updated workflow

thogue12 · thogue12 · commit d4b63046854d · 2025-02-26T20:09:16.000-05:00
diff --git a/.DS_Store b/.DS_Store
diff --git a/.github/.DS_Store b/.github/.DS_Store
diff --git a/.github/workflows/bringing-it-together.yml b/.github/workflows/bringing-it-together.yml
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
@@ -0,0 +1,22 @@
+name: Build Docker Image
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs: 
+     # Build Docker Image  
+  build:
+    name: Build Docker Image
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Build Docker Image
+      run: |
+        docker build -t awesome-fastapi:${{ github.sha }} . 
diff --git a/.github/workflows/lint-format.yml b/.github/workflows/lint-format.yml
@@ -0,0 +1,36 @@
+name: Linting and Formating checks
+on:
+   workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:  
+    # Run Pylint and Black formatter
+  lint_format:
+    name: Run lint and formatting checks with pylint and black
+    runs-on: ubuntu-latest
+    strategy:
+        matrix:
+          python-version: ["3.12.5"]
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: 'Setup Python ${{ matrix.python-version}}'
+      uses: actions/setup-python@v3
+      with:
+        python-version: '${{ matrix.python-version}}'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install pylint
+        pip install pylint black
+
+    - name: Run pylint
+      run: pylint $(git ls-files '*.py')
+      
+    - name: Run black
+      run: black --check .
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -0,0 +1,22 @@
+name: Main Workflow
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs: 
+    build-image:
+        uses: ./.github/workflows/build-image.yml
+
+    lint-format:
+        uses: ./.github/workflows/lint-format.yml
+        needs: build-image
+    
+    unit-sec-scan:
+        uses: ./.github/workflows/unit-sec-test.yml
+        needs: lint-format
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -0,0 +1,25 @@
+name: PR Workflow
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+      - reopened
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs: 
+    build-image:
+        uses: ./.github/workflows/build-image.yml
+
+    lint-format:
+        uses: ./.github/workflows/lint-format.yml
+        needs: build-image
+    
+    unit-sec-scan:
+        uses: ./.github/workflows/unit-sec-test.yml
+        needs: lint-format
diff --git a/.github/workflows/push-image.yml b/.github/workflows/push-image.yml
@@ -0,0 +1,33 @@
+name: Push Contianer to Docker Hub
+on: 
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+     -
+      name: login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}      
+     -  
+      name: Set up QEMU
+      uses: docker/setup-buildx-action@v3
+     -
+      name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+     -   
+      name: Build and Push
+      uses: docker/build-push-action@v6
+      with:
+        push: true
+        tags: user/app:latest
+
diff --git a/.github/workflows/unit-sec-test.yml b/.github/workflows/unit-sec-test.yml
@@ -0,0 +1,97 @@
+name: Unit and Security Testing
+on:
+  workflow_dispatch:
+    
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs: 
+    # Run unit test cases for the Docker image
+  testing_phase:
+    name: Run unit test
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    
+    - name: Install dependencies
+      run: pip install -r requirements.txt
+
+    - name: Run tests
+      run: pytest tests/
+
+
+  # Run snyk code scanning for vulnerabilities
+  snyk_scan:      
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.12.5"
+
+  
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+          
+      - name: Install Snyk CLI
+        uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
+
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      - name: Snyk Code test
+        run: snyk code test --sarif > snyk-cide.sarif
+
+      - name: Snyk Test Dependencies
+        run: snyk test
+
+
+  # Scan the contianer and lists all security vulnerabilities
+  trivy_scans:
+    name: Run Trivy security scanner against the image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+        with:
+          image-ref: 'awesome-fastapi:${{ github.sha }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'GitHub Actions/Trivy Automation'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+  owasp_zap_scan:
+        runs-on: ubuntu-latest
+        name: app scan
+        steps:
+         - name: Checkout
+           uses: actions/checkout@v4
+           with:
+            ref: master
+        
+         - name: zap scan
+           uses: zaproxy/action-api-scan@v0.9.0
+           with:
+            token: ${{ secrets.GITHUB_TOKEN}}
+            docker_name: 'ghcr.io/zaproxy/zaproxy:stable'
+            format: openapi
+            target: '<fast-api-url>'
+            rules_file_name: '.zap/rules.tsv'
+            cmd_options: '-a'
diff --git a/DevSecOps-Pipeline.yml b/DevSecOps-Pipeline.yml
@@ -0,0 +1,124 @@
+name: DevSecOps Pipeline
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
+jobs:
+
+  # Build Docker Image  
+  build:
+    name: Build Docker Image
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Build Docker Image
+      run: |
+        docker build -t awesome-fastapi:${{ github.sha }} .  
+
+
+  # Run Pylint and Black formatter
+  lint_format:
+    name: Run lint and formatting checks with pylint and black
+    runs-on: ubuntu-latest
+    strategy:
+        matrix:
+          python-version: ["3.12", "3.13"]
+
+    steps:
+    - uses: actions/checkout@v4
+    - name: 'Setup Python ${{ matrix.python-version}}'
+      uses: actions/setup-python@v3
+      with:
+        python-version: '${{ matrix.python-version}}'
+
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install pylint
+        pip install pylint black
+
+    - name: Run pylint
+      run: pylint $(git ls-files '*.py')
+      
+    - name: Run black
+      run: black --check .
+
+
+  # Run unit test cases for the Docker image
+  testing_phase:
+    name: Run unit test
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    
+    - name: Install dependencies
+      run: pip install -r requirements.txt
+
+    - name: Run tests
+      run: pytest
+
+
+  # Run snyk code scanning for vulnerabilities
+  snyk_scan:      
+    permissions:
+      contents: read
+      security-events: write
+      actions: read
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: ["3.12", "3.13"]
+
+  
+      - name: Install dependencies
+        run: pip install -r requirements.txt
+          
+      - name: Install Snyk CLI
+        uses: snyk/actions/setup@806182742461562b67788a64410098c9d9b96adb
+
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      - name: Snyk Code test
+        run: snyk code test --sarif > snyk-cide.sarif
+
+      - name: Snyk Test Dependencies
+        run: snyk test
+
+
+  # Scan the contianer and lists all security vulnerabilities
+  trivy_scans:
+    name: Run Trivy security scanner against the image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+        with:
+          image-ref: 'awesome-fastapi:${{ github.sha }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'GitHub Actions/Trivy Automation'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+
