feat(queries): implementation of regal for linting rego files #2459
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: security-checks | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
jobs: | |
trivy-file-system: | |
name: Trivy fs scan | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Run Trivy vulnerability scanner in repo mode | |
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 #v 0.24.0 | |
with: | |
scan-type: 'fs' | |
ignore-unfixed: true | |
format: 'table' | |
output: './results.txt' | |
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | |
exit-code: '1' | |
# trivy-config: trivy.yaml | |
- name: Inspect action report | |
if: always() | |
run: cat ./results.txt | |
- name: Upload artifact | |
if: always() | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4 | |
with: | |
name: trivy-fs-scan-results | |
path: ./results.txt | |
trivy-docker-image: | |
name: Trivy docker image scan | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
kics-docker: [ "Dockerfile" ] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 | |
- name: Build | |
id: docker_build | |
uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 | |
with: | |
load: true | |
context: ./ | |
file: ./${{ matrix.kics-docker }} | |
builder: ${{ steps.buildx.outputs.name }} | |
push: false | |
tags: kics:sec-trivy-tests-${{ github.sha }} | |
build-args: | | |
VERSION=development | |
COMMIT=${{ github.sha }} | |
cache-from: type=local,src=/tmp/.buildx-cache | |
cache-to: type=local,dest=/tmp/.buildx-cache | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 #v 0.24.0 | |
with: | |
image-ref: kics:sec-trivy-tests-${{ github.sha }} | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
format: 'table' | |
output: './results.txt' | |
severity: 'CRITICAL,HIGH,MEDIUM,LOW' | |
ignore-policy: './trivy-ignore.rego' | |
# trivy-config: trivy.image.yaml | |
exit-code: '1' | |
- name: Inspect action report | |
if: always() | |
run: cat ./results.txt | |
- name: Upload artifact | |
if: always() | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4 | |
with: | |
name: trivy-docker-image-scan-results | |
path: ./results.txt | |
grype-file-system: | |
name: Grype fs scan | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Run Grype vulnerability scanner in repo mode | |
id: grype-fs-scan | |
uses: anchore/scan-action@d43cc1dfea6a99ed123bf8f3133f1797c9b44492 # v4.1.0 | |
with: | |
path: "." | |
only-fixed: true | |
output-format: table | |
severity-cutoff: low | |
fail-build: true | |
grype-docker-image: | |
name: Grype docker image scan | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
kics-docker: [ "Dockerfile" ] | |
steps: | |
- name: Check out code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
persist-credentials: false | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 | |
- name: Build | |
id: docker_build | |
uses: docker/build-push-action@1ca370b3a9802c92e886402e0dd88098a2533b12 # v6.4.1 | |
with: | |
load: true | |
context: ./ | |
file: ./${{ matrix.kics-docker }} | |
builder: ${{ steps.buildx.outputs.name }} | |
push: false | |
tags: kics:sec-tests-${{ github.sha }} | |
build-args: | | |
VERSION=development | |
COMMIT=${{ github.sha }} | |
cache-from: type=local,src=/tmp/.buildx-cache | |
cache-to: type=local,dest=/tmp/.buildx-cache | |
- name: Scan image | |
id: grype-image-scan | |
uses: anchore/scan-action@d43cc1dfea6a99ed123bf8f3133f1797c9b44492 # v4.1.0 | |
with: | |
image: kics:sec-tests-${{ github.sha }} | |
only-fixed: true | |
severity-cutoff: low | |
output-format: table | |
fail-build: true | |
govulncheck-file-system: | |
runs-on: ubuntu-latest | |
name: govulncheck fs scan | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: go.mod | |
- name: Install govulncheck | |
run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
- name: Run govulncheck scanner in fs mode | |
run: | | |
govulncheck -show verbose -C . ./... > ./results.txt || true | |
bash ./.github/scripts/sec-checks/govulncheck-ignore-unfixed.sh | |
- name: Inspect action report | |
if: always() | |
run: cat ./results.txt | |
- name: Upload artifact | |
if: always() | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4 | |
with: | |
name: govulncheck-fs-scan-results | |
path: ./results.txt | |
govulncheck-binary: | |
runs-on: ubuntu-latest | |
name: govulncheck binary scan | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: actions/setup-go@v5 | |
with: | |
go-version-file: go.mod | |
- name: Build kics | |
run: go build -ldflags "-s -w" -a -installsuffix cgo -o ./bin/kics ./cmd/console/main.go | |
- name: Install govulncheck | |
run: go install golang.org/x/vuln/cmd/govulncheck@latest | |
- name: Run govulncheck scanner in binary mode | |
run: | | |
govulncheck -show verbose -mode=binary ./bin/kics > ./results.txt || true | |
bash ./.github/scripts/sec-checks/govulncheck-ignore-unfixed.sh | |
- name: Inspect action report | |
if: always() | |
run: cat ./results.txt | |
- name: Upload artifact | |
if: always() | |
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4 | |
with: | |
name: govulncheck-binary-scan-results | |
path: ./results.txt |