security.yaml
name: Security checks

# Default token scopes for every job in this workflow. A job that declares
# its own `permissions` block replaces this set instead of extending it.
permissions:
  contents: read
  security-events: write

on: # yamllint disable-line rule:truthy
  pull_request:
    # Documentation and repository metadata changes need no security scan.
    paths-ignore:
      - 'doc/**'
      - '*.md'
      - 'DCO'
      - 'LICENSE'
      - 'OWNERS'
      - 'PROJECT'
  push:
    branches:
      - main
  schedule:
    - cron: '0 0 * * *' # run at midnight daily

# Keep at most one run per workflow and branch; a newer run supersedes the
# one still in progress.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
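jobs:
  gosec:
    name: Gosec
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout Git Repository
        uses: actions/checkout@v4
      - name: Run gosec
        uses: securego/gosec@v2.21.4
        with:
          # -no-fail: findings are reported through the SARIF upload below
          # rather than by failing this step.
          args: '-exclude=G601 -no-fail -fmt sarif -out gosec.sarif ./...'
      - name: Upload scan results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gosec.sarif

  trivy:
    name: Trivy
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner in repo mode
        # NOTE(review): `master` is a mutable ref, so the scanner code that
        # runs here can change without any change to this file. Pin to a
        # release tag or a full commit SHA, as the other actions are.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

  lint-sh:
    name: Lint shell scripts
    runs-on: ubuntu-22.04
    # A job-level `permissions` block replaces the workflow-level one rather
    # than extending it, so `contents: read` must be restated here or the
    # job's token is left without repository read access.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout Git Repository
        uses: actions/checkout@v4
      - name: Install SARIF tooling
        # NOTE(review): crate versions are resolved at run time; pin them
        # with `--version` so this step stays reproducible.
        run: cargo install shellcheck-sarif sarif-fmt
      - name: Lint shell scripts
        run: |
          find . -executable -type f -regex ".*\(hack\|ci\).*" -print0 | \
            xargs -0 shellcheck -f json | \
            shellcheck-sarif > results.sarif
          sarif-fmt -c always < results.sarif
          # shellcheck's exit status is lost in the pipeline above, so the
          # step fails on the number of results recorded in the SARIF file.
          if [[ $(jq '.runs[].results | length' results.sarif) -ne "0" ]]; then
            exit 1
          fi
      - if: ${{ always() }}
        name: Upload ShellCheck defects
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif

  # We need to render _every_ directory that has a kustomization.yaml file,
  # since that's what infra-deployments checks for. Having a check identical
  # to what infra-deployments does will save us some embarrassment when we
  # make a release.
  kubelinter:
    name: Kubelinter
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout Git Repository
        uses: actions/checkout@v4
      - name: Render kustomize templates
        run: |
          mkdir out
          find operator server -name 'kustomization.yaml' | \
            xargs -I {} -n1 -P8 \
            bash -c 'dir=$(dirname "{}"); output_file=$(realpath out/$(echo $dir | tr / -)-kustomization.yaml); if ! log=$(cd "$dir" && kustomize edit set image workspaces/rest-api:index controller:index && kustomize build . -o "$output_file" 2>&1); then echo "Error when running kustomize build for $dir: $log" && exit 1;fi'
      - name: Run kube-linter
        uses: stackrox/kube-linter-action@v1.0.5
        id: kube-linter-action-scan
        with:
          version: v0.6.8
          # Adjust this directory to the location where your kubernetes resources and helm charts are located.
          directory: out
          # The following two settings make kube-linter produce scan analysis in SARIF format which would then be
          # made available in GitHub UI via upload-sarif action below.
          format: sarif
          output-file: out/kube-linter.sarif
        # The following line prevents aborting the workflow immediately in case your files fail kube-linter checks.
        # This allows the following upload-sarif action to still upload the results to your GitHub repo.
        continue-on-error: true
      - name: Upload sarif report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: out/kube-linter.sarif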