From ea50897e32dddcb290f3d82ff5702a41d681e26a Mon Sep 17 00:00:00 2001
From: romoh
Date: Wed, 3 Mar 2021 14:23:13 -0800
Subject: [PATCH 1/7] Move security audit checks to a daily schedule instead of on PRs

---
 .github/workflows/check-rust.yml | 5 ----
 .github/workflows/security-audit.yml | 42 ++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/security-audit.yml

diff --git a/.github/workflows/check-rust.yml b/.github/workflows/check-rust.yml
index 9010c822a..d3d4fb810 100644
--- a/.github/workflows/check-rust.yml
+++ b/.github/workflows/check-rust.yml
@@ -24,11 +24,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v1
-    - uses: actions-rs/audit-check@v1
-      with:
-        # token is only used for creating the audit report and does not impact the
-        # functionality or success/failure of the job in case the token is unavailable
-        token: ${{ secrets.GITHUB_TOKEN }}
   build:
     runs-on: ubuntu-latest
     timeout-minutes: 30
diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
new file mode 100644
index 000000000..80bdc2eb4
--- /dev/null
+++ b/.github/workflows/security-audit.yml
@@ -0,0 +1,42 @@
+# This is a security audit workflow that runs security audit checks and send an email in case any vulnerabilities are detected.
+
+name: Security Audit
+on:
+  schedule:
+    - cron: '0 0 * * *' #runs daily at 12:00 am UTC
+
+jobs:
+  security_audit:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v1
+    - name: Run security audit check
+      id: cargo-audit
+      continue-on-error: true
+      uses: actions-rs/audit-check@v1
+      with:
+        # token is only used for creating the audit report and does not impact the
+        # functionality or success/failure of the job in case the token is unavailable
+        token: ${{ secrets.GITHUB_TOKEN }}
+
+    # sends an email if security audit failed
+    - name: Send mail
+      if: steps.cargo-audit.outcome != 'success'
+      uses: dawidd6/action-send-mail@v2
+      with:
+        server_address: smtp-mail.outlook.com
+        server_port: 587
+        username: ${{secrets.AKRI_BOT_EMAIL}}
+        password: ${{secrets.AKRI_BOT_PASSWORD}}
+        subject: "Security vulnerability detected in ${{github.repository}}"
+        body: |-
+          A security vulnerability was detected in one or more of Akri's. For more details, check the output of the [security audit workflow](https://github.com/${{github.repository}}/runs/actions)
+
+          Hint: In most cases, running the [auto-update dependencies](https://github.com/deislabs/akri/actions/workflows/auto-update-dependencies.yml) workflow will fix the issue.
+
+          -Your friendly Akri bot 🤖
+        to: ${{secrets.AKRI_TEAM_EMAIL}}
+        from: ${{secrets.AKRI_BOT_EMAIL}}
+        content_type: text/html
+        convert_markdown: true
+

From 2b71b6db833159ea90efeb431a0c85febf4bf19c Mon Sep 17 00:00:00 2001
From: romoh
Date: Wed, 3 Mar 2021 14:26:14 -0800
Subject: [PATCH 2/7] Fix typo

---
 .github/workflows/security-audit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index 80bdc2eb4..a5fa83639 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
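Review bot: The workflow hands `AKRI_BOT_PASSWORD` and the repository token to third-party actions referenced by mutable tags (`uses: actions-rs/audit-check@v1`, `uses: dawidd6/action-send-mail@v2`), so anyone who can move those tags can run code with the mailbox credentials on a schedule nobody is watching; pin every `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: dawidd6/action-send-mail@<full-commit-sha> # v2`. Because of `continue-on-error: true` on the audit step, a run that finds an advisory still reports success, leaving the email as the only signal; a closing step `- name: Fail run if audit failed` / `if: steps.cargo-audit.outcome != 'success'` / `run: exit 1` would make the run itself go red. Note also that `outcome` is `failure` for any step error, presumably including a transient advisory-database fetch, so the subject line "Security vulnerability detected" can overstate what happened — worth saying in the body or in a comment above the mail step. Since this is schedule-only, a dependency merged via a PR is now only audited at the next nightly run, which the header comment could state explicitly.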
@@ -30,7 +30,7 @@ jobs:
         password: ${{secrets.AKRI_BOT_PASSWORD}}
         subject: "Security vulnerability detected in ${{github.repository}}"
         body: |-
-          A security vulnerability was detected in one or more of Akri's. For more details, check the output of the [security audit workflow](https://github.com/${{github.repository}}/runs/actions)
+          A security vulnerability was detected in one or more of Akri's dependencies. For more details, check the output of the [security audit workflow](https://github.com/${{github.repository}}/runs/actions)
 
           Hint: In most cases, running the [auto-update dependencies](https://github.com/deislabs/akri/actions/workflows/auto-update-dependencies.yml) workflow will fix the issue.
 

From d6cd65badea96ef3b22769471f3f6e344a007d0e Mon Sep 17 00:00:00 2001
From: romoh
Date: Wed, 3 Mar 2021 15:20:28 -0800
Subject: [PATCH 3/7] Link to specific github run url from github context

---
 .github/workflows/security-audit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index a5fa83639..79d275565 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -30,7 +30,7 @@ jobs:
         password: ${{secrets.AKRI_BOT_PASSWORD}}
         subject: "Security vulnerability detected in ${{github.repository}}"
         body: |-
-          A security vulnerability was detected in one or more of Akri's dependencies. For more details, check the output of the [security audit workflow](https://github.com/${{github.repository}}/runs/actions)
+          A security vulnerability was detected in one or more of Akri's dependencies. For more details, check the output of the [security audit workflow](https://github.com/${{github.repository}}/actions/runs/${{github.run_id}})
 
           Hint: In most cases, running the [auto-update dependencies](https://github.com/deislabs/akri/actions/workflows/auto-update-dependencies.yml) workflow will fix the issue.
 
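Review bot: The run link now comes from `${{github.repository}}`, but the Hint line two lines below still hardcodes `deislabs/akri`, so in any other repository (or after a rename) the two links in one message point at different projects. Use the same context expression there: `Hint: In most cases, running the [auto-update dependencies](https://github.com/${{github.repository}}/actions/workflows/auto-update-dependencies.yml) workflow will fix the issue.` The `body: |-` block scalar continues past the end of this hunk.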
From 65527b4a164de6455d0a3d35147fc2d6878a68d5 Mon Sep 17 00:00:00 2001
From: romoh
Date: Wed, 3 Mar 2021 15:25:23 -0800
Subject: [PATCH 4/7] rename rust jobs

---
 .github/workflows/check-rust.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/check-rust.yml b/.github/workflows/check-rust.yml
index d3d4fb810..99d7542b5 100644
--- a/.github/workflows/check-rust.yml
+++ b/.github/workflows/check-rust.yml
@@ -20,7 +20,7 @@ env:
   CARGO_TERM_COLOR: always
 
 jobs:
-  security_audit:
+  rust_checks:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v1

From 7113e27186e3437038e7038856e8be6084a35dc7 Mon Sep 17 00:00:00 2001
From: romoh
Date: Wed, 3 Mar 2021 15:29:01 -0800
Subject: [PATCH 5/7] remove unnecessary job

---
 .github/workflows/check-rust.yml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/.github/workflows/check-rust.yml b/.github/workflows/check-rust.yml
index 99d7542b5..a0c36d113 100644
--- a/.github/workflows/check-rust.yml
+++ b/.github/workflows/check-rust.yml
@@ -20,10 +20,6 @@ env:
   CARGO_TERM_COLOR: always
 
 jobs:
-  rust_checks:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v1
   build:
     runs-on: ubuntu-latest
     timeout-minutes: 30

From 5b38781c4ae1fd1ab2b66889d83e6a2f70adf7b1 Mon Sep 17 00:00:00 2001
From: romoh
Date: Mon, 8 Mar 2021 00:17:43 -0800
Subject: [PATCH 6/7] only run on main and not forks

---
 .github/workflows/security-audit.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index 79d275565..c3a6b3b4b 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -12,6 +12,7 @@ jobs:
     - uses: actions/checkout@v1
     - name: Run security audit check
       id: cargo-audit
+      if: github.repository == 'deislabs/akri' # only run on main repo and not forks
       continue-on-error: true
       uses: actions-rs/audit-check@v1
       with:

From 10224f76f2ed990a9c5fbd540d1b6f97ee9b14b5 Mon Sep 17 00:00:00 2001
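Review bot: Gating only the audit step (`if: github.repository == 'deislabs/akri'` on line 15) leaves the step `skipped` on a fork, so `steps.cargo-audit.outcome != 'success'` is true there and every later step that should not run on forks needs the same condition repeated — the last patch in this series does exactly that for the mail step. A job-level condition states the intent once and also skips the `actions/checkout@v1` step: put `if: github.repository == 'deislabs/akri' # only run on main repo and not forks` directly under `security_audit:` and drop the per-step copies. The job header (`security_audit:`, `runs-on:`, `steps:`) is outside this hunk.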
From: Roaa Sakr
Date: Tue, 9 Mar 2021 10:34:03 -0800
Subject: [PATCH 7/7] Update security-audit.yml

Restrict the action to main repo and not forks
---
 .github/workflows/security-audit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
index c3a6b3b4b..efb05c301 100644
--- a/.github/workflows/security-audit.yml
+++ b/.github/workflows/security-audit.yml
@@ -22,7 +22,7 @@ jobs:
     # sends an email if security audit failed
     - name: Send mail
-      if: steps.cargo-audit.outcome != 'success'
+      if: steps.cargo-audit.outcome != 'success' && github.repository == 'deislabs/akri' # only run on main repo and not forks
       uses: dawidd6/action-send-mail@v2
       with:
         server_address: smtp-mail.outlook.com