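# Security scanning workflow: CodeQL (static analysis of Go and JavaScript)
# and Trivy (vulnerability scan of the built Docker image). Results are
# published to the repository's Security tab via SARIF uploads.
name: "security"

# Least-privilege token for the whole workflow. `security-events: write` is
# what the CodeQL analyze and upload-sarif steps below need in order to
# publish their SARIF results; the rest is read-only.
permissions:
  actions: read
  contents: read
  security-events: write

# NOTE: a generic YAML 1.1 parser reads the bare key `on` as the boolean
# `true`; GitHub's own loader handles it, so it is left unquoted here.
on:
  push:
    branches: ["main"]

  pull_request:
    branches: ["main"]

  workflow_dispatch:

  schedule:
    # Run every week at 10:24 on Thursday.
    - cron: "24 10 * * 4"

# Cancel in-progress runs for pull requests when developers push
# additional changes
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-security
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

# NOTE(review): only the trivy-action below is pinned to an immutable commit
# SHA; every other action is referenced by a mutable major tag (@v2 / @v3).
# Pinning all of them to full commit SHAs would make the supply chain of this
# workflow consistent and tamper-evident.
jobs:
  codeql:
    # Larger runner only inside the upstream org; forks fall back to the
    # standard hosted runner.
    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: go, javascript

      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: "~1.20"

      # Exposes the module cache directory as a step output so the cache
      # action below can key on it.
      - name: Go Cache Paths
        id: go-cache-paths
        run: |
          echo "GOMODCACHE=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"

      - name: Go Mod Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}

      # Workaround to prevent CodeQL from building the dashboard.
      - name: Remove Makefile
        run: |
          rm Makefile

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

  trivy:
    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
    steps:
      - uses: actions/checkout@v3
        with:
          # Full history; presumably needed by ./scripts/version.sh in the
          # build step below — confirm before reducing the fetch depth.
          fetch-depth: 0

      - uses: actions/setup-go@v3
        with:
          go-version: "~1.20"

      - name: Go Cache Paths
        id: go-cache-paths
        run: |
          echo "GOMODCACHE=$(go env GOMODCACHE)" >> "$GITHUB_OUTPUT"

      - name: Go Mod Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}

      - name: Cache Node
        id: cache-node
        uses: actions/cache@v3
        with:
          path: |
            **/node_modules
            .eslintcache
          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            js-${{ runner.os }}-

      # Builds the image that Trivy scans; the resulting image tag is read
      # from the Makefile's tag file and exported as the `image` output.
      - name: Build Coder linux amd64 Docker image
        id: build
        run: |
          set -euo pipefail
          image_job="build/coder_$(./scripts/version.sh)_linux_amd64.tag"
          DOCKER_IMAGE_NO_PREREQUISITES=true make -j "$image_job"
          echo "image=$(cat "$image_job")" >> "$GITHUB_OUTPUT"

      # Pinned to a commit SHA rather than a tag. No `exit-code` input is set,
      # so with the action's default the CRITICAL/HIGH findings are reported
      # through SARIF rather than failing this job — confirm that is intended.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
        with:
          image-ref: ${{ steps.build.outputs.image }}
          format: sarif
          output: trivy-results.sarif
          severity: "CRITICAL,HIGH"

      # Runs only when the scan step succeeded (default step condition); add
      # `if: always()` if results should be uploaded even after a failed scan.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif

      # NOTE(review): this action is on @v2 while the other first-party
      # actions in this file are on @v3; worth aligning when next touched.
      - name: Upload Trivy scan results as an artifact
        uses: actions/upload-artifact@v2
        with:
          name: trivy
          path: trivy-results.sarif
          retention-days: 7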