diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 000000000..f470e262d
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,13 @@
+name: Manually Run CodeQL Analysis
+
+on:
+ workflow_dispatch:
+
+jobs:
+ codeql:
+ permissions:
+ contents: read
+ security-events: write
+ uses: "./.github/workflows/common-codeql.yaml"
+ with:
+ export-report: true
diff --git a/.github/workflows/common-codeql.yaml b/.github/workflows/common-codeql.yaml
new file mode 100644
index 000000000..d47f57aa0
--- /dev/null
+++ b/.github/workflows/common-codeql.yaml
@@ -0,0 +1,42 @@
+name: CodeQL
+on:
+ workflow_call:
+ inputs:
+ export-report:
+ default: false
+ required: false
+ type: boolean
+
+permissions:
+ contents: read
+
+jobs:
+ codeql-scan:
+ runs-on: ubuntu-22.04
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@3d8036cf7fe7433e4a725cf513a6ea56c7fd0f14 # codeql-bundle-v2.25.0
+ with:
+ languages: go
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@3d8036cf7fe7433e4a725cf513a6ea56c7fd0f14 # codeql-bundle-v2.25.0
+
+ - name: Generate CodeQL Security Report
+ if: ${{ inputs.export-report }}
+ uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4
+ with:
+ template: report
+ token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload PDF report as an artifact
+ if: ${{ inputs.export-report }}
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: codeql-report
+ path: report.pdf
diff --git a/.github/workflows/common-trivy.yaml b/.github/workflows/common-trivy.yaml
new file mode 100644
index 000000000..99c122eb0
--- /dev/null
+++ b/.github/workflows/common-trivy.yaml
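Review bot: The caller declares permissions only at job level, while release.yaml and scan-periodic.yaml in the same commit also carry a workflow-level `permissions:` / `contents: read` block; adding the same two lines above `jobs:` here keeps the three callers consistent and makes the default explicit for any job added to this file later. The effective grant for the single `codeql` job is unchanged either way, so this is a point of style rather than a defect.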
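Review bot: The job-level block `permissions:` / `security-events: write` on `codeql-scan` replaces the workflow-level grant instead of extending it, so inside this job `contents` falls back to none; on a private repository `actions/checkout` then cannot fetch the source (GitHub's own CodeQL template lists `contents: read` beside `security-events: write` for that reason), so `contents: read` should be added to the job's block — the same applies to `trivy-scan-vulns` in common-trivy.yaml. Separately, `token: ${{ secrets.GITHUB_TOKEN }}` hands this job's token to a third-party action; it is SHA-pinned, which is the right control, but a comment such as `# token lets the action read this repo's code-scanning results (presumed); action pinned by SHA on purpose` would record why the grant is acceptable. The PDF then becomes a workflow artifact that anyone able to view the run can download, so consider bounding its lifetime on the upload step with `retention-days: 7` (constructed value) rather than the repository default.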
@@ -0,0 +1,95 @@
+name: Trivy
+on:
+ workflow_call:
+ inputs:
+ upload-to-github-security-tab:
+ default: false
+ required: false
+ type: boolean
+ export-csv:
+ default: false
+ required: false
+ type: boolean
+
+permissions:
+ contents: read
+
+jobs:
+ trivy-scan-licenses:
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Checkout
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+ - name: Run Trivy in fs mode
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+ with:
+ scan-type: fs
+ scan-ref: .
+ exit-code: 1
+ scanners: license
+ severity: "UNKNOWN,MEDIUM,HIGH,CRITICAL"
+
+ trivy-scan-vulns:
+ runs-on: ubuntu-22.04
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+
+ - name: Run Trivy in fs mode
+ continue-on-error: true
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+ with:
+ scan-type: fs
+ scan-ref: .
+ exit-code: 1
+ list-all-pkgs: true
+ format: json
+ output: trivy-report.json
+
+ - name: Show report in human-readable format
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+ with:
+ scan-type: convert
+ vuln-type: ''
+ severity: ''
+ image-ref: trivy-report.json
+ format: table
+
+ - name: Convert report to sarif format
+ if: ${{ inputs.upload-to-github-security-tab }}
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+ with:
+ scan-type: convert
+ vuln-type: ''
+ severity: ''
+ image-ref: trivy-report.json
+ format: sarif
+ output: trivy-report.sarif
+
+ - name: Upload sarif report to GitHub Security tab
+ if: ${{ inputs.upload-to-github-security-tab }}
+ uses: github/codeql-action/upload-sarif@3d8036cf7fe7433e4a725cf513a6ea56c7fd0f14 # codeql-bundle-v2.25.0
+ with:
+ sarif_file: trivy-report.sarif
+
+ - name: Convert report to csv
+ if: ${{ inputs.export-csv }}
+ uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
+ with:
+ scan-type: convert
+ vuln-type: ''
+ severity: ''
+ image-ref: trivy-report.json
+ format: template
+ template: "@.github/workflows/trivy-csv.tpl"
+ output: trivy-report.csv
+
+ - name: Upload CSV report as an artifact
+ if: ${{ inputs.export-csv }}
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: trivy-report
+ path: trivy-report.csv
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 000000000..ea855b3de
--- /dev/null
+++ b/.github/workflows/release.yaml
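Review bot: `continue-on-error: true` on the "Run Trivy in fs mode" step of `trivy-scan-vulns` swallows the `exit-code: 1` result and nothing later re-raises it, so that job succeeds whatever the scan finds and vulnerability findings never gate verify.yaml, release.yaml or scan-periodic.yaml (only `trivy-scan-licenses` fails on findings). If findings are meant to block, give the scan step an `id` and add a last step that fails the job from the recorded outcome once the reports have been produced; if the job is intentionally informational, a comment on the `continue-on-error` line should say so. The repeated `vuln-type: ''` / `severity: ''` on the convert steps also deserve a one-line comment — presumably they clear the action's default filters so the JSON is converted unfiltered, which is not obvious to a reader.
```yaml
      - name: Run Trivy in fs mode
        id: trivy-scan
        # Non-fatal here so the report/convert steps below still run; the job is failed at the end.
        continue-on-error: true
        # … unchanged: uses/with of the scan step …
      # … unchanged: table, sarif, csv convert and upload steps …
      - name: Fail the job if the scan found vulnerabilities
        if: ${{ steps.trivy-scan.outcome == 'failure' }}
        run: exit 1
```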
@@ -0,0 +1,29 @@
+name: Release
+
+on:
+ push:
+ tags: [ 'v*' ]
+
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref_name }}
+ cancel-in-progress: true
+
+jobs:
+ trivy:
+ permissions:
+ contents: read
+ security-events: write
+ uses: "./.github/workflows/common-trivy.yaml"
+ with:
+ export-csv: true
+
+ codeql:
+ permissions:
+ contents: read
+ security-events: write
+ uses: "./.github/workflows/common-codeql.yaml"
+ with:
+ export-report: true
diff --git a/.github/workflows/scan-periodic.yaml b/.github/workflows/scan-periodic.yaml
new file mode 100644
index 000000000..109fb554e
--- /dev/null
+++ b/.github/workflows/scan-periodic.yaml
@@ -0,0 +1,16 @@
+name: Scan periodic
+on:
+ schedule:
+ - cron: '15 3 * * *'
+
+permissions:
+ contents: read
+
+jobs:
+ trivy:
+ permissions:
+ contents: read
+ security-events: write
+ uses: "./.github/workflows/common-trivy.yaml"
+ with:
+ upload-to-github-security-tab: true
diff --git a/.github/workflows/trivy-csv.tpl b/.github/workflows/trivy-csv.tpl
new file mode 100644
index 000000000..0c1e50744
--- /dev/null
+++ b/.github/workflows/trivy-csv.tpl
@@ -0,0 +1,29 @@
+{{ range . }}
+Trivy Vulnerability Scan Results ({{- .Target -}})
+VulnerabilityID,Severity,CVSS Score,Title,Library,Vulnerable Version,Fixed Version,Information URL,Triage Information
+{{ range .Vulnerabilities }}
+ {{- .VulnerabilityID }},
+ {{- .Severity }},
+ {{- range $key, $value := .CVSS }}
+ {{- if (eq $key "nvd") }}
+ {{- .V3Score -}}
+ {{- end }}
+ {{- end }},
+ {{- quote .Title }},
+ {{- quote .PkgName }},
+ {{- quote .InstalledVersion }},
+ {{- quote .FixedVersion }},
+ {{- .PrimaryURL }}
+{{ else -}}
+ No vulnerabilities found at this time.
+{{ end }}
+Trivy Dependency Scan Results ({{ .Target }})
+ID,Name,Version,Notes
+{{ range .Packages -}}
+ {{- quote .ID }},
+ {{- quote .Name }},
+ {{- quote .Version }}
+{{ else -}}
+ No dependencies found at this time.
+{{ end }}
+{{ end }}
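Review bot: The scheduled workflow has no manual trigger, so the only way to exercise it (or to re-run the Security-tab upload after fixing something) is to wait for the 03:15 cron or push a change to the default branch it runs against; the commit adds a `workflow_dispatch` entry point for CodeQL in codeql.yaml but nothing equivalent for Trivy. Adding `workflow_dispatch:` as a second key under `on:` next to `schedule:` gives operators the same on-demand path without changing the nightly behaviour.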
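Review bot: In trivy-csv.tpl the vulnerability header row declares nine columns (ending in "Triage Information") but each emitted row has eight values, and the dependency header declares four columns ("ID,Name,Version,Notes") against three values per row, so the CSV is ragged when opened in a spreadsheet; if the last column is meant as a blank triage field, end the rows with a trailing comma — `{{- .PrimaryURL }},` and `{{- quote .Version }},`. Also note that `quote` produces a Go-style quoted string (an embedded `"` becomes `\"`), which is not CSV's doubled-quote escaping, so a title or package name containing a quote will break the row; `.VulnerabilityID` and `.PrimaryURL` are emitted without any quoting at all. A header comment in the template stating the intended consumer (spreadsheet import vs. machine parsing) would make the escaping choice reviewable; this may only be an issue for unusual advisory titles, so treat the quoting point as hedged.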
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
index 55b01ddb6..32fcfa955 100644
--- a/.github/workflows/verify.yaml
+++ b/.github/workflows/verify.yaml
@@ -104,3 +104,17 @@ jobs:
 - run: |
 make install-go-licenses
 make verify-licenses
+
+ trivy:
+ permissions:
+ contents: read
+ security-events: write
+ uses: "./.github/workflows/common-trivy.yaml"
+ with:
+ upload-to-github-security-tab: true
+
+ codeql:
+ permissions:
+ contents: read
+ security-events: write
+ uses: "./.github/workflows/common-codeql.yaml"
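Review bot: `upload-to-github-security-tab: true` on the new `trivy` job turns on the SARIF upload step, which needs `security-events: write`; on `pull_request` runs triggered from a fork the token is read-only regardless of the `permissions:` block, so that step — and with it the job — would fail on every external contribution. The triggers of verify.yaml (and the rest of the `jobs:` mapping) are outside this hunk, so this is hedged on the workflow running for fork PRs; if it does, pass the input conditionally, e.g. `upload-to-github-security-tab: ${{ github.event_name != 'pull_request' }}`, or skip the upload for fork heads. The `codeql` job carries the same `security-events: write` requirement and is worth checking the same way.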