chore: improve cicd security

hazcod · Sep 7, 2022 · ac26694 · ac26694
1 parent 2bbcbac
commit ac26694
Show file tree

Hide file tree

Showing 7 changed files with 130 additions and 45 deletions.
diff --git a/.github/go/Dockerfile b/.github/go/Dockerfile
@@ -0,0 +1 @@
+FROM golang:1.19
diff --git a/.github/workflows/approve.yml b/.github/workflows/approve.yml
@@ -3,12 +3,12 @@ name: approve
 
 jobs:
 
-  approve-dependabot:
+  approve:
     name: dependabot
     if: github.actor == 'dependabot[bot]' || github.actor == 'dependabot-preview[bot]'
     runs-on: ubuntu-latest
     steps:
-    -
-      uses: hmarr/auto-approve-action@v2.2.1
-      with:
-        github-token: "${{ secrets.GITHUB_TOKEN }}"
+      -
+        uses: hmarr/auto-approve-action@v2.2.1
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,29 +7,36 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     steps:
-    -
-      name: Checkout
-      uses: actions/checkout@v3
-    -
-      name: Unshallow
-      run: git fetch --prune --unshallow
-    -
-      name: Set up Go
-      uses: actions/setup-go@v3
-    -
-      name: Install syft
-      run: |
-        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
-    -
-      name: Build
-      uses: goreleaser/goreleaser-action@v3.0.0
-      with:
-        version: latest
-        args: release --config=.github/goreleaser.yml --rm-dist
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    -
-      name: Scan dependencies
-      uses: anchore/sbom-action@v0
-      with:
-        dependency-snapshot: true
+      -
+        name: Checkout
+        uses: actions/checkout@v2
+      -
+        name: Unshallow
+        run: git fetch --prune --unshallow
+      -
+        id: vars
+        run: |
+          echo ::set-output name=go_version::$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
+          echo "Using Go version ${{ steps.vars.outputs.go_version }}"
+      -
+        name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ steps.vars.outputs.go_version }}
+      -
+        name: Install syft
+        run: |
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+      -
+        name: Build
+        uses: goreleaser/goreleaser-action@v3.0.0
+        with:
+          version: latest
+          args: release --config=.github/goreleaser.yml --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      -
+        name: Scan dependencies
+        uses: anchore/sbom-action@v0
+        with:
+          dependency-snapshot: true
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -8,9 +8,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     -
-      uses: actions/checkout@v3
+      uses: actions/checkout@v3.0.2
     -
       name: golangci-lint
-      uses: golangci/golangci-lint-action@v3
+      uses: reviewdog/action-golangci-lint@master
       with:
-        args: "--config=.github/golangci.yml"
+        github_token: ${{ secrets.github_token }}
+        golangci_lint_flags: "--config=.github/golangci.yml"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,28 +13,42 @@ jobs:
       uses: actions/checkout@v3
       with:
         fetch-depth: 0
+    -
+      id: vars
+      run: |
+        echo ::set-output name=go_version::$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
+        echo "Using Go version ${{ steps.vars.outputs.go_version }}"
     -
       name: Set up Go
       uses: actions/setup-go@v3
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
     -
-      name: Install syft
-      run: |
-        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+      name: Set up Go
+      uses: actions/setup-go@v3
     -
-      name: Upload SBOM to GitHub
-      uses: anchore/sbom-action@v0
+      name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
+      uses: aquasecurity/trivy-action@master
       with:
-        dependency-snapshot: true
+        scan-type: 'fs'
+        format: 'github'
+        output: 'dependency-results.sbom.json'
+        image-ref: '.'
+        github-pat: ${{ secrets.GH_PRIVATEREPO_TOKEN }}
+    -
+      name: Setup git for private go module access
+      run: |
+        go env -w GOPRIVATE=github.com/intigriti
+        echo "machine github.com login ${{ secrets.GH_PRIVATEREPO_TOKEN }}" >> ~/.netrc
     -
       name: Create release tag
       uses: go-semantic-release/action@v1
       id: semrel
       with:
         github-token: ${{ secrets.GITHUB_TOKEN }}
-        force-bump-patch-version: false
     -
-      if: steps.semrel.outputs.version != ''
       run: git fetch -a
+      if: steps.semrel.outputs.version != ''
     -
       name: Release
       uses: goreleaser/goreleaser-action@v3

diff --git a/.github/workflows/securityscan.yml b/.github/workflows/securityscan.yml
@@ -1,4 +1,4 @@
-name: "security"
+name: security
 
 on:
   push:
@@ -9,7 +9,8 @@ on:
     - cron: '0 5 * * 6'
 
 jobs:
-  codescan:
+
+  codeql:
 
     name: code-scan
     runs-on: ubuntu-latest
@@ -26,3 +27,54 @@ jobs:
     -
       name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v2
+
+  govulncheck:
+
+    name: code-scan
+    runs-on: ubuntu-latest
+
+    steps:
+    -
+      name: Checkout repository
+      uses: actions/checkout@v3
+    -
+      id: vars
+      run: |
+        echo ::set-output name=go_version::$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
+        echo "Using Go version ${{ steps.vars.outputs.go_version }}"
+    -
+      name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+    -
+      name: check for go vulnerabilities
+      uses: kmulvey/govulncheck-action@main
+      with:
+        packages: '.'
+
+  trivy:
+
+    name: code-scan
+    runs-on: ubuntu-latest
+
+    steps:
+    -
+      uses: actions/checkout@v3
+    -
+      name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@master
+      with:
+        hide-progress: false
+        exit-code: '1'
+        ignore-unfixed: true
+        scan-type: 'fs'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+        severity: 'CRITICAL,HIGH,MEDIUM'
+    -
+      name: Upload Trivy scan results to GitHub Security tab
+      if: always()
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,10 +8,20 @@ jobs:
     steps:
     -
       name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v3.0.2
     -
       name: Unshallow
       run: git fetch --prune --unshallow
+    -
+      id: vars
+      run: |
+        echo ::set-output name=go_version::$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
+        echo "Using Go version ${{ steps.vars.outputs.go_version }}"
+    -
+      name: Set up Go
+      uses: actions/setup-go@v3
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
     -
       name: Set up Go
       uses: actions/setup-go@v3