Skip to content

Commit

Permalink
ci: change to ko and goreleaser, add SLSA3 verification
Browse files Browse the repository at this point in the history
  • Loading branch information
@janfuhrer
janfuhrer committed Jun 19, 2024
1 parent b98dce3 commit cc8d0f6
Show file tree
Hide file tree
Showing 31 changed files with 1,189 additions and 197 deletions.
23 changes: 23 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
---
name: Bug report
about: Create a report to help me improve
title: ''
labels: ''
assignees: ''

---

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior.

**Expected behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Additional context**
Add any other context about the problem here.
20 changes: 20 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe any alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any additional context or screenshots about the feature request here.
16 changes: 16 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
<!--
Thank you for contributing to natrontech/pbs-exporter.
-->

**What this PR does**:

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Notes for Reviewer**:


**Checklist**:

- [ ] I have read and understood the [CONTRIBUTING](https://github.com/natrontech/pbs-exporter/blob/main/CONTRIBUTING.md) and [CODE_OF_CONDUCT](https://github.com/natrontech/pbs-exporter/blob/main/CODE_OF_CONDUCT.md) documents
- [ ] Pull Request title in the format of [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) e.g. `feat|fix|chore|docs|...: Changed Something`
- [ ] Updated documentation in the `README.md` file (e.g. new parameters, environment variables, return values, ...)
92 changes: 92 additions & 0 deletions .github/publish-image/action.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
name: Publish image

description: Publishes a docker image, SBOM, scans vulns, and signs the image.

inputs:
makefile-target:
required: true
description: makefile target to invoke for publishing image with ko
registry:
required: true
description: registry to publish image to
registry-username:
required: true
description: registry credentials username
registry-password:
required: true
description: registry credentials password
repository:
required: true
description: repository to publish image to
version:
required: true
description: published image version
sign-image:
required: true
description: sign image
sbom-name:
required: true
description: name of the cyclonedx sbom
sbom-repository:
required: true
description: sbom repository
signature-repository:
required: true
description: signature repository
main-path:
required: true
description: path to main go entry point

outputs:
digest:
value: ${{ steps.digest.outputs.digest }}
description: published image digest

runs:
using: composite
steps:
- shell: bash
id: ko-publish
env:
REGISTRY: ${{ inputs.registry }}
REPO: ${{ inputs.repository }}
REGISTRY_PASSWORD: ${{ inputs.registry-password }}
COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
run: |
set -e
echo "digest=$(VERSION=${{ inputs.version }} make ${{ inputs.makefile-target }})" >> $GITHUB_OUTPUT
- uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
with:
version: v1
args: app -licenses -json -output ${{ inputs.sbom-name }}-bom.cdx.json -main ${{ inputs.main-path }}
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{ inputs.sbom-name }}-bom-cdx
path: ${{ inputs.sbom-name }}-bom.cdx.json
- shell: bash
if: ${{ inputs.sign-image == 'true' }}
env:
COSIGN_REPOSITORY: ${{ inputs.signature-repository }}
run: |
set -e
cosign sign --yes \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
${{ steps.ko-publish.outputs.digest }}
- shell: bash
env:
COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
run: |
cosign attest --yes \
--predicate ./${{ inputs.sbom-name }}-bom.cdx.json \
--type cyclonedx \
--oidc-provider github-actions \
${{ steps.ko-publish.outputs.digest }}
- shell: bash
id: digest
run: |
echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}"
DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2)
echo "Digest from image is: $DIGEST"
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
90 changes: 90 additions & 0 deletions .github/workflows/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,90 @@
# GitHub Workflows

## Overview

Following workflows are implemented in the repository.
[SARIF](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) is used to store the results for an analysis of code scanning tools in the Security tab of the repository.

| Workflow | Jobs | Trigger | SARIF upload | Description |
| :----------------------------------------------- | :------------------------------ | :------------------------------------------------------------ | :----------- | ----------------------------------------------------------------------------------------------- |
| [codeql.yml](./codeql.yml) | `analyze` | push/pr to `main`, cron: `00 13 * * 1` | yes | Semantic code analysis |
| [dependency-review.yml](./dependency-review.yml) | `dependency-review` | pr to `main` | - | Check pull request for vulnerabilities in dependencies or invalid licenses are being introduced |
| [golangci-lint.yml](./golangci-lint.yml) | `lint` | push/pr on `*` | - | Lint Go Code |
| [gosec.yml](./gosec.yml) | `analyze` | push/pr on `*` | - | Inspects source code for security problems in Go code |
| [osv-scan.yml](./osv-scan.yml) | `analyze` | push/pr to `main`, cron: `30 13 * * 1` | yes | Scanning for vulnerabilites in dependencies |
| [release.yml](./release.yml) | see [release chapter](#release) | push tag `v*` | - | Create release with go binaries and docker container |
| [scorecard.yml](./scorecard.yml) | `analyze` | push to `main`, cron: `00 14 * * 1`, change branch protection | yes | Create OpenSSF analysis and create project score |

## CodeQL

Action: https://github.com/github/codeql-action

[CodeQL](https://codeql.github.com/) is a semantic code analysis engine that can find security vulnerabilities in codebases. The workflow displays security alerts in the repository's Security tab or in pull requests.

## Dependency Review

Action: https://github.com/actions/dependency-review-action

This action scans the dependency manifest files that change as part of a pull request, revealing known-vulnerable versions of the packages declared or updated in the PR. Pull requests that introduce known-vulnerable packages will be blocked from merging.
It also allows you to define a list of licenses that are allowed or disallowed in the project, and will check if the PR introduces a dependency with a disallowed license.
It also checks the OpenSSF scorecard for all dependencies and allows to warn if a dependency has a low score.

