name: "security"

permissions:

actions: read

contents: read

security-events: write

on:

push:

branches: ["main"]

pull_request:

branches: ["main"]

workflow_dispatch:

schedule:

# Run every week at 10:24 on Thursday.

- cron: "24 10 * * 4"

# Cancel in-progress runs for pull requests when developers push

# additional changes

concurrency:

group: ${{ github.workflow }}-${{ github.ref }}-security

cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:

codeql:

runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}

steps:

- uses: actions/checkout@v3

- name: Initialize CodeQL

uses: github/codeql-action/init@v2

with:

languages: go, javascript

- name: Setup Go

uses: actions/setup-go@v3

with:

go-version: "~1.20"

- name: Go Cache Paths

id: go-cache-paths

run: |

echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT

- name: Go Mod Cache

uses: actions/cache@v3

with:

path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}

key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}

# Workaround to prevent CodeQL from building the dashboard.

- name: Remove Makefile

run: |

rm Makefile

- name: Perform CodeQL Analysis

uses: github/codeql-action/analyze@v2

trivy:

runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}

steps:

- uses: actions/checkout@v3

with:

fetch-depth: 0

- uses: actions/setup-go@v3

with:

go-version: "~1.20"

- name: Go Cache Paths

id: go-cache-paths

run: |

echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT

- name: Go Mod Cache

uses: actions/cache@v3

with:

path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}

key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}

- name: Cache Node

id: cache-node

uses: actions/cache@v3

with:

path: |

**/node_modules

.eslintcache

key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}

restore-keys: |

js-${{ runner.os }}-

- name: Install yq

run: go run github.com/mikefarah/yq/v4@v4.30.6

- name: Build Coder linux amd64 Docker image

id: build

run: |

set -euo pipefail

version="$(./scripts/version.sh)"

image_job="build/coder_${version}_linux_amd64.tag"

# This environment variable force make to not build packages and

# archives (which the Docker image depends on due to technical reasons

# related to concurrent FS writes).

export DOCKER_IMAGE_NO_PREREQUISITES=true

# This environment variables forces scripts/build_docker.sh to build

# the base image tag locally instead of using the cached version from

# the registry.

export CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"

make -j "$image_job"

echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT

- name: Run Trivy vulnerability scanner

uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252

with:

image-ref: ${{ steps.build.outputs.image }}

format: sarif

output: trivy-results.sarif

severity: "CRITICAL,HIGH"

- name: Upload Trivy scan results to GitHub Security tab

uses: github/codeql-action/upload-sarif@v2

with:

sarif_file: trivy-results.sarif

category: "Trivy"

- name: Upload Trivy scan results as an artifact

uses: actions/upload-artifact@v3

with:

name: trivy

path: trivy-results.sarif

retention-days: 7