -97,6 +97,12 @@ on: SPL_COM_PASSWORD: description: password to splunk.com required: true + GSSA_AWS_ACCESS_KEY_ID: + description: GSSA AWS access key id + required: true + GSSA_AWS_SECRET_ACCESS_KEY: + description: GSSA AWS secret access key + required: true permissions: contents: read packages: read 
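Review bot: `GSSA_AWS_ACCESS_KEY_ID` / `GSSA_AWS_SECRET_ACCESS_KEY` bring static, long-lived AWS keys into the reusable workflow's contract, and their descriptions say only what the value is, not what the key pair is allowed to do, which is what a caller granting them needs to know. A one-line scope statement would help, e.g. `description: GSSA AWS access key id (identity used to pull the GS Scorecard image from ECR; confirm it has no wider rights)`. `aws-actions/configure-aws-credentials`, used further down this patch, also supports OIDC federation via `role-to-assume` together with `id-token: write` on the job, which would replace the two long-lived secrets with short-lived credentials and avoid distributing them to every caller.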
@@ -812,6 +818,57 @@ jobs: name: appinspect-api-html-report-${{ matrix.tags }} path: AppInspect_response.html + run-gs-scorecard: + name: quality-gs-scorecard + needs: build + if: ${{ !cancelled() && needs.build.result == 'success' }} + runs-on: ubuntu-latest + permissions: + contents: read + packages: read + steps: + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-access-key-id: ${{ secrets.GSSA_AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.GSSA_AWS_SECRET_ACCESS_KEY }} + aws-region: us-west-2 + + - name: Login to Amazon ECR + run: | + aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 956110764581.dkr.ecr.us-west-2.amazonaws.com + + - name: Pull GS Scorecard image + run: | + docker pull 956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:1.0.0 + + - name: Run GS Scorecard + env: + GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }} + GITHUB_USERNAME: ${{ secrets.SA_GH_USER_NAME }} + APPINSPECT_USER: ${{ secrets.SPL_COM_USER }} + APPINSPECT_PASS: ${{ secrets.SPL_COM_PASSWORD }} + run: | + docker run --rm \ + -e GITHUB_TOKEN \ + -e GITHUB_USERNAME \ + -e AWS_ACCESS_KEY_ID="${{ secrets.GSSA_AWS_ACCESS_KEY_ID }}" \ + -e AWS_SECRET_ACCESS_KEY="${{ secrets.GSSA_AWS_SECRET_ACCESS_KEY }}" \ + -e AWS_DEFAULT_REGION="us-west-2" \ + -e APPINSPECT_USER \ + -e APPINSPECT_PASS \ + -v $(pwd):/addon \ + 956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:1.0.0 + + - name: Upload GS Scorecard report + uses: actions/upload-artifact@v4 + if: always() + with: + name: gs-scorecard-report + path: ./gs_scorecard.html + setup: needs: - setup-workflow From 47aac1b3212f1f92f872b34edd106343d91e9c55 Mon Sep 17 00:00:00 2001 
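Review bot: In the `Run GS Scorecard` step the AWS key pair is spliced into the shell script text as `-e AWS_ACCESS_KEY_ID="${{ secrets.GSSA_AWS_ACCESS_KEY_ID }}"` and `-e AWS_SECRET_ACCESS_KEY="${{ secrets.GSSA_AWS_SECRET_ACCESS_KEY }}"`, unlike the step's other four variables, which go through `env:` and are passed with a bare `-e NAME`. `configure-aws-credentials` earlier in the job already exports `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_DEFAULT_REGION` to later steps, so these three lines can become `-e AWS_ACCESS_KEY_ID \`, `-e AWS_SECRET_ACCESS_KEY \`, `-e AWS_DEFAULT_REGION \` and the secrets stay out of the script body. The same inline interpolation survives in the last hunk of PATCH 8/8. The image is referenced by the mutable tag `:1.0.0` while it is handed `GH_TOKEN_ADMIN` and a writable mount of the whole checkout; for an image receiving credentials of that kind, pinning by digest (`…/gs-scorecard:1.0.0@sha256:<digest from the registry>`) makes a silent re-push of the tag ineffective. If `GH_TOKEN_ADMIN` is as broad as its name suggests, a token scoped to what the scorecard actually reads would be the least-privilege choice; what the tool needs the token for is not visible here.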
From: mbruzda Date: Mon, 27 Oct 2025 22:11:13 +0100 Subject: [PATCH 2/8] chore: remove unnecessary permissions from reusable workflow --- .github/workflows/reusable-build-test-release.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 890c1b9c..35397936 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -823,9 +823,6 @@ jobs: needs: build if: ${{ !cancelled() && needs.build.result == 'success' }} runs-on: ubuntu-latest - permissions: - contents: read - packages: read steps: - uses: actions/checkout@v4 From 4de3ea52acddac928f7c5c9135a1cf6890060c29 Mon Sep 17 00:00:00 2001 From: mbruzda Date: Mon, 27 Oct 2025 22:12:06 +0100 Subject: [PATCH 3/8] chore: clean up reusable workflow by removing unnecessary line breaks --- .github/workflows/reusable-build-test-release.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 35397936..a4efbc7f 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -825,22 +825,18 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: aws-access-key-id: ${{ secrets.GSSA_AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.GSSA_AWS_SECRET_ACCESS_KEY }} aws-region: us-west-2 - - name: Login to Amazon ECR run: | aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 956110764581.dkr.ecr.us-west-2.amazonaws.com - - name: Pull GS Scorecard image run: | docker pull 956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:1.0.0 - - name: Run GS Scorecard env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }} 
From e4dec7ae81888f0151487b3d3f627b1be17318b2 Mon Sep 17 00:00:00 2001 From: mbruzda Date: Mon, 27 Oct 2025 22:22:48 +0100 Subject: [PATCH 4/8] chore: add GS Scorecard versioning and improve ECR login process --- .github/workflows/reusable-build-test-release.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index a4efbc7f..98e9c893 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -113,6 +113,7 @@ env: PYTHON_VERSION: "3.9" POETRY_VERSION: "2.1.4" POETRY_EXPORT_PLUGIN_VERSION: "1.9.0" + GS_SCORECARD_VERSION: "1.0.0" jobs: validate-custom-version: runs-on: ubuntu-latest @@ -832,11 +833,10 @@ jobs: aws-secret-access-key: ${{ secrets.GSSA_AWS_SECRET_ACCESS_KEY }} aws-region: us-west-2 - name: Login to Amazon ECR - run: | - aws ecr get-login-password --region us-west-2 | docker login --username AWS --password-stdin 956110764581.dkr.ecr.us-west-2.amazonaws.com + uses: aws-actions/amazon-ecr-login@v2 - name: Pull GS Scorecard image - run: | - docker pull 956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:1.0.0 + run: + docker pull 956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:${{ env.GS_SCORECARD_VERSION }} - name: Run GS Scorecard env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }} From a526fa025b21828a9fd8f93ee4cc7ab2f50b17b0 Mon Sep 17 00:00:00 2001 From: mbruzda Date: Mon, 27 Oct 2025 22:38:34 +0100 Subject: [PATCH 5/8] chore: update condition for running GS Scorecard to only trigger on push to main --- .github/workflows/reusable-build-test-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 98e9c893..408ab0fa 100644 --- a/.github/workflows/reusable-build-test-release.yml 
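Review bot: The new `Login to Amazon ECR` step references `aws-actions/amazon-ecr-login@v2` by a floating major tag, as the other third-party actions in this job do; for a step that sits on the registry-authentication path, pinning to a full commit SHA with the tag kept in a comment, `uses: aws-actions/amazon-ecr-login@<full commit sha> # v2`, removes the ability of a moved tag to change what runs. The `Pull GS Scorecard image` step also changed from `run: |` to a plain `run:` scalar with the command on the following line, which YAML folds correctly but differs from every other `run:` step in this job; keeping `run: |` is the conventional form.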
+++ b/.github/workflows/reusable-build-test-release.yml @@ -822,7 +822,7 @@ jobs: run-gs-scorecard: name: quality-gs-scorecard needs: build - if: ${{ !cancelled() && needs.build.result == 'success' }} + if: ${{ !cancelled() && needs.build.result == 'success' && (github.ref_name == 'main' && github.event_name == 'push') }} runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 From 4b0b8f26e1b693c735784135542b5cf35b0189db Mon Sep 17 00:00:00 2001 From: mbruzda Date: Thu, 30 Oct 2025 14:36:34 +0100 Subject: [PATCH 6/8] chore: fix volume mount syntax in reusable build workflow --- .github/workflows/reusable-build-test-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 408ab0fa..76cbd596 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -852,7 +852,7 @@ jobs: -e AWS_DEFAULT_REGION="us-west-2" \ -e APPINSPECT_USER \ -e APPINSPECT_PASS \ - -v $(pwd):/addon \ + -v "$(pwd)":/addon \ 956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:1.0.0 - name: Upload GS Scorecard report From 2dd0d72dcc29545d77e14fd33bf4b2aed30fd7ad Mon Sep 17 00:00:00 2001 From: mbruzda Date: Thu, 30 Oct 2025 15:02:55 +0100 Subject: [PATCH 7/8] docs: add documentation for the new run-gs-scorecard job in README.md --- README.md | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/README.md b/README.md index 42bc717d..a5513a63 100644 --- a/README.md +++ b/README.md @@ -20,6 +20,7 @@ * [[Job] build](#job-build) * [[Job] AppInspect](#job-appinspect) * [[Job] AppInspect API](#job-appinspect-api) + * [[Job] run-gs-scorecard](#job-run-gs-scorecard) * [[Job] setup](#job-setup) * [[Job] test-unit-python3](#job-test-unit-python3) * [[Job] run-btool-check](#job-run-btool-check) 
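Review bot: `github.ref_name == 'main'` compares the short ref name, which a tag named `main` would also satisfy, so the gate is not strictly a branch check; `github.ref == 'refs/heads/main'` is unambiguous, giving `if: ${{ !cancelled() && needs.build.result == 'success' && github.event_name == 'push' && github.ref == 'refs/heads/main' }}` (the extra parentheses add nothing). Because this is a reusable workflow, these fields describe the caller's event; a short comment above the `if:`, e.g. `# Scorecard runs only for pushes to main in the calling repository`, would save the next reader from checking that.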
@@ -523,6 +524,46 @@ appinspect-api-html-report-self-service ``` +## [Job] run-gs-scorecard + +**Description** + +- This job runs the Gold Standard Scorecard quality assessment tool to evaluate the add-on against security and quality standards. + +- The GS Scorecard tool is containerized and runs in a Docker container, analyzing the repository and generating a comprehensive quality report. + +- This job only runs on push events to the `main` branch after a successful build. + +**Action used:** +- AWS ECR (Elastic Container Registry) for Docker image storage +- Custom Docker image: `ta-automation/gs-scorecard` pushed from GitLab GS Scorecard repository + +**Pass/fail behaviour:** + +- The job executes the GS Scorecard analysis and generates a quality report. + +- The job requires proper AWS credentials for accessing the ECR registry and GitHub credentials for repository analysis. + +**Troubleshooting steps for failures if any:** + +- Verify that the required secrets are properly configured in GitHub Actions: + - `GSSA_AWS_ACCESS_KEY_ID` and `GSSA_AWS_SECRET_ACCESS_KEY` for AWS ECR access + - `GH_TOKEN_ADMIN` and `SA_GH_USER_NAME` for GitHub access + - `SPL_COM_USER` and `SPL_COM_PASSWORD` for AppInspect integration + +- Check that the Docker image version specified in `GS_SCORECARD_VERSION` environment variable exists in the ECR registry. + +- Review the job logs for specific error messages from the GS Scorecard tool. + +- Ensure the build job completed successfully before this job runs, as it depends on the build artifacts. + +**Artifacts:** + +``` +gs-scorecard-report (gs_scorecard.html) +``` + + ## [Job] setup **Description:** From 258577b5c85b48f89d823f85079bdf22089db82d Mon Sep 17 00:00:00 2001 
From: mbruzda Date: Fri, 7 Nov 2025 14:50:18 +0100 Subject: [PATCH 8/8] chore: update GS Scorecard versioning and environment variable names in reusable build workflow --- .github/workflows/reusable-build-test-release.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/reusable-build-test-release.yml b/.github/workflows/reusable-build-test-release.yml index 76cbd596..b4052dc5 100644 --- a/.github/workflows/reusable-build-test-release.yml +++ b/.github/workflows/reusable-build-test-release.yml @@ -113,7 +113,8 @@ env: PYTHON_VERSION: "3.9" POETRY_VERSION: "2.1.4" POETRY_EXPORT_PLUGIN_VERSION: "1.9.0" - GS_SCORECARD_VERSION: "1.0.0" + GS_IMAGE_VERSION: "1.0.0" + GS_VERSION: "0.3" jobs: validate-custom-version: runs-on: ubuntu-latest @@ -836,7 +837,7 @@ jobs: uses: aws-actions/amazon-ecr-login@v2 - name: Pull GS Scorecard image run: - docker pull 956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:${{ env.GS_SCORECARD_VERSION }} + docker pull 956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:${{ env.GS_IMAGE_VERSION }} - name: Run GS Scorecard env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }} @@ -852,8 +853,9 @@ jobs: -e AWS_DEFAULT_REGION="us-west-2" \ -e APPINSPECT_USER \ -e APPINSPECT_PASS \ + -e GS_VERSION="${{ env.GS_VERSION }}" \ -v "$(pwd)":/addon \ - 956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:1.0.0 + 956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:"${{ env.GS_IMAGE_VERSION }}" - name: Upload GS Scorecard report uses: actions/upload-artifact@v4
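Review bot: `GS_VERSION: "0.3"` now sits next to `GS_IMAGE_VERSION: "1.0.0"` with nothing saying how the two differ, and the names alone do not tell a reader which one to bump when the scorecard changes. A comment above each would help, e.g. `# GS_IMAGE_VERSION: tag of the gs-scorecard container image pulled from ECR` and `# GS_VERSION: passed into the container as GS_VERSION (presumably the Gold Standard revision to score against — confirm)`. Both values are quoted strings, which is the right choice for version-looking scalars.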
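Review bot: `-e GS_VERSION="${{ env.GS_VERSION }}"` and `gs-scorecard:"${{ env.GS_IMAGE_VERSION }}"` interpolate workflow expressions into the script text, whereas the step's other variables are declared under `env:` and referenced by name; these `env.*` values are workflow-level literals, so this is not an injection concern, but adding `GS_VERSION: ${{ env.GS_VERSION }}` to the step's `env:` and passing `-e GS_VERSION \` keeps the step in one style. The shell quotes around the tag in `gs-scorecard:"${{ env.GS_IMAGE_VERSION }}"` are also absent from the `docker pull` line in the previous hunk; the two references to the image should be written identically so they cannot drift again, as they did between `1.0.0` and `GS_SCORECARD_VERSION` before this patch.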