Add automated security scanning workflows #124
Conversation
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
- Scan LOW,MEDIUM,HIGH,CRITICAL instead of only HIGH,CRITICAL
- Remove Docker image scan (no :latest tag exists)
Enable vuln, secret, and misconfig scanners explicitly
- Build Go binary for linux/amd64
- Build Docker image with buildx
- Scan the built image (not filesystem)
- Matches coder/coder scanning approach
- Add table format scan to show results in workflow logs
- Upload SARIF as artifact for manual inspection
- Matches coder/coder artifact upload pattern
Pull Request Overview
This PR adds comprehensive automated security scanning workflows to improve supply chain security for air-gapped deployments. The changes include CodeQL vulnerability scanning, Trivy image scanning, OpenSSF Scorecard security assessment, and enhanced Dependabot configuration.
- Automated daily security scanning with CodeQL and Trivy
- Weekly OpenSSF Scorecard security best practices assessment
- Enhanced Dependabot with commit prefixes and patch update filtering
Reviewed Changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
File | Description |
---|---|
CHANGELOG.md | Documents the addition of security scanning workflows and Dependabot enhancements |
.github/workflows/security.yaml | Main security workflow with CodeQL and Trivy scanning jobs |
.github/workflows/scorecard.yml | OpenSSF Scorecard workflow for security best practices assessment |
.github/dependabot.yaml | Enhanced configuration with commit prefixes and patch update filtering |
TAG=$(shell git describe --always)

build/linux/amd64:
- build/linux/amd64:
+ bin/coder-marketplace-linux-amd64:
You can keep the PHONY (after editing the target name) for simplicity's sake though, otherwise you'll need to specify every Go-related file as a dependency
TAG=$(shell git describe --always)

build/linux/amd64:
I think every OS/arch should be turned into a target just like this, and the build job should depend on all of them and have no content.
steps:
- name: Checkout code
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
actions/checkout is currently at v5.0.0
persist-credentials: false

- name: Run analysis
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
ossf/scorecard-action is currently at v2.4.3
echo "image=code-marketplace:scan" >> "$GITHUB_OUTPUT"
- name: Run Trivy vulnerability scanner (table output for logs)
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
aquasecurity/trivy-action is currently at v0.33.1. Also missing the v in the comment.
severity: "LOW,MEDIUM,HIGH,CRITICAL"

- name: Run Trivy vulnerability scanner (SARIF output for GitHub)
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
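Review bot: this SARIF-output step and the preceding table-output step invoke the same scanner at the same pinned version against the same image, so both must carry the same `severity` list (the table step sets `severity: "LOW,MEDIUM,HIGH,CRITICAL"`); if they differ, the workflow log and the Security tab will disagree about what was found. Consider whether one scan can feed both outputs so the vulnerability database is not pulled twice per run.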
Same here
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
Same here
@code-asher could you give this a review and flag anything that's weird for you? I haven't contributed to this repo before so maybe I'm missing something in my reviews
Awesome thank you!
# Ignore patch updates for all dependencies to reduce PR noise
- dependency-name: "*"
update-types:
- version-update:semver-patch
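Review bot: ignoring `version-update:semver-patch` for `dependency-name: "*"` suppresses exactly the release class in which most security fixes ship, which sits oddly in a PR motivated by supply-chain security. Either scope the ignore to specific noisy dependencies or confirm before merging that Dependabot security updates still open PRs for patch versions covered by this rule.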
Do we need this? So far the number of updates seems to have been pretty mild. Or we could group updates weekly or something.
commit-message:
prefix: "ci"
Not a huge deal, but I think the prefixes may have no use, the changelog is manually curated.
commit-message:
prefix: "chore"
ditto
Closes #123
Adds automated security scanning to improve supply chain security for air-gapped deployments:
Changes
All scan results are uploaded to GitHub Security tab for centralized monitoring.
Testing