From 98c391fdb43982f94b4b5ef27dba8e3b2750b150 Mon Sep 17 00:00:00 2001
From: Kyle Harding
Date: Fri, 15 Nov 2024 12:05:15 -0500
Subject: [PATCH] Run octoscan as part of Flowzone workflows
Change-type: minor
Signed-off-by: Kyle Harding
---
 .github/workflows/flowzone.yml | 69 ++++++++++++++++-------------
 flowzone.yml | 79 +++++++++++++++++++++++++++++-----
 2 files changed, 108 insertions(+), 40 deletions(-)
diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml
index 4f8d10dc3..8654e5264 100644
--- a/.github/workflows/flowzone.yml
+++ b/.github/workflows/flowzone.yml
@@ -923,41 +923,22 @@ jobs: issue-number: ${{ github.event.pull_request.number }} token: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }} reactions: hooray - lint_workflows: - name: Lint workflows + actionlint: + name: actionlint runs-on: ${{ fromJSON(inputs.runs_on) }} - timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }} + timeout-minutes: 5 needs: - - versioned_source - defaults: - run: - working-directory: ${{ inputs.working_directory }} - shell: bash --noprofile --norc -eo pipefail -x {0} - permissions: {} + - event_types + permissions: + contents: read steps: - - name: Generate GitHub App installation token - uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a - if: inputs.app_id - id: gh_app_token - with: - app_id: ${{ inputs.app_id }} - installation_retrieval_mode: organization - installation_retrieval_payload: ${{ github.repository_owner }} - private_key: ${{ secrets.GH_APP_PRIVATE_KEY }} - permissions: |- - { - "contents": "read", - "metadata": "read" - } - - name: Checkout versioned commit + - name: Checkout event ref uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 with: - fetch-depth: ${{ needs.versioned_source.outputs.depth || 0 }} - fetch-tags: true - submodules: recursive - ref: ${{ needs.versioned_source.outputs.sha || '¯ (ツ)_/¯' }} - token: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }} + fetch-depth: 1 + submodules: false persist-credentials: false + token: ${{ github.token }} - name: Add problem matcher run: | curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/.github/actionlint-matcher.json > ${{ runner.temp }}/actionlint-matcher.json 
@@ -966,6 +947,33 @@ jobs: uses: docker://rhysd/actionlint:1.7.4 with: args: -color -ignore="custom label for self-hosted runner" -ignore=":info:" -ignore=":style:" + octoscan: + name: octoscan + runs-on: ${{ fromJSON(inputs.runs_on) }} + timeout-minutes: 5 + needs: + - event_types + permissions: + contents: read + steps: + - name: Checkout event ref + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + with: + fetch-depth: 1 + submodules: false + persist-credentials: false + token: ${{ github.token }} + - id: octoscan + name: Run octoscan + uses: synacktiv/action-octoscan@v1.0.0 + with: + filter_triggers: allnopr + disable_rules: shellcheck,local-action,runner-label + - name: Upload SARIF file to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{steps.octoscan.outputs.sarif_output}} + category: octoscan is_npm: name: Is npm runs-on: ${{ fromJSON(inputs.runs_on) }}
@@ -4880,7 +4888,8 @@ jobs: - cargo_test - custom_test - cloudformation_test - - lint_workflows + - actionlint + - octoscan if: | always() && github.event.pull_request.state == 'open'
diff --git a/flowzone.yml b/flowzone.yml
index a2fc58e0b..73d2db28d 100644
--- a/flowzone.yml
+++ b/flowzone.yml
@@ -1610,20 +1610,31 @@ jobs: token: ${{ steps.gh_app_token.outputs.token || secrets.FLOWZONE_TOKEN }} reactions: hooray - lint_workflows: - name: Lint workflows + actionlint: + name: actionlint runs-on: ${{ fromJSON(inputs.runs_on) }} - timeout-minutes: ${{ fromJSON(inputs.jobs_timeout_minutes) }} + timeout-minutes: 5 + # Run this early in the workflow, as soon as we've validated event types needs: - - versioned_source - - <<: *customWorkingDirectory + - event_types - permissions: {} + permissions: + contents: read # Used for checkout steps: - - *getGitHubAppToken - - *checkoutVersionedSha + # No need for the Flowzone Installation App token here as we are not cloning + # submodules so the automatic actions token scoped to the repo is fine. + + # https://github.com/actions/checkout + - name: Checkout event ref + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + # We only need to scan workflow files, so disable submodules and deep cloning + fetch-depth: 1 + submodules: false + persist-credentials: false + # Use the automatic actions token with contents:read permissions + token: ${{ github.token }} # https://github.com/actions/toolkit/blob/master/docs/problem-matchers.md - name: Add problem matcher 
@@ -1640,6 +1651,53 @@ jobs: # Ignore shellcheck info and style messages for now args: -color -ignore="custom label for self-hosted runner" -ignore=":info:" -ignore=":style:" + # https://github.com/synacktiv/octoscan + # https://github.com/synacktiv/action-octoscan + octoscan: + name: octoscan + runs-on: ${{ fromJSON(inputs.runs_on) }} + timeout-minutes: 5 + # Run this early in the workflow, as soon as we've validated event types + needs: + - event_types + + permissions: + # security-events: write # used to push the output of octoscan to GitHub code scanning. + contents: read # Used for checkout + + steps: + # No need for the Flowzone Installation App token here as we are not cloning + # submodules so the automatic actions token scoped to the repo is fine. + + # https://github.com/actions/checkout + - name: Checkout event ref + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + # We only need to scan workflow files, so disable submodules and deep cloning + fetch-depth: 1 + submodules: false + persist-credentials: false + # Use the automatic actions token with contents:read permissions + token: ${{ github.token }} + + # https://github.com/synacktiv/octoscan + # https://github.com/synacktiv/action-octoscan + - id: octoscan + name: Run octoscan + uses: synacktiv/action-octoscan@v1.0.0 + with: + # Filter on all workflow triggers as the default of "external" does not include workflow_call + # external: https://github.com/synacktiv/octoscan/blob/3f7fd6e563be43432cef874c82a7714f67a8ef92/common/helpers.go#L69 + # allnopr: https://github.com/synacktiv/octoscan/blob/3f7fd6e563be43432cef874c82a7714f67a8ef92/common/helpers.go#L76 + filter_triggers: allnopr + disable_rules: shellcheck,local-action,runner-label + + - name: Upload SARIF file to GitHub + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "${{steps.octoscan.outputs.sarif_output}}" + category: octoscan + # check if the repository has a package.json file and which engine 
versions are supported is_npm: name: Is npm @@ -4399,7 +4457,8 @@ jobs: - cargo_test - custom_test - cloudformation_test - - lint_workflows + - actionlint + - octoscan if: | always() && github.event.pull_request.state == 'open'
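Review bot: The `Upload SARIF file to GitHub` step in the new octoscan job is not granted the permission it needs: `security-events: write` is left commented out in the job's `permissions:` block, leaving only `contents: read`, and `github/codeql-action/upload-sarif` needs `security-events: write` (and, for private repositories, `actions: read`) to push results to code scanning, so as written the step should fail with a permissions error. Either restore `security-events: write # upload octoscan SARIF to code scanning` (callers of this reusable workflow then also have to grant it, since a called job cannot exceed the caller's permissions) or drop the upload step and surface findings from the action's own output instead. The rendered copy of the job in `.github/workflows/flowzone.yml` (the `@@ -966,6 +947,33 @@` hunk) carries the same permissions block and presumably needs regenerating once this is fixed. Separately, `synacktiv/action-octoscan@v1.0.0` and `github/codeql-action/upload-sarif@v3` are referenced by mutable tags while `actions/checkout` in the same job is pinned to a commit SHA with a `# v4.2.2` comment; pinning both to a SHA would keep the file's supply-chain posture consistent. A one-line comment above `disable_rules:` saying why shellcheck, local-action and runner-label are turned off (overlap with the actionlint job's own shellcheck run, presumably) would also help the next maintainer.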