|
| 1 | +# This workflow uses actions that are not certified by GitHub. |
| 2 | +# They are provided by a third-party and are governed by |
| 3 | +# separate terms of service, privacy policy, and support |
| 4 | +# documentation. |
| 5 | + |
| 6 | +name: "0.Gen_Report" |
| 7 | + |
| 8 | +on: |
| 9 | + workflow_dispatch: |
| 10 | + push: |
| 11 | + branches: [ "main" ] |
| 12 | + pull_request: |
| 13 | + # The branches below must be a subset of the branches above |
| 14 | + branches: [ "main" ] |
| 15 | + |
| 16 | +permissions: |
| 17 | + contents: read |
| 18 | + |
| 19 | +jobs: |
| 20 | + build: |
| 21 | + permissions: |
| 22 | + contents: read # for actions/checkout to fetch code |
| 23 | + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results |
| 24 | + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status |
| 25 | + name: Build |
| 26 | + runs-on: ubuntu-latest |
| 27 | + steps: |
| 28 | + - name: Harden Runner |
| 29 | + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 |
| 30 | + with: |
| 31 | + egress-policy: audit |
| 32 | + |
| 33 | + - name: Checkout code |
| 34 | + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 |
| 35 | + |
| 36 | + |
| 37 | + - name: Build the Docker image |
| 38 | + run: docker build . -f ./docker/userspacecni/Dockerfile -t userspacecni:latest |
| 39 | + |
| 40 | + |
| 41 | + - name: Trivy Generate Reports |
| 42 | + run: | |
| 43 | + wget -q https://github.com/aquasecurity/trivy/releases/download/v0.48.2/trivy_0.48.2_Linux-64bit.deb |
| 44 | + sudo apt install -y ./*.deb |
| 45 | + echo "trivy fs -d ." |tee ./trivy_fs_scan.txt |
| 46 | + trivy fs -d . &> ./trivy_fs_scan.txt |
| 47 | + echo "trivy config -s HIGH,CRITICAL . -d" |tee ./trivy_config_scan.txt |
| 48 | + trivy config -s HIGH,CRITICAL -d . &> ./trivy_config_scan.txt |
| 49 | + echo "trivy image userspacecni:latest -s HIGH,CRITICAL" > ./trivy_image_scan.txt |
| 50 | + trivy image userspacecni:latest -s HIGH,CRITICAL &> ./trivy_image_scan.txt |
| 51 | +
|
| 52 | + - name: Initialize CodeQL |
| 53 | + uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v2.3.3 |
| 54 | + with: |
| 55 | + languages: ${{ matrix.language }} |
| 56 | + queries: +security-and-quality |
| 57 | + |
| 58 | + - name: Autobuild |
| 59 | + uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v2.3.3 |
| 60 | + |
| 61 | + - name: Perform CodeQL Analysis |
| 62 | + uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v2.3.3 |
| 63 | + with: |
| 64 | + category: "/language:${{ matrix.language }}" |
| 65 | + |
| 66 | + - name: CodeQL and Dependabot Report Action |
| 67 | + # if: ${{ github.event_name == 'workflow_dispatch' }} |
| 68 | + uses: rsdmike/github-security-report-action@a149b24539044c92786ec39af8ba38c93496495d # v3.0.4 |
| 69 | + with: |
| 70 | + template: report |
| 71 | + token: ${{ secrets.SECURITY_TOKEN }} |
| 72 | + |
| 73 | + - name: remove deployer container from dockerfile |
| 74 | + run: sed -ie '/End of builder/,+5d' ./docker/userspacecni/Dockerfile |
| 75 | + - name: Build the Docker image |
| 76 | + run: docker build . -f ./docker/userspacecni/Dockerfile -t userspacecni_build:latest |
| 77 | + - name: run container |
| 78 | + run: docker run --name userspacecni_build -itd userspacecni_build:latest bash |
| 79 | + - name: docker copy generated bin api files |
| 80 | + run: docker cp userspacecni_build:/root/userspace-cni-network-plugin/cnivpp ./ |
| 81 | + |
| 82 | + - name: golangci-lint |
| 83 | + run: | |
| 84 | + sudo apt install -y aha |
| 85 | + curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.55.2 |
| 86 | + $(go env GOPATH)/bin/golangci-lint run --color always --timeout=5m -v ./...; exitcode=$?; [[ $exitcode != 0 ]] && echo "failed $exitcode" || echo "passed $exitcode" | aha > golangci-lint.html |
| 87 | +
|
| 88 | + - name: GitHub Upload Trivy Reports |
| 89 | + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 |
| 90 | + with: |
| 91 | + name: reports |
| 92 | + path: | |
| 93 | + ./trivy_fs_scan.txt |
| 94 | + ./trivy_config_scan.txt |
| 95 | + ./trivy_image_scan.txt |
| 96 | + ./report.pdf |
| 97 | + ./golangci-lint.html |
0 commit comments