Stepsecurity remediation 1726530247 #307

Workflow file for this run

	---
	name: Scan And Validate

	on:
	push:
	branches: ["main"]
	pull_request:
	branches: ["main"]

	permissions:
	contents: read

	jobs:
	super_lint:
	name: Run Super Linter
	container: github/super-linter
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
	with:
	egress-policy: audit

	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	with:
	fetch-depth: 0
	lfs: false

	- name: (CT222) (E/C) - Use hadolint to evaluate Dockerfile configuration
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	# Rust validation is handled by build_and_test
	VALIDATE_RUST_2015: false
	VALIDATE_RUST_2018: false
	VALIDATE_RUST_2021: false
	VALIDATE_RUST_CLIPPY: false
	# We have no non-example CPP in the codebase
	VALIDATE_CPP: false
	VALIDATE_CLANG_FORMAT: false
	VALIDATE_JSCPD: false
	# This is way too pedantic
	VALIDATE_NATURAL_LANGUAGE: false
	# Dont flake8/mypy/pylint because our only python files attempt to import
	# simics and fail
	VALIDATE_PYTHON_FLAKE8: false
	VALIDATE_PYTHON_MYPY: false
	VALIDATE_PYTHON_PYLINT: false
	# If gitleaks finds anything, it is too late. Suggested in developer docs in
	# pre-commit instead. Too many false positives (X509VerifyCert, for example)
	VALIDATE_GITLEAKS: false
	run: \|
	/action/lib/linter.sh \|\| ( echo "❗ [CT222] Super linter found an issue (possibly Hadolint)" && exit 1 )
	echo "✅ [CT222] Hadolint Dockerfile check passed"

	scan_x86_64_breakpoint_uefi_edk2_container:
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
	with:
	egress-policy: audit

	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	with:
	fetch-depth: 0
	lfs: false

	- name: Build Image
	run: \|
	cd tests/rsrc/x86_64-breakpoint-uefi-edk2/
	cp "../../../harness/tsffs.h" "src/tsffs.h"
	docker buildx build -t container -f Dockerfile . > build.log 2>&1 \|\| { tail -n 1000 build.log; exit 1; }

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb # master
	with:
	image-ref: container

	scan_x86_64_timeout_uefi_edk2_container:
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
	with:
	egress-policy: audit

	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	with:
	fetch-depth: 0
	lfs: false

	- name: Build Image
	run: \|
	cd tests/rsrc/x86_64-timeout-uefi-edk2/
	cp "../../../harness/tsffs.h" "src/tsffs.h"
	docker buildx build -t container -f Dockerfile . > build.log 2>&1 \|\| { tail -n 1000 build.log; exit 1; }

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb # master
	with:
	image-ref: container

	scan_x86_64_uefi_edk2_container:
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
	with:
	egress-policy: audit

	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	with:
	fetch-depth: 0
	lfs: false

	- name: Build Image
	run: \|
	cd tests/rsrc/x86_64-uefi-edk2/
	cp "../../../harness/tsffs.h" "src/tsffs.h"
	docker buildx build -t container -f Dockerfile . > build.log 2>&1 \|\| { tail -n 1000 build.log; exit 1; }

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb # master
	with:
	image-ref: container

	additional_sdl_checks:
	name: Perform Additional SDL Checks
	container: fedora:38
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
	with:
	egress-policy: audit

	- name: Install Dependencies
	run: \|
	dnf -y update && \
	dnf -y install \
	g++ gcc git git-lfs glibc-devel make openssl openssl-devel openssl-libs

	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	with:
	lfs: false

	- uses: dtolnay/rust-toolchain@83bdede770b06329615974cf8c786f845d824dfb # nightly
	with:
	toolchain: nightly
	components: rustfmt,clippy,miri

	- name: Install Cargo Plugins
	run: \|
	cargo install cargo-audit cargo-outdated

	- name: (CT247/CT200) (N/C) - Scan 3rd-Party Components for Vulnerabilities
	run: \|
	# shellcheck disable=SC2086,SC2143
	LATEST="$(find '.github/dependabot' -name '*.csv' -print0 \
	\| xargs -r -0 ls -1 -t \
	\| head -n 1)"

	if ! find '.github/dependabot' -name '*.csv' -mtime -14 \| grep -q '.'; then
	echo "❗ [CT247/CT200] No dependabot report found from last 2 weeks. Run ./scripts/dependabot.sh."
	exit 1
	fi

	if tail -n+2 "${LATEST}" \| grep -qv ".github/actions/toolchain"; then
	cat "${LATEST}"
	echo "❗ [CT247/CT200] Vulnerabilities found outside of github actions. Please remediate them."
	exit 1
	fi
	echo "✅ [CT247/CT200] No dependabot vulnerabilities found"

	- name: (T186) (N/C) - Use recommended settings and latest patches for third party libraries and software
	run: \|
	cargo generate-lockfile

	cargo audit

	if ! cargo outdated -R --exit-code 1; then
	echo "❗ [T186] Out of date third party dependencies found"
	exit 1
	fi

	echo "✅ [T186] No outdated or vulnerable third party dependencies found"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stepsecurity remediation 1726530247 #307

Workflow file

Stepsecurity remediation 1726530247 #307

Jobs

Run details

Workflow file for this run