shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
fe257666d7709192fca7b1a80019d7d019915c71
coder/.github/workflows/security.yaml
T
Thomas Kosiewski fe257666d7 ci: refactor CI to use mise for shared tool setup (#25727)
2026-06-01 15:55:19 +02:00

143 lines
4.5 KiB
YAML
Raw Blame History

name: "security"
permissions:
actions: read
contents: read
on:
workflow_dispatch:
# Uncomment when testing.
# pull_request:
schedule:
# Run every 6 hours Monday-Friday!
- cron: "0 0/6 * * 1-5"
# Cancel in-progress runs for pull requests when developers push
# additional changes
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-security
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
codeql:
permissions:
security-events: write
runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up mise tools
uses: ./.github/actions/setup-mise
with:
install-args: "go"
- name: Restore Go cache
uses: ./.github/actions/go-cache
- name: Initialize CodeQL
uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
with:
languages: go, javascript
# Workaround to prevent CodeQL from building the dashboard.
- name: Remove Makefile
run: |
rm Makefile
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
- name: Send Slack notification on failure
if: ${{ failure() }}
run: |
msg="❌ CodeQL Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
curl \
-qfsSL \
-X POST \
-H "Content-Type: application/json" \
--data "{\"content\": \"$msg\"}" \
"${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
osv-scanner:
permissions:
security-events: write
runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }}
env:
IMAGE_REF: ghcr.io/coder/coder-preview:main
OSV_SCANNER_VERSION: v2.3.5
steps:
- name: Harden Runner
uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
with:
egress-policy: audit
- name: Install OSV-Scanner
run: |
curl -fsSL -o /usr/local/bin/osv-scanner \
"https://github.com/google/osv-scanner/releases/download/${OSV_SCANNER_VERSION}/osv-scanner_linux_amd64"
chmod +x /usr/local/bin/osv-scanner
- name: Pull latest Coder preview image
run: docker pull "$IMAGE_REF"
- name: Run OSV-Scanner vulnerability scanner
id: scan
run: |
set +e
osv-scanner scan image "$IMAGE_REF" \
--format sarif \
--output-file osv-results.sarif
scan_exit_code=$?
set -e
echo "exit_code=${scan_exit_code}" >> "${GITHUB_OUTPUT}"
if [[ "${scan_exit_code}" -eq 0 ]]; then
exit 0
fi
if [[ "${scan_exit_code}" -eq 1 ]]; then
echo "OSV-Scanner found vulnerabilities in ${IMAGE_REF}."
echo "Results will be uploaded to GitHub Security and as a SARIF artifact."
exit 0
fi
echo "::error::OSV-Scanner failed with exit code ${scan_exit_code}"
exit "${scan_exit_code}"
- name: Upload OSV-Scanner scan results to GitHub Security tab
if: ${{ always() && hashFiles('osv-results.sarif') != '' }}
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v3.29.5
with:
sarif_file: osv-results.sarif
category: "OSV-Scanner"
- name: Upload OSV-Scanner scan results as an artifact
if: ${{ always() && hashFiles('osv-results.sarif') != '' }}
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: osv-scanner
path: osv-results.sarif
retention-days: 7
- name: Send Slack notification on failure
if: ${{ failure() }}
run: |
msg="❌ OSV-Scanner Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
curl \
-qfsSL \
-X POST \
-H "Content-Type: application/json" \
--data "{\"content\": \"$msg\"}" \
"${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
Reference in New Issue View Git Blame Copy Permalink