chore: updating workflows

Author: kadraman

.github/workflows/ci.yml

@@ -67,3 +67,18 @@ jobs:
           tags: |
             ghcr.io/${{ github.repository_owner }}/insecurewebapp:${{ github.sha }}
             ghcr.io/${{ github.repository_owner }}/insecurewebapp:latest
+
+  cleanup-images:
+    name: Cleanup old GHCR images
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete old GHCR package versions (keep last 5)
+        uses: actions/delete-package-versions@v5
+        with:
+          package-name: insecurewebapp
+          owner: ${{ github.repository_owner }}
+          min-versions-to-keep: 5
+          package-type: container
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/codeql.yml

@@ -85,7 +85,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@v4
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -114,7 +114,7 @@ jobs:
 
     - name: Perform CodeQL Analysis
       id: analyze
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@v4
       with:
         category: "/language:${{matrix.language}}"
         output: sarif-out/${{ matrix.language }}
@@ -139,3 +139,37 @@ jobs:
         path: export/*.sarif
         if-no-files-found: error
         retention-days: 30
+
+  merge-sarif:
+    name: Merge SARIF files
+    needs: analyze
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+      - name: Download all SARIF artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+
+      - name: Install jq
+        run: sudo apt-get update && sudo apt-get install -y jq
+
+      - name: Merge SARIF files
+        run: |
+          set -euo pipefail
+          mkdir -p export
+          # Find all SARIF files downloaded from matrix jobs and merge their `runs` arrays.
+          find artifacts -type f -name '*.sarif' -print0 | xargs -0 jq -s '{version: (.[0].version), "$schema": (.[0]."$schema"), runs: map(.runs) | add}' > export/combined_${{ github.run_id }}.sarif
+          # Also copy individual SARIF files into export/ for convenience
+          find artifacts -type f -name '*.sarif' -exec cp {} export/ \;
+          echo "Prepared $(ls -1 export | wc -l) SARIF files in export/"
+
+      - name: Upload merged SARIF artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sarif-combined-${{ github.run_id }}
+          path: export/*.sarif
+          if-no-files-found: error
+          retention-days: 30

.github/workflows/fod.yml

@@ -38,11 +38,11 @@ on:
       - 'tests/**'
       - '*.md'
       - 'LICENSE'
-    #branches-ignore:
-    #  - main
-    #  - develop
     branches:
-      - '**'        # matches every branch
+      - main
+      - develop
+      - feature/**
+      - bugfix/**
   pull_request:
     branches: [ main, develop ]
 
@@ -56,11 +56,7 @@ on:
       runFoDOSSScan:
         description: 'Carry out OSS scan using OpenText Core Application Security'
         required: false
-        default: 'true'       
-      deployApp:
-        description: 'Deploy App to Azure'
-        required: false
-        default: 'true'           
+        default: 'true'                
       runFoDDASTScan:
         description: 'Carry out DAST scan using OpenText Core Application Security'
         required: false
@@ -94,48 +90,7 @@ jobs:
             echo "Running in a branch pipeline ..."
             echo "FOD_RELEASE=${{ env.DEFAULT_APP_NAME }}${{ vars.FORTIFY_APP_NAME_POSTFIX }}:${{ github.ref_name }}" >> $GITHUB_OUTPUT
             echo "FOD_PARENT_RELEASE=${{ env.DEFAULT_APP_NAME }}${{ vars.FORTIFY_APP_NAME_POSTFIX }}:${{ env.DEFAULT_PARENT_RELEASE_NAME }}" >> $GITHUB_OUTPUT
-          fi
-
-  Build-And-Unit-Test:
-    runs-on: ubuntu-latest
-    needs: [ Env-Prepare ]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Set up Python
-        uses: actions/setup-python@v5
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-          cache: 'pip'
-      - name: Create and start virtual environment
-        run: |
-          python -m venv venv
-          source venv/bin/activate          
-      - name: Install dependencies
-        run: |
-          pip install -r requirements.txt
-          pip install pytest pytest-md pytest-emoji
-      - uses: pavelzw/pytest-action@v2
-        with:
-          emoji: false
-          verbose: false
-          job-summary: true
-      # Publish test results
-      #- name: Publish Test Results
-      #  uses: EnricoMi/publish-unit-test-result-action@v2
-      #  if: always()
-      #  with:
-      #    files: |
-      #      build/test-results/**/*.xml
-      #      build/test-results/**/*.trx
-      #      build/test-results/**/*.json
-      - name: Upload artifact for deployment jobs
-        uses: actions/upload-artifact@v4
-        with:
-          name: python-app
-          path: |
-            .
-            !venv/     
+          fi   
 
