mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-08 13:11:52 +00:00
229 lines
6.3 KiB
YAML
229 lines
6.3 KiB
YAML
name: 'API: Pull Request'
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- 'master'
|
|
- 'v5.*'
|
|
paths:
|
|
- '.github/workflows/api-pull-request.yml'
|
|
- 'api/**'
|
|
- '!api/docs/**'
|
|
- '!api/README.md'
|
|
- '!api/CHANGELOG.md'
|
|
pull_request:
|
|
branches:
|
|
- 'master'
|
|
- 'v5.*'
|
|
paths:
|
|
- '.github/workflows/api-pull-request.yml'
|
|
- 'api/**'
|
|
- '!api/docs/**'
|
|
- '!api/README.md'
|
|
- '!api/CHANGELOG.md'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
env:
|
|
POSTGRES_HOST: localhost
|
|
POSTGRES_PORT: 5432
|
|
POSTGRES_ADMIN_USER: prowler
|
|
POSTGRES_ADMIN_PASSWORD: S3cret
|
|
POSTGRES_USER: prowler_user
|
|
POSTGRES_PASSWORD: prowler
|
|
POSTGRES_DB: postgres-db
|
|
VALKEY_HOST: localhost
|
|
VALKEY_PORT: 6379
|
|
VALKEY_DB: 0
|
|
API_WORKING_DIR: ./api
|
|
IMAGE_NAME: prowler-api
|
|
|
|
jobs:
|
|
code-quality:
|
|
if: github.repository == 'prowler-cloud/prowler'
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
permissions:
|
|
contents: read
|
|
strategy:
|
|
matrix:
|
|
python-version:
|
|
- '3.12'
|
|
defaults:
|
|
run:
|
|
working-directory: ./api
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
|
- name: Setup Python with Poetry
|
|
uses: ./.github/actions/setup-python-poetry
|
|
with:
|
|
python-version: ${{ matrix.python-version }}
|
|
working-directory: ./api
|
|
|
|
- name: Poetry check
|
|
run: poetry check --lock
|
|
|
|
- name: Ruff lint
|
|
run: poetry run ruff check . --exclude contrib
|
|
|
|
- name: Ruff format
|
|
run: poetry run ruff format --check . --exclude contrib
|
|
|
|
- name: Pylint
|
|
run: poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/
|
|
|
|
security-scans:
|
|
if: github.repository == 'prowler-cloud/prowler'
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
permissions:
|
|
contents: read
|
|
strategy:
|
|
matrix:
|
|
python-version:
|
|
- '3.12'
|
|
defaults:
|
|
run:
|
|
working-directory: ./api
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
|
- name: Setup Python with Poetry
|
|
uses: ./.github/actions/setup-python-poetry
|
|
with:
|
|
python-version: ${{ matrix.python-version }}
|
|
working-directory: ./api
|
|
|
|
- name: Bandit
|
|
run: poetry run bandit -q -lll -x '*_test.py,./contrib/' -r .
|
|
|
|
- name: Safety
|
|
# 76352, 76353, 77323 come from SDK, but they cannot upgrade it yet. It does not affect API
|
|
# TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
|
|
run: poetry run safety check --ignore 70612,66963,74429,76352,76353,77323,77744,77745
|
|
|
|
- name: Vulture
|
|
run: poetry run vulture --exclude "contrib,tests,conftest.py" --min-confidence 100 .
|
|
|
|
tests:
|
|
if: github.repository == 'prowler-cloud/prowler'
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
permissions:
|
|
contents: read
|
|
strategy:
|
|
matrix:
|
|
python-version:
|
|
- '3.12'
|
|
defaults:
|
|
run:
|
|
working-directory: ./api
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres
|
|
env:
|
|
POSTGRES_HOST: ${{ env.POSTGRES_HOST }}
|
|
POSTGRES_PORT: ${{ env.POSTGRES_PORT }}
|
|
POSTGRES_USER: ${{ env.POSTGRES_USER }}
|
|
POSTGRES_PASSWORD: ${{ env.POSTGRES_PASSWORD }}
|
|
POSTGRES_DB: ${{ env.POSTGRES_DB }}
|
|
ports:
|
|
- 5432:5432
|
|
options: >-
|
|
--health-cmd pg_isready
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
valkey:
|
|
image: valkey/valkey:7-alpine3.19
|
|
env:
|
|
VALKEY_HOST: ${{ env.VALKEY_HOST }}
|
|
VALKEY_PORT: ${{ env.VALKEY_PORT }}
|
|
VALKEY_DB: ${{ env.VALKEY_DB }}
|
|
ports:
|
|
- 6379:6379
|
|
options: >-
|
|
--health-cmd "valkey-cli ping"
|
|
--health-interval 10s
|
|
--health-timeout 5s
|
|
--health-retries 5
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
|
- name: Setup Python with Poetry
|
|
uses: ./.github/actions/setup-python-poetry
|
|
with:
|
|
python-version: ${{ matrix.python-version }}
|
|
working-directory: ./api
|
|
|
|
- name: Run tests with pytest
|
|
run: poetry run pytest --cov=./src/backend --cov-report=xml src/backend
|
|
|
|
- name: Upload coverage reports to Codecov
|
|
uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
|
|
env:
|
|
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
|
|
with:
|
|
flags: api
|
|
|
|
dockerfile-lint:
|
|
if: github.repository == 'prowler-cloud/prowler'
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
|
- name: Lint Dockerfile with Hadolint
|
|
uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
|
|
with:
|
|
dockerfile: api/Dockerfile
|
|
ignore: DL3013
|
|
|
|
container-build-and-scan:
|
|
if: github.repository == 'prowler-cloud/prowler'
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
pull-requests: write
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
|
|
|
|
- name: Build container
|
|
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
|
|
with:
|
|
context: ${{ env.API_WORKING_DIR }}
|
|
push: false
|
|
load: true
|
|
tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
- name: Scan container with Trivy
|
|
uses: ./.github/actions/trivy-scan
|
|
with:
|
|
image-name: ${{ env.IMAGE_NAME }}
|
|
image-tag: ${{ github.sha }}
|
|
fail-on-critical: 'false'
|
|
severity: 'CRITICAL'
|