forked from coder/coder
-
Notifications
You must be signed in to change notification settings - Fork 0
173 lines (143 loc) · 5.39 KB
/
security.yaml
File metadata and controls
173 lines (143 loc) · 5.39 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
name: "security"
permissions:
actions: read
contents: read
security-events: write
on:
push:
branches: ["main"]
pull_request:
branches: ["main"]
workflow_dispatch:
schedule:
# Run every week at 10:24 on Thursday.
- cron: "24 10 * * 4"
# Cancel in-progress runs for pull requests when developers push
# additional changes
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-security
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
codeql:
runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
steps:
- uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: go, javascript
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: "~1.20"
- name: Go Cache Paths
id: go-cache-paths
run: |
echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
# Workaround to prevent CodeQL from building the dashboard.
- name: Remove Makefile
run: |
rm Makefile
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
trivy:
runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/setup-go@v3
with:
go-version: "~1.20"
- name: Go Cache Paths
id: go-cache-paths
run: |
echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
- name: Cache Node
id: cache-node
uses: actions/cache@v3
with:
path: |
**/node_modules
.eslintcache
key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
js-${{ runner.os }}-
- name: Install yq
run: go run github.com/mikefarah/yq/v4@v4.30.6
- name: Build Coder linux amd64 Docker image
id: build
run: |
set -euo pipefail
version="$(./scripts/version.sh)"
image_job="build/coder_${version}_linux_amd64.tag"
# This environment variable force make to not build packages and
# archives (which the Docker image depends on due to technical reasons
# related to concurrent FS writes).
export DOCKER_IMAGE_NO_PREREQUISITES=true
# This environment variables forces scripts/build_docker.sh to build
# the base image tag locally instead of using the cached version from
# the registry.
export CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"
make -j "$image_job"
echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
- name: Build Coder linux amd64 Docker image (ironbank)
id: build-ironbank
run: |
set -euo pipefail
# NOTE: This is not a real image tag we publish.
image_tag="${{ steps.build.outputs.image }}-ironbank"
./scripts/ironbank/build_ironbank.sh \
--target "$image_tag" \
"build/coder_$(./scripts/version.sh)_linux_amd64"
echo "image=$image_tag" >> $GITHUB_OUTPUT
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
with:
image-ref: ${{ steps.build.outputs.image }}
format: sarif
output: trivy-results.sarif
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results.sarif
category: "Trivy"
- name: Run Trivy vulnerability scanner (ironbank)
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
with:
image-ref: ${{ steps.build-ironbank.outputs.image }}
format: sarif
output: trivy-results-ironbank.sarif
severity: "CRITICAL,HIGH"
# Update the tool name field in the ironbank SARIF file so it's not
# indistinguishable from findings in the non-ironbank SARIF file in the
# GitHub UI. Without this, findings from both scans would show up as
# "Trivy".
- name: Update tool name in SARIF file (ironbank)
run: |
set -euo pipefail
yq eval -i '.runs[0].tool.driver.name = "Trivy Ironbank"' trivy-results-ironbank.sarif
- name: Upload Trivy scan results to GitHub Security tab (ironbank)
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results-ironbank.sarif
category: "Trivy Ironbank"
- name: Upload Trivy scan results as an artifact
uses: actions/upload-artifact@v2
with:
name: trivy
path: |
trivy-results.sarif
trivy-results-ironbank.sarif
retention-days: 7