Enable dependabot (#9)

Enable dependabot by adding scheduled weekly tasks . Create dependency-review.yml Create dependency-review.yml workflow for dependabot scheduled actions. Create trivy.yml for enablement of trivy scanning of Dockerfiles and image. Create mock CodeQL script (to-be-done). No real job to be done currently as scripts need to be fixed. Create codeql-config.yml Create docker-build.yml Create docker-build.yml with build script for Dockerfiles and Trivy scan for results, * Update docker-build.yml Fix path issue for docker buildx build. * Update trivy.yml Fix scan-type rootfs and scan-type config as one of them performed checkout. Signed-off-by: Miłosz Linkiewicz <milosz.linkiewicz@intel.com> --------- Signed-off-by: Miłosz Linkiewicz <milosz.linkiewicz@intel.com>
OpenVisualCloud · Sep 2, 2024 · 98ecddb · 98ecddb
1 parent 0f0b217
commit 98ecddb
Show file tree

Hide file tree

Showing 6 changed files with 208 additions and 0 deletions.
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1 @@
+name: "MCM CodeQL Config"
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+updates:
+ - package-ecosystem: github-actions
+ directory: /.github
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+
+ - package-ecosystem: docker
+ directory: /docker
+ schedule:
+ interval: "weekly"
+ day: "sunday"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,66 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "master", "main", "dev" ]
+ pull_request:
+ branches: [ "master", "main", "dev" ]
+ schedule:
+ - cron: '42 8 * * 1'
+
+env:
+ # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.)
+ BUILD_TYPE: Release
+ PREFIX_DIR: /usr/local
+ DEBIAN_FRONTEND: noninteractive
+
+permissions:
+ contents: read
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ${{ matrix.runner-os }}
+ timeout-minutes: 90
+ strategy:
+ fail-fast: false
+ matrix:
+ runner-os: [ 'ubuntu-22.04' ]
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ defaults:
+ run:
+ shell: bash
+
+ steps:
+ - name: 'Harden Runner'
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout repository'
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: 'Initialize CodeQL'
+ uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+ with:
+ languages: 'c-cpp'
+ build-mode: autobuild
+ # config-file: ${{ github.workspace }}/.github/codeql/codeql-config.yml
+
+ - if: matrix.build-mode == 'manual'
+ shell: bash
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \
+ 'languages you are analyzing, replace this with the commands to build' \
+ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,23 @@
+# Dependency Review Action
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+ contents: read
+
+jobs:
+ dependency-review:
+ runs-on: ubuntu-latest
+ steps:
+ - name: 'Harden Runner'
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ egress-policy: audit
+
+ - name: 'Checkout Repository'
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: 'Dependency Review'
+ uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -0,0 +1,66 @@
+name: Docker Build
+on:
+ push:
+ branches: [ "master", "main" ]
+ pull_request:
+ branches: [ "master", "main" ]
+
+permissions:
+ contents: read
+
+jobs:
+ docker-build:
+ name: Dockerfiles Build
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ dockerfiles: [ 'ubuntu22.04', 'ubuntu18.04', 'centos7.9' ]
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ defaults:
+ run:
+ shell: bash
+ timeout-minutes: 90
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ egress-policy: audit
+
+ - name: Checkout
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+ with:
+ buildkitd-flags: --debug
+
+ - name: 'Build Dockerfile for ${{ matrix.dockerfiles }}'
+ uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
+ with:
+ file: '${{ github.workspace }}/docker/Dockerfile.${{ matrix.dockerfiles }}'
+ context: .
+ push: false
+ tags: 'docker.io/openvisualcloud/raisr/${{ matrix.dockerfiles }}:${{ github.sha }}'
+
+ - name: 'Run Trivy vulnerability scanner on result'
+ uses: aquasecurity/trivy-action@0.20.0
+ with:
+ image-ref: 'docker.io/openvisualcloud/raisr/${{ matrix.dockerfiles }}:${{ github.sha }}'
+ exit-code: '1'
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+ format: 'sarif'
+ output: '${{ github.workspace }}/trivy-${{ matrix.dockerfiles }}-${{ github.sha }}.sarif'
+
+ - name: 'Upload Trivy scan results to GitHub Security tab'
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: '${{ github.workspace }}/trivy-${{ matrix.dockerfiles }}-${{ github.sha }}.sarif'
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,39 @@
+name: Trivy
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+permissions:
+ contents: read
+
+jobs:
+ scan-type-config:
+ runs-on: ubuntu-22.04
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ name: scan-type-config
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ egress-policy: audit
+
+ - name: Checkout code
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+ - name: Run Trivy vulnerability scanner, scan-type=config
+ uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
+ with:
+ scan-type: 'config'
+ hide-progress: false
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-config-results.sarif'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+
+ - name: Upload Trivy config scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+ with:
+ sarif_file: 'trivy-config-results.sarif'