cicd-pipeline-scan-examples/cicd-examples/github/github-remote-app-blocking-mode.yaml at main · Probely/cicd-pipeline-scan-examples · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# Remote App in blocking mode

name: CI

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
      # Step 1: Install Probely CLI edit
      - name: Install Probely CLI
        run: |
          # Install Probely CLI
          pip install probely
          # Test probely GET TARGETS
          probely targets get --api-key ${{ secrets.PROBELY_API_KEY }}

      # Step 2: Start Scan
      - name: Start Scan
        run: |
          for i in {1..20}; do
            echo "-----------------------------------"
            SCAN_ID=$(probely targets start-scan ${{ vars.TARGET_ID }} -o IDS_ONLY --api-key ${{ secrets.PROBELY_API_KEY }})
            echo ${SCAN_ID}
            if [ -f ${SCAN_ID} ]; then
              echo "Scan didn't start... Retry start-scan"
            else
              echo "Scan started with SCAN ID: ${SCAN_ID}";
              echo "SCAN_ID=${SCAN_ID}" >> $GITHUB_ENV
              break;
            fi
            sleep 5
          done
          if [ -f $SCAN_ID ]; then
            echo "No Scan ID, aborting..."
            exit 1
          fi

      # Step 3: Wait for scan to end
      - name: Wait for scan to end
        run: |
          # Wait until scan ends
          while true; do
            echo "-----------------------------------"
            SCAN_OUTPUT=$(probely scans get ${SCAN_ID} --api-key ${{ secrets.PROBELY_API_KEY }} | tail -1)
            echo ${SCAN_OUTPUT}
            echo "-----------------------------------"
            SCAN_STATUS=$(probely scans get ${SCAN_ID} --api-key ${{ secrets.PROBELY_API_KEY }} -o JSON | jq -r '.status')
            if [ $SCAN_STATUS == "started" ] || [ $SCAN_STATUS == "queued" ]; then
              echo "Scan is running or queued!";
            else
              echo "Scan is not running... finishing"
              break;
            fi
            sleep 30;
          done

      # Step 4: Optional logic - abort the pipeline if there are any HIGH risk vulnerabilities.
      - name: Check for High risk vulnerabilities
        run: |
          # Wait until scan ends
          HIGH_VULNS=$(probely scans get $SCAN_ID --api-key ${{ secrets.PROBELY_API_KEY }} -o JSON | jq -r '.highs')
          echo "HIGH risk vulnerabilities ${HIGH_VULNS}"
          if [[ "$HIGH_VULNS" -gt 0 ]]; then
            echo "Scan has High risk vulnerabilities... aborting"
            exit 1
          else
            echo "Scan doesn't have High risk vulnerabilities"
          fi