From 48e2a439dced0e37544bd0cd2e402a0b749cbd1d Mon Sep 17 00:00:00 2001
From: S <2216528@cognizant.com>
Date: Fri, 27 Mar 2026 16:47:45 +0530
Subject: [PATCH 1/2] [PFMENG-5074] remove aqua-security workflow from v4 branch
---
 .github/workflows/aqua-security.yaml | 174 ---------------------------
 .github/workflows/terraform.yaml | 45 -------
 2 files changed, 219 deletions(-)
 delete mode 100644 .github/workflows/aqua-security.yaml
diff --git a/.github/workflows/aqua-security.yaml b/.github/workflows/aqua-security.yaml
deleted file mode 100644
index bc45c80..0000000
--- a/.github/workflows/aqua-security.yaml
+++ /dev/null
@@ -1,174 +0,0 @@
-name: 'Trivy Aqua Security Scan for Docker and ECR Reusable workflow'
-
-on:
- workflow_call:
- inputs:
- docker_file:
- description: Name of the dockerfile
- type: string
- default: ./Dockerfile
- required: false
- docker_tag_name:
- description: Provide the docker tag names
- type: string
- default: ''
- required: false
- docker_file_context:
- description: Docker File Context
- type: string
- default: .
- required: false
- docker_tag_version:
- description: Provide the docker tag names
- type: string
- default: 'latest'
- required: false
- docker_build_args:
- description: "Multi-Line list of build args with key value"
- type: string
- required: false
- default: ''
- ecr_image_name:
- description: ECR repo image to scan
- type: string
- required: false
- ecr_tag_version:
- description: ECR repo tag version to scan
- type: string
- required: false
- default: 'latest'
- aws_account_id:
- description: "AWS account ID"
- type: string
- required: false
- default: ''
- aws_account_region:
- description: "AWS account region"
- type: string
- required: false
- default: ''
- aws_iam_role_arn:
- description: "AWS ARN IAM Role"
- type: string
- required: false
- default: ''
- trivy_format:
- description: "Trivy format to log out the scan"
- type: string
- default: 'table'
- required: false
- upload_to_codeql:
- description: "Upload SARIF to CodeQL"
- type: boolean
- default: false
- required: false
- default_runner_override_label:
- description: "Change this to 'self-hosted' or 'ubuntu-latest'"
- type: string
- default: "ubuntu-latest"
- required: false
- runner_label:
- description: "Runner label to point to self hosted runners"
- type: string
- default: "ubuntu-latest"
- required: false
- scan_type:
- description: "Scan Type to be scanned"
- type: string
- default: 'docker'
- required: false
- scan_reference:
- description: "Scan reference(e.g. /github/workspace/ or .)"
- type: string
- default: "."
- required: false
- skip_directories:
- description: "Comma separated list of directories where traversal is skipped"
- type: string
- default: ""
- required: false
- secrets:
- OAUTH_TOKEN:
- description: Github Token for accessing other dependency private repo
- required: false
-
-jobs:
- trivy-scan:
- runs-on:
- - ${{ inputs.default_runner_override_label }}
- - ${{ inputs.runner_label }}
- permissions:
- contents: read
- steps:
- - name: Checkout code
- uses: actions/checkout@v3
-
- - name: Set Variable
- id: set-vars
- run: |
- if [ "${{ inputs.docker_tag_name }}" != "" ]; then
- echo "file_output=trivy-results-docker.sarif" >> "$GITHUB_OUTPUT"
- elif [ "${{ inputs.ecr_image_name }}" != "" ] && [ "${{ inputs.aws_account_id }}" != "" ]; then
- echo "file_output=trivy-results-ecr.sarif" >> "$GITHUB_OUTPUT"
- else
- echo "file_output=trivy-results-fs.sarif" >> "$GITHUB_OUTPUT"
- fi
- shell: bash
-
- - name: Configure aws credentials
- uses: aws-actions/configure-aws-credentials@v2
- with:
- role-skip-session-tagging: true
- role-to-assume: ${{ inputs.aws_iam_role_arn }}
- role-session-name: gh-actions
- aws-region: ${{ inputs.aws_account_region }}
- if: ${{ (inputs.docker_tag_name =='') && (inputs.ecr_image_name !='') }}
-
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ inputs.aws_account_id }}.dkr.ecr.${{ inputs.aws_account_region }}.amazonaws.com/${{ inputs.ecr_image_name}}:${{ inputs.ecr_tag_version }}
- format: ${{ inputs.trivy_format }}
- output: ${{ inputs.upload_to_codeql && steps.set-vars.outputs.file_output || '' }}
- if: ${{ (inputs.docker_tag_name =='') && (inputs.ecr_image_name !='') && (inputs.aws_account_id != '') }}
-
- - name: Docker Build and Push
- uses: docker/build-push-action@v2
- with:
- context: ${{ inputs.docker_file_context }}
- file: ${{ inputs.docker_file }}
- tags: ${{ inputs.docker_tag_name }}:${{ inputs.docker_tag_version }}
- build-args: |
- GITHUB_OAUTH_TOKEN=${{
secrets.OAUTH_TOKEN }}
- ${{ inputs.docker_build_args }}
- push: false
- if: ${{ inputs.docker_tag_name !='' }}
-
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ inputs.docker_tag_name }}:${{ inputs.docker_tag_version }}
- format: ${{ inputs.trivy_format }}
- output: ${{ inputs.upload_to_codeql && steps.set-vars.outputs.file_output || '' }}
- ignore-unfixed: false
- vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH,MEDIUM'
- if: ${{ inputs.docker_tag_name !='' }}
-
- - name: Run Trivy vulnerability scanner for Github Repo
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: 'fs'
- scan-ref: ${{ inputs.scan_reference }}
- ignore-unfixed: false
- format: ${{ inputs.trivy_format }}
- output: ${{ inputs.upload_to_codeql && steps.set-vars.outputs.file_output || '' }}
- severity: 'HIGH,CRITICAL,MEDIUM'
- skip-dirs: ${{ inputs.skip_directories }}
- if: ${{ inputs.scan_type == 'fs' }}
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: ${{ steps.set-vars.outputs.file_output }}
- if: ${{ inputs.upload_to_codeql }}
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
index ed91410..6131d12 100644
--- a/.github/workflows/terraform.yaml
+++ b/.github/workflows/terraform.yaml
@@ -7,21 +7,6 @@ on:
 type: boolean
 default: true
 required: false
- trivy_format:
- description: Output format (table, json, sarif, github)
- type: string
- default: sarif
- required: false
- trivy_output:
- description: Save results to a file
- type: string
- default: 'trivy-results.sarif'
- required: false
- trivy_inspect_output:
- description: Print trivy output for inspection, set to 'true' for debugging purposes
- type: string
- default: 'false'
- required: false
 main_branch:
 description: Name of the main branch
 type: string
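Review bot: Dropping `trivy_format`, `trivy_output` and `trivy_inspect_output` from the `workflow_call` inputs is a breaking change to this reusable workflow's interface and the hunk gives callers no deprecation path: a caller that still passes any of them under `with:` is rejected at workflow validation time (GitHub reports the input as not defined in the referenced workflow) rather than warned. Since the subject says this lands on the v4 branch, record it where callers will see it, e.g. a header comment `# v4: trivy_* inputs removed; callers passing them must drop them (PFMENG-5074)` and a line in the v4 release notes. The `on:` block this hunk edits starts before the hunk.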
@@ -337,36 +322,6 @@ jobs:
 # run: |
 # docker build -t docker.io/my-organization/my-app:${{ github.sha }} . --network host
 
- - name: Run Trivy vulnerability scanner in IaC mode
- uses: aquasecurity/trivy-action@v0.35.0
- with:
- scan-type: 'config'
- hide-progress: false
- format: ${{ inputs.trivy_format }}
- output: ${{ inputs.trivy_output }}
- ignore-unfixed: true
- severity: 'CRITICAL,HIGH'
-
- - name: Upload Trivy scan results to Github for inspection
- if: ${{ inputs.trivy_inspect_output == 'true' }}
- uses: actions/upload-artifact@v4
- with:
- path: ${{ inputs.trivy_output }}
- retention-days: 1
-
- # https://github.com/aquasecurity/trivy/issues/5003
- - name: Remove git from url for sarif uploading
- if: ${{ inputs.trivy_format == 'sarif' && inputs.trivy_output != '' }}
- shell: bash
- run: |
- sed -i 's#git::https:/##g' ${{ inputs.trivy_output }}
-
- - name: Upload Trivy scan results to GitHub Security tab
- if: inputs.upload_sarif == true
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: ${{ inputs.trivy_output }}
-
 - name: Get changed files
 id: changed-files
 uses: tj-actions/changed-files@v44
From 4fcfee21fc9752cb5c665b65d9cce217be24cd98 Mon Sep 17 00:00:00 2001
From: S <2216528@cognizant.com>
Date: Fri, 27 Mar 2026 17:13:20 +0530
Subject: [PATCH 2/2] fix tf linting issues and remove trivy scan example file
---
 .github/workflows/fortify-android.yaml | 4 +-
 .github/workflows/fortify-sarif-export.yaml | 5 +-
 .github/workflows/fortify.yaml | 7 ++-
 .github/workflows/meta.yaml | 2 +-
 .github/workflows/package-creation-ecr.yaml | 10 +--
 .../workflows/postman-integration-testing.yml | 2 +-
 .github/workflows/prisma.yaml | 8 +-
 .github/workflows/sonarqube.yaml | 2 +-
 .github/workflows/terraform.yaml | 4 +-
 examples/aqua-trivy-runners.yaml | 63 ------------------
 10 files changed, 23 insertions(+), 84 deletions(-)
 delete mode 100644 examples/aqua-trivy-runners.yaml
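Review bot: Removing the Trivy `scan-type: 'config'` step and its SARIF upload leaves terraform.yaml with no IaC misconfiguration check, and nothing elsewhere in this patch replaces it, so as far as the hunk shows callers of this reusable workflow now get plan/apply with no config scan at all; if that is intended, say so in the workflow header, e.g. `# IaC scanning removed in v4 (PFMENG-5074); callers must run their own config scan`. The removed upload step was the only visible consumer of `upload_sarif`, so that input presumably still exists but is now dead; drop it or document it as a no-op so callers do not assume SARIF is still being published. The surviving context line `uses: tj-actions/changed-files@v44` references a mutable tag, and this action's tags were retargeted to a credential-dumping commit in March 2025, so pin it to a full commit SHA with the version in a trailing comment. The enclosing job starts before the hunk and continues after it.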
diff --git a/.github/workflows/fortify-android.yaml b/.github/workflows/fortify-android.yaml
index 46640a1..f419c1d 100644
--- a/.github/workflows/fortify-android.yaml
+++ b/.github/workflows/fortify-android.yaml
@@ -52,7 +52,7 @@ jobs:
 steps:
 # Check out source code
 - name: Check Out Source Code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
 fetch-depth: 2
@@ -111,7 +111,7 @@ jobs:
 ### Clean up of build folder
 - name: Save sourceanalyzer Logs
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 if: failure()
 with:
 name: scancentral-logs
diff --git a/.github/workflows/fortify-sarif-export.yaml b/.github/workflows/fortify-sarif-export.yaml
index 542bec3..3d3c538 100644
--- a/.github/workflows/fortify-sarif-export.yaml
+++ b/.github/workflows/fortify-sarif-export.yaml
@@ -41,14 +41,15 @@ jobs:
 steps:
 # Check out source code
 - name: Check Out Source Code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
 fetch-depth: 2
 - name: Setup Java
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v4
 with:
 java-version: 11
+ distribution: 'temurin'
 # Pull SAST issues from Fortify on Demand and generate GitHub-optimized SARIF output
 - name: Export Results
 uses: fortify/gha-export-vulnerabilities@v1
diff --git a/.github/workflows/fortify.yaml b/.github/workflows/fortify.yaml
index a737504..2e863e9 100644
--- a/.github/workflows/fortify.yaml
+++ b/.github/workflows/fortify.yaml
@@ -54,7 +54,7 @@ jobs:
 steps:
 # Check out source code
 - name: Check Out Source Code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 # Fetch at least the immediate parents so that if this is a pull request then we can checkout the head.
 fetch-depth: 2
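Review bot: The bumped `uses: actions/upload-artifact@v4` in the "Save sourceanalyzer Logs" step changes semantics, not just the runtime: v4 artifacts are immutable, so a second upload under the same `name: scancentral-logs` within one run fails instead of merging, and v4 artifacts cannot be read by `actions/download-artifact@v3` or older. If this job ever runs as a matrix (not visible in the hunk), make the name unique per leg, e.g. `name: scancentral-logs-${{ strategy.job-index }}`; either way, check that whatever downloads these logs is also on download-artifact v4. The identical bump in fortify.yaml's "Save ScanCentral Logs" step later in this patch has the same caveat. The job body starts before the hunk and continues after it.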
@@ -66,9 +66,10 @@ jobs:
 # Java version to use depends on the Java version required to run your build (if any),
 # and the Java version supported by the ScanCentral Client version that you are running
 - name: Setup Java
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v4
 with:
 java-version: 11
+ distribution: 'temurin'
 ### Set up Fortify ScanCentral Client ###
 - name: Download Fortify ScanCentral Client
@@ -93,7 +94,7 @@ jobs:
 ### Archive ScanCentral Client logs on failure ###
 - name: Save ScanCentral Logs
- uses: actions/upload-artifact@v2
+ uses: actions/upload-artifact@v4
 if: failure()
 with:
 name: scancentral-logs
diff --git a/.github/workflows/meta.yaml b/.github/workflows/meta.yaml
index 1217b93..ec8db58 100644
--- a/.github/workflows/meta.yaml
+++ b/.github/workflows/meta.yaml
@@ -9,7 +9,7 @@ jobs:
 actionlint:
 runs-on: ubuntu-latest
 steps:
- uses: actions/checkout@v2
+ uses: actions/checkout@v4
 - uses: reviewdog/action-actionlint@v1
 if: github.event_name == 'pull_request'
 - name: Check workflow files
diff --git a/.github/workflows/package-creation-ecr.yaml b/.github/workflows/package-creation-ecr.yaml
index b90c878..8ea633d 100644
--- a/.github/workflows/package-creation-ecr.yaml
+++ b/.github/workflows/package-creation-ecr.yaml
@@ -46,10 +46,10 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: configure aws credentials
- uses: aws-actions/configure-aws-credentials@v1
+ uses: aws-actions/configure-aws-credentials@v4
 with:
 role-skip-session-tagging: true
 role-to-assume: ${{ inputs.iam_role_arn }}
@@ -66,10 +66,10 @@ jobs:
 shell: bash
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@v3
 - name: Build and push Docker mutable image
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v6
 env:
 REGISTRY: ${{ steps.login-ecr.outputs.registry }}
 REPOSITORY: ${{ inputs.ecr_repository }}
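Review bot: Every `uses:` in this hunk, including the bumped `aws-actions/configure-aws-credentials@v4` that assumes `inputs.iam_role_arn`, references a mutable major tag, so anyone who can move that tag, or compromise the action's publisher, gets to run code with the assumed AWS role's credentials sitting in the job environment. Pin each action to a full-length commit SHA and keep the version readable in a trailing comment, e.g. `uses: aws-actions/configure-aws-credentials@<40-hex-commit-sha> # v4.x`, and let Dependabot or Renovate advance the SHA; this matters most for this job because of the role assumption. The job body continues past the hunk.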
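Review bot: Jumping `docker/build-push-action` from v3 to v6 on the bumped line changes what gets pushed, not just the action runtime: since v4 the action attaches a SLSA provenance attestation by default when building through the buildx container driver that the step above sets up, so the push to ECR becomes an image index carrying an extra attestation manifest, which the ECR console lists as an `unknown/unknown` platform and which some older pull and scanning tools mishandle. Make the choice explicit rather than inheriting the default: add `provenance: false` under the step's `with:` if consumers expect a single-platform manifest, or keep it and confirm the ECR scanning and deployment tooling in use copes with OCI indexes. The step's `with:` block sits outside the hunk, so the setting has to be added there; the same applies to the immutable-image step in the next hunk.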
@@ -82,7 +82,7 @@ jobs:
 if: inputs.tag_mutability
 - name: Build and push Docker immutable image
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v6
 env:
 REGISTRY: ${{ steps.login-ecr.outputs.registry }}
 REPOSITORY: ${{ inputs.ecr_repository }}
diff --git a/.github/workflows/postman-integration-testing.yml b/.github/workflows/postman-integration-testing.yml
index a2dfdae..24de6c2 100644
--- a/.github/workflows/postman-integration-testing.yml
+++ b/.github/workflows/postman-integration-testing.yml
@@ -42,7 +42,7 @@ jobs:
 node-version: [18.x]
 steps:
 - name: Checkout newshub-postman collection
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 repository: ${{inputs.repository_name}}
 ref: ${{inputs.repository_branch}} # main branch uses the github.ref_name
diff --git a/.github/workflows/prisma.yaml b/.github/workflows/prisma.yaml
index f2326e9..eb5f5bd 100644
--- a/.github/workflows/prisma.yaml
+++ b/.github/workflows/prisma.yaml
@@ -45,7 +45,7 @@ jobs:
 steps:
 - name: Check out the repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 - name: Setup image tag
 run: |
@@ -57,10 +57,10 @@ jobs:
 shell: bash
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v2
+ uses: docker/setup-buildx-action@v3
 - name: Build the image
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v6
 with:
 push: false
 load: true
@@ -72,7 +72,7 @@ jobs:
 if: inputs.action_cache != true
 - name: Build the image with cache
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v6
 with:
 push: false
 load: true
diff --git a/.github/workflows/sonarqube.yaml b/.github/workflows/sonarqube.yaml
index dc58afc..218367c 100644
--- a/.github/workflows/sonarqube.yaml
+++ b/.github/workflows/sonarqube.yaml
@@ -26,7 +26,7 @@ jobs:
 - ${{ inputs.default_runner_override_label }}
 - ${{ inputs.runner_label }}
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
 with:
 fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 - uses: sonarsource/sonarqube-scan-action@master
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
index 6131d12..98b9369 100644
--- a/.github/workflows/terraform.yaml
+++ b/.github/workflows/terraform.yaml
@@ -98,7 +98,7 @@ jobs:
 python-version: '3.11'
 - name: Setup Node only for self-hosted runners
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
 with:
 node-version: 19
@@ -197,7 +197,7 @@ jobs:
 python-version: '3.11'
 - name: Setup Node only for self-hosted runners
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
 with:
 node-version: 19
diff --git a/examples/aqua-trivy-runners.yaml b/examples/aqua-trivy-runners.yaml
deleted file mode 100644
index b63db4c..0000000
--- a/examples/aqua-trivy-runners.yaml
+++ /dev/null
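Review bot: The context line `uses: sonarsource/sonarqube-scan-action@master` two lines below the bumped checkout still tracks a branch rather than a release, so every push to that third-party repo's `master` runs unreviewed code in this job against the freshly checked-out source (`fetch-depth: 0`, so full history) and whatever token the step receives; pinning `actions/checkout@v4` right next to it while leaving this one floating defeats the purpose of the bump. Pin it to a release tag or, better, a full commit SHA, e.g. `uses: sonarsource/sonarqube-scan-action@<40-hex-commit-sha> # vX.Y`. The step's `with:`/`env:` block and the rest of the job lie outside the hunk.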
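Review bot: `node-version: 19` on the last line of this hunk selects a Node release that reached end-of-life in June 2023 and receives no security fixes, so bumping `actions/setup-node` to v4 while keeping an unsupported runtime is an odd stopping point, especially on self-hosted runners where the toolchain persists between jobs. Move it to a current LTS, e.g. `node-version: 22`, and make the same change in the duplicate step covered by the @@ -197 hunk below so the two jobs stay in lockstep. The step's `if:` guard implied by its name, if any, is outside the hunk.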
@@ -1,63 +0,0 @@
-name: aqua-trivy-runners
-on:
- pull_request:
- branches:
- - dev
- push:
- branches:
- - dev
-
-jobs:
- scan-docker-container:
- name: Trivy Scan for scanning Docker Container
- permissions:
- # required for all workflows
- security-events: write
- # only required for workflows in private repositories
- actions: read
- contents: read
- uses: SPHTech-Platform/reusable-workflows/.github/workflows/aqua-security.yaml@v2
- with:
- docker_file:
- docker_tag_name:
- docker_build_args: |
-
- trivy_format: #default the format is table.Possible options [table, json, sarif, github]
- upload_to_codeql: #If needed to upload the sarif report to CodeQL
- secrets:
- oauth_token: ${{ secrets.ORG_GITHUB_TOKEN }}
- scan-ecr-repo:
- name: Trivy Scan for scanning ECR Repo
- permissions:
- # required for all workflows
- security-events: write
- # only required for workflows in private repositories
- actions: read
- contents: read
- uses: SPHTech-Platform/reusable-workflows/.github/workflows/aqua-security.yaml@v2
- with:
- aws_account_id:
- aws_account_region:
- aws_iam_role_arn:
- trivy_format: #default the format is table.Possible options [table, json, sarif, github]
- upload_to_codeql: #If needed to upload the sarif report to CodeQL
- ecr_image_name:
- ecr_tag_version:
- secrets:
- oauth_token: ${{ secrets.ORG_GITHUB_TOKEN }}
- scan-github-repo:
- name: Trivy Scan for scanning Github Repo
- permissions:
- # required for all workflows
- security-events: write
- # only required for workflows in private repositories
- actions: read
- contents: read
- uses: SPHTech-Platform/reusable-workflows/.github/workflows/aqua-security.yaml@v2
- with:
- scan_type: 'fs'
- scan_reference: # default its /github/workspace/ or .
- trivy_format: #default the format is table.Possible options [table, json, sarif, github]
- upload_to_codeql: #If needed to upload the sarif report to CodeQL
- secrets:
- oauth_token: ${{ secrets.ORG_GITHUB_TOKEN }}