workflows: add scorecard and codeql

.github/workflows/ci.yaml

@@ -7,12 +7,17 @@ on:
     branches:
       - main
       - 'release-*'
+
 permissions:
   contents: read
   pull-requests: read
 
 jobs:
   trivy:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: "./.github/workflows/lib-trivy.yaml"
 
   validate:

.github/workflows/devel.yaml

@@ -3,20 +3,38 @@ on:
   push:
     branches:
       - main
+
 permissions:
   contents: read
   pull-requests: read
-  security-events: write
 
 jobs:
   trivy:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: "./.github/workflows/lib-trivy.yaml"
     with:
       upload-to-github-security-tab: true
 
   validate:
     uses: "./.github/workflows/lib-validate.yaml"
 
+  codeql:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: "./.github/workflows/lib-codeql.yaml"
+
+  scorecard:
+    permissions:
+      contents: read
+      id-token: write
+      security-events: write
+    uses: "./.github/workflows/lib-scorecard.yaml"
+
   build:
     needs:
       - validate

.github/workflows/lib-build.yaml

@@ -1,6 +1,11 @@
 name: build
+
 on:
   workflow_call:
+
+permissions:
+  contents: read
+
 jobs:
   image:
     name: Build image

.github/workflows/lib-codeql.yaml

@@ -0,0 +1,32 @@
+name: "CodeQL"
+
+on:
+  workflow_call:
+
+permissions:
+  actions: read
+  contents: read
+
+jobs:
+  analyze:
+    name: Analysis
+    runs-on: 'ubuntu-22.04'
+    timeout-minutes: 360
+
+    permissions:
+      security-events: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: 'go'
+
+    - uses: actions/setup-go@v4
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:go"

.github/workflows/lib-publish.yaml

@@ -9,6 +9,9 @@ on:
 env:
   no_base_check: "['intel-qat-plugin-kerneldrv', 'intel-idxd-config-initcontainer', 'crypto-perf', 'opae-nlb-demo']"
 
+permissions:
+  contents: read
+
 jobs:
   image:
     name: Build image

.github/workflows/lib-scorecard.yaml

@@ -0,0 +1,33 @@
+name: "OSSF"
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Analysis
+    runs-on: ubuntu-22.04
+
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: "Analyze project"
+        uses: ossf/[email protected]
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload results to security"
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: results.sarif

.github/workflows/lib-trivy.yaml

@@ -19,6 +19,10 @@ on:
         required: false
         type: boolean
 
+permissions:
+  actions: read
+  contents: read
+
 jobs:
   trivy-scan-deployments:
     name: Scan deployments
@@ -69,6 +73,9 @@ jobs:
