feat(queries): implementation of regal for linting rego files #2457

Workflow file for this run

.github/workflows/sec-checks.yaml at 5fe8468

	name: security-checks
	on:
	push:
	branches:
	- main
	pull_request:
	jobs:
	trivy-file-system:
	name: Trivy fs scan
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Run Trivy vulnerability scanner in repo mode
	uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 #v 0.24.0
	with:
	scan-type: 'fs'
	ignore-unfixed: true
	format: 'table'
	output: './results.txt'
	severity: 'CRITICAL,HIGH,MEDIUM,LOW'
	exit-code: '1'
	# trivy-config: trivy.yaml
	- name: Inspect action report
	if: always()
	run: cat ./results.txt
	- name: Upload artifact
	if: always()
	uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
	with:
	name: trivy-fs-scan-results
	path: ./results.txt
	trivy-docker-image:
	name: Trivy docker image scan
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	kics-docker: [ "Dockerfile" ]
	steps:
	- name: Checkout code
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
	- name: Build
	id: docker_build
	uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1
	with:
	load: true
	context: ./
	file: ./${{ matrix.kics-docker }}
	builder: ${{ steps.buildx.outputs.name }}
	push: false
	tags: kics:sec-trivy-tests-${{ github.sha }}
	build-args: \|
	VERSION=development
	COMMIT=${{ github.sha }}
	cache-from: type=local,src=/tmp/.buildx-cache
	cache-to: type=local,dest=/tmp/.buildx-cache
	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 #v 0.24.0
	with:
	image-ref: kics:sec-trivy-tests-${{ github.sha }}
	ignore-unfixed: true
	vuln-type: 'os,library'
	format: 'table'
	output: './results.txt'
	severity: 'CRITICAL,HIGH,MEDIUM,LOW'
	ignore-policy: './trivy-ignore.rego'
	# trivy-config: trivy.image.yaml
	exit-code: '1'
	- name: Inspect action report
	if: always()
	run: cat ./results.txt
	- name: Upload artifact
	if: always()
	uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
	with:
	name: trivy-docker-image-scan-results
	path: ./results.txt
	grype-file-system:
	name: Grype fs scan
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Run Grype vulnerability scanner in repo mode
	id: grype-fs-scan
	uses: anchore/scan-action@d43cc1dfea6a99ed123bf8f3133f1797c9b44492 # v4.1.0
	with:
	path: "."
	only-fixed: true
	output-format: table
	severity-cutoff: low
	fail-build: true
	grype-docker-image:
	name: Grype docker image scan
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	kics-docker: [ "Dockerfile" ]
	steps:
	- name: Check out code
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	persist-credentials: false
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
	- name: Build
	id: docker_build
	uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1
	with:
	load: true
	context: ./
	file: ./${{ matrix.kics-docker }}
	builder: ${{ steps.buildx.outputs.name }}
	push: false
	tags: kics:sec-tests-${{ github.sha }}
	build-args: \|
	VERSION=development
	COMMIT=${{ github.sha }}
	cache-from: type=local,src=/tmp/.buildx-cache
	cache-to: type=local,dest=/tmp/.buildx-cache
	- name: Scan image
	id: grype-image-scan
	uses: anchore/scan-action@d43cc1dfea6a99ed123bf8f3133f1797c9b44492 # v4.1.0
	with:
	image: kics:sec-tests-${{ github.sha }}
	only-fixed: true
	severity-cutoff: low
	output-format: table
	fail-build: true
	govulncheck-file-system:
	runs-on: ubuntu-latest
	name: govulncheck fs scan
	steps:
	- name: Checkout code
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	- name: Install govulncheck
	run: go install golang.org/x/vuln/cmd/govulncheck@latest
	- name: Run govulncheck scanner in fs mode
	run: \|
	govulncheck -show verbose -C . ./... > ./results.txt \|\| true
	bash ./.github/scripts/sec-checks/govulncheck-ignore-unfixed.sh
	- name: Inspect action report
	if: always()
	run: cat ./results.txt
	- name: Upload artifact
	if: always()
	uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
	with:
	name: govulncheck-fs-scan-results
	path: ./results.txt
	govulncheck-binary:
	runs-on: ubuntu-latest
	name: govulncheck binary scan
	steps:
	- name: Checkout code
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	- name: Build kics
	run: go build -ldflags "-s -w" -a -installsuffix cgo -o ./bin/kics ./cmd/console/main.go
	- name: Install govulncheck
	run: go install golang.org/x/vuln/cmd/govulncheck@latest
	- name: Run govulncheck scanner in binary mode
	run: \|
	govulncheck -show verbose -mode=binary ./bin/kics > ./results.txt \|\| true
	bash ./.github/scripts/sec-checks/govulncheck-ignore-unfixed.sh
	- name: Inspect action report
	if: always()
	run: cat ./results.txt
	- name: Upload artifact
	if: always()
	uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
	with:
	name: govulncheck-binary-scan-results
	path: ./results.txt

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(queries): implementation of regal for linting rego files #2457

Workflow file

feat(queries): implementation of regal for linting rego files #2457

Jobs

Run details

Workflow file for this run