This repository has been archived by the owner on Nov 27, 2024. It is now read-only.
Security checks #1447
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security checks | |
permissions: | |
contents: read | |
security-events: write | |
on: # yamllint disable-line rule:truthy | |
pull_request: | |
paths-ignore: | |
- "doc/**" | |
- "*.md" | |
- "DCO" | |
- "LICENSE" | |
- "OWNERS" | |
- "PROJECT" | |
push: | |
branches: [main] | |
schedule: | |
- cron: '0 0 * * *' # run at midnight daily | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
gosec: | |
name: Gosec | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout Git Repository | |
uses: actions/checkout@v4 | |
- name: Run gosec | |
uses: securego/gosec@v2.21.4 | |
with: | |
args: '-exclude=G601 -no-fail -fmt sarif -out gosec.sarif ./...' | |
- name: Upload scan results | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: gosec.sarif | |
trivy: | |
name: Trivy | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Run Trivy vulnerability scanner in repo mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
ignore-unfixed: true | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
severity: 'CRITICAL,HIGH' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
lint-sh: | |
name: Lint shell scripts | |
runs-on: ubuntu-22.04 | |
permissions: | |
security-events: write | |
steps: | |
- name: Checkout Git Repository | |
uses: actions/checkout@v4 | |
- run: cargo install shellcheck-sarif sarif-fmt | |
- name: Lint shell scripts | |
run: | | |
find . -executable -type f -regex ".*\(hack\|ci\).*" -print0 | \ | |
xargs -0 shellcheck -f json | \ | |
shellcheck-sarif > results.sarif | |
sarif-fmt -c always < results.sarif | |
if [[ $(jq '.runs[].results | length' results.sarif) -ne "0" ]]; then | |
exit 1 | |
fi | |
- if: ${{ always() }} | |
name: Upload ShellCheck defects | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: results.sarif | |
# We need to render _every_ directory that has a kustomization.yaml file, | |
# since that's what infra-deployments checks for. Having a check identical | |
# to what infra-deployments does will save us some embarassment when we make | |
# a release. | |
kubelinter: | |
name: Kubelinter | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout Git Repository | |
uses: actions/checkout@v4 | |
- name: Render kustomize templates | |
run: | | |
mkdir out | |
find operator server -name 'kustomization.yaml' | \ | |
xargs -I {} -n1 -P8 \ | |
bash -c 'dir=$(dirname "{}"); output_file=$(realpath out/$(echo $dir | tr / -)-kustomization.yaml); if ! log=$(cd "$dir" && kustomize edit set image workspaces/rest-api:index controller:index && kustomize build . -o "$output_file" 2>&1); then echo "Error when running kustomize build for $dir: $log" && exit 1;fi' | |
- name: Run kube-linter | |
uses: stackrox/kube-linter-action@v1.0.5 | |
id: kube-linter-action-scan | |
with: | |
version: v0.6.8 | |
# Adjust this directory to the location where your kubernetes resources and helm charts are located. | |
directory: out | |
# The following two settings make kube-linter produce scan analysis in SARIF format which would then be | |
# made available in GitHub UI via upload-sarif action below. | |
format: sarif | |
output-file: out/kube-linter.sarif | |
# The following line prevents aborting the workflow immediately in case your files fail kube-linter checks. | |
# This allows the following upload-sarif action to still upload the results to your GitHub repo. | |
continue-on-error: true | |
- name: Upload sarif report | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: out/kube-linter.sarif |