From 8f88129cacfb2cef701e0d6ecd8a7c7e7aeb7345 Mon Sep 17 00:00:00 2001
From: Fabian Kammel
Date: Tue, 17 Jan 2023 14:01:47 +0100
Subject: [PATCH] Configure CodeQL and scorecard workflow. (#986)
* Configure CodeQL and scorecard workflow.
* Fix CodeQL finding.
Signed-off-by: Fabian Kammel
---
.github/workflows/codeql.yml | 59 +++++++++++++++++++++++++++++++++
.github/workflows/scorecard.yml | 44 ++++++++++++++++++++++++
keyservice/setup/setup.go | 6 ++--
keyservice/setup/setup_test.go | 2 +-
4 files changed, 107 insertions(+), 4 deletions(-)
create mode 100644 .github/workflows/codeql.yml
create mode 100644 .github/workflows/scorecard.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..fe7017190
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,59 @@
+name: CodeQL
+
+on:
+ push:
+ branches:
+ - main
+ - release/v*
+ pull_request:
+
+jobs:
+ codeql:
+ name: CodeQL
+ runs-on: ubuntu-22.04
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["go", "python"]
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+
+ - name: Setup Go environment
+ if: ${{ matrix.language == 'go' }}
+ uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+ with:
+ go-version: "1.19.5"
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@515828d97454b8354517688ddc5b48402b723750 # v2.1.38
+ with:
+ languages: ${{ matrix.language }}
+
+ - name: Install Go Dependencies
+ if: ${{ matrix.language == 'go' }}
+ run: |
+ echo "::group::Install apt dependencies"
+ sudo apt-get update && sudo apt-get install -y libcryptsetup12 libcryptsetup-dev libvirt-dev
+ echo "::endgroup::"
+
+ echo "::group::Install go dependencies"
+ mods=$(go list -f '{{.Dir}}' -m | xargs)
+ for mod in $mods; do
+ (cd "$mod" || exit; go mod tidy)
+ done
+ echo "::endgroup::"
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@515828d97454b8354517688ddc5b48402b723750 # v2.1.38
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@515828d97454b8354517688ddc5b48402b723750 # v2.1.38
+ with:
+ category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
new file mode 100644
index 000000000..f5fc9d716
--- /dev/null
+++ b/.github/workflows/scorecard.yml
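Review bot: The "Install Go Dependencies" step runs `go mod tidy` in every module, which rewrites go.mod/go.sum from whatever is resolvable at scan time, so the dependency set CodeQL analyzes can drift from the one that is committed and shipped. `go mod download` resolves against the committed go.sum and fails on a checksum mismatch, which keeps the scan faithful to the repository state; the loop body would become `(cd "$mod" || exit; go mod download)`. If tidy is deliberate because some module's go.mod is not kept tidy, a one-line comment in the run block saying so would stop the next reader from "fixing" it. The `exit` inside the subshell only leaves that subshell; the step still fails because the runner's default bash invokes `-e`, but `|| exit 1` states the intent explicitly.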
@@ -0,0 +1,44 @@
+name: Scorecard supply-chain security
+
+on:
+ push:
+ # Only the default branch is supported.
+ branches:
+ - main
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Scorecard analysis
+ runs-on: ubuntu-22.04
+ permissions:
+ # Needed to upload the results to code-scanning dashboard.
+ security-events: write
+ # Needed to publish results and get a badge (for publish_results below).
+ id-token: write
+
+ steps:
+ - name: "Checkout code"
+ uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+ with:
+ persist-credentials: false
+
+ - name: "Run analysis"
+ uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+ with:
+ results_file: results.sarif
+ results_format: sarif
+ publish_results: true
+
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: "Upload to code-scanning"
+ uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
+ with:
+ sarif_file: results.sarif
diff --git a/keyservice/setup/setup.go b/keyservice/setup/setup.go
index f7a0fbc1d..c70b87707 100644
--- a/keyservice/setup/setup.go
+++ b/keyservice/setup/setup.go
@@ -182,16 +182,16 @@ func getAzureBlobConfig(uri *url.URL) (string, string, error) {
 return r[0], r[1], nil
 }
-func getGCPKMSConfig(uri *url.URL) (string, string, string, int, error) {
+func getGCPKMSConfig(uri *url.URL) (string, string, string, int32, error) {
 r, err := getConfig(uri.Query(), []string{"project", "location", "keyRing", "protectionLvl"})
 if err != nil {
 return "", "", "", 0, err
 }
-protectionLvl, err := strconv.Atoi(r[3])
+protectionLvl, err := strconv.ParseInt(r[3], 10, 32)
 if err != nil {
 return "", "", "", 0, err
 }
-return r[0], r[1], r[2], protectionLvl, nil
+return r[0], r[1], r[2], int32(protectionLvl), nil
 }
 func getGCPStorageConfig(uri *url.URL) (string, string, error) {
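Review bot: The workflow only fires on pushes to main, so the published score never refreshes between commits even though checks such as Pinned-Dependencies, Dependency-Update-Tool and Branch-Protection change independently of the tree; add a `schedule:` trigger next to `push:`, for example `schedule:` / `- cron: "30 1 * * 6"` (a weekly slot, picked here only as an illustration). The "Upload to code-scanning" step pins github/codeql-action at `807578363a7869ca324a79039e6db9c843e0e100` (v2.1.27) while codeql.yml, added in the same commit, pins `515828d97454b8354517688ddc5b48402b723750` (v2.1.38); using one SHA in both files leaves a single line to bump when the action is updated. The rest of the file is sound: top-level `permissions: read-all`, `persist-credentials: false` on checkout, and every action pinned to a full commit SHA.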
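Review bot: The new `strconv.ParseInt(r[3], 10, 32)` rejects values that do not fit an int32, which closes the unchecked-narrowing finding, but it still accepts any negative number, and a protection level is presumably an enum ordinal for which negatives are never meaningful, so the remaining range check belongs here rather than at the caller. A minimal guard after the parse would be `if protectionLvl < 0 { return "", "", "", 0, fmt.Errorf("protectionLvl %q must be non-negative", r[3]) }` (this assumes fmt is imported in setup.go, which the hunk does not show; errors.New works equally). Whether the caller converts the int32 into a kmspb.ProtectionLevel is not visible from the hunk, so I have not assumed a tighter upper bound. A doc comment would also help, e.g. `// getGCPKMSConfig extracts project, location, keyRing and the numeric protectionLvl from the URI query; protectionLvl must be a non-negative int32.`. The hunk's leading and trailing context belongs to getAzureBlobConfig and getGCPStorageConfig, whose bodies lie outside it.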
diff --git a/keyservice/setup/setup_test.go b/keyservice/setup/setup_test.go
index 7f0175248..da5eed9ae 100644
--- a/keyservice/setup/setup_test.go
+++ b/keyservice/setup/setup_test.go
@@ -185,7 +185,7 @@ func TestGetGCPKMSConfig(t *testing.T) {
 assert.Equal(project, rProject)
 assert.Equal(location, rLocation)
 assert.Equal(keyRing, rKeyRing)
-assert.Equal(2, rProtectionLvl)
+assert.Equal(int32(2), rProtectionLvl)
 uri, err = url.Parse(fmt.Sprintf(GCPKMSURI, project, location, keyRing, "invalid"))
 require.NoError(err)
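Review bot: The assertion is adapted to the int32 return type, but nothing in the test pins the behaviour the fix actually introduces — that `strconv.ParseInt(..., 32)` rejects values outside the int32 range — so a regression back to `Atoi` plus an unchecked cast would still pass. Add a case built with `fmt.Sprintf(GCPKMSURI, project, location, keyRing, "2147483648")` (one past math.MaxInt32) and assert that getGCPKMSConfig returns an error, mirroring the existing "invalid" case whose assertions lie below the hunk. A negative value such as "-1" deserves a case too if getGCPKMSConfig is tightened to reject it. TestGetGCPKMSConfig begins and ends outside the hunk.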