implement basic automatic security audit

rcambrj · rcambrj · commit 03ab92cfbe60 · 2025-10-08T09:41:58.000+02:00
diff --git a/.github/workflows/build-and-release.yaml b/.github/workflows/build-and-release.yaml
@@ -22,9 +22,66 @@ on:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 jobs:
+  scan-codeql:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+
+      - uses: actions/dependency-review-action@v4
+
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: actions,go
+      - uses: github/codeql-action/analyze@v3
+
+  scan-go:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Check Go dependencies
+        uses: golang/govulncheck-action@v1
+        with:
+          go-package: ./...
+          output-format: sarif
+          output-file: govulncheck.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: govulncheck.sarif
+
+      - name: Check Go source code
+        uses: securego/gosec@master
+        with:
+          args: '-no-fail -fmt sarif -out gosec.sarif ./...'
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: gosec.sarif
+
+  scan-nix:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+
+      - name: Check Nix flake inputs
+        uses: DeterminateSystems/flake-checker-action@main
+        with:
+          send-statistics: false
+
   build-go:
+    needs: [ scan-codeql, scan-go, scan-nix ]
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -68,8 +125,10 @@ jobs:
         with:
           name: multigres-operator-${{matrix.arch}}
           path: dist/*
+          if-no-files-found: error
+          retention-days: 7
 
-  build-push-container:
+  build-scan-push-container:
     needs: [ build-go ]
     runs-on: ubuntu-latest
     steps:
@@ -79,49 +138,123 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
-      - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Log into registry
-        uses: docker/login-action@v3
+      - name: Set up Docker for multi-platform
+        uses: docker/setup-docker-action@v4
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+          daemon-config: |
+            {
+              "debug": true,
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
 
-      - name: Extract container metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          images: ghcr.io/${{ github.repository }}
-          tags: |
-            type=ref,event=branch,prefix=
-            type=ref,event=tag,prefix=
-            type=sha,format=short,prefix=
-            type=sha,format=long,prefix=
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v3
 
       - uses: actions/download-artifact@v5
         with:
           pattern: multigres-operator-*
           path: dist/
 
-      - name: Build and push container image
-        id: build-and-push
+      - name: Build container image
         uses: docker/build-push-action@v5
         with:
           context: .
           file: Containerfile
           platforms: linux/${{ join(fromJson(inputs.architectures), ',linux/') }}
-          push: ${{ inputs.push-container-image }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          push: false
+          tags: "ghcr.io/${{ github.repository }}:${{ github.sha }}"
           provenance: false
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          outputs: type=oci,dest=container-image.tar
+
+      - name: Scan image with grype
+        id: scan
+        # requires that the container image be built already
+        # keep simple by running this in the same job as build
+        uses: anchore/scan-action@v6
+        with:
+          image: "ghcr.io/${{ github.repository }}:${{ github.sha }}"
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Log into registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push to registry
+        if: ${{ inputs.push-container-image }}
+        run: |
+          IMAGE="ghcr.io/${{ github.repository }}"
+          docker load --input container-image.tar
+          docker push "$IMAGE:${{ github.sha }}"
+          if [ "${{ github.ref }}" = "refs/heads/main" ]; then
+            docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:latest"
+            docker push "$IMAGE:latest"
+          fi
+          if [ "${{ github.ref_type }}" = "tag" ]; then
+            docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:${{ github.ref_name }}"
+            docker push "$IMAGE:${{ github.ref_name }}"
+          fi
+      # - name: Upload image artifact
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: container-image-tar
+      #     path: container-image.tar
+      #     if-no-files-found: error
+      #     retention-days: 7
+
+  # scan-container:
+  #   # requires that the container image be built already
+  #   needs: [ build-container ]
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - name: Scan image with grype
+  #       uses: anchore/scan-action@v6
+  #       with:
+  #         image: "ghcr.io/${{ github.repository }}:${{ github.sha }}"
+
+  # push-container:
+  #   needs: [ scan-container ]
+  #   runs-on: ubuntu-latest
+  #   if: ${{ inputs.push-container-image }}
+  #   steps:
+  #     - name: Download image artifact
+  #       uses: actions/download-artifact@v4
+  #       with:
+  #         name: container-image-tar
+  #         path: .
+
+  #     # - name: Log into registry
+  #     #   uses: docker/login-action@v3
+  #     #   with:
+  #     #     registry: ghcr.io
+  #     #     username: ${{ github.actor }}
+  #     #     password: ${{ secrets.GITHUB_TOKEN }}
+
+  #     - name: Push to registry
+  #       run: |
+  #         IMAGE="ghcr.io/${{ github.repository }}"
+  #         docker load --input container-image.tar
+  #         docker push "$IMAGE:${{ github.sha }}"
+  #         if [ "${{ github.ref }}" = "refs/heads/main" ]; then
+  #           docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:latest"
+  #           docker push "$IMAGE:latest"
+  #         fi
+  #         if [ "${{ github.ref_type }}" = "tag" ]; then
+  #           docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:${{ github.ref_name }}"
+  #           docker push "$IMAGE:${{ github.ref_name }}"
+  #         fi
 
   create-release:
-    needs: [ build-go ]
+    needs: [ build-scan-push-container ]
     runs-on: ubuntu-latest
     if: ${{ inputs.create-release }}
     steps:
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -9,6 +9,7 @@ on:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 jobs:
   run:
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -6,6 +6,7 @@ on:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 jobs:
   run:
diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml
@@ -8,6 +8,7 @@ on:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 jobs:
   run:
