Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
114 changes: 114 additions & 0 deletions .github/actions/security/fossa-container-scan/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,114 @@
name: "FOSSA Container Scan"
description: "Scan a single container image with FOSSA for license compliance and vulnerability analysis"

inputs:
imageFile:
description: "Path to container image file for docker load"
required: true
image:
description: "Image name for artifact naming and categorization"
required: true
scanName:
description: "Name used as FOSSA project name. Defaults to the image name if not set."
required: false
default: ""
fossaTest:
description: "Whether to also run 'fossa container test' for policy compliance checking"
required: false
default: "false"
fossaTeam:
description: "Team name that is used for uploading results."
required: false
default: "Strimzi"
branch:
description: "Branch name to associate with this scan in FOSSA (e.g., branch name or image tag)"
required: false
default: ""

runs:
using: "composite"
steps:
- name: Install FOSSA CLI
shell: bash
run: |
curl -H 'Cache-Control: no-cache' \
https://raw.githubusercontent.com/fossas/fossa-cli/f9cd35ff5d917672d5433c46603de4ed92c53a0d/install-latest.sh | bash # v3.17.12

- name: Load container image
shell: bash
env:
IMAGE_FILE: ${{ inputs.imageFile }}
IMAGE_NAME: ${{ inputs.image }}
run: |
if [ ! -f "$IMAGE_FILE" ]; then
echo "::error::Image file not found: $IMAGE_FILE"
exit 1
fi

LOAD_OUTPUT=$(docker load < "$IMAGE_FILE")
echo "$LOAD_OUTPUT"
LOADED_IMAGE=$(echo "$LOAD_OUTPUT" | grep "Loaded image" | sed 's/Loaded image: //')

if [ -z "$LOADED_IMAGE" ]; then
echo "::error::Could not determine loaded image tag for $IMAGE_NAME"
exit 1
fi

echo "LOADED_IMAGE=$LOADED_IMAGE" >> "$GITHUB_ENV"

- name: Run FOSSA Container Analyze
shell: bash
continue-on-error: true
run: |
ANALYZE_LOG=$(mktemp)
set +e
SCAN_NAME="${{ inputs.scanName }}"
if [ -z "$SCAN_NAME" ]; then
SCAN_NAME="${{ inputs.image }}"
fi
fossa container analyze \
--project "$SCAN_NAME" \
--team "${{ inputs.fossaTeam }}" \
--branch "${{ inputs.branch }}" \
"$LOADED_IMAGE" > "$ANALYZE_LOG" 2>&1
set -e
cat "$ANALYZE_LOG"
FOSSA_URL=$(grep -o 'https://app.fossa.com[^ ]*' "$ANALYZE_LOG" | head -1 || true)
echo "FOSSA_URL=$FOSSA_URL" >> "$GITHUB_ENV"
rm -f "$ANALYZE_LOG"

- name: Run FOSSA Test and Write Summary
if: always()
shell: bash
run: |
set +e
SCAN_NAME="${{ inputs.scanName }}"
if [ -z "$SCAN_NAME" ]; then
SCAN_NAME="${{ inputs.image }}"
fi
TEST_OUTPUT=$(fossa container test --project "$SCAN_NAME" "$LOADED_IMAGE" 2>&1)
TEST_EXIT_CODE=$?
set -e
echo "$TEST_OUTPUT"

if [ "${{ inputs.fossaTest }}" == "true" ]; then
if [ "$TEST_EXIT_CODE" -eq 0 ]; then
TEST_RESULT="✅ passed"
else
TEST_RESULT="❌ failed"
fi
else
TEST_RESULT="⏭️ skipped"
fi

echo "## FOSSA Scan Summary" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "| Type | Image | Report | Test |" >> "$GITHUB_STEP_SUMMARY"
echo "|------|-------|--------|------|" >> "$GITHUB_STEP_SUMMARY"
if [ -n "$FOSSA_URL" ]; then
echo "| Container | ${{ inputs.image }} | [View in FOSSA]($FOSSA_URL) | $TEST_RESULT |" >> "$GITHUB_STEP_SUMMARY"
else
echo "| Container | ${{ inputs.image }} | ❌ upload failed | $TEST_RESULT |" >> "$GITHUB_STEP_SUMMARY"
echo "::error::FOSSA container analyze failed — no report URL found in output"
exit 1
fi
6 changes: 6 additions & 0 deletions .github/actions/security/fossa-maven-scan/.fossa.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
version: 3

