From 9b43f03094ef08eba3ff5217c42a62a0d918489c Mon Sep 17 00:00:00 2001
From: Maciej Golaszewski
Date: Fri, 8 Nov 2024 11:06:16 +0100
Subject: [PATCH] wip1
---
 .github/workflows/cron-jobs.yaml | 122 +++++++++++++++++++++++++++++++
 1 file changed, 122 insertions(+)
 create mode 100644 .github/workflows/cron-jobs.yaml
diff --git a/.github/workflows/cron-jobs.yaml b/.github/workflows/cron-jobs.yaml
new file mode 100644
index 00000000..db4edacb
--- /dev/null
+++ b/.github/workflows/cron-jobs.yaml
@@ -0,0 +1,122 @@
+name: Security and quality nightly scan
+
+on:
+ # todo undo before merge
+# schedule:
+# - cron: '0 10 * * *'
+ pull_request:
+
+permissions:
+ contents: read
+
+jobs:
+ TICS:
+ permissions:
+ contents: read
+ runs-on: ubuntu-latest
+# strategy:
+# matrix:
+# include:
+# # Latest branches
+# - { branch: main }
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@v2
+ with:
+ egress-policy: audit
+ - name: Checking out repo
+ uses: actions/checkout@v4
+# with:
+# ref: ${{matrix.branch}}
+# - uses: actions/setup-python@v5
+# with:
+# python-version: '3.12'
+ - name: Install Go
+ uses: actions/setup-go@v5
+ with:
+ go-version: "1.22"
+ - name: go mod download
+# working-directory: src/k8s
+ run: go mod download
+ - name: TICS scan
+ run: |
+ export TICSAUTHTOKEN=${{ secrets.TICSAUTHTOKEN }}
+
+
+ # Install the TICS and staticcheck
+ go install honnef.co/go/tools/cmd/staticcheck@v0.5.1
+ . <(curl --silent --show-error 'https://canonical.tiobe.com/tiobeweb/TICS/api/public/v1/fapi/installtics/Script?cfg=default&platform=linux&url=https://canonical.tiobe.com/tiobeweb/TICS/')
+
+ # We need to have our project built
+ # We load the dqlite libs here instead of doing through make because TICS
+ # will try to build parts of the project itself
+# sudo add-apt-repository -y ppa:dqlite/dev
+# sudo apt install dqlite-tools libdqlite-dev -y
+
+# sudo make clean
+
+ go build -a ./...
+
+ TICSQServer -project ${{ github.event.repository.name }} -tmpdir /tmp/tics -branchdir $HOME/work/cluster-api-k8s/cluster-api-k8s/
+
+ ls -la $HOME/work/ || true
+ ls -la $HOME/work/cluster-api-k8s/ || true
+# Trivy:
+# permissions:
+# contents: read # for actions/checkout to fetch code
+# security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+# runs-on: ubuntu-latest
+# strategy:
+# matrix:
+# include:
+# # Latest branches
+# - { branch: main, channel: latest/edge }
+# # Stable branches
+# # Add branches to test here
+#
+# steps:
+# - name: Harden Runner
+# uses: step-security/harden-runner@v2
+# with:
+# egress-policy: audit
+# - name: Checking out repo
+# uses: actions/checkout@v4
+# with:
+# ref: ${{matrix.branch}}
+# - name: Setup Trivy vulnerability scanner
+# run: |
+# mkdir -p sarifs
+# VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
+# wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
+# tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
+# - name: Run Trivy vulnerability scanner in repo mode
+# uses: aquasecurity/trivy-action@master
+# with:
+# scan-type: "fs"
+# ignore-unfixed: true
+# format: "sarif"
+# output: "trivy-k8s-repo-scan--results.sarif"
+# severity: "MEDIUM,HIGH,CRITICAL"
+# - name: Gather Trivy repo scan results
+# run: |
+# cp trivy-k8s-repo-scan--results.sarif ./sarifs/
+# - name: Run Trivy vulnerability scanner on the snap
+# run: |
+# snap download k8s --channel ${{ matrix.channel }}
+# mv ./k8s*.snap ./k8s.snap
+# unsquashfs k8s.snap
+# for var in $(env | grep -o '^TRIVY_[^=]*'); do
+# unset "$var"
+# done
+# ./trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
+# - name: Get HEAD sha
+# run: |
+# SHA="$(git rev-parse HEAD)"
+# echo "head_sha=$SHA" >> "$GITHUB_ENV"
+# - name: Upload Trivy scan results to GitHub Security tab
+# uses: 
github/codeql-action/upload-sarif@v3
+# with:
+# sarif_file: "sarifs"
+# sha: ${{ env.head_sha }}
+# ref: refs/heads/${{matrix.branch}}
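Review bot: The "TICS scan" step interpolates `${{ secrets.TICSAUTHTOKEN }}` straight into the `run:` script via `export TICSAUTHTOKEN=...`, which places the secret in the shell command text; the GitHub-recommended form is to hand it to the step through `env:` and drop the export, i.e. add `env:` / `TICSAUTHTOKEN: ${{ secrets.TICSAUTHTOKEN }}` to the step so the script just reads the variable. The same script sources a remotely fetched installer with `. <(curl ...)` while harden-runner is only set to `egress-policy: audit`, so an unexpected endpoint or a changed installer would be logged but not blocked; switching to `egress-policy: block` with an explicit `allowed-endpoints` list (or verifying the fetched script) would be worth doing before this runs unattended on a schedule. The workflow also lands with the `schedule` trigger commented out and `pull_request` substituted under a "todo undo before merge" note; with `pull_request`, a fork-originated run would presumably receive no secret and `TICSQServer` would run with an empty token, so that swap should be reverted before merge as the comment says. Lastly, `-branchdir $HOME/work/cluster-api-k8s/cluster-api-k8s/` hard-codes the runner's checkout path; `${{ github.workspace }}` (or `"$GITHUB_WORKSPACE"`) is the portable equivalent.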