From abcc65f21278bd6c157f41e783434248d4ea0c6f Mon Sep 17 00:00:00 2001 From: Matt <34448412+mattops@users.noreply.github.com> Date: Wed, 16 Oct 2024 10:51:16 +0100 Subject: [PATCH] Move security jobs from circleci to github actions (#243) --- .github/workflows/rename_template_project_pr.yml | 4 ++-- .github/workflows/security_owasp.yml | 12 ++++++++++++ .github/workflows/security_trivy.yml | 12 ++++++++++++ .../workflows/security_veracode_pipeline_scan.yml | 12 ++++++++++++ .github/workflows/security_veracode_policy_scan.yml | 12 ++++++++++++ rename-project.bash | 13 ++++++++----- 6 files changed, 58 insertions(+), 7 deletions(-) create mode 100644 .github/workflows/security_owasp.yml create mode 100644 .github/workflows/security_trivy.yml create mode 100644 .github/workflows/security_veracode_pipeline_scan.yml create mode 100644 .github/workflows/security_veracode_policy_scan.yml diff --git a/.github/workflows/rename_template_project_pr.yml b/.github/workflows/rename_template_project_pr.yml index 907d888..cc85dd2 100644 --- a/.github/workflows/rename_template_project_pr.yml +++ b/.github/workflows/rename_template_project_pr.yml @@ -9,7 +9,7 @@ on: slack_releases_channel: description: 'Slack channel for release notifications.' required: true - pipeline_security_slack_channel: + security_alerts_slack_channel_id: description: 'Slack channel for pipeline security notifications.' required: true non_prod_alerts_prometheus_severity_label: 
@@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@v4 - name: Run rename-project script - run: ./rename-project.bash ${{ github.event.repository.name }} ${{ inputs.slack_releases_channel }} ${{ inputs.pipeline_security_slack_channel }} ${{ inputs.non_prod_alerts_prometheus_severity_label }} ${{ inputs.prod_alerts_prometheus_severity_label }} ${{ inputs.product_id }} + run: ./rename-project.bash ${{ github.event.repository.name }} ${{ inputs.slack_releases_channel }} ${{ inputs.security_alerts_slack_channel_id }} ${{ inputs.non_prod_alerts_prometheus_severity_label }} ${{ inputs.prod_alerts_prometheus_severity_label }} ${{ inputs.product_id }} - name: Delete this github actions workflow run: rm .github/workflows/rename_template_project* diff --git a/.github/workflows/security_owasp.yml b/.github/workflows/security_owasp.yml new file mode 100644 index 0000000..6abf635 --- /dev/null +++ b/.github/workflows/security_owasp.yml @@ -0,0 +1,12 @@ +name: Security OWASP dependency check +on: + workflow_dispatch: + schedule: + - cron: "19 6 * * MON-FRI" # Every weekday +jobs: + security-kotlin-owasp-check: + name: Kotlin security OWASP dependency check + uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_owasp.yml@v0.7 # WORKFLOW_VERSION + with: + channel_id: C05J915DX0Q + secrets: inherit diff --git a/.github/workflows/security_trivy.yml b/.github/workflows/security_trivy.yml new file mode 100644 index 0000000..4e80707 --- /dev/null +++ b/.github/workflows/security_trivy.yml @@ -0,0 +1,12 @@ +name: Security trivy dependency check +on: + workflow_dispatch: + schedule: + - cron: "19 6 * * MON-FRI" # Every weekday +jobs: + security-kotlin-trivy-check: + name: Project security trivy dependency check + uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_trivy.yml@v0.7 # WORKFLOW_VERSION + with: + channel_id: C05J915DX0Q + secrets: inherit 
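Review bot: The changed `run:` line still interpolates every `${{ inputs.* }}` value directly into the shell command, so an input containing a space, `;` or `$(…)` changes what the script receives or is executed rather than passed as an argument. Triggering `workflow_dispatch` needs write access to the repository, so the exposure is to collaborators and typos rather than anonymous users, but this is the expression-injection pattern CodeQL and zizmor flag. Pass the inputs through `env:` and quote them in the command instead; `github.event.repository.name` cannot contain shell metacharacters, so only the user inputs need the change. The job and its steps list start above this hunk.
```yaml
      - name: Run rename-project script
        env:
          REPO_NAME: ${{ github.event.repository.name }}
          SLACK_RELEASES_CHANNEL: ${{ inputs.slack_releases_channel }}
          SECURITY_ALERTS_SLACK_CHANNEL_ID: ${{ inputs.security_alerts_slack_channel_id }}
          NON_PROD_SEVERITY: ${{ inputs.non_prod_alerts_prometheus_severity_label }}
          PROD_SEVERITY: ${{ inputs.prod_alerts_prometheus_severity_label }}
          PRODUCT_ID: ${{ inputs.product_id }}
        run: ./rename-project.bash "$REPO_NAME" "$SLACK_RELEASES_CHANNEL" "$SECURITY_ALERTS_SLACK_CHANNEL_ID" "$NON_PROD_SEVERITY" "$PROD_SEVERITY" "$PRODUCT_ID"
      # … unchanged: "Delete this github actions workflow" step …
```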
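Review bot: `secrets: inherit` hands every repository and organisation secret to the reusable workflow in `ministryofjustice/hmpps-github-actions`, although this job only needs whatever that workflow uses to run the scan and post to Slack; anyone who can push to that repository, or move the `v0.7` tag, can read all of this project's secrets from a scheduled run. Prefer passing the specific secrets by name under `secrets:` — the names are not visible in this diff, so take them from the called workflow's `workflow_call.secrets` block. The same `secrets: inherit` appears in the other three new security workflows.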
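Review bot: No `permissions:` block is set, so the `GITHUB_TOKEN` the called workflow receives carries the repository's default token permissions, which can be read/write on older repositories. Add a top-level block with the least the reusable workflow needs, starting from `permissions:` / `  contents: read`, and widen it (for example `security-events: write` if it uploads SARIF — not visible here) only if the run fails. The other three new workflow files have the same gap.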
diff --git a/.github/workflows/security_veracode_pipeline_scan.yml b/.github/workflows/security_veracode_pipeline_scan.yml new file mode 100644 index 0000000..c825bdd --- /dev/null +++ b/.github/workflows/security_veracode_pipeline_scan.yml @@ -0,0 +1,12 @@ +name: Security veracode pipeline scan +on: + workflow_dispatch: + schedule: + - cron: "19 6 * * MON-FRI" # Every weekday +jobs: + security-veracode-pipeline-scan: + name: Project security veracode pipeline scan + uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_pipeline_scan.yml@v0.7 # WORKFLOW_VERSION + with: + channel_id: C05J915DX0Q + secrets: inherit diff --git a/.github/workflows/security_veracode_policy_scan.yml b/.github/workflows/security_veracode_policy_scan.yml new file mode 100644 index 0000000..f574796 --- /dev/null +++ b/.github/workflows/security_veracode_policy_scan.yml @@ -0,0 +1,12 @@ +name: Security veracode policy scan +on: + workflow_dispatch: + schedule: + - cron: "34 6 * * 1" # Every Monday +jobs: + security-veracode-policy-check: + name: Project security veracode policy scan + uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_policy_scan.yml@v0.7 # WORKFLOW_VERSION + with: + channel_id: C05J915DX0Q + secrets: inherit diff --git a/rename-project.bash b/rename-project.bash index 741d2b8..292e988 100755 --- a/rename-project.bash +++ b/rename-project.bash 
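Review bot: The reusable workflow is referenced at the mutable tag `@v0.7`, so the code this scheduled job executes — with access to this repository's secrets — is whatever that tag points at on the day, not what was reviewed here. Pin to the full commit SHA and keep the version in the trailing comment so whatever reads the `# WORKFLOW_VERSION` marker (it looks like a hook for bump tooling) still finds it: `uses: ministryofjustice/hmpps-github-actions/.github/workflows/security_veracode_pipeline_scan.yml@<40-char sha> # v0.7 WORKFLOW_VERSION`. The same applies to the other three new workflow files.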
@@ -11,14 +11,14 @@ fi if [[ $# -ge 1 ]]; then PROJECT_INPUT=$1 SLACK_RELEASES_CHANNEL=$2 - PIPELINE_SECURITY_SLACK_CHANNEL=$3 + SECURITY_ALERTS_SLACK_CHANNEL_ID=$3 NON_PROD_ALERTS_SEVERITY_LABEL=$4 PROD_ALERTS_SEVERITY_LABEL=$5 PRODUCT_ID=$6 else read -rp "New project name e.g. prison-visits >" PROJECT_INPUT read -rp "Slack channel for release notifications >" SLACK_RELEASES_CHANNEL - read -rp "Slack channel for pipeline security notifications >" PIPELINE_SECURITY_SLACK_CHANNEL + read -rp "Slack channel for pipeline security notifications >" SECURITY_ALERTS_SLACK_CHANNEL_ID echo "For configurating alert severity labels, please first see https://user-guide.cloud-platform.service.justice.gov.uk/documentation/monitoring-an-app/how-to-create-alarms.html#creating-your-own-custom-alerts" read -rp "Non-prod kubernetes alerts. The severity label used by prometheus to route alert notifications to slack >" NON_PROD_ALERTS_SEVERITY_LABEL read -rp "Production kubernetes alerts. The severity label used by prometheus to route alert notifications to slack >" PROD_ALERTS_SEVERITY_LABEL 
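Review bot: The new prompt still asks for a "Slack channel" while the value it collects is substituted for the channel ID placeholder `C05J915DX0Q` in the workflow files (next hunk), so a user who types a channel name such as `#security-alerts` ends up with workflows whose Slack notifications cannot be delivered. Make the prompt say what is expected: `read -rp "Slack channel ID (e.g. C05J915DX0Q) for pipeline security notifications >" SECURITY_ALERTS_SLACK_CHANNEL_ID`. The `workflow_dispatch` input description in the first hunk has the same wording and could be updated to match. The `fi` closing this `if`/`else` is outside the hunk.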
@@ -87,12 +87,15 @@ RANDOM_HOUR=$((RANDOM % (9 - 3 + 1) + 3)) RANDOM_MINUTE=$(($RANDOM%60)) RANDOM_MINUTE2=$(($RANDOM%60)) sed -i -z -E \ - -e "s/security:\n triggers:\n - schedule:\n cron: \"15 7/security:\n triggers:\n - schedule:\n cron: \"$RANDOM_MINUTE $RANDOM_HOUR/" \ - -e "s/security-weekly:\n triggers:\n - schedule:\n cron: \"0 5/security-weekly:\n triggers:\n - schedule:\n cron: \"$RANDOM_MINUTE2 $RANDOM_HOUR/" \ -e "s/SLACK_RELEASES_CHANNEL/$SLACK_RELEASES_CHANNEL/" \ - -e "s/PIPELINE_SECURITY_SLACK_CHANNEL/$PIPELINE_SECURITY_SLACK_CHANNEL/" \ .circleci/config.yml +sed -i -z -E \ + -e "s/on:\n workflow_dispatch:\n schedule:\n - cron: \"19 6/on:\n workflow_dispatch:\n schedule:\n - cron: \"$RANDOM_MINUTE $RANDOM_HOUR/" \ + -e "s/on:\n workflow_dispatch:\n schedule:\n - cron: \"34 6/on:\n workflow_dispatch:\n schedule:\n - cron: \"$RANDOM_MINUTE2 $RANDOM_HOUR/" \ + -e "s/C05J915DX0Q/$SECURITY_ALERTS_SLACK_CHANNEL_ID/" \ + .github/workflows/* + # lastly remove ourselves rm rename-project.bash
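Review bot: `$SECURITY_ALERTS_SLACK_CHANNEL_ID` is spliced unescaped into the sed replacement, so a value containing `/`, `&` or `\` either aborts sed or is rewritten (`&` becomes the matched text), and in the workflow path the value comes straight from a `workflow_dispatch` input. Since a Slack channel ID is a short upper-case alphanumeric token, reject anything else before the first `sed` runs: `[[ $SECURITY_ALERTS_SLACK_CHANNEL_ID =~ ^[A-Z0-9]+$ ]] || { echo "Expected a Slack channel ID like C05J915DX0Q" >&2; exit 1; }`. The pre-existing `$SLACK_RELEASES_CHANNEL` substitution has the same weakness, though that line is unchanged here.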