44 changes: 23 additions & 21 deletions .github/workflows/security-scan.yaml
Expand Up @@ -5,7 +5,7 @@ env:

on:
# Trigger 1: PR created on main or version branches (*.*)
pull_request:
pull_request_target:
branches:
- main
- '*.*'
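Review bot: Changing the trigger to `pull_request_target` means this workflow now runs in the base repository's context, with its `GITHUB_TOKEN` and secrets (later steps pass `secrets.GITHUB_TOKEN` through `env`), on pull requests that can come from forks, so any step that checks out and executes code from the PR head would run untrusted code with those credentials. The checkout steps and the workflow-level `permissions` block are outside this hunk, so I cannot see how the `${{ github.head_ref }}` that this run publishes as `branches` is consumed by the scan jobs; if the PR head is checked out there, it should be with `persist-credentials: false`, in a job that has no secrets in scope, and `permissions: contents: read` should be stated explicitly at the top of the file. I would record that constraint next to the trigger so it survives future edits: `# pull_request_target: runs with the base repo token and secrets - scan jobs must not execute code taken from the PR head`.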
Expand Down Expand Up @@ -36,21 +36,21 @@ jobs:

- name: Determine branches for PR events
id: determine-pr-branches
if: github.event_name == 'pull_request'
if: github.event_name == 'pull_request_target'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HEAD_REF: ${{ github.head_ref }}
run: |
# For PR events, validate base branch and use head ref if valid
base_ref="${{ github.base_ref }}"
head_ref="${{ github.head_ref }}"
echo "Base branch: $base_ref"
echo "Head branch: $head_ref"
echo "Head branch: $HEAD_REF"

if [[ "$base_ref" =~ ^[0-9]+\.[0-9]+$ ]] || [[ "$base_ref" == "main" ]]; then
echo "Base branch matches allowed pattern (main or digit.digit)"
echo "branches=[\"$head_ref\"]" >> $GITHUB_OUTPUT
echo "branches=[\"$HEAD_REF\"]" >> $GITHUB_OUTPUT
echo "output-branch-name=$base_ref" >> $GITHUB_OUTPUT
echo "Branches to scan: [$head_ref]"
echo "Branches to scan: [$HEAD_REF]"
echo "Output files will use branch name: $base_ref"
else
echo "Base branch does not match allowed pattern - no branches to scan"
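Review bot: `base_ref` is still spliced into the shell with `${{ github.base_ref }}` on the line above the new `$HEAD_REF` usage, while `head_ref` was moved into `env`; read both the same way, adding `BASE_REF: ${{ github.base_ref }}` under `env:` and using `base_ref="$BASE_REF"`, so no ref name is expanded into script text before bash parses it. The base ref can only be a branch that already exists in this repository, so the exposure is smaller than for the head ref, but the asymmetry invites the next edit to inline the wrong one. The `else` branch of this step and the following step continue outside the hunk.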
Expand All @@ -60,17 +60,17 @@ jobs:

- name: Get all upstream branches
id: get-upstream-branches
if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request_target'
run: |
# Get main branch and all version branches (*.*)
branches=$(git branch -r | grep -E 'origin/(main|[0-9]+\.[0-9]+)' | sed 's/origin\///' | tr '\n' ' ')
branches=$(git branch -r | grep -E 'origin/(main|[0-9]+\.[0-9]+)$' | sed 's/origin\///' | tr '\n' ' ')
echo "Found upstream branches: $branches"
echo "upstream-branches=$branches" >> $GITHUB_OUTPUT
echo "output-branch-name=scheduled" >> $GITHUB_OUTPUT

- name: Get completed workflows from previous day
id: get-completed-workflows
if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request_target'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
Expand All @@ -94,7 +94,7 @@ jobs:

- name: Check for successful scan artifacts from previous day
id: check-scan-artifacts
if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request_target'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
Expand Down Expand Up @@ -144,7 +144,7 @@ jobs:

- name: Determine security scan branches for scheduled runs
id: determine-scheduled-security-scan-branches
if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request_target'
run: |
upstream_branches="${{ steps.get-upstream-branches.outputs.upstream-branches }}"
successful_branches="${{ steps.check-scan-artifacts.outputs.successful-security-scan-branches }}"
Expand Down Expand Up @@ -181,7 +181,7 @@ jobs:

- name: Determine global dependencies branches for scheduled runs
id: determine-scheduled-global-dependencies-branches
if: github.event_name != 'pull_request'
if: github.event_name != 'pull_request_target'
run: |
upstream_branches="${{ steps.get-upstream-branches.outputs.upstream-branches }}"
successful_branches="${{ steps.check-scan-artifacts.outputs.successful-global-dependencies-branches }}"
Expand Down Expand Up @@ -257,6 +257,7 @@ jobs:
# security scan scripts. So we download the latest one from main
echo "Downloading latest security-scan.sh script from main branch"
curl -sSL "https://raw.githubusercontent.com/${{ github.repository }}/main/scripts/security-scan.sh" -o scripts/security-scan.sh
sudo chmod +x scripts/security-scan.sh
echo "Updated security-scan.sh to latest version from main"

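Review bot: `curl -sSL` without `-f` exits 0 on an HTTP error, so a 404 or rate-limit response from raw.githubusercontent.com is written to `scripts/security-scan.sh`, the new `sudo chmod +x` line then succeeds, and the scan executes an HTML error page instead of failing at the download; use `curl -sSfL "https://raw.githubusercontent.com/${{ github.repository }}/main/scripts/security-scan.sh" -o scripts/security-scan.sh`. `sudo` is not needed to set the execute bit on a file the runner user just wrote; `chmod +x scripts/security-scan.sh` is enough and avoids a root-owned mode change in the workspace. The same pair of lines appears in the global-dependencies job, in the hunk at `@@ -461,6 +462,7 @@`.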
- name: Set up environment
Expand Down Expand Up @@ -323,7 +324,7 @@ jobs:
- name: Create Success Indicator File
run: |
# For PR events, use base_ref as output branch name, otherwise use actual branch
if [ "${{ github.event_name }}" = "pull_request" ]; then
if [ "${{ github.event_name }}" = "pull_request_target" ]; then
output_branch="${{ needs.get-branches-to-scan.outputs.output-branch-name }}"
else
output_branch="${{ matrix.branch }}"
Expand All @@ -333,8 +334,8 @@ jobs:
- name: Upload Success Indicator File
uses: actions/upload-artifact@v4
with:
name: scan-success-${{ matrix.target }}-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
path: scan-success-${{ matrix.target }}-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
name: scan-success-${{ matrix.target }}-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
path: scan-success-${{ matrix.target }}-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
retention-days: 90

- name: Publish Scan Successful Metric
Expand Down Expand Up @@ -379,7 +380,7 @@ jobs:
targets=($(echo "$targets_json" | jq -r '.[]'))

# For PR events, use base_ref as output branch name, otherwise use actual branch
if [ "${{ github.event_name }}" = "pull_request" ]; then
if [ "${{ github.event_name }}" = "pull_request_target" ]; then
check_branch="${{ needs.get-branches-to-scan.outputs.output-branch-name }}"
else
check_branch="${{ matrix.branch }}"
Expand Down Expand Up @@ -417,8 +418,8 @@ jobs:
if: success()
uses: actions/upload-artifact@v4
with:
name: scan-success-branch-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
path: scan-success-branch-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
name: scan-success-branch-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
path: scan-success-branch-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
retention-days: 90

security-scan-global-dependencies:
Expand Down Expand Up @@ -461,6 +462,7 @@ jobs:
# security scan scripts. So we download the latest one from main
echo "Downloading latest security-scan.sh script from main branch"
curl -sSL "https://raw.githubusercontent.com/${{ github.repository }}/main/scripts/security-scan.sh" -o scripts/security-scan.sh
sudo chmod +x scripts/security-scan.sh
echo "Updated security-scan.sh to latest version from main"

- name: Install Security Scan Dependencies
Expand Down Expand Up @@ -513,7 +515,7 @@ jobs:
- name: Create Global Success Indicator File
run: |
# For PR events, use base_ref as output branch name, otherwise use actual branch
if [ "${{ github.event_name }}" = "pull_request" ]; then
if [ "${{ github.event_name }}" = "pull_request_target" ]; then
output_branch="${{ needs.get-branches-to-scan.outputs.output-branch-name }}"
else
output_branch="${{ matrix.branch }}"
Expand All @@ -523,8 +525,8 @@ jobs:
- name: Upload Global Success Indicator File
uses: actions/upload-artifact@v4
with:
name: global-scan-success-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
path: global-scan-success-${{ github.event_name == 'pull_request' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
name: global-scan-success-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}
path: global-scan-success-${{ github.event_name == 'pull_request_target' && needs.get-branches-to-scan.outputs.output-branch-name || matrix.branch }}.txt
retention-days: 90

- name: Publish Failure Metrics