mirror of
https://github.com/coder/coder.git
synced 2026-06-03 13:08:25 +00:00
Lukasz
9e771c4fc1
OSV-Scanner currently causes the scheduled security workflow to fail whenever it reports findings, which also triggers the Slack failure notification. Treat exit code 1 as a successful scan with uploaded SARIF results, and only fail the job when OSV-Scanner itself errors.
142 lines
4.5 KiB
YAML
142 lines
4.5 KiB
YAML
name: "security"
|
|
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
|
|
# Uncomment when testing.
|
|
# pull_request:
|
|
|
|
schedule:
|
|
# Run every 6 hours Monday-Friday!
|
|
- cron: "0 0/6 * * 1-5"
|
|
|
|
# Cancel in-progress runs for pull requests when developers push
|
|
# additional changes
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}-security
|
|
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
|
|
|
|
jobs:
|
|
codeql:
|
|
permissions:
|
|
security-events: write
|
|
runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Setup Go
|
|
uses: ./.github/actions/setup-go
|
|
|
|
- name: Initialize CodeQL
|
|
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
|
|
with:
|
|
languages: go, javascript
|
|
|
|
# Workaround to prevent CodeQL from building the dashboard.
|
|
- name: Remove Makefile
|
|
run: |
|
|
rm Makefile
|
|
|
|
- name: Perform CodeQL Analysis
|
|
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
|
|
|
|
- name: Send Slack notification on failure
|
|
if: ${{ failure() }}
|
|
run: |
|
|
msg="❌ CodeQL Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
|
|
curl \
|
|
-qfsSL \
|
|
-X POST \
|
|
-H "Content-Type: application/json" \
|
|
--data "{\"content\": \"$msg\"}" \
|
|
"${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
|
|
|
|
osv-scanner:
|
|
permissions:
|
|
security-events: write
|
|
runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Setup Go
|
|
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
|
|
with:
|
|
go-version: "1.25.9"
|
|
cache: false
|
|
|
|
- name: Install OSV-Scanner
|
|
run: go install github.com/google/osv-scanner/v2/cmd/osv-scanner@v2.3.5
|
|
|
|
- name: Pull released Coder image
|
|
env:
|
|
IMAGE_REF: ghcr.io/coder/coder:latest
|
|
run: docker pull "$IMAGE_REF"
|
|
|
|
- name: Run OSV-Scanner vulnerability scanner
|
|
id: scan
|
|
env:
|
|
IMAGE_REF: ghcr.io/coder/coder:latest
|
|
run: |
|
|
set +e
|
|
osv-scanner scan image "$IMAGE_REF" \
|
|
--format sarif \
|
|
--output-file osv-results.sarif
|
|
scan_exit_code=$?
|
|
set -e
|
|
|
|
echo "exit_code=${scan_exit_code}" >> "${GITHUB_OUTPUT}"
|
|
|
|
if [[ "${scan_exit_code}" -eq 0 ]]; then
|
|
exit 0
|
|
fi
|
|
|
|
if [[ "${scan_exit_code}" -eq 1 ]]; then
|
|
echo "OSV-Scanner found vulnerabilities in ${IMAGE_REF}."
|
|
echo "Results will be uploaded to GitHub Security and as a SARIF artifact."
|
|
exit 0
|
|
fi
|
|
|
|
echo "::error::OSV-Scanner failed with exit code ${scan_exit_code}"
|
|
exit "${scan_exit_code}"
|
|
|
|
- name: Upload OSV-Scanner scan results to GitHub Security tab
|
|
if: ${{ always() && hashFiles('osv-results.sarif') != '' }}
|
|
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
|
|
with:
|
|
sarif_file: osv-results.sarif
|
|
category: "OSV-Scanner"
|
|
|
|
- name: Upload OSV-Scanner scan results as an artifact
|
|
if: ${{ always() && hashFiles('osv-results.sarif') != '' }}
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
with:
|
|
name: osv-scanner
|
|
path: osv-results.sarif
|
|
retention-days: 7
|
|
|
|
- name: Send Slack notification on failure
|
|
if: ${{ failure() }}
|
|
run: |
|
|
msg="❌ OSV-Scanner Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
|
|
curl \
|
|
-qfsSL \
|
|
-X POST \
|
|
-H "Content-Type: application/json" \
|
|
--data "{\"content\": \"$msg\"}" \
|
|
"${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
|