Enable dependabot by adding scheduled weekly tasks. Create dependency-review.yml Create dependency-review.yml workflow for dependabot scheduled actions. Create trivy.yml for enablement of trivy scanning of Dockerfiles and image. Create mock CodeQL script (to-be-done). No real job to be done currently as scripts need to be fixed. Create codeql-config.yml Create docker-build.yml Create docker-build.yml with build script for Dockerfiles and Trivy scan for results. * Update docker-build.yml Fix path issue for docker buildx build. * Update trivy.yml Fix scan-type rootfs and scan-type config as one of them performed checkout. Signed-off-by: Miłosz Linkiewicz <milosz.linkiewicz@intel.com> --------- Signed-off-by: Miłosz Linkiewicz <milosz.linkiewicz@intel.com>
Showing
6 changed files
with
208 additions
and
0 deletions.
@@ -0,0 +1 @@ | ||
name: "MCM CodeQL Config" |
@@ -0,0 +1,13 @@ | ||
version: 2 | ||
updates: | ||
- package-ecosystem: github-actions | ||
directory: /.github | ||
schedule: | ||
interval: "weekly" | ||
day: "sunday" | ||
|
||
- package-ecosystem: docker | ||
directory: /docker | ||
schedule: | ||
interval: "weekly" | ||
day: "sunday" |
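Review bot: `directory: /.github` on the github-actions entry is probably not what Dependabot expects; its documentation uses `directory: "/"` for this ecosystem, under which it locates `.github/workflows` by itself, so with `/.github` the workflow files may not be discovered and the SHA-pinned actions introduced in this commit would never receive update PRs. Changing the line to `directory: "/"` and checking the Dependabot run log for the github-actions job would confirm either way. The docker entry's `/docker` matches where docker-build.yml reads `docker/Dockerfile.*`, so that one is consistent.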
@@ -0,0 +1,66 @@ | ||
name: "CodeQL" | ||
|
||
on: | ||
push: | ||
branches: [ "master", "main", "dev" ] | ||
pull_request: | ||
branches: [ "master", "main", "dev" ] | ||
schedule: | ||
- cron: '42 8 * * 1' | ||
|
||
env: | ||
# Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.) | ||
BUILD_TYPE: Release | ||
PREFIX_DIR: /usr/local | ||
DEBIAN_FRONTEND: noninteractive | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
analyze: | ||
name: Analyze | ||
runs-on: ${{ matrix.runner-os }} | ||
timeout-minutes: 90 | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
runner-os: [ 'ubuntu-22.04' ] | ||
permissions: | ||
actions: read | ||
contents: read | ||
security-events: write | ||
defaults: | ||
run: | ||
shell: bash | ||
|
||
steps: | ||
- name: 'Harden Runner' | ||
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: 'Checkout repository' | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
|
||
- name: 'Initialize CodeQL' | ||
uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 | ||
with: | ||
languages: 'c-cpp' | ||
build-mode: autobuild | ||
# config-file: ${{ github.workspace }}/.github/codeql/codeql-config.yml | ||
|
||
- if: matrix.build-mode == 'manual' | ||
shell: bash | ||
run: | | ||
echo 'If you are using a "manual" build mode for one or more of the' \ | ||
'languages you are analyzing, replace this with the commands to build' \ | ||
'your code, for example:' | ||
echo ' make bootstrap' | ||
echo ' make release' | ||
exit 1 | ||
- name: Perform CodeQL Analysis | ||
uses: github/codeql-action/analyze@v3 | ||
with: | ||
category: "/language:${{matrix.language}}" |
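Review bot: `github/codeql-action/analyze@v3` on the last step is the only action in this workflow pinned to a mutable tag; every other `uses:` here, including `init` at the top, is pinned to a commit SHA, so the analysis step is the one place where a moved tag would run unreviewed code in a job holding `security-events: write`. All codeql-action subactions ship from the same ref, so the commit already used for `init` fits: `uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11`. Separately, `matrix.language` and `matrix.build-mode` are referenced in the last two steps but the matrix only defines `runner-os`, so the category expands to `/language:` and the manual-build guard is never taken; with a single hard-coded language, `category: "/language:c-cpp"` states the intent directly. The `config-file` line is commented out, so the one-line codeql-config.yml added in this commit is not consumed by anything yet.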
@@ -0,0 +1,23 @@ | ||
# Dependency Review Action | ||
# | ||
# Source repository: https://github.com/actions/dependency-review-action | ||
name: 'Dependency Review' | ||
on: [pull_request] | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
dependency-review: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: 'Harden Runner' | ||
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: 'Checkout Repository' | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
|
||
- name: 'Dependency Review' | ||
uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3 |
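Review bot: The final dependency-review step runs with no `with:` block, so its failure threshold is whatever the action's default is — if I recall its README correctly that is `low`, meaning any newly introduced advisory of any severity fails the PR — while the Trivy gates added in the same commit stop at `CRITICAL,HIGH`. Making the threshold explicit keeps the two gates consistent and documents the intent: `with:` followed by `fail-on-severity: high`. The action also depends on the repository's dependency graph being enabled; a comment such as `# requires the dependency graph to be enabled in repository settings` above the step would save the next person a confusing first failure.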
@@ -0,0 +1,66 @@ | ||
name: Docker Build | ||
on: | ||
push: | ||
branches: [ "master", "main" ] | ||
pull_request: | ||
branches: [ "master", "main" ] | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
docker-build: | ||
name: Dockerfiles Build | ||
runs-on: ubuntu-latest | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
dockerfiles: [ 'ubuntu22.04', 'ubuntu18.04', 'centos7.9' ] | ||
permissions: | ||
actions: read | ||
contents: read | ||
security-events: write | ||
defaults: | ||
run: | ||
shell: bash | ||
timeout-minutes: 90 | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: Checkout | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 | ||
with: | ||
buildkitd-flags: --debug | ||
|
||
- name: 'Build Dockerfile for ${{ matrix.dockerfiles }}' | ||
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 | ||
with: | ||
file: '${{ github.workspace }}/docker/Dockerfile.${{ matrix.dockerfiles }}' | ||
context: . | ||
push: false | ||
tags: 'docker.io/openvisualcloud/raisr/${{ matrix.dockerfiles }}:${{ github.sha }}' | ||
|
||
- name: 'Run Trivy vulnerability scanner on result' | ||
uses: aquasecurity/trivy-action@0.20.0 | ||
with: | ||
image-ref: 'docker.io/openvisualcloud/raisr/${{ matrix.dockerfiles }}:${{ github.sha }}' | ||
exit-code: '1' | ||
ignore-unfixed: true | ||
vuln-type: 'os,library' | ||
severity: 'CRITICAL,HIGH' | ||
format: 'sarif' | ||
output: '${{ github.workspace }}/trivy-${{ matrix.dockerfiles }}-${{ github.sha }}.sarif' | ||
|
||
- name: 'Upload Trivy scan results to GitHub Security tab' | ||
uses: github/codeql-action/upload-sarif@v2 | ||
with: | ||
sarif_file: '${{ github.workspace }}/trivy-${{ matrix.dockerfiles }}-${{ github.sha }}.sarif' |
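Review bot: `exit-code: '1'` on the Trivy step fails the job on CRITICAL/HIGH findings, but the `upload-sarif` step after it has no `if: always()`, so precisely the runs that have findings never reach the Security tab. That same step uses `github/codeql-action/upload-sarif@v2`, a mutable tag on an older major, and the scanner uses `aquasecurity/trivy-action@0.20.0` by tag, while trivy.yml in this commit pins both to commit SHAs; those refs can be reused here. Also, `push: false` without `load: true` on build-push-action, with the buildx container driver set up earlier in the job, most likely leaves the image in the build cache only, so the `image-ref` scan would not find the tag locally — confirm on a run and add `load: true` if so.
```yaml
      - name: 'Build Dockerfile for ${{ matrix.dockerfiles }}'
        # … unchanged: uses, with.file, with.context …
          push: false
          load: true  # make the tagged image available to the local daemon for the scan
        # … unchanged: with.tags …

      - name: 'Run Trivy vulnerability scanner on result'
        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
        # … unchanged: with.image-ref … with.output …

      - name: 'Upload Trivy scan results to GitHub Security tab'
        if: always()  # upload even when the scan step failed the job on findings
        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
        # … unchanged: with.sarif_file …
```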
@@ -0,0 +1,39 @@ | ||
name: Trivy | ||
on: | ||
push: | ||
branches: | ||
- main | ||
pull_request: | ||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
scan-type-config: | ||
runs-on: ubuntu-22.04 | ||
permissions: | ||
contents: read # for actions/checkout to fetch code | ||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | ||
name: scan-type-config | ||
steps: | ||
- name: Harden Runner | ||
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 | ||
with: | ||
egress-policy: audit | ||
|
||
- name: Checkout code | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
|
||
- name: Run Trivy vulnerability scanner, scan-type=config | ||
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0 | ||
with: | ||
scan-type: 'config' | ||
hide-progress: false | ||
ignore-unfixed: true | ||
format: 'sarif' | ||
output: 'trivy-config-results.sarif' | ||
severity: 'CRITICAL,HIGH,MEDIUM' | ||
|
||
- name: Upload Trivy config scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 | ||
with: | ||
sarif_file: 'trivy-config-results.sarif' |
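Review bot: The `push` trigger lists only `main`, while the other workflows added in this commit trigger on `master` and `main` (and `dev`); if the repository's default branch is `master`, this scan only ever runs on pull requests and never on what actually lands, so aligning it to `branches: [ "master", "main" ]` seems warranted. The Trivy step also sets no `exit-code`, so with the action's default of 0 the CRITICAL/HIGH/MEDIUM misconfigurations are uploaded but never fail the job, unlike the image scan in docker-build.yml; if report-only is intended, a comment such as `# report-only: findings go to the Security tab, the job does not fail` on the step would make that explicit. `ignore-unfixed: true` applies to vulnerability scans and has no effect on `scan-type: 'config'`, so it can be dropped here.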