
Commit 70a26a9

author
J1 Security
committed
Added Security Files
1 parent 43df5d2 commit 70a26a9


1 file changed

+90
-0
lines changed


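--- /dev/null
+++ b/.github/workflows/peril.yml
@@ -0,0 +1,90 @@
+name: "Peril"
+
+on:
+pull_request:
+
+env:
+TRANSPONDER_DOCKER_IMAGE: 081157560428.dkr.ecr.us-east-1.amazonaws.com/transponder:1
+SECURITY_SCAN_IMAGE: ghcr.io/jupiterone/security-scan:latest
+
+jobs:
+Peril:
+name: Peril
+permissions:
+id-token: write
+contents: read
+packages: read
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout
+uses: actions/checkout@v3
+
+- name: Setup Node
+uses: actions/setup-node@v1
+with:
+node-version: 14.x
+
+- name: Run build
+run: yarn install
+
+- name: Get Variables
+id: get-vars
+run: |
+if [[ "${GITHUB_REF}" == 'ref/head/main' && "${GITHUB_EVENT_NAME}" == 'push' ]];
+then
+echo ::set-output name=aws-oidc-role::arn:aws:iam::081157560428:role/github-main-role
+else
+echo ::set-output name=aws-oidc-role::arn:aws:iam::081157560428:role/github-pull-request-role
+fi
+
+- name: Configure aws credentials
+uses: aws-actions/configure-aws-credentials@v1
+with:
+role-to-assume: ${{ steps.get-vars.outputs.aws-oidc-role }}
+role-session-name: pr-role-session
+aws-region: us-east-1
+
+- name: ECR login
+uses: aws-actions/amazon-ecr-login@v1
+id: amazon-ecr-login
+
+- name: Login to GHCR
+uses: docker/login-action@v2
+with:
+registry: ghcr.io
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Pull security-scan
+run: |
+docker pull $SECURITY_SCAN_IMAGE
+
+- name: Run security-scan
+run: |
+docker run \
+--user root \
+-v /var/run/docker.sock:/var/run/docker.sock \
+-v `pwd`:`pwd` \
+-e AWS_ACCESS_KEY_ID=${{ env.AWS_ACCESS_KEY_ID }} \
+-e AWS_SECRET_ACCESS_KEY=${{ env.AWS_SECRET_ACCESS_KEY }} \
+-e AWS_SESSION_TOKEN=${{ env.AWS_SESSION_TOKEN }} \
+-e GITHUB_REPOSITORY=$GITHUB_REPOSITORY \
+-e GITHUB_REF_NAME=$GITHUB_REF_NAME \
+-e GITHUB_RUN_NUMBER=$GITHUB_RUN_NUMBER \
+-e GITHUB_SERVER_URL=$GITHUB_SERVER_URL \
+-e GITHUB_RUN_ID=$GITHUB_RUN_ID \
+-e MODE=ci \
+-w `pwd` $SECURITY_SCAN_IMAGE
+
+- name: Pull transponder
+run: |
+docker pull $TRANSPONDER_DOCKER_IMAGE
+
+- name: Run transponder
+run: |
+docker run --rm -v `pwd`:`pwd` -w `pwd` \
+-e J1_API_KEY=${{ secrets.J1_API_KEY_TRANSPONDER }} \
+-e J1_API_DOMAIN=${{ secrets.J1_API_DOMAIN_TRANSPONDER }} \
+-e J1_ACCOUNT_ID=${{ secrets.J1_ACCOUNT_ID_TRANSPONDER }} \
+$TRANSPONDER_DOCKER_IMAGE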
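Review bot: The branch test in the Get Variables step (new lines 34–38) can never select github-main-role: the workflow only triggers on `pull_request`, so `GITHUB_EVENT_NAME` is never `push`, and the ref for main is `refs/heads/main`, not `ref/head/main` — today that silently yields the lower-privilege PR role, but if a `push` trigger is added later the typo keeps the main branch dead. The `::set-output` workflow command is deprecated in favour of appending `name=value` to `$GITHUB_OUTPUT`. New lines 69–71 and 87–89 expand the OIDC-derived AWS credentials and the J1 secrets into the shell script text via `${{ }}`; passing only the variable names to Docker (`-e AWS_ACCESS_KEY_ID`, with the J1 values supplied through a step-level `env:`) lets the container inherit them from the step environment instead of writing them into the script and the runner's process arguments. Also worth a comment in the file, since it may be intentional for a scanner: the security-scan container runs as root with the host Docker socket mounted and pulls a mutable `:latest` tag, so pinning that image by digest (and the actions by commit SHA) would narrow what an upstream image change could do with that access.

```yaml
      - name: Get Variables
        id: get-vars
        run: |
          if [[ "${GITHUB_REF}" == 'refs/heads/main' && "${GITHUB_EVENT_NAME}" == 'push' ]]; then
            echo "aws-oidc-role=arn:aws:iam::081157560428:role/github-main-role" >> "$GITHUB_OUTPUT"
          else
            echo "aws-oidc-role=arn:aws:iam::081157560428:role/github-pull-request-role" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: Configure aws credentials, ECR login, Login to GHCR, Pull security-scan …
      - name: Run security-scan
        run: |
          docker run \
            --user root \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v `pwd`:`pwd` \
            -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SESSION_TOKEN \
            -e GITHUB_REPOSITORY=$GITHUB_REPOSITORY \
            -e GITHUB_REF_NAME=$GITHUB_REF_NAME \
            -e GITHUB_RUN_NUMBER=$GITHUB_RUN_NUMBER \
            -e GITHUB_SERVER_URL=$GITHUB_SERVER_URL \
            -e GITHUB_RUN_ID=$GITHUB_RUN_ID \
            -e MODE=ci \
            -w `pwd` $SECURITY_SCAN_IMAGE
      # … unchanged: Pull transponder …
      - name: Run transponder
        env:
          J1_API_KEY: ${{ secrets.J1_API_KEY_TRANSPONDER }}
          J1_API_DOMAIN: ${{ secrets.J1_API_DOMAIN_TRANSPONDER }}
          J1_ACCOUNT_ID: ${{ secrets.J1_ACCOUNT_ID_TRANSPONDER }}
        run: |
          docker run --rm -v `pwd`:`pwd` -w `pwd` \
            -e J1_API_KEY -e J1_API_DOMAIN -e J1_ACCOUNT_ID \
            $TRANSPONDER_DOCKER_IMAGE
```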
