Skip to content
This repository has been archived by the owner on Nov 27, 2024. It is now read-only.
Security checks

build(deps): bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.2 in /server #1442

Sign in to view logs

build(deps): bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.2 in /server

build(deps): bump sigs.k8s.io/controller-runtime from 0.19.0 to 0.19.2 in /server #1442

Workflow file for this run

.github/workflows/security.yaml at 96f4697
name: Security checks
permissions:
contents: read
security-events: write
on: # yamllint disable-line rule:truthy
pull_request:
paths-ignore:
- "doc/**"
- "*.md"
- "DCO"
- "LICENSE"
- "OWNERS"
- "PROJECT"
push:
branches: [main]
schedule:
- cron: '0 0 * * *' # run at midnight daily
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
gosec:
name: Gosec
runs-on: ubuntu-22.04
steps:
- name: Checkout Git Repository
uses: actions/checkout@v4
- name: Run gosec
uses: securego/[email protected]
with:
args: '-exclude=G601 -no-fail -fmt sarif -out gosec.sarif ./...'
- name: Upload scan results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: gosec.sarif
trivy:
name: Trivy
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
lint-sh:
name: Lint shell scripts
runs-on: ubuntu-22.04
permissions:
security-events: write
steps:
- name: Checkout Git Repository
uses: actions/checkout@v4
- run: cargo install shellcheck-sarif sarif-fmt
- name: Lint shell scripts
run: |
find . -executable -type f -regex ".*\(hack\|ci\).*" -print0 | \
xargs -0 shellcheck -f json | \
shellcheck-sarif > results.sarif
sarif-fmt -c always < results.sarif
if [[ $(jq '.runs[].results | length' results.sarif) -ne "0" ]]; then
exit 1
fi
- if: ${{ always() }}
name: Upload ShellCheck defects
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
# We need to render _every_ directory that has a kustomization.yaml file,
# since that's what infra-deployments checks for. Having a check identical
# to what infra-deployments does will save us some embarassment when we make
# a release.
kubelinter:
name: Kubelinter
runs-on: ubuntu-22.04
steps:
- name: Checkout Git Repository
uses: actions/checkout@v4
- name: Render kustomize templates
run: |
mkdir out
find operator server -name 'kustomization.yaml' | \
xargs -I {} -n1 -P8 \
bash -c 'dir=$(dirname "{}"); output_file=$(realpath out/$(echo $dir | tr / -)-kustomization.yaml); if ! log=$(cd "$dir" && kustomize edit set image workspaces/rest-api:index controller:index && kustomize build . -o "$output_file" 2>&1); then echo "Error when running kustomize build for $dir: $log" && exit 1;fi'
- name: Run kube-linter
uses: stackrox/[email protected]
id: kube-linter-action-scan
with:
version: v0.6.8
# Adjust this directory to the location where your kubernetes resources and helm charts are located.
directory: out
# The following two settings make kube-linter produce scan analysis in SARIF format which would then be
# made available in GitHub UI via upload-sarif action below.
format: sarif
output-file: out/kube-linter.sarif
# The following line prevents aborting the workflow immediately in case your files fail kube-linter checks.
# This allows the following upload-sarif action to still upload the results to your GitHub repo.
continue-on-error: true
- name: Upload sarif report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: out/kube-linter.sarif