Add automated security scanning workflows #4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: security | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
schedule: | |
# Run every day at 10:00 UTC (6:00 AM ET / 3:00 AM PT) | |
- cron: "0 10 * * *" | |
workflow_dispatch: | |
permissions: | |
contents: read | |
# Cancel in-progress runs for pull requests when developers push | |
# additional changes | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
jobs: | |
codeql: | |
name: CodeQL Analysis | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write | |
actions: read | |
contents: read | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Setup Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: "go.mod" | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: go | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
with: | |
category: "/language:go" | |
trivy: | |
name: Trivy Docker Image Scan | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write | |
contents: read | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- name: Setup Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: "go.mod" | |
- name: Build binary for linux/amd64 | |
run: | | |
TAG=$(git describe --always) | |
mkdir -p bin | |
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \ | |
-ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=${TAG}" \ | |
-o bin/code-marketplace-linux-amd64 \ | |
./cmd/marketplace/main.go | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Build Docker image | |
id: build | |
run: | | |
docker buildx build \ | |
--platform linux/amd64 \ | |
--tag code-marketplace:scan \ | |
--load \ | |
--build-arg TARGETARCH=amd64 \ | |
. | |
echo "image=code-marketplace:scan" >> "$GITHUB_OUTPUT" | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: ${{ steps.build.outputs.image }} | |
format: "sarif" | |
output: "trivy-results.sarif" | |
severity: "LOW,MEDIUM,HIGH,CRITICAL" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "trivy-results.sarif" | |
category: "Trivy" |