Commit b55cb0c

chore: add trivy vulnerability scanning (#5729)
1 parent f3bbf62 commit b55cb0c

5 files changed

+177
-99
lines changed


.github/workflows/codeql.yml

Lines changed: 0 additions & 67 deletions
This file was deleted.

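--- a/.github/workflows/coder.yaml
+++ b/.github/workflows/coder.yaml
@@ -198,19 +198,19 @@ jobs:
       - name: Echo Go Cache Paths
         id: go-cache-paths
         run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+          echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_OUTPUT
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
 
       - name: Go Build Cache
         uses: actions/cache@v3
         with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
+          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
           key: ${{ github.job }}-go-build-${{ hashFiles('**/go.sum', '**/**.go') }}
 
       - name: Go Mod Cache
         uses: actions/cache@v3
         with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
           key: ${{ github.job }}-go-mod-${{ hashFiles('**/go.sum') }}
 
       - name: Install sqlc
@@ -296,22 +296,25 @@ jobs:
         with:
           go-version: "~1.19"
 
+      # Sadly the new "set output" syntax (of writing env vars to
+      # $GITHUB_OUTPUT) does not work on both powershell and bash so we use the
+      # deprecated syntax here.
       - name: Echo Go Cache Paths
         id: go-cache-paths
         run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+          echo "::set-output name=GOCACHE::$(go env GOCACHE)"
+          echo "::set-output name=GOMODCACHE::$(go env GOMODCACHE)"
 
       - name: Go Build Cache
         uses: actions/cache@v3
         with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
+          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
           key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}
 
       - name: Go Mod Cache
         uses: actions/cache@v3
         with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
           key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
 
       - name: Install gotestsum
@@ -335,10 +338,10 @@ jobs:
           # prevents test caching, so we disable it on alternate operating
           # systems.
           if [ "${{ matrix.os }}" == "ubuntu-latest" ]; then
-            echo ::set-output name=cover::true
+            echo "cover=true" >> $GITHUB_OUTPUT
             export COVERAGE_FLAGS='-covermode=atomic -coverprofile="gotests.coverage" -coverpkg=./...'
           else
-            echo ::set-output name=cover::false
+            echo "cover=false" >> $GITHUB_OUTPUT
           fi
 
           gotestsum --junitfile="gotests.xml" --packages="./..." -- -parallel=8 -timeout=5m -short -failfast $COVERAGE_FLAGS
@@ -380,19 +383,19 @@ jobs:
       - name: Echo Go Cache Paths
         id: go-cache-paths
         run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+          echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_OUTPUT
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
 
       - name: Go Build Cache
         uses: actions/cache@v3
         with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
+          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
           key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum', '**/**.go') }}
 
       - name: Go Mod Cache
         uses: actions/cache@v3
         with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
           key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
 
       - name: Install gotestsum
@@ -429,7 +432,7 @@ jobs:
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./gotests.coverage
-          flags: unittest-go-postgres-${{ matrix.os }}
+          flags: unittest-go-postgres-linux
 
   deploy:
     name: "deploy"
@@ -463,19 +466,19 @@ jobs:
       - name: Echo Go Cache Paths
         id: go-cache-paths
         run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+          echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_OUTPUT
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
 
       - name: Go Build Cache
         uses: actions/cache@v3
         with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
+          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
           key: ${{ runner.os }}-release-go-build-${{ hashFiles('**/go.sum') }}
 
       - name: Go Mod Cache
         uses: actions/cache@v3
         with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
           key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
 
       - name: Cache Node
@@ -607,19 +610,19 @@ jobs:
       - name: Echo Go Cache Paths
         id: go-cache-paths
         run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+          echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_OUTPUT
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
 
       - name: Go Build Cache
         uses: actions/cache@v3
         with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
+          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
           key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
 
       - name: Go Mod Cache
         uses: actions/cache@v3
         with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
           key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
 
       - name: Build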
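Review bot: The new `>> $GITHUB_OUTPUT` redirections in the Echo Go Cache Paths steps (hunks at 198, 380, 463 and 607) and in the coverage step (hunk at 335) leave the variable unquoted; `>> "$GITHUB_OUTPUT"` is the shellcheck-clean form (SC2086) and is robust to a runner path containing whitespace. The same applies to the two redirections in dogfood.yaml and to the GOMODCACHE and image echoes in the new security.yaml. The hunk at 296 deliberately keeps `::set-output`, which the commit's own comment calls deprecated syntax; the comment explains the powershell/bash constraint, but a `# TODO: switch to $GITHUB_OUTPUT once a form works under both pwsh and bash.` line would mark it as known debt rather than an oversight. Each of these hunks sits inside a `run:` block whose enclosing job starts outside the hunk.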

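--- a/.github/workflows/dogfood.yaml
+++ b/.github/workflows/dogfood.yaml
@@ -25,7 +25,7 @@ jobs:
           tag=${{ steps.branch-name.outputs.current_branch }}
           # Replace / with --, e.g. user/feature => user--feature.
           tag=${tag//\//--}
-          echo "::set-output name=tag::${tag}"
+          echo "tag=${tag}" >> $GITHUB_OUTPUT
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
@@ -54,7 +54,7 @@ jobs:
         uses: actions/checkout@v3
       - name: Get short commit SHA
         id: vars
-        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
       - name: "Install latest Coder"
         run: |
           curl -L https://coder.com/install.sh | sh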

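--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,135 @@
+name: "Security"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+on:
+  push:
+    branches: ["main"]
+
+  pull_request:
+    branches: ["main"]
+
+  workflow_dispatch:
+
+  schedule:
+    # Run every week at 10:24 on Thursday.
+    - cron: "24 10 * * 4"
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-security
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  codeql:
+    name: CodeQL
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-16-cores' || 'ubuntu-latest' }}
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go", "javascript"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Setup Go
+        if: matrix.language == 'go'
+        uses: actions/setup-go@v3
+        with:
+          go-version: "~1.19"
+
+      - name: Go Cache Paths
+        if: matrix.language == 'go'
+        id: go-cache-paths
+        run: |
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
+
+      - name: Go Mod Cache
+        if: matrix.language == 'go'
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
+          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
+
+      # Workaround to prevent CodeQL from building the dashboard.
+      - name: Remove Makefile
+        if: matrix.language == 'go'
+        run: |
+          rm Makefile
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{matrix.language}}"
+
+  trivy:
+    name: Trivy
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-16-cores' || 'ubuntu-latest' }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.19"
+
+      - name: Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
+
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
+          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+
+      - name: Build Coder linux amd64 Docker image
+        id: build
+        run: |
+          set -euo pipefail
+          image_job="build/coder_$(./scripts/version.sh)_linux_amd64.tag"
+          DOCKER_IMAGE_NO_PREREQUISITES=true make -j "$image_job"
+          echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+        with:
+          image-ref: ${{ steps.build.outputs.image }}
+          format: sarif
+          output: trivy-results.sarif
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: trivy-results.sarif
+
+      - name: Upload Trivy scan results as an artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: trivy
+          path: trivy-results.sarif
+          retention-days: 7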
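Review bot: Action pinning is inconsistent in the trivy job: `aquasecurity/trivy-action` is pinned to a full commit SHA, while `actions/checkout@v3`, `actions/setup-go@v3`, `actions/cache@v3`, `github/codeql-action/upload-sarif@v2` and `actions/upload-artifact@v2` are referenced by mutable major tags, so the supply-chain protection the one SHA pin buys is only partial; pinning the others the same way, with the tag kept as a trailing comment (`uses: actions/checkout@<commit-sha> # v3`), would make the workflow uniform. The Trivy step sets `severity: "CRITICAL,HIGH"` but no `exit-code`, so findings reach the Security tab and the artifact without failing the job; if report-only is the intent, a comment such as `# Report-only: findings go to the Security tab; set exit-code: "1" to gate merges.` above the step records that decision. The workflow also fires on `pull_request` with `security-events: write`, and for pull requests from forks the token is read-only, so the upload-sarif step would presumably fail on those runs — worth confirming whether fork PRs are expected to reach this workflow.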
