Skip to content

feat(queries): implementation of regal for linting rego files #2459

feat(queries): implementation of regal for linting rego files

feat(queries): implementation of regal for linting rego files #2459

Workflow file for this run

name: security-checks
on:
push:
branches:
- main
pull_request:
jobs:
trivy-file-system:
name: Trivy fs scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 #v 0.24.0
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'table'
output: './results.txt'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
exit-code: '1'
# trivy-config: trivy.yaml
- name: Inspect action report
if: always()
run: cat ./results.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
with:
name: trivy-fs-scan-results
path: ./results.txt
trivy-docker-image:
name: Trivy docker image scan
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
kics-docker: [ "Dockerfile" ]
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
- name: Build
id: docker_build
uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1
with:
load: true
context: ./
file: ./${{ matrix.kics-docker }}
builder: ${{ steps.buildx.outputs.name }}
push: false
tags: kics:sec-trivy-tests-${{ github.sha }}
build-args: |
VERSION=development
COMMIT=${{ github.sha }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 #v 0.24.0
with:
image-ref: kics:sec-trivy-tests-${{ github.sha }}
ignore-unfixed: true
vuln-type: 'os,library'
format: 'table'
output: './results.txt'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
ignore-policy: './trivy-ignore.rego'
# trivy-config: trivy.image.yaml
exit-code: '1'
- name: Inspect action report
if: always()
run: cat ./results.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
with:
name: trivy-docker-image-scan-results
path: ./results.txt
grype-file-system:
name: Grype fs scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Grype vulnerability scanner in repo mode
id: grype-fs-scan
uses: anchore/scan-action@d43cc1dfea6a99ed123bf8f3133f1797c9b44492 # v4.1.0
with:
path: "."
only-fixed: true
output-format: table
severity-cutoff: low
fail-build: true
grype-docker-image:
name: Grype docker image scan
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
kics-docker: [ "Dockerfile" ]
steps:
- name: Check out code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
persist-credentials: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
- name: Build
id: docker_build
uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1
with:
load: true
context: ./
file: ./${{ matrix.kics-docker }}
builder: ${{ steps.buildx.outputs.name }}
push: false
tags: kics:sec-tests-${{ github.sha }}
build-args: |
VERSION=development
COMMIT=${{ github.sha }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Scan image
id: grype-image-scan
uses: anchore/scan-action@d43cc1dfea6a99ed123bf8f3133f1797c9b44492 # v4.1.0
with:
image: kics:sec-tests-${{ github.sha }}
only-fixed: true
severity-cutoff: low
output-format: table
fail-build: true
govulncheck-file-system:
runs-on: ubuntu-latest
name: govulncheck fs scan
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck scanner in fs mode
run: |
govulncheck -show verbose -C . ./... > ./results.txt || true
bash ./.github/scripts/sec-checks/govulncheck-ignore-unfixed.sh
- name: Inspect action report
if: always()
run: cat ./results.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
with:
name: govulncheck-fs-scan-results
path: ./results.txt
govulncheck-binary:
runs-on: ubuntu-latest
name: govulncheck binary scan
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Build kics
run: go build -ldflags "-s -w" -a -installsuffix cgo -o ./bin/kics ./cmd/console/main.go
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck scanner in binary mode
run: |
govulncheck -show verbose -mode=binary ./bin/kics > ./results.txt || true
bash ./.github/scripts/sec-checks/govulncheck-ignore-unfixed.sh
- name: Inspect action report
if: always()
run: cat ./results.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
with:
name: govulncheck-binary-scan-results
path: ./results.txt