# Kusari GitHub Actions Reusable Workflow
#
# This workflow provides automated security scanning for pull requests using Kusari Inspector.
# It automatically posts scan results as comments on pull requests when issues are found.
#
# USAGE:
# Create a workflow file in your repository (e.g., .github/workflows/kusari-scan.yml):
#
# name: Kusari Security Scan
# on:
#   pull_request:
#     branches: [main, master]
#
# jobs:
#   kusari-scan:
#     uses: kusaridev/kusari-ci-templates/.github/workflows/kusari-scan-v1.yml@v1
#     permissions:
#       contents: read
#       pull-requests: write
#     secrets:
#       KUSARI_CLIENT_ID: ${{ secrets.KUSARI_CLIENT_ID }}
#       KUSARI_CLIENT_SECRET: ${{ secrets.KUSARI_CLIENT_SECRET }}
#     with:
#       fail_on_issues: false
#       post_comment: true
#
# REQUIRED SECRETS (set in GitHub repository/organization settings):
# - KUSARI_CLIENT_ID: Your Kusari client ID
# - KUSARI_CLIENT_SECRET: Your Kusari client secret
#
# REQUIRED PERMISSIONS:
# The calling workflow MUST specify these permissions:
#   permissions:
#     contents: read        # Required to checkout code
#     pull-requests: write  # Required to post PR comments
#
# OPTIONAL INPUTS:
# - kusari_cli_image: Override the default Kusari CLI image
# - fail_on_issues: Set to true to fail workflow on security issues (default: false)
# - post_comment: Set to true to post results as PR comment (default: true)
name: Kusari Security Scan

on:
  workflow_call:
    inputs:
      kusari_cli_image:
        type: string
        required: false
        description: "Kusari CLI container image"
        # Pinned by immutable digest: the image that receives the client
        # credentials cannot change without an explicit edit here.
        default: "ghcr.io/kusaridev/kusari-cli@sha256:1153b863a1849b5b0d3d42c430583d084925f778dc6ff201743fe216d090d2bc"
      fail_on_issues:
        type: boolean
        required: false
        description: "Fail workflow if security issues are found"
        default: false
      post_comment:
        type: boolean
        required: false
        description: "Post scan results as PR comment"
        default: true
    secrets:
      # Both are mandatory; the caller passes them explicitly (no `secrets: inherit` needed).
      KUSARI_CLIENT_ID:
        required: true
        description: "Kusari client ID"
      KUSARI_CLIENT_SECRET:
        required: true
        description: "Kusari client secret"
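jobs:
  kusari-scan:
    name: Kusari Security Scan
    runs-on: ubuntu-latest
    # Least privilege: a called workflow can only narrow the token scopes it
    # receives from the caller, so declaring the two scopes this job actually
    # uses caps GITHUB_TOKEN even when the caller granted more.
    permissions:
      contents: read        # actions/checkout
      pull-requests: write  # PR comment posted by `kusari repo scan --comment github`
    container:
      image: ${{ inputs.kusari_cli_image }}
    steps:
      - name: Install dependencies
        run: apk add --no-cache git jq gnutar bzip2 libstdc++

      - name: Checkout code
        # Pinned to a full commit SHA rather than a mutable tag.
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
        with:
          fetch-depth: 0             # full history so the base ref can be diffed against
          persist-credentials: false # do not leave the token in .git/config for later steps

      - name: Configure git safe directory
        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Fetch base branch
        env:
          BASE_REF: ${{ github.base_ref }}
        run: git fetch origin "$BASE_REF"

      - name: Authenticate with Kusari
        # Credentials are handed to the shell as environment variables instead
        # of being expanded into the script text by ${{ }}, so the secret
        # values never become part of the rendered command line.
        env:
          KUSARI_CLIENT_ID: ${{ secrets.KUSARI_CLIENT_ID }}
          KUSARI_CLIENT_SECRET: ${{ secrets.KUSARI_CLIENT_SECRET }}
        run: kusari auth login --client-id="$KUSARI_CLIENT_ID" --client-secret="$KUSARI_CLIENT_SECRET"

      - name: Run Kusari scan
        id: scan
        env:
          GITHUB_TOKEN: ${{ github.token }}
          POST_COMMENT: ${{ inputs.post_comment }}
          BASE_REF: ${{ github.base_ref }}
        run: |
          GITHUB_COMMENT_FLAG=""
          if [ "$POST_COMMENT" = "true" ]; then
            GITHUB_COMMENT_FLAG="--comment github"
          fi
          # $GITHUB_COMMENT_FLAG is deliberately unquoted: it must expand to the
          # two words "--comment github", or to nothing at all.
          kusari repo scan -w --output-format sarif $GITHUB_COMMENT_FLAG . "origin/$BASE_REF" > kusari_results.sarif

      - name: Display scan results
        run: |
          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
          echo "KUSARI SECURITY SCAN RESULTS"
          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
          echo ""
          # The scanner's markdown summary lives in the first SARIF result.
          COMMENT_BODY=$(jq -r '.runs[0].results[0].message.markdown // "No results found"' kusari_results.sarif)
          echo "$COMMENT_BODY"
          echo ""
          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

      - name: Check for security issues
        if: inputs.fail_on_issues
        run: |
          # Missing property defaults to "true" so an empty result set does not fail the job.
          SHOULD_PROCEED=$(jq -r '.runs[0].results[0].properties.should_proceed // "true"' kusari_results.sarif)
          if [ "$SHOULD_PROCEED" = "false" ]; then
            echo "Security issues found - failing workflow"
            exit 1
          fi

      - name: Upload SARIF results
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
        if: always()  # keep the report even when the gate above fails the job
        with:
          name: kusari-sarif-results
          path: kusari_results.sarif
          retention-days: 30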