From cab9b63bc91bcd145043dfc3006aeb846ae14099 Mon Sep 17 00:00:00 2001
From: JonJagger
Date: Fri, 20 Feb 2026 12:46:46 +0000
Subject: [PATCH 1/4] Harden the runner at the start of each workflow job
---
.github/workflows/main.yml | 45 ++++++++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 4f3db27..3acd742 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -34,6 +34,11 @@ jobs: image_name: ${{ steps.vars.outputs.image_name }} kosli_trail: ${{ steps.vars.outputs.kosli_trail }} steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - uses: actions/checkout@v4 with: fetch-depth: 1
@@ -89,6 +94,11 @@ jobs: contents: read pull-requests: read steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - uses: actions/checkout@v4 with: fetch-depth: 1
@@ -109,6 +119,11 @@ jobs: runs-on: ubuntu-latest needs: [setup] steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - uses: actions/checkout@v4 with: fetch-depth: 1
@@ -137,6 +152,11 @@ jobs: env: SARIF_FILENAME: snyk.code.scan.json steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - uses: actions/checkout@v4 with: fetch-depth: 1
@@ -194,6 +214,11 @@ jobs: env: KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }} steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - name: Download docker image uses: cyber-dojo/download-artifact@main with:
@@ -243,6 +268,11 @@ jobs: env: KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }} steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - name: Download docker image uses: cyber-dojo/download-artifact@main with:
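Review bot: Every `uses: step-security/harden-runner@v2` line added in this patch (the hunks at +34, +94, +119, +152, +214, +268 here and +322, +357, +386 in the next chunk) pins the hardening action to a mutable major-version tag, so a retagged release changes what runs as the very first step of every job; for this step in particular the usual recommendation is a full-length commit SHA with the version kept in a trailing comment, `uses: step-security/harden-runner@<full-commit-sha> # v2.x`. `egress-policy: audit` only records outbound connections and blocks nothing, so the added hardening is observational until the policy is moved to `block` with an `allowed-endpoints` list derived from the audit output. The same four-line block is repeated nine times with no comment; a one-line comment on the first copy saying it must remain the first step (it instruments the runner before any later action runs) would stop a future reorder from silently weakening it.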
@@ -292,6 +322,11 @@ jobs: env: KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }} steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - uses: actions/checkout@v4 with: fetch-depth: 0
@@ -322,6 +357,11 @@ jobs: env: KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }} steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - name: Setup Kosli CLI uses: kosli-dev/setup-cli-action@v2 with:
@@ -346,6 +386,11 @@ jobs: name: staging url: https://beta.cyber-dojo.org steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + - uses: actions/checkout@v4 with: fetch-depth: 0
From cf6d893c257a5ed0275bf993bb1199ec3bb66cce Mon Sep 17 00:00:00 2001
From: JonJagger
Date: Fri, 20 Feb 2026 12:47:04 +0000
Subject: [PATCH 2/4] Collapse kosli-setup using composite action
---
.github/workflows/main.yml | 25 ++++---------------------
1 file changed, 4 insertions(+), 21 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3acd742..7f01d0e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -60,29 +60,12 @@ jobs: echo "kosli_trail=${KOSLI_TRAIL}" } > ${GITHUB_OUTPUT} - - name: Setup Kosli CLI - if: ${{ github.ref == 'refs/heads/main' }} - uses: kosli-dev/setup-cli-action@v2 - with: - version: ${{ vars.KOSLI_CLI_VERSION }} - - - name: Create Kosli Flow - if: ${{ github.ref == 'refs/heads/main' }} - run: - kosli create flow "${KOSLI_FLOW}" - --description="Diff files from two traffic-lights" - - name: Begin Kosli Trail if: ${{ github.ref == 'refs/heads/main' }} - run: - kosli begin trail "${KOSLI_TRAIL}" - --template-file=.kosli.yml - - - name: Write Trail URL to GitHub Step Summary - if: ${{ github.ref == 'refs/heads/main' }} - run: | - url="https://app.kosli.com/${KOSLI_ORG}/flows/${KOSLI_FLOW}/trails/${KOSLI_TRAIL}" - echo "[Kosli Trail](${url})" > "${GITHUB_STEP_SUMMARY}" + uses: cyber-dojo/kosli-begin-trail@main + with: + cli_version: "${{ vars.KOSLI_CLI_VERSION }}" + flow_description: "Diff files from two traffic-lights" pull-request:
From 47ad45449a5d79358ec9726c4e809de7dd510cd3 Mon Sep 17 00:00:00 2001
From: JonJagger
Date: Fri, 20 Feb 2026 12:48:38 +0000
Subject: [PATCH 3/4] Remove snyk-code-scan
---
.github/workflows/main.yml | 44 --------------------------------------
.kosli.yml | 2 --
2 files changed, 46 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 7f01d0e..538a59d 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
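Review bot: `uses: cyber-dojo/kosli-begin-trail@main` pins the new composite action to a moving branch, so whatever that branch holds at run time executes inside the setup job (whose header is above this hunk) with that job's token and `KOSLI_*` environment; a tag or full-length commit SHA, `uses: cyber-dojo/kosli-begin-trail@<tag-or-full-commit-sha>`, keeps the behaviour of the four inline steps it replaces reproducible. The removed "Write Trail URL to GitHub Step Summary" step has no visible counterpart, so unless the composite action writes the summary itself the trail link disappears from the run page. The old begin-trail command passed `--template-file=.kosli.yml` and the new `with:` block carries no template input, which is worth confirming against the action's defaults before merging.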
@@ -129,49 +129,6 @@ jobs: --results-dir=./reports/rubocop - snyk-code-scan: - runs-on: ubuntu-latest - needs: [setup] - env: - SARIF_FILENAME: snyk.code.scan.json - steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit - - - uses: actions/checkout@v4 - with: - fetch-depth: 1 - - - name: Setup Snyk - uses: snyk/actions/setup@master - - - name: Run Snyk code scan - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - run: - snyk code test - --policy-path=.snyk - --sarif - --sarif-file-output="${SARIF_FILENAME}" - . - - - name: Setup Kosli CLI - if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} - uses: kosli-dev/setup-cli-action@v2 - with: - version: ${{ vars.KOSLI_CLI_VERSION }} - - - name: Attest evidence to Kosli - if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} - run: - kosli attest snyk - --attachments=.snyk - --name=differ.snyk-code-scan - --scan-results="${SARIF_FILENAME}" - - build-image: needs: [setup] uses: cyber-dojo/reusable-actions-workflows/.github/workflows/secure-docker-build.yml@main
@@ -335,7 +292,6 @@ jobs: - rubocop-lint - unit-tests - integration-tests - - snyk-code-scan - sonarcloud-scan env: KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }}
diff --git a/.kosli.yml b/.kosli.yml
index 9be5a19..e95a744 100644
--- a/.kosli.yml
+++ b/.kosli.yml
@@ -9,8 +9,6 @@ trail: attestations: - name: rubocop-lint type: junit - - name: snyk-code-scan - type: snyk - name: unit-test type: junit - name: unit-test-metrics
From aa4acbf3ccd9b98b3a62249879a5cbaf7f170347 Mon Sep 17 00:00:00 2001
From: JonJagger
Date: Fri, 20 Feb 2026 12:51:15 +0000
Subject: [PATCH 4/4] Add snyk-container-test to workflow
---
.github/workflows/main.yml | 63 ++++++++++++++++++++++++++++++++++++++
.kosli.yml | 2 ++
2 files changed, 65 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 538a59d..1bb5f5a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -283,6 +283,68 @@ jobs: -Dsonar.analysis.kosli_attestation=differ.sonarcloud-scan + snyk-container-scan: + needs: [build-image] + runs-on: ubuntu-latest + permissions: + id-token: write + contents: write + env: + IMAGE_NAME: ${{ needs.build-image.outputs.tagged_image_name }} + KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }} + SARIF_FILENAME: snyk.container.scan.json + steps: + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + + - uses: actions/checkout@v4 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID_BETA }}:role/gh_actions_services + aws-region: ${{ env.AWS_REGION }} + role-duration-seconds: 2400 + role-session-name: ${{ github.event.repository.name }} + + - name: Login to Amazon ECR + uses: aws-actions/amazon-ecr-login@v2 + + - name: Pull the docker image + run: + docker pull --platform=linux/amd64 "${IMAGE_NAME}" + + - name: Setup Snyk + uses: snyk/actions/setup@master + with: + snyk-version: v1.1300.2 + + - name: Run Snyk container scan + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + run: + snyk container test "${IMAGE_NAME}" + --policy-path=.snyk + --sarif + --sarif-file-output="${SARIF_FILENAME}" + + - name: Setup Kosli CLI + if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} + uses: kosli-dev/setup-cli-action@v2 + with: + version: ${{ vars.KOSLI_CLI_VERSION }} + + - name: Attest evidence to Kosli + if: ${{ github.ref == 'refs/heads/main' && (success() || failure()) }} + run: + kosli attest snyk + --attachments=.snyk + --name=differ.snyk-container-scan + --scan-results="${SARIF_FILENAME}" + + sdlc-control-gate: if: ${{ github.ref == 'refs/heads/main' }} runs-on: ubuntu-latest
@@ -293,6 +355,7 @@ jobs: - unit-tests - integration-tests - sonarcloud-scan + - snyk-container-scan env: KOSLI_FINGERPRINT: ${{ needs.build-image.outputs.digest }} steps:
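Review bot: `contents: write` in the new snyk-container-scan job's `permissions:` block is broader than any of its steps needs: the job checks out the repository, assumes an AWS role via OIDC (which is what `id-token: write` is for), pulls an image, runs the Snyk CLI and attests to Kosli, and none of those writes to the repository, so `contents: read` is the least-privilege value and matches the `contents: read` the pull-request job shows in the earlier patch's context lines. `uses: snyk/actions/setup@master` pins the action to a moving branch even though `snyk-version: v1.1300.2` pins the CLI it installs; a full-length commit SHA, `uses: snyk/actions/setup@<full-commit-sha> # <tag>`, covers the action's own code as well. `role-to-assume` and `aws-region` read `env.AWS_ACCOUNT_ID_BETA` and `env.AWS_REGION`, which presumably come from a workflow-level `env:` outside this hunk; if either is unset the ARN silently renders with an empty account id, so a short comment on the job naming where they are defined would help the next reader. The `docker pull` step has no explicit `if:` guard, so on a non-main ref the scan still runs but the Kosli attestation is skipped, which looks intended but is worth a one-line comment.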
diff --git a/.kosli.yml b/.kosli.yml
index e95a744..d2c00e7 100644
--- a/.kosli.yml
+++ b/.kosli.yml
@@ -23,3 +23,5 @@ trail: type: custom:coverage-metrics - name: sonarcloud-scan type: sonar + - name: snyk-container-scan + type: snyk