From 908e12985e6d64b3eaab4d517c818e25e7603add Mon Sep 17 00:00:00 2001 From: Christian Schlotter Date: Mon, 7 Aug 2023 15:45:55 +0200 Subject: [PATCH] Add verify-govulncheck target and integrate to scan action --- .github/workflows/scan.yaml | 32 --------------------- .github/workflows/weekly-security-scan.yaml | 32 +++++++++++++++++++++ Makefile | 31 ++++++++++++++++++++ hack/verify-container-images.sh | 2 +- 4 files changed, 64 insertions(+), 33 deletions(-) delete mode 100644 .github/workflows/scan.yaml create mode 100644 .github/workflows/weekly-security-scan.yaml diff --git a/.github/workflows/scan.yaml b/.github/workflows/scan.yaml deleted file mode 100644 index f4063e8800..0000000000 --- a/.github/workflows/scan.yaml +++ /dev/null @@ -1,32 +0,0 @@ -name: scan-images - -on: - schedule: - # Cron for every Monday at 12:00 UTC. - - cron: "0 12 * * 1" - -# Remove all permissions from GITHUB_TOKEN except metadata. -permissions: {} - -jobs: - scan: - strategy: - fail-fast: false - matrix: - branch: [ main, release-1.6, release-1.5 ] - name: Trivy - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # tag=v3.5.2 - with: - ref: ${{ matrix.branch }} - - name: Calculate go version - id: vars - run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT - - name: Set up Go - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # tag=v3.5.0 - with: - go-version: ${{ steps.vars.outputs.go_version }} - - name: Run verify container script - run: make verify-container-images diff --git a/.github/workflows/weekly-security-scan.yaml b/.github/workflows/weekly-security-scan.yaml new file mode 100644 index 0000000000..2047bcfd9c --- /dev/null +++ b/.github/workflows/weekly-security-scan.yaml @@ -0,0 +1,32 @@ +name: Weekly security scan + +on: + schedule: + # Cron for every Monday at 12:00 UTC. + - cron: "0 12 * * 1" + +# Remove all permissions from GITHUB_TOKEN except metadata. +permissions: {} + +jobs: + scan: + strategy: + fail-fast: false + matrix: + branch: [ main, release-1.8, release-1.7, release-1.6, release-1.5 ] + name: Trivy + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3 + with: + ref: ${{ matrix.branch }} + - name: Calculate go version + id: vars + run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0 + with: + go-version: ${{ steps.vars.outputs.go_version }} + - name: Run verify security target + run: make verify-security diff --git a/Makefile b/Makefile index 8f0191bc0f..1f24ac3af0 100644 --- a/Makefile +++ b/Makefile @@ -149,6 +149,11 @@ GOLANGCI_LINT_VER := $(shell cat .github/workflows/golangci-lint.yaml | grep [[: GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER)) GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/cmd/golangci-lint +GOVULNCHECK_BIN := govulncheck +GOVULNCHECK_VER := v1.0.0 +GOVULNCHECK := $(abspath $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER)) +GOVULNCHECK_PKG := golang.org/x/vuln/cmd/govulncheck + GOVC_VER := $(shell cat go.mod | grep "github.com/vmware/govmomi" | awk '{print $$NF}') GOVC_BIN := govc GOVC := $(abspath $(TOOLS_BIN_DIR)/$(GOVC_BIN)-$(GOVC_VER)) @@ -370,6 +375,26 @@ verify-boilerplate: ## Verify boilerplate text exists in each file verify-container-images: ## Verify container images TRACE=$(TRACE) ./hack/verify-container-images.sh +.PHONY: verify-govulncheck +verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities + $(GOVULNCHECK) ./... + +.PHONY: verify-security +verify-security: ## Verify code and images for vulnerabilities + $(MAKE) verify-container-images && R1=$$? || R1=$$?; \ + $(MAKE) verify-govulncheck && R2=$$? || R2=$$?; \ + if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ]; then \ + echo "Check for vulnerabilities failed! There are vulnerabilities to be fixed"; \ + exit 1; \ + fi + +.PHONY: verify-flavors +verify-flavors: $(FLAVOR_DIR) generate-flavors ## Verify generated flavors + @if !(git diff --quiet HEAD -- $(FLAVOR_DIR)); then \ + git diff $(FLAVOR_DIR); \ + echo "flavor files in templates directory are out of date"; exit 1; \ + fi + ## -------------------------------------- ## Build ## -------------------------------------- @@ -712,6 +737,9 @@ $(GINKGO_BIN): $(GINKGO) ## Build a local copy of ginkgo. .PHONY: $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_BIN): $(GOLANGCI_LINT) ## Build a local copy of golangci-lint. +.PHONY: $(GOVULNCHECK_BIN) +$(GOVULNCHECK_BIN): $(GOVULNCHECK) ## Build a local copy of govulncheck. + .PHONY: $(GOVC_BIN) $(GOVC_BIN): $(GOVC) ## Build a local copy of govc. @@ -758,6 +786,9 @@ $(GINKGO): # Build ginkgo. $(GOLANGCI_LINT): # Build golangci-lint. GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER) +$(GOVULNCHECK): # Build govulncheck. + GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVULNCHECK_PKG) $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER) + $(GOVC): # Build GOVC. CGO_ENABLED=0 GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVC_PKG) $(GOVC_BIN) $(GOVC_VER) diff --git a/hack/verify-container-images.sh b/hack/verify-container-images.sh index 0a983ea2e3..d99c2da64a 100755 --- a/hack/verify-container-images.sh +++ b/hack/verify-container-images.sh @@ -66,7 +66,7 @@ NC='\033[0m' # No if [ "$R1" -ne "0" ] then - echo -e "${BRed}Check container images failed! There are vulnerability to be fixed${NC}" + echo -e "${BRed}Check container images failed! There are vulnerabilities to be fixed${NC}" exit 1 fi