-
Notifications
You must be signed in to change notification settings - Fork 10
101 lines (100 loc) · 3.27 KB
/
scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
---
name: Scan
on:
# Triggers the workflow on push or pull request events but
# only for the main branch
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
permissions: read-all
jobs:
lint:
name: 'Super-linter'
runs-on: intellabs-01
container: 'ghcr.io/github/super-linter:v5.0.0'
permissions:
contents: read
packages: read
# statuses: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
with:
fetch-depth: 0
- uses: super-linter/super-linter@e0fc164bba85f4b58c6cd17ba1dfd435d01e8a06 #v6.3.0
env:
DEFAULT_BRANCH: main
# To report GitHub Actions status checks
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VALIDATE_CLANG_FORMAT: true
VALIDATE_PYTHON_PYLINT: true
VALIDATE_YAML: true
VALIDATE_DOCKERFILE_HADOLINT: true
VALIDATE_MARKDOWN: true
VALIDATE_GITLEAKS: true
VALIDATE_GITHUB_ACTIONS: true
YAML_ERROR_ON_WARNING: false
PYTHON_PYLINT_CONFIG_FILE: .pylintrc
LOG_FILE: super-linter.log
CREATE_LOG_FILE: true
FILTER_REGEX_EXCLUDE: .*/pull_request_template.md
trivy:
name: Trivy
runs-on: intellabs-01
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d #v0.18.0
with:
scan-type: 'fs'
format: 'table'
exit-code: '1'
vuln-type: 'os,library'
bandit:
name: Bandit
runs-on: intellabs-01
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
- name: Test
shell: bash
run: |
pip3 install "bandit==1.7.7"
bandit -c .github/bandit.yaml -r .
license:
name: License check
runs-on: intellabs-01
container:
image: osrf/ros:humble-desktop
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
- name: Prepare System
shell: bash
run: |
apt update
apt install -y python3-pip
pip3 install ros-license-toolkit==1.2.2
apt install -y golang-go
go version
go install github.com/google/[email protected]
- name: Check for license tags
shell: bash
run: |
find . -type f \( -name "*.py" -o -name "*.cpp" -o -name "*.h" \) -exec "$HOME"/go/bin/addlicense -check {} +
- name: Run ros_license_toolkit for each Package
shell: bash
run: |
git config --global --add safe.directory /__w/scenario_execution/scenario_execution
find . -name "package.xml" | while IFS= read -r pkg_file; do
pkg_dir=$(dirname "$pkg_file")
pkg_name=$(basename "$pkg_dir")
if [ "$pkg_name" = "scenario_execution_rviz" ]; then
echo "Skipping package $pkg_name"
continue
fi
echo "Processing package at $pkg_dir"
ros_license_toolkit "$pkg_dir"
done