implement basic automatic security audit

rcambrj · rcambrj · commit 0846a5f08b45 · 2025-10-08T11:15:48.000+02:00
diff --git a/.github/workflows/build-and-release.yaml b/.github/workflows/build-and-release.yaml
@@ -22,9 +22,43 @@ on:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 jobs:
+  scan-dependencies:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+
+      - uses: actions/dependency-review-action@v4
+        # this action requires a base and head
+        if: ${{ github.event_name == 'pull_request' }}
+
+  scan-codeql:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: actions,go
+      - uses: github/codeql-action/analyze@v3
+
+  scan-nix:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+
+      - name: Check Nix flake inputs
+        uses: DeterminateSystems/flake-checker-action@main
+        with:
+          send-statistics: false
+
   build-go:
+    needs: [ scan-dependencies, scan-codeql, scan-nix ]
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -68,6 +102,8 @@ jobs:
         with:
           name: multigres-operator-${{matrix.arch}}
           path: dist/*
+          if-no-files-found: error
+          retention-days: 7
 
   build-push-container:
     needs: [ build-go ]
@@ -79,49 +115,85 @@ jobs:
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
 
+      - name: Set up Docker for multi-platform
+        uses: docker/setup-docker-action@v4
+        with:
+          daemon-config: |
+            {
+              "debug": true,
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
+
       - name: Setup Docker buildx
         uses: docker/setup-buildx-action@v3
 
+      - uses: actions/download-artifact@v5
+        with:
+          pattern: multigres-operator-*
+          path: dist/
+
       - name: Log into registry
+        if: ${{ inputs.push-container-image }}
         uses: docker/login-action@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Extract container metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          images: ghcr.io/${{ github.repository }}
-          tags: |
-            type=ref,event=branch,prefix=
-            type=ref,event=tag,prefix=
-            type=sha,format=short,prefix=
-            type=sha,format=long,prefix=
-
-      - uses: actions/download-artifact@v5
-        with:
-          pattern: multigres-operator-*
-          path: dist/
-
-      - name: Build and push container image
-        id: build-and-push
+      - name: Build container image
         uses: docker/build-push-action@v5
         with:
           context: .
           file: Containerfile
           platforms: linux/${{ join(fromJson(inputs.architectures), ',linux/') }}
-          push: ${{ inputs.push-container-image }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          load: true
+          push: false
+          tags: "ghcr.io/${{ github.repository }}:${{ github.sha }}"
           provenance: false
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          outputs: type=oci,dest=container-image.tar
+
+      - name: Push to registry (sha)
+        run: |
+          IMAGE="ghcr.io/${{ github.repository }}"
+          docker push "$IMAGE:${{ github.sha }}"
+
+      # grype requires that the container image be pushed already because
+      # the scanner runs in a container with a different local registry
+      - name: Scan image with grype
+        if: ${{ inputs.push-container-image }}
+        id: scan
+        uses: anchore/scan-action@v6
+        continue-on-error: true
+        with:
+          image: "ghcr.io/${{ github.repository }}:${{ github.sha }}"
+          cache-db: true
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+      - name: Success
+        if: ${{ steps.scan.outcome == 'failure' }}
+        run: exit 1
+
+      - name: Push to registry (proper)
+        if: ${{ inputs.push-container-image }}
+        run: |
+          IMAGE="ghcr.io/${{ github.repository }}"
+          if [ "${{ github.ref }}" = "refs/heads/main" ]; then
+            docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:latest"
+            docker push "$IMAGE:latest"
+          fi
+          if [ "${{ github.ref_type }}" = "tag" ]; then
+            docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:${{ github.ref_name }}"
+            docker push "$IMAGE:${{ github.ref_name }}"
+          fi
 
   create-release:
-    needs: [ build-go ]
+    needs: [ scan-container ]
     runs-on: ubuntu-latest
     if: ${{ inputs.create-release }}
     steps:
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -9,6 +9,7 @@ on:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 jobs:
   run:
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -6,6 +6,7 @@ on:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 jobs:
   run:
diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml
@@ -8,6 +8,7 @@ on:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 jobs:
   run:
