infra-security-scan.yml
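---
# Reusable security-scanning workflow (called via `workflow_call`).
# Jobs:
#   infra-security-scan – KICS infrastructure-as-code scan, SARIF upload, optional PR comments
#   zizmor              – static analysis of the repository's GitHub Actions workflows
#   checkmake           – lint of Makefiles, findings posted as a PR comment
# Every job runs behind step-security/harden-runner with `egress-policy: block`
# and an explicit per-job endpoint allow-list; callers may extend the list
# through the `egress-policy-allowlist` input.
on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      # Passed straight through to harden-runner in every job.
      disable-sudo:
        type: boolean
        default: true
      # Extra `host:port` entries appended to each job's harden-runner allow-list.
      egress-policy-allowlist:
        type: string
        default: ""
      # Whether the KICS action posts findings as pull-request comments.
      enable-comments:
        type: boolean
        default: true
      runs-on:
        type: string
        default: "ubuntu-latest"
      # Gates the "Upload SARIF file" steps below (default: upload).
      upload-sarif:
        type: boolean
        default: true
      # Directory scanned by KICS and checkmake, relative to the workspace root.
      working-directory:
        type: string
        default: "."

jobs:
  infra-security-scan:
    name: Scan with Kics
    runs-on: ${{ inputs.runs-on }}
    permissions:
      contents: read
      pull-requests: write  # KICS PR comments (enable_comments)
      security-events: write  # SARIF upload
    defaults:
      run:
        working-directory: ${{ inputs.working-directory }}
    steps:
      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          disable-sudo: ${{ inputs.disable-sudo }}
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            kics.io:443
            packages.wolfi.dev:443
            registry.npmjs.org:443
            ${{ inputs.egress-policy-allowlist }}

      - name: Checkout Source
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - name: Kics Scan
        uses: Checkmarx/kics-github-action@3246fb456a46d1ea8848ae18793c036718b19fe0 # v2.1.5
        with:
          # `defaults.run.working-directory` only applies to `run` steps, not to
          # `uses` actions, so the scan path has to name the directory explicitly
          # (it matches the `output_path` below; "." keeps the old behaviour).
          path: ${{ inputs.working-directory }}
          output_path: ${{ inputs.working-directory }}/kics_results.sarif
          output_formats: sarif
          fail_on: high,medium
          token: ${{ github.token }}
          enable_comments: ${{ inputs.enable-comments }}
          enable_annotations: true
          enable_jobs_summary: true
          comments_with_queries: true

      - name: Upload SARIF file
        # `fail_on` makes the scan step fail exactly when there are findings to
        # report, so the upload must not be skipped on a failed previous step.
        # `!cancelled()` (rather than `always()`) still honours cancellation.
        if: ${{ !cancelled() && inputs.upload-sarif }}
        uses: github/codeql-action/upload-sarif@3407610120cd5656b6fc71991415cb50748b9489 # v2.20.1
        with:
          sarif_file: ${{ inputs.working-directory }}/kics_results.sarif
          # Distinct category per tool so the two SARIF uploads of this workflow
          # are tracked separately by code scanning.
          category: kics

  zizmor:
    name: zizmor GitHub Actions Security Analysis
    runs-on: ${{ inputs.runs-on }}
    permissions:
      contents: read
      # NOTE(review): no step in this job comments on pull requests; this grant
      # looks wider than needed — confirm and narrow to `read` or drop.
      pull-requests: write
      security-events: write  # SARIF upload
    steps:
      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          disable-sudo: ${{ inputs.disable-sudo }}
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            objects.githubusercontent.com:443
            pypi.org:443
            ${{ inputs.egress-policy-allowlist }}

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@1edb52594c857e2b5b13128931090f0640537287 # v5.3.0

      - name: Run zizmor 🌈
        # NOTE(review): `uvx zizmor` resolves whatever release is newest on each
        # run (an unpinned supply-chain input); pin it (`uvx zizmor==<VERSION>`)
        # once a version is chosen. zizmor exits non-zero on findings, which is
        # what fails this job.
        run: uvx zizmor --format sarif . > zizmor_results.sarif
        env:
          GH_TOKEN: ${{ github.token }}

      - name: Upload SARIF file
        # Upload even when zizmor reported findings (non-zero exit above).
        if: ${{ !cancelled() && inputs.upload-sarif }}
        uses: github/codeql-action/upload-sarif@3407610120cd5656b6fc71991415cb50748b9489 # v2.20.1
        with:
          sarif_file: zizmor_results.sarif
          category: zizmor

  checkmake:
    name: Check Makefile
    runs-on: ${{ inputs.runs-on }}
    permissions:
      contents: read
      pull-requests: write  # PR comment step below
    defaults:
      run:
        working-directory: ${{ inputs.working-directory }}
    steps:
      - uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          disable-sudo: ${{ inputs.disable-sudo }}
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            proxy.golang.org:443
            storage.googleapis.com:443
            sum.golang.org:443
            ${{ inputs.egress-policy-allowlist }}

      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          persist-credentials: false

      - uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
        with:
          go-version: "oldstable"
          cache: false

      - id: find-files
        shell: bash
        run: |
          FILES=$(find . -iname "Makefile" -o -iname "GNUmakefile" -o -iname "*.mk" -o -iname "*.make")
          echo "$FILES" > "$GITHUB_WORKSPACE/files.txt"
          # FILES is newline-separated. `echo "FILES=$FILES"` only works for a
          # single line; with two or more Makefiles the extra lines are invalid
          # entries for $GITHUB_OUTPUT. Use the multi-line (heredoc) form with a
          # per-run random delimiter so a crafted file name cannot terminate the
          # block early and smuggle in additional outputs.
          delim="$(openssl rand -hex 16)"
          {
            echo "FILES<<${delim}"
            echo "$FILES"
            echo "${delim}"
          } >> "$GITHUB_OUTPUT"

      - if: steps.find-files.outputs.FILES != ''
        id: scan-files
        continue-on-error: true
        shell: bash
        env:
          FILES: ${{ steps.find-files.outputs.FILES }}
        run: |
          # NOTE(review): `@latest` is an unpinned supply-chain input; pin a
          # released version (`...@<VERSION>`) once chosen.
          go install github.com/mrtazz/checkmake/cmd/checkmake@latest
          # One argument per file: the old `"$FILES"` handed the whole
          # newline-separated list to checkmake as a single path.
          mapfile -t makefiles <<< "$FILES"
          # checkmake is expected to exit non-zero when it reports findings;
          # under `bash -e` a failing command substitution aborts the step before
          # the output is written, so the PR comment would never fire. Keep the
          # output regardless of the exit status.
          CHECKMAKE_OUTPUT=$(checkmake "${makefiles[@]}" --debug || true)
          # Multi-line output: same heredoc form and random delimiter as above.
          delim="$(openssl rand -hex 16)"
          {
            echo "CHECKMAKE_OUTPUT<<${delim}"
            echo "$CHECKMAKE_OUTPUT"
            echo "${delim}"
          } >> "$GITHUB_OUTPUT"

      - name: PR comment with file
        if: github.event_name == 'pull_request' && steps.scan-files.outputs.CHECKMAKE_OUTPUT != ''
        uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
        with:
          # Blank line before the fence so Markdown renders the code block inside <details>.
          message: |
            <details>
            <summary>Checkmake findings</summary>

            ```
            ${{ steps.scan-files.outputs.CHECKMAKE_OUTPUT }}
            ```
            </details>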