maven:
scope-exclude:
- test
- provided
100 changes: 100 additions & 0 deletions .github/actions/security/fossa-maven-scan/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,100 @@
name: "FOSSA Maven Scan"
description: "Run FOSSA scan on Maven dependencies with license compliance and vulnerability analysis"

inputs:
fossaTest:
description: "Whether to also run 'fossa test' for policy compliance checking"
required: false
default: "false"
scanName:
description: "Name used for artifact naming (e.g., 'strimzi')"
required: true
exclude:
description: "Comma-separated list of directories to exclude from scanning (e.g., 'mockkube,test')"
required: false
default: ""
fossaTeam:
description: "Team name that is used for uploading results."
required: false
default: "Strimzi"
branch:
description: "Branch name to associate with this scan in FOSSA (e.g., branch name or image tag)"
required: false
default: ""

runs:
using: "composite"
steps:
- name: Install FOSSA CLI
shell: bash
run: |
curl -H 'Cache-Control: no-cache' \
https://raw.githubusercontent.com/fossas/fossa-cli/f9cd35ff5d917672d5433c46603de4ed92c53a0d/install-latest.sh | bash # v3.17.12

- name: Configure FOSSA
shell: bash
run: |
if [ -f .fossa.yml ]; then
echo "::warning::Existing .fossa.yml found in workspace — using project configuration instead of action defaults"
else
cp "${{ github.action_path }}/.fossa.yml" .fossa.yml
fi

if [ -n "${{ inputs.exclude }}" ]; then
echo "" >> .fossa.yml
echo "paths:" >> .fossa.yml
echo " exclude:" >> .fossa.yml
IFS=',' read -ra DIRS <<< "${{ inputs.exclude }}"
for dir in "${DIRS[@]}"; do
dir=$(echo "$dir" | xargs)
echo " - $dir/" >> .fossa.yml
done
fi

- name: Run FOSSA Analyze
shell: bash
continue-on-error: true
run: |
ANALYZE_LOG=$(mktemp)
set +e
fossa analyze \
--project "${{ inputs.scanName }}" \
--team "${{ inputs.fossaTeam }}" \
--branch "${{ inputs.branch }}" > "$ANALYZE_LOG" 2>&1
set -e
cat "$ANALYZE_LOG"
FOSSA_URL=$(grep -o 'https://app.fossa.com[^ ]*' "$ANALYZE_LOG" | head -1 || true)
echo "FOSSA_URL=$FOSSA_URL" >> "$GITHUB_ENV"
rm -f "$ANALYZE_LOG"

- name: Run FOSSA Test and Write Summary
if: always()
shell: bash
run: |
set +e
TEST_OUTPUT=$(fossa test --project "${{ inputs.scanName }}" 2>&1)
TEST_EXIT_CODE=$?
set -e
echo "$TEST_OUTPUT"

if [ "${{ inputs.fossaTest }}" == "true" ]; then
if [ "$TEST_EXIT_CODE" -eq 0 ]; then
TEST_RESULT="✅ passed"
else
TEST_RESULT="❌ failed"
fi
else
TEST_RESULT="⏭️ skipped"
fi

echo "## FOSSA Scan Summary" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "| Type | Project | Report | Test |" >> "$GITHUB_STEP_SUMMARY"
echo "|------|---------|--------|------|" >> "$GITHUB_STEP_SUMMARY"
if [ -n "$FOSSA_URL" ]; then
echo "| Maven | ${{ inputs.scanName }} | [View in FOSSA]($FOSSA_URL) | $TEST_RESULT |" >> "$GITHUB_STEP_SUMMARY"
else
echo "| Maven | ${{ inputs.scanName }} | ❌ upload failed | $TEST_RESULT |" >> "$GITHUB_STEP_SUMMARY"
echo "::error::FOSSA analyze failed — no report URL found in output"
exit 1
fi
Loading
Loading