coder/.github/workflows/security.yaml

name: "security"

permissions:
  actions: read
  contents: read
  security-events: write

on:
  push:
    branches: ["main"]

  pull_request:
    branches: ["main"]

  workflow_dispatch:

  schedule:
    # Run every week at 10:24 on Thursday.
    - cron: "24 10 * * 4"

# Cancel in-progress runs for pull requests when developers push
# additional changes
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-security
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  codeql:
    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
    steps:
      - uses: actions/checkout@v3

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: go, javascript

      - name: Setup Go
        uses: actions/setup-go@v3
        with:
          go-version: "~1.20"

      - name: Go Cache Paths
        id: go-cache-paths
        run: |
          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT          

      - name: Go Mod Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}

      # Workaround to prevent CodeQL from building the dashboard.
      - name: Remove Makefile
        run: |
          rm Makefile          

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2

  trivy:
    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - uses: actions/setup-go@v3
        with:
          go-version: "~1.20"

      - name: Go Cache Paths
        id: go-cache-paths
        run: |
          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT          

      - name: Go Mod Cache
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}

      - name: Cache Node
        id: cache-node
        uses: actions/cache@v3
        with:
          path: |
            **/node_modules
            .eslintcache            
          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            js-${{ runner.os }}-            

      - name: Install yq
        run: go run github.com/mikefarah/yq/v4@v4.30.6

      - name: Build Coder linux amd64 Docker image
        id: build
        run: |
          set -euo pipefail

          version="$(./scripts/version.sh)"
          image_job="build/coder_${version}_linux_amd64.tag"

          # This environment variable force make to not build packages and
          # archives (which the Docker image depends on due to technical reasons
          # related to concurrent FS writes).
          export DOCKER_IMAGE_NO_PREREQUISITES=true
          # This environment variables forces scripts/build_docker.sh to build
          # the base image tag locally instead of using the cached version from
          # the registry.
          export CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"

          make -j "$image_job"
          echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT          

      - name: Build Coder linux amd64 Docker image (ironbank)
        id: build-ironbank
        run: |
          set -euo pipefail
          # NOTE: This is not a real image tag we publish.
          image_tag="${{ steps.build.outputs.image }}-ironbank"
          ./scripts/ironbank/build_ironbank.sh \
            --target "$image_tag" \
            "build/coder_$(./scripts/version.sh)_linux_amd64"
          echo "image=$image_tag" >> $GITHUB_OUTPUT          

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
        with:
          image-ref: ${{ steps.build.outputs.image }}
          format: sarif
          output: trivy-results.sarif
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif
          category: "Trivy"

      - name: Run Trivy vulnerability scanner (ironbank)
        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
        with:
          image-ref: ${{ steps.build-ironbank.outputs.image }}
          format: sarif
          output: trivy-results-ironbank.sarif
          severity: "CRITICAL,HIGH"

      # Update the tool name field in the ironbank SARIF file so it's not
      # indistinguishable from findings in the non-ironbank SARIF file in the
      # GitHub UI. Without this, findings from both scans would show up as
      # "Trivy".
      - name: Update tool name in SARIF file (ironbank)
        run: |
          set -euo pipefail
          yq eval -i '.runs[0].tool.driver.name = "Trivy Ironbank"' trivy-results-ironbank.sarif          

      - name: Upload Trivy scan results to GitHub Security tab (ironbank)
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results-ironbank.sarif
          category: "Trivy Ironbank"

      - name: Upload Trivy scan results as an artifact
        uses: actions/upload-artifact@v2
        with:
          name: trivy
          path: |
            trivy-results.sarif
            trivy-results-ironbank.sarif            
          retention-days: 7