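# Scheduled security scanning: CodeQL over the repository source and
# OSV-Scanner over the published preview container image. Results land in
# the repository's Security tab (SARIF upload); failures page a webhook.
name: "security"

# Workflow-wide default: read-only token. Note that any job declaring its own
# `permissions` block REPLACES this set (unlisted scopes become `none`), so the
# jobs below restate what they actually need instead of relying on inheritance.
permissions:
  actions: read
  contents: read

on:
  workflow_dispatch:
  # Uncomment when testing.
  # pull_request:
  schedule:
    # Run every 6 hours Monday-Friday!
    - cron: "0 0/6 * * 1-5"

# Cancel in-progress runs for pull requests when developers push
# additional changes
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}-security
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  codeql:
    # `security-events: write` is required to upload SARIF. `actions: read` and
    # `contents: read` are the scopes the CodeQL action documents as needed for
    # checkout/upload; they are listed explicitly because a job-level
    # `permissions` block does not merge with the workflow-level one.
    permissions:
      actions: read
      contents: read
      security-events: write
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          # `audit` only logs outbound connections; it does not block them.
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false

      - name: Set up mise tools
        uses: ./.github/actions/setup-mise
        with:
          install-args: "go"

      - name: Restore Go cache
        uses: ./.github/actions/go-cache

      - name: Initialize CodeQL
        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v3.29.5
        with:
          languages: go, javascript

      # Workaround to prevent CodeQL from building the dashboard.
      - name: Remove Makefile
        run: |
          rm Makefile

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v3.29.5

      - name: Send Slack notification on failure
        if: ${{ failure() }}
        # Expression values are passed through `env` rather than being
        # interpolated into the script text, so the shell never sees a
        # `${{ }}` expansion and the secret is not part of the command line.
        env:
          RUN_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}
        run: |
          # `\n` stays literal inside bash double quotes and is interpreted as a
          # JSON escape by the receiver.
          msg="❌ CodeQL Failed\n\n${RUN_URL}"
          # NOTE(review): the payload key `content` is not the classic Slack
          # incoming-webhook `text` field; confirm the configured webhook
          # (e.g. a Workflow Builder trigger) expects this variable name.
          curl \
            -qfsSL \
            -X POST \
            -H "Content-Type: application/json" \
            --data "{\"content\": \"$msg\"}" \
            "${SLACK_WEBHOOK_URL}"

  osv-scanner:
    # Only SARIF upload needs a token scope here; this job does not check out
    # the repository (it scans a published image), so no `contents` access.
    permissions:
      security-events: write
    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
    env:
      # Moving tag: each scheduled run scans whatever `main` currently points at.
      IMAGE_REF: ghcr.io/coder/coder-preview:main
      OSV_SCANNER_VERSION: v2.3.5
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      - name: Install OSV-Scanner
        # NOTE(review): this fetches a release asset by (mutable) git tag and
        # does not verify a checksum or signature before executing it, unlike
        # the SHA-pinned actions above. Pin the asset's sha256 alongside
        # OSV_SCANNER_VERSION and verify it here before `chmod +x`.
        run: |
          curl -fsSL -o /usr/local/bin/osv-scanner \
            "https://github.com/google/osv-scanner/releases/download/${OSV_SCANNER_VERSION}/osv-scanner_linux_amd64"
          chmod +x /usr/local/bin/osv-scanner

      - name: Pull latest Coder preview image
        run: docker pull "$IMAGE_REF"

      - name: Run OSV-Scanner vulnerability scanner
        id: scan
        # Exit-code policy: 0 = clean, 1 = findings (reported via SARIF, not a
        # job failure), anything else = scanner error and the job fails.
        run: |
          # The default shell runs with -e; disable it around the scan so a
          # non-zero exit can be inspected instead of aborting the step.
          set +e
          osv-scanner scan image "$IMAGE_REF" \
            --format sarif \
            --output-file osv-results.sarif
          scan_exit_code=$?
          set -e
          # Exposed as a step output; nothing in this workflow consumes it yet.
          echo "exit_code=${scan_exit_code}" >> "${GITHUB_OUTPUT}"
          if [[ "${scan_exit_code}" -eq 0 ]]; then
            exit 0
          fi
          if [[ "${scan_exit_code}" -eq 1 ]]; then
            echo "OSV-Scanner found vulnerabilities in ${IMAGE_REF}."
            echo "Results will be uploaded to GitHub Security and as a SARIF artifact."
            exit 0
          fi
          echo "::error::OSV-Scanner failed with exit code ${scan_exit_code}"
          exit "${scan_exit_code}"

      # Both uploads run even after a failed scan, but only if a SARIF file
      # was actually produced.
      - name: Upload OSV-Scanner scan results to GitHub Security tab
        if: ${{ always() && hashFiles('osv-results.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v3.29.5
        with:
          sarif_file: osv-results.sarif
          category: "OSV-Scanner"

      - name: Upload OSV-Scanner scan results as an artifact
        if: ${{ always() && hashFiles('osv-results.sarif') != '' }}
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: osv-scanner
          path: osv-results.sarif
          retention-days: 7

      - name: Send Slack notification on failure
        if: ${{ failure() }}
        # Same env-passing pattern as the CodeQL job: no `${{ }}` inside `run`.
        env:
          RUN_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}
        run: |
          msg="❌ OSV-Scanner Failed\n\n${RUN_URL}"
          # NOTE(review): see the CodeQL job - confirm the webhook expects a
          # `content` key rather than Slack's `text`.
          curl \
            -qfsSL \
            -X POST \
            -H "Content-Type: application/json" \
            --data "{\"content\": \"$msg\"}" \
            "${SLACK_WEBHOOK_URL}"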