More information can be found in the [GitHub documentation](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)

## GolangCI-Lint

Action: https://github.com/golangci/golangci-lint-action

[GolangCI-Lint](https://golangci-lint.run/) is a fast Go linters runner. It runs linters in parallel, uses caching, and works on Linux, macOS, and Windows. The workflow runs the linters on the Go code in the repository.

## Gosec

Action: https://github.com/securego/gosec

[Gosec](https://securego.io/) is a security tool that performs static code analysis of Go code. The workflow scans the Go code in the repository for security issues.

## OSV-Scan

Action: https://github.com/google/osv-scanner-action

[OSV-Scan](https://osv.dev/) is a vulnerability database and triage infrastructure for open-source projects. The [OSV-Scanner](https://google.github.io/osv-scanner/) finds vulnerabilities in dependencies of an project and uploads the results to the Security tab of the repository.

## Release

The release workflow includes multiple jobs to create a release of the project. Following jobs are implemented:

| Job | GitHub Action | Description |
| :-------------------------------- | :------------------------------------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------- |
| `goreleaser` | [goreleaser-action](https://github.com/goreleaser/goreleaser-action) | Creates the go archives & checksums file |
| `ko-publish` | [publish-image action](../actions/publish-image/action.yaml) | Create the container images & SBOMs, sign images and upload to the GitHub registry |
| `binary-provenance` | [generator_generic_slsa3](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) | Generate provenance for all release artifacts (go archives & SBOMs) |
| `image-provenance` | [generator_container_slsa3](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container) | Generates provenance for the container images |
| `verification-with-slsa-verifier` | - | Verifying the cryptographic signatures on provenance for all binary releases |
| `verification-with-cosign` | - | Verifying the cryptographic signatures on provenance for the container image |

### Go Release

This repository uses [goreleaser](https://goreleaser.com/) to create all the release artifacts. GoReleaser can build and release Go binaries for multiple platforms, create archives/container images/SBOMs and more. All the configuration for the release is stored in the file [.goreleaser.yml](./../../.goreleaser.yml).
For all the release artifacts (`*.tar.gz`, `*.zip`, `*.sbom.json`), provenance is generated using the [SLSA Generic Generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md). The provenance file is uploaded to the release assets and can be verified using the `slsa-verifier` tool (see [Release Verification](./../../SECURITY.md#release-verification)).

### Container Release

The multi-arch container images are built using [ko](https://ko.build/) in the [publish-image](../actions/publish-image/action.yaml) action and uploaded to the GitHub Container Registry. The docker image provenance is generated using the [SLSA Container Generator](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container) and uploaded to the registry. The provenance can be verified using the `slsa-verifier` or `cosign` tool (see [Release Verification](./../../SECURITY.md#release-verification)).

**Credits**: The [publish-image](../actions/publish-image/action.yaml) action is from [Kyverno](https://github.com/kyverno/kyverno).

### Container SBOM

[ko](https://ko.build/features/sboms/) only generates a "minimal" SBOM for the container images (see [comment in GitHub Issue](https://github.com/ko-build/ko/pull/587#issuecomment-1034926085)) and lacks some information (e.g. Licensing information or the `version` field which is set to `devel` instead of the actual version).

To generate a complete SBOM for the container images, the [go-gomod-generate-sbom](https://github.com/CycloneDX/gh-gomod-generate-sbom) action is used instead.

The SBOMs of the container images are uploaded to a separate package registry (see [SBOM](./../../SECURITY.md#sbom) for more information).

## Scorecards

Action: https://github.com/ossf/scorecard-action

[Scorecards](https://github.com/ossf/scorecard) is a tool that provides a security score for open-source projects. The workflow runs the scorecard on the repository and uploads the results to the Security tab of the repository. There is also a report on the OpenSSF website, the link is available in the README file by clicking on the OpenSSF Scorecard badge.

[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/natrontech/pbs-exporter/badge)](https://securityscorecards.dev/viewer/?uri=github.com/natrontech/pbs-exporter)
39 changes: 0 additions & 39 deletions .github/workflows/ci.yml
View file

This file was deleted.

73 changes: 28 additions & 45 deletions .github/workflows/codeql.yml
View file
Original file line number Diff line number Diff line change
@@ -1,76 +1,59 @@
# For most projects, this workflow file will not need changing; you simply need
# to commit it to your repository.
#
# You may wish to alter this file to override the set of languages analyzed,
# or to provide custom queries or build logic.
#
# ******** NOTE ********
# We have attempted to detect the languages in your repository. Please check
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"

on:
push:
branches: [ "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]
schedule:
- cron: '25 4 * * 3'
- cron: '00 13 * * 1'

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
analyze:
name: Analyze
name: Analyze (${{ matrix.language }})
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
actions: read
contents: read
# required for all workflows
security-events: write
# required to fetch internal or private CodeQL packs
packages: read

strategy:
fail-fast: false
matrix:
language: [ 'go' ]
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
# Use only 'java' to analyze code written in Java, Kotlin or both
# Use only 'javascript' to analyze code written in JavaScript, TypeScript or both
# Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
include:
- language: go
build-mode: manual

steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
persist-credentials: false

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.

# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality


# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v3

# ℹ️ Command-line programs to run using the OS shell.
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

# If the Autobuild fails above, remove it and uncomment the following three lines.
# modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
build-mode: ${{ matrix.build-mode }}

# - run: |
# echo "Run, Build Application using script"
# ./location_of_script_within_repo/buildscript.sh
- if: matrix.build-mode == 'manual'
env:
# fix "go: download go1.22 for linux/amd64: toolchain not available" error
GOTOOLCHAIN: "go1.22.2"
run: |
make go-build
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
with:
category: "/language:${{matrix.language}}"
Loading

0 comments on commit cc8d0f6

Please sign in to comment.