   FoD-SAST-Scan:
     runs-on: ubuntu-latest
@@ -194,7 +149,7 @@ jobs:
   FoD-OSS-Scan:
     runs-on: ubuntu-latest
     if: ${{ (github.event_name == 'push') || (github.event_name == 'pull_request') || (github.event.inputs.runFoDOSSScan == 'true') }}
-    needs: [ Env-Prepare, FoD-SAST-Scan ] # for creating new FoD release (if required)
+    needs: [ Env-Prepare ]
     env: 
       FOD_RELEASE: ${{ needs.Env-Prepare.outputs.FOD_RELEASE }}
       FOD_PARENT_RELEASE: ${{ needs.Env-Prepare.outputs.FOD_PARENT_RELEASE }}
@@ -227,46 +182,11 @@ jobs:
           FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }}
           PACKAGE_FILE: "fortifypackage.zip"
           FOD_RELEASE: ${{ env.FOD_RELEASE }}
-
-  Deploy-App:
-    permissions:
-      contents: none
-    runs-on: ubuntu-latest
-    needs: [ Build-And-Unit-Test, FoD-SAST-Scan, FoD-OSS-Scan ]
-    environment:
-      name: 'Development'
-      #url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
-    if: ${{ success() && github.ref_name == github.event.repository.default_branch }}
-    steps:
-      - name: Download artifact from build job
-        uses: actions/download-artifact@v4
-        with:
-          name: python-app
-          path: .
-      # Example deployment to azure web app
-      # This is commented out as it is done in workflows/azure_webapp..yml
-      #- name: 'Deploy to Azure Web App'
-      #  id: deploy-to-webapp
-      #   uses: azure/webapps-deploy@v3
-      #  with:
-      #    app-name: ${{ env.AZURE_WEBAPP_NAME }}
-      #    publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_94429323A56E479BA44DAB94865DCF4A }}
-
-  Functional-Test:
-    runs-on: ubuntu-latest
-    if: ${{ always() }}
-    needs: [ Env-Prepare, Deploy-App ]
-    env:
-      FOD_RELEASE: ${{ needs.Env-Prepare.outputs.FOD_RELEASE }}
-      FOD_PARENT_RELEASE: ${{ needs.Env-Prepare.outputs.FOD_PARENT_RELEASE }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-   
+  
   FoD-DAST-Scan:
     runs-on: ubuntu-latest
     if: ${{ (github.ref_name == github.event.repository.default_branch) && (github.event.inputs.runFoDDASTScan == 'true') }}
-    needs: [ Env-Prepare, Deploy-App ]
+    needs: [ Env-Prepare, FoD-SAST-Scan, FoD-OSS-Scan ]
     env: 
       FOD_RELEASE: ${{ needs.Env-Prepare.outputs.FOD_RELEASE }}
       FOD_PARENT_RELEASE: ${{ needs.Env-Prepare.outputs.FOD_PARENT_RELEASE }}
@@ -323,13 +243,3 @@ jobs:
           FOD_CLIENT_ID: ${{ secrets.FOD_CLIENT_ID }}
           FOD_CLIENT_SECRET: ${{ secrets.FOD_CLIENT_SECRET }}
           FOD_RELEASE: ${{ env.FOD_RELEASE }}
-
-  #Release-To-Prod:
-  #  runs-on: ubuntu-latest
-  #  needs: [ Env-Prepare, Verify-Security-Policy ]
-  #  env: 
-  #    FOD_RELEASE: ${{ needs.Env-Prepare.outputs.FOD_RELEASE }}
-  #    FOD_PARENT_RELEASE: ${{ needs.Env-Prepare.outputs.FOD_PARENT_RELEASE }}
-  #  steps:
-  #    - name: Checkout
-  #      uses: actions/checkout@v4

