diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e4b452de4..43bcbcffc 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -7,12 +7,17 @@ on:
     branches:
       - main
       - 'release-*'
+
 permissions:
   contents: read
   pull-requests: read
 
 jobs:
   trivy:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: "./.github/workflows/lib-trivy.yaml"
 
   validate:
diff --git a/.github/workflows/devel.yaml b/.github/workflows/devel.yaml
index 1e9f319d1..cf5bb5a40 100644
--- a/.github/workflows/devel.yaml
+++ b/.github/workflows/devel.yaml
@@ -3,13 +3,17 @@ on:
   push:
     branches:
       - main
+
 permissions:
   contents: read
   pull-requests: read
-  security-events: write
 
 jobs:
   trivy:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: "./.github/workflows/lib-trivy.yaml"
     with:
       upload-to-github-security-tab: true
@@ -17,6 +21,20 @@ jobs:
   validate:
     uses: "./.github/workflows/lib-validate.yaml"
 
+  codeql:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: "./.github/workflows/lib-codeql.yaml"
+
+  scorecard:
+    permissions:
+      contents: read
+      id-token: write
+      security-events: write
+    uses: "./.github/workflows/lib-scorecard.yaml"
+
   build:
     needs:
       - validate
diff --git a/.github/workflows/lib-build.yaml b/.github/workflows/lib-build.yaml
index 8bd32173b..7ee06571b 100644
--- a/.github/workflows/lib-build.yaml
+++ b/.github/workflows/lib-build.yaml
@@ -1,6 +1,11 @@
 name: build
+
 on:
   workflow_call:
+
+permissions:
+  contents: read
+
 jobs:
   image:
     name: Build image
diff --git a/.github/workflows/lib-codeql.yaml b/.github/workflows/lib-codeql.yaml
new file mode 100644
index 000000000..0fc6c7771
--- /dev/null
+++ b/.github/workflows/lib-codeql.yaml
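Review bot: The `id-token: write` grant on the new `scorecard` job in devel.yaml is the only non-read scope handed out here besides `security-events`, and nothing records why it is needed, which invites a later "least privilege" cleanup to drop it and silently break publishing. A trailing comment such as `id-token: write  # OIDC token used by ossf/scorecard-action when publish_results is true` would anchor it to the lib-scorecard.yaml step that consumes it. The `codeql` job's `security-events: write` could carry a similar one-liner pointing at the SARIF upload in lib-codeql.yaml.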
@@ -0,0 +1,32 @@
+name: "CodeQL"
+
+on:
+  workflow_call:
+
+permissions:
+  actions: read
+  contents: read
+
+jobs:
+  analyze:
+    name: Analysis
+    runs-on: 'ubuntu-22.04'
+    timeout-minutes: 360
+
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: 'go'
+
+      - uses: actions/setup-go@v4
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:go"
diff --git a/.github/workflows/lib-publish.yaml b/.github/workflows/lib-publish.yaml
index 0469c3e3f..c4fdbef86 100644
--- a/.github/workflows/lib-publish.yaml
+++ b/.github/workflows/lib-publish.yaml
@@ -9,6 +9,9 @@ on:
 env:
   no_base_check: "['intel-qat-plugin-kerneldrv', 'intel-idxd-config-initcontainer', 'crypto-perf', 'opae-nlb-demo']"
 
+permissions:
+  contents: read
+
 jobs:
   image:
     name: Build image
diff --git a/.github/workflows/lib-scorecard.yaml b/.github/workflows/lib-scorecard.yaml
new file mode 100644
index 000000000..03e2d9ae7
--- /dev/null
+++ b/.github/workflows/lib-scorecard.yaml
@@ -0,0 +1,33 @@
+name: "OSSF"
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Analysis
+    runs-on: ubuntu-22.04
+
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: "Analyze project"
+        uses: ossf/scorecard-action@v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload results to security"
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/lib-trivy.yaml b/.github/workflows/lib-trivy.yaml
index 609a60f9e..cd2265e34 100644
--- a/.github/workflows/lib-trivy.yaml
+++ b/.github/workflows/lib-trivy.yaml
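Review bot: The job-level `permissions:` on `analyze` replaces the workflow-level block instead of adding to it, so in GitHub Actions this job's token ends up with only `security-events: write` and loses the `actions: read` and `contents: read` that the checkout and CodeQL steps are documented to need. Either list all three scopes in the job block, `permissions: actions: read, contents: read, security-events: write`, or drop the job-level block and declare `security-events: write` at workflow level alongside the other two. The same split appears in lib-scorecard.yaml (`analysis` keeps only `security-events`/`id-token`), in lib-trivy.yaml (`trivy-scan-vulns`), and in lib-validate.yaml, where deleting `contents: read` from the `golangci` job's own block does not fall back to the new workflow-level grant, so that line should stay. Separately, this file checks out with `actions/checkout@v3` while lib-scorecard.yaml uses `@v4`, and none of the actions are pinned to a commit SHA, which the scorecard job being added in the same change will itself report under its pinned-dependencies check. The `actions/setup-go@v4` step also runs after CodeQL init with no `go-version-file: go.mod`, so it is worth confirming which Go toolchain the analysis build actually picks up.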
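Review bot: The new workflow-level `permissions: contents: read` in lib-publish.yaml makes the default token read-only for every job, but the hunk does not show the step that pushes the built image; if that step authenticates to GHCR with `GITHUB_TOKEN` it will now also need `packages: write` on the pushing job, whereas a dedicated registry secret is unaffected. The `image` job's body continues outside the hunk, so this needs checking there rather than in this hunk.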
@@ -19,6 +19,10 @@ on:
         required: false
         type: boolean
 
+permissions:
+  actions: read
+  contents: read
+
 jobs:
   trivy-scan-deployments:
     name: Scan deployments
@@ -69,6 +73,9 @@ jobs:
           severity: "UNKNOWN,MEDIUM,HIGH,CRITICAL"
 
   trivy-scan-vulns:
+    permissions:
+      security-events: write
+
     runs-on: ubuntu-22.04
     name: Scan vulnerabilities
     steps:
diff --git a/.github/workflows/lib-validate.yaml b/.github/workflows/lib-validate.yaml
index bf3646e27..a7ada7727 100644
--- a/.github/workflows/lib-validate.yaml
+++ b/.github/workflows/lib-validate.yaml
@@ -2,6 +2,9 @@ name: validate
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   docs:
     name: Check docs are buildable
@@ -28,7 +31,6 @@ jobs:
 
   golangci:
     permissions:
-      contents: read # for actions/checkout to fetch code
       pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
     name: lint
     runs-on: ubuntu-22.04
diff --git a/README.md b/README.md
index b017a4243..cd786aa36 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,8 @@
 # Overview
 
-[![Build Status](https://github.com/intel/intel-device-plugins-for-kubernetes/workflows/CI/badge.svg?branch=main)](https://github.com/intel/intel-device-plugins-for-kubernetes/actions?query=workflow%3ACI)
+[![Build Status](https://github.com/intel/intel-device-plugins-for-kubernetes/actions/workflows/devel.yaml/badge.svg)](https://github.com/intel/intel-device-plugins-for-kubernetes/actions?query=workflow%3ADevel)
 [![Go Report Card](https://goreportcard.com/badge/github.com/intel/intel-device-plugins-for-kubernetes)](https://goreportcard.com/report/github.com/intel/intel-device-plugins-for-kubernetes)
 [![GoDoc](https://godoc.org/github.com/intel/intel-device-plugins-for-kubernetes/pkg/deviceplugin?status.svg)](https://godoc.org/github.com/intel/intel-device-plugins-for-kubernetes/pkg/deviceplugin)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/intel/intel-device-plugins-for-kubernetes/badge)](https://api.securityscorecards.dev/projects/intel/intel-device-plugins-for-kubernetes)
 
 This repository contains a framework for developing plugins for the Kubernetes [device plugins framework](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/),