From 35e578a6f0acb1e54de44a48d25b9593a428028d Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Thu, 12 Jun 2025 19:49:54 -0400
Subject: [PATCH 1/5] [BRE-831] Updating to use AKV with OIDC

---
 .github/workflows/scan.yml | 48 ++++++++++++++++++++++++++++++++++----
 1 file changed, 44 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index dedbafa15..a44e4fb98 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -18,6 +18,8 @@ jobs:
 check-run:
 name: Check PR run
 uses: bitwarden/gh-actions/.github/workflows/check-run.yml@main
+ permissions:
+ contents: read
 sast:
 name: SAST scan
@@ -27,6 +29,7 @@ jobs:
 contents: read
 pull-requests: write
 security-events: write
+ id-token: write
 steps:
 - name: Check out repo
@@ -34,6 +37,24 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.sha }}
+ - name: Azure Login
+ id: azure-login
+ uses: bitwarden/gh-actions/azure-login@main
+ with:
+ subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+ client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+ - name: Get KV secrets
+ id: get-kv-secrets
+ uses: bitwarden/gh-actions/get-keyvault-secrets@main
+ with:
+ keyvault: gh-org-bitwarden
+ secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"
+
+ - name: Azure Logout
+ uses: bitwarden/gh-actions/azure-logout@main
+
 - name: Scan with Checkmarx
 uses: checkmarx/ast-github-action@ef93013c95adc60160bc22060875e90800d3ecfc # 2.3.19
 env:
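Review bot: `id-token: write` on the `sast` job lets every step in the job — the SHA-pinned third-party `checkmarx/ast-github-action` as well as `azure-login` — request a GitHub OIDC token for this repository, so the Azure federated credential that trusts that token is the real permission boundary, not the workflow text. Confirm the credential's subject condition is narrowed to this repository and the ref/environment this workflow runs under (a broad `repo:bitwarden/*` subject would let any workflow in the org exchange a token for `gh-org-bitwarden` read access), and that its audience is the one `azure-login` requests. If the identity should only be usable from trusted runs, a job-level `environment:` with a matching subject claim is a tighter filter than repository alone. The job's trigger and `needs:` wiring are outside this hunk.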
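Review bot: The three new steps reference `bitwarden/gh-actions/*@main`, a mutable branch ref, while the scanner action in the same job is pinned to a full commit SHA with a version comment (`checkmarx/ast-github-action@ef93013c… # 2.3.19`); whatever lands on that branch runs here with `id-token: write` and a Key Vault read path. The existing `check-run` call already uses `@main`, so this may be a deliberate first-party convention, but if so a one-line comment on the first new `uses:` would save the next reviewer the question, e.g. `# bitwarden/gh-actions is first-party and intentionally tracked at @main`. Separately, `Azure Logout` has no `if: always()`, so a failure in `Get KV secrets` skips it and leaves the `az` session behind; harmless on ephemeral hosted runners, not on a persistent self-hosted one — `if: always()` on the logout step closes that gap, provided the logout action tolerates an absent login.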
@@ -41,10 +62,10 @@ jobs:
 "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
 with:
 project_name: ${{ github.repository }}
- cx_tenant: ${{ secrets.CHECKMARX_TENANT }}
+ cx_tenant: ${{ steps.get-kv-secrets.outputs.CHECKMARX-TENANT }}
 base_uri: https://ast.checkmarx.net/
- cx_client_id: ${{ secrets.CHECKMARX_CLIENT_ID }}
- cx_client_secret: ${{ secrets.CHECKMARX_SECRET }}
+ cx_client_id: ${{ steps.get-kv-secrets.outputs.CHECKMARX-CLIENT-ID }}
+ cx_client_secret: ${{ steps.get-kv-secrets.outputs.CHECKMARX-SECRET }}
 additional_params: |
 --report-format sarif \
 --filter "state=TO_VERIFY;PROPOSED_NOT_EXPLOITABLE;CONFIRMED;URGENT" \
@@ -68,6 +89,7 @@ jobs:
 permissions:
 contents: read
 pull-requests: write
+ id-token: write
 steps:
 - name: Check out repo
@@ -76,10 +98,28 @@ jobs:
 fetch-depth: 0
 ref: ${{ github.event.pull_request.head.sha }}
+ - name: Azure Login
+ id: azure-login
+ uses: bitwarden/gh-actions/azure-login@main
+ with:
+ subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+ client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+ - name: Get KV secrets
+ id: get-kv-secrets
+ uses: bitwarden/gh-actions/get-keyvault-secrets@main
+ with:
+ keyvault: gh-org-bitwarden
+ secrets: "SONAR-TOKEN"
+
+ - name: Azure Logout
+ uses: bitwarden/gh-actions/azure-logout@main
+
 - name: Scan with SonarCloud
 uses: sonarsource/sonarqube-scan-action@aa494459d7c39c106cc77b166de8b4250a32bb97 # v5.1.0
 env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+ SONAR_TOKEN: ${{ steps.get-kv-secrets.outputs.SONAR-TOKEN }}
 with:
 args: >
 -Dsonar.organization=${{ github.repository_owner }}
 -Dsonar.projectKey=${{

From ce0a28f53a3a3fe1e6cf5fb6cd7e15168559a158 Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Thu, 12 Jun 2025 19:55:16 -0400
Subject: [PATCH 2/5] [BRE-831] Updating to use AKV with OIDC

---
 .github/workflows/scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

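Review bot: `cx_client_secret` now comes from a step output, `steps.get-kv-secrets.outputs.CHECKMARX-SECRET`, and a step output is not redacted in logs the way a `secrets.*` value is — redaction here depends on the `get-keyvault-secrets` action calling `::add-mask::` on each value before it writes the output, which cannot be verified from this hunk. Worth confirming against that action and recording the assumption at the step, e.g. `# outputs are masked by get-keyvault-secrets; never echo them`, because the Checkmarx action receives the value as an ordinary input and a debug-logging run would otherwise print it. The `Scan with Checkmarx` step this hunk edits begins in the previous hunk.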
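Review bot: The `quality` job asks the vault for only `SONAR-TOKEN`, but it logs in with the same `AZURE_CLIENT_ID` as the `sast` job, so the narrowing lives in the workflow text rather than in the identity — any step in either job (both check out `github.event.pull_request.head.sha`) could request whatever that identity can read from `gh-org-bitwarden`. If the vault holds more than the four secrets named in this patch, a per-workflow identity or per-secret RBAC would make a compromised job's blast radius match what it legitimately needs; whether that is already in place is not visible here. The hunk's last context line, `-Dsonar.projectKey=${{`, appears cut off in this rendering of the patch, so the end of the `Scan with SonarCloud` step cannot be reviewed.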
diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index a44e4fb98..c77139522 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -10,7 +10,7 @@ on:
 branches-ignore:
 - main
 pull_request_target:
- types: [opened, synchronize, reopend]
+ types: [opened, synchronize, reopened]
 branches:
 - "main"

From 118d1dc824e7d9f0a6ee20684b196ab4803c09c8 Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Mon, 16 Jun 2025 23:36:03 -0400
Subject: [PATCH 3/5] [BRE-831] Renaming azure login/get/logout step names

---
 .github/workflows/scan.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index a424b6ad6..695be516f 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -39,7 +39,7 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.sha }}
- - name: Azure Login
+ - name: Log in to Azure
 id: azure-login
 uses: bitwarden/gh-actions/azure-login@main
 with:
@@ -47,14 +47,14 @@ jobs:
 tenant_id: ${{ secrets.AZURE_TENANT_ID }}
 client_id: ${{ secrets.AZURE_CLIENT_ID }}
- - name: Get KV secrets
+ - name: Get Azure Key Vault Secrets
 id: get-kv-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@main
 with:
 keyvault: gh-org-bitwarden
 secrets: "CHECKMARX-TENANT,CHECKMARX-CLIENT-ID,CHECKMARX-SECRET"
- - name: Azure Logout
+ - name: Log out from Azure
 uses: bitwarden/gh-actions/azure-logout@main
 - name: Scan with Checkmarx
@@ -100,7 +100,7 @@ jobs:
 fetch-depth: 0
 ref: ${{ github.event.pull_request.head.sha }}
- - name: Azure Login
+ - name: Log in to Azure
 id: azure-login
 uses: bitwarden/gh-actions/azure-login@main
 with:
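Review bot: The corrected `types:` list sits under `pull_request_target`, which runs with the base repository's permissions — and, after PATCH 1, an Azure OIDC identity with Key Vault access — while both jobs check out `github.event.pull_request.head.sha`; fixing `reopend` means reopened PRs now reach that path too. This is only safe while no step executes, or is configured by, content from the PR head, and while the `check-run` job actually gates fork PRs; its `needs:` wiring is not visible in these hunks, so that is an assumption. A comment on the trigger would make the constraint explicit for the next editor, e.g. `# pull_request_target: base-repo privileges + OIDC identity; never run PR-controlled code in these jobs`. The `on:` block starts and ends outside this hunk.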
@@ -108,14 +108,14 @@ jobs:
 tenant_id: ${{ secrets.AZURE_TENANT_ID }}
 client_id: ${{ secrets.AZURE_CLIENT_ID }}
- - name: Get KV secrets
+ - name: Get Azure Key Vault Secrets
 id: get-kv-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@main
 with:
 keyvault: gh-org-bitwarden
 secrets: "SONAR-TOKEN"
- - name: Azure Logout
+ - name: Log out from Azure
 uses: bitwarden/gh-actions/azure-logout@main
 - name: Scan with SonarCloud

From d989574ea245c2ef4ac3bf623526777528ae8c0e Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Tue, 17 Jun 2025 11:53:54 -0400
Subject: [PATCH 4/5] [BRE-831] Updating to use AKV with OIDC

---
 .github/workflows/scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 695be516f..393ecdec2 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -47,7 +47,7 @@ jobs:
 tenant_id: ${{ secrets.AZURE_TENANT_ID }}
 client_id: ${{ secrets.AZURE_CLIENT_ID }}
- - name: Get Azure Key Vault Secrets
+ - name: Get Azure Key Vault secrets
 id: get-kv-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@main
 with:
@@ -108,7 +108,7 @@ jobs:
 tenant_id: ${{ secrets.AZURE_TENANT_ID }}
 client_id: ${{ secrets.AZURE_CLIENT_ID }}
- - name: Get Azure Key Vault Secrets
+ - name: Get Azure Key Vault secrets
 id: get-kv-secrets
 uses: bitwarden/gh-actions/get-keyvault-secrets@main
 with:

From d3db48660c9d310453f3e090e87ea680aa38e194 Mon Sep 17 00:00:00 2001
From: Andy Pixley <3723676+pixman20@users.noreply.github.com>
Date: Mon, 30 Jun 2025 19:20:16 -0400
Subject: [PATCH 5/5] Removing unused azure-login id

---
 .github/workflows/scan.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 393ecdec2..8d9d55972 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -40,7 +40,6 @@ jobs:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Log in to Azure
- id: azure-login
 uses: bitwarden/gh-actions/azure-login@main
 with:
 subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
@@ -101,7 +100,6 @@ jobs:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Log in to Azure
- id: azure-login
 uses: bitwarden/gh-actions/azure-login@main
 with:
 subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}