From 70c37810b44b14f8a4585fc8e28589fc2a98b919 Mon Sep 17 00:00:00 2001
From: Frederic BIDON
Date: Sun, 7 Jan 2024 11:21:22 +0100
Subject: [PATCH] Reintroduced codeql and Open SSF score card

* The main disagreement on #3049 came from dependabot
* codeql scan and score card are thought as desirable additions

dependabot triggered a lot of PRs and overall, generates a lot of extra work for the maintainers. We need extra care and testing before introducing a dependency update bot that understands our dependencies, may be coupled with auto approval and auto merge, and may skip long running integration tests when they are irrelevant. This work is deferred to a forthcoming PR.

The pinning of build dependencies (github actions, docker base images) is reverted until we set out for a proper update process to automatically update them with an appropriate frequency.

Signed-off-by: Frederic BIDON
---
 .github/workflows/codeql.yaml | 48 ++++++++++++++++++++++++++++
 .github/workflows/scorecard.yaml | 55 ++++++++++++++++++++++++++++++++
 .github/workflows/test.yaml | 4 +--
 README.md | 2 ++
 4 files changed, 107 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/codeql.yaml
 create mode 100644 .github/workflows/scorecard.yaml

diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 0000000000..00160e885c
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,48 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master" ]
+  pull_request:
+    branches: [ "master" ]
+  schedule:
+    - cron: '31 21 * * 4'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze.
+    runs-on: ubuntu-latest
+    timeout-minutes: 360
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+      with:
+        languages: ${{ matrix.language }}
+
+
+    # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
new file mode 100644
index 0000000000..6adf625da5
--- /dev/null
+++ b/.github/workflows/scorecard.yaml
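Review bot: The commit-SHA pins on the `actions/checkout@b4ffde65… # v4.1.1` and three `github/codeql-action/*@012739e5… # v3.22.12` lines contradict the commit description, which says pinning of GitHub Actions is reverted until an update process exists, and the test.yaml hunk in the same commit moves to floating `@v3` tags, so the repository now mixes both styles. Keeping the SHA pins here is the better choice (Scorecard's Pinned-Dependencies check rewards exactly this), but with no bot refreshing them the maintenance expectation should be stated next to the first pin: `# Actions are pinned by commit SHA; bump the SHA and the trailing version comment together until automated updates are in place.` Two smaller nits in the same hunk: `name: Analyze.` carries a trailing period that will appear in the check name on every pull request, and there are two consecutive blank lines before the Autobuild comment.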
@@ -0,0 +1,55 @@
+name: Scorecard supply-chain security
+
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '44 2 * * 1'
+  push:
+    branches: [ "master" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index c73dec8ff3..010ac27fcb 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
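Review bot: `github/codeql-action/upload-sarif@17573ee1… # v2.2.4` pins a different major version of the same action than the `v3.22.12` SHA codeql.yaml in this commit uses, so the two new workflows will drift apart from their first day, and with no update bot (per the commit description) every future bump has to be found twice. I would align the upload step now: `uses: github/codeql-action/upload-sarif@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3.22.12`, the SHA already used for init/autobuild/analyze. The `ossf/scorecard-action@e38b1902… # v2.1.2` and `actions/upload-artifact@3cea5372… # v3.1.0` pins look like they were copied from an older template revision and are worth checking against the current one in the same pass. `persist-credentials: false` on the checkout step is the right call for a job that also holds `id-token: write`; it is the only step here that needs a comment explaining why.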
@@ -326,10 +326,10 @@ jobs: type=sha - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Login to Quay Registry uses: docker/login-action@v2 diff --git a/README.md b/README.md index 7e5a7458f9..2263de3049 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,8 @@ [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fgo-swagger%2Fgo-swagger.svg?type=shield)](https://app.fossa.io/projects/git%2Bgithub.com%2Fgo-swagger%2Fgo-swagger?ref=badge_shield) [![Go Report Card](https://goreportcard.com/badge/github.com/go-swagger/go-swagger)](https://goreportcard.com/report/github.com/go-swagger/go-swagger) +[![Open SSF Scorecard](https://api.securityscorecards.dev/projects/github.com/go-swagger/go-swagger/badge)](https://securityscorecards.dev/viewer/?uri=github.com/go-swagger/go-swagger) + This package contains a golang implementation of Swagger 2.0 (aka [OpenAPI 2.0](https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md)): it knows how to serialize and deserialize swagger specifications.