.github/workflows/semgrep.yml

@@ -1,14 +1,14 @@
 name: Semgrep (SARIF export)
 
 on:
-  push:
-    branches: [ "main" ]
-  pull_request:
-    branches: [ "main" ]
   workflow_dispatch:
     inputs:
       upload_sarif:
-        description: 'Set to "true" to upload SARIF to GitHub Code Scanning'
+        description: 'Set to "true" to upload SARIF artifact to GitHub'
+        required: false
+        default: 'true'
+      import_sarif:
+        description: 'Set to "true" to import SARIF results to GitHub Code Scanning'
         required: false
         default: 'false'
 
@@ -19,8 +19,6 @@ permissions:
 
 jobs:
   semgrep:
-    # only run this job if the repository is origin 'kadraman/InsecureWeb not forked repositories
-    if: ${{ github.repository == 'kadraman/InsecureWebApp' }}
     runs-on: ubuntu-latest
 
     steps:
@@ -49,9 +47,9 @@ jobs:
           # Optional Semgrep App token if you use Semgrep Cloud Platform features
           # SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
 
-      - name: Upload SARIF to GitHub Code Scanning
-        if: ${{ github.event.inputs.upload_sarif == 'true' }}
-        uses: github/codeql-action/upload-sarif@v3
+      - name: Import SARIF results to GitHub Code Scanning
+        if: ${{ github.event.inputs.import_sarif == 'true' }}
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: sarif-out/semgrep.sarif
           category: "semgrep"
@@ -64,6 +62,7 @@ jobs:
           cp sarif-out/semgrep.sarif "export/semgrep_${ts}.sarif"
 
       - name: Upload SARIF artifact
+        if: ${{ github.event.inputs.upload_sarif == 'true' }}
         uses: actions/upload-artifact@v4
         with:
           name: sarif-semgrep-${{ github.run_id }}

.github/workflows/trivy.yml

@@ -0,0 +1,51 @@
+name: Trivy container SARIF scan
+
+on:
+  workflow_dispatch:
+    inputs:
+      upload_sarif:
+        description: 'Set to "true" to upload SARIF artifact to GitHub'
+        required: false
+        default: 'true'
+      import_sarif:
+        description: 'Set to "true" to import SARIF results to GitHub Code Scanning'
+        required: false
+        default: 'false'
+
+permissions:
+  contents: read
+  security-events: write   # required to upload SARIF to Code Scanning
+  actions: read
+
+jobs:
+  scan:
+    name: Scan GHCR image with Trivy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set image
+        run: echo "IMAGE=ghcr.io/${{ github.repository_owner }}/insecurewebapp:latest" >> $GITHUB_ENV
+
+      - name: Pull image
+        run: docker pull $IMAGE
+
+      - name: Run Trivy (SARIF)
+        run: |
+          set -euo pipefail
+          # Run Trivy in a container and output SARIF to a file
+          docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$PWD:/work" aquasecurity/trivy:latest image --format sarif -o /work/trivy.sarif "$IMAGE"
+
+      - name: Import SARIF results to GitHub Code Scanning
+        if: ${{ github.event.inputs.import_sarif == 'true' }}
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: trivy.sarif
+          category: "trivy"
+
+      - name: Upload SARIF artifact
+        if: ${{ github.event.inputs.upload_sarif == 'true' }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-sarif-${{ github.run_id }}
+          path: trivy.sarif
+          if-no-files-found: error
+          retention-days: 30