diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..416564c
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+ - package-ecosystem: "docker"
+ directory: "/examples/dependabot-alerts-example"
+ schedule:
+ interval: "daily"
diff --git a/.github/workflows/dependabot-evidence-example.yml b/.github/workflows/dependabot-evidence-example.yml
new file mode 100644
index 0000000..de32117
--- /dev/null
+++ b/.github/workflows/dependabot-evidence-example.yml
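Review bot: This file configures Dependabot version updates for the Docker image under `/examples/dependabot-alerts-example` only; the alerts the evidence workflow reads from `repos/{owner}/{repo}/dependabot/alerts` come from the repository's Dependabot alerts feature, which, as far as I know, has to be enabled in the repository's security settings and is not switched on by this file. A one-line comment such as `# Version updates only; Dependabot alerts must also be enabled on the repository for the evidence workflow to find anything` would keep the next reader from expecting this config to produce alerts on its own.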
@@ -0,0 +1,86 @@
+name: dependabot-evidence-example
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+
+permissions:
+ id-token: write
+ contents: read
+
+jobs:
+ dependabot-evidence-example:
+ runs-on: ubuntu-latest
+ env:
+ REPO_NAME: 'dependabot-docker-local'
+ IMAGE_NAME: 'dependabot-docker-image'
+ BUILD_NAME: 'dependabot-evidence-eg'
+ VERSION: ${{ github.run_number }}
+ REGISTRY_DOMAIN: ${{ vars.REGISTRY_DOMAIN }}
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup JFrog CLI
+ uses: jfrog/setup-jfrog-cli@v4
+ env:
+ JF_URL: ${{ vars.ARTIFACTORY_URL }}
+ JF_ACCESS_TOKEN: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
+
+ - name: Log in to Artifactory Docker Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ vars.ARTIFACTORY_URL }}
+ username: ${{ secrets.JF_USER }}
+ password: ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build Docker image and Push to Artifactory
+ run: |
+ docker build -f ./examples/dependabot-alerts-example/Dockerfile . --tag $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION
+ jf rt docker-push $REGISTRY_DOMAIN/$REPO_NAME/$IMAGE_NAME:$VERSION $REPO_NAME --build-name=$BUILD_NAME --build-number=$VERSION
+
+ - name: Install jq
+ run: sudo apt-get update && sudo apt-get install -y jq
+
+ - name: Fetch Dependabot Vulnerability Snapshot
+ id: dependabot_snapshot
+ env:
+ GH_TOKEN: ${{ secrets.TOKEN_GIT }} # GitHub Token with 'security_events: read' permission is required
+ OWNER: ${{ github.repository_owner }}
+ REPO: ${{ github.event.repository.name }}
+ run: |
+ gh api \
+ -H "Accept: application/vnd.github+json" \
+ -H "X-GitHub-Api-Version: 2022-11-28" \
+ "repos/${OWNER}/${REPO}/dependabot/alerts" \
+ --jq '[.[] |
+ {
+ packageName: .dependency.package.name,
+ ecosystem: .dependency.package.ecosystem,
+ vulnerableVersionRange: .security_vulnerability.vulnerable_version_range,
+ patchedVersion: .security_vulnerability.first_patched_version.identifier,
+ severity: .security_vulnerability.severity,
+ ghsaId: .security_advisory.ghsa_id,
+ cveId: .security_advisory.cve_id,
+ advisoryUrl: .html_url,
+ detectedAt: .created_at
+ }
+ ]' > result.json
+
+ cat result.json
+
+ - name: Create Dependabot Evidence
+ run: |
+ jf evd create \
+ --package-name $IMAGE_NAME \
+ --package-version $VERSION \
+ --package-repo-name $REPO_NAME \
+ --key "${{ secrets.TEST_PRVT_KEY }}" \
+ --key-alias ${{ secrets.TEST_PUB_KEY_ALIAS }} \
+ --predicate ./result.json \
+ --predicate-type http://Github.com/Dependabot/static-analysis
\ No newline at end of file
diff --git a/examples/dependabot-alerts-example/Dockerfile b/examples/dependabot-alerts-example/Dockerfile
new file mode 100644
index 0000000..d52bd3a
--- /dev/null
+++ b/examples/dependabot-alerts-example/Dockerfile
@@ -0,0 +1,6 @@
+# Use an outdated version of the Node.js image
+FROM node:24
+
+COPY ./examples/dependabot-alerts-example/hello.js .
+
+CMD ["node", "hello.js"]
\ No newline at end of file
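Review bot: The private signing key is expanded straight into the shell script in the Create Dependabot Evidence step (`--key "${{ secrets.TEST_PRVT_KEY }}"`), so the PEM text becomes part of the script bash parses and any quote, `$` or backtick in it is interpreted by the shell instead of being passed through, and the alias on the next line is expanded unquoted as well; passing both through the step's `env:` and referencing them as `"$EVD_SIGNING_KEY"` / `"$EVD_KEY_ALIAS"` keeps the secret values out of the script text, as below. In the Fetch Dependabot Vulnerability Snapshot step, `gh api` runs without `--paginate`, so `result.json` only ever holds the first page of alerts and the evidence silently under-reports on a repository with more than one page; `gh api --paginate ... | jq -s 'add | [ .[] | { … } ]' > result.json` collects every page, and adding `state: .state` to the projection would let a consumer tell open alerts from dismissed or fixed ones, since the endpoint returns all states unless filtered. `permissions` grants `id-token: write`, but nothing in the job uses OIDC — the JFrog CLI and the docker login both authenticate with `ARTIFACTORY_ACCESS_TOKEN` — so it can be dropped to keep the workflow at least privilege. The remaining `jf evd create` arguments are also worth double-quoting so a value with spaces cannot split into extra arguments.
```yaml
      - name: Create Dependabot Evidence
        env:
          EVD_SIGNING_KEY: ${{ secrets.TEST_PRVT_KEY }}
          EVD_KEY_ALIAS: ${{ secrets.TEST_PUB_KEY_ALIAS }}
        run: |
          jf evd create \
            --package-name "$IMAGE_NAME" \
            --package-version "$VERSION" \
            --package-repo-name "$REPO_NAME" \
            --key "$EVD_SIGNING_KEY" \
            --key-alias "$EVD_KEY_ALIAS" \
            --predicate ./result.json \
            --predicate-type http://Github.com/Dependabot/static-analysis
```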
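Review bot: The comment `# Use an outdated version of the Node.js image` does not match `FROM node:24`, which is the current Node.js major line at the time of writing, so this example may not produce the Dependabot alert it is meant to demonstrate; either pin a tag that is actually old enough to carry known advisories or reword the comment to say what the tag is for. The `COPY ./examples/dependabot-alerts-example/hello.js .` path only resolves when the build context is the repository root, as the workflow's `docker build -f ... .` provides; a comment such as `# Built from the repo root (see .github/workflows/dependabot-evidence-example.yml)` would stop a `docker build` run from this directory from failing unexpectedly. Since the official node image runs as root by default and ships a `node` user, adding `USER node` before `CMD` is a cheap hardening step even for an example.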
diff --git a/examples/dependabot-alerts-example/hello.js b/examples/dependabot-alerts-example/hello.js
new file mode 100644
index 0000000..4f3ac02
--- /dev/null
+++ b/examples/dependabot-alerts-example/hello.js
@@ -0,0 +1 @@
+console.log('Hello World!')
\ No newline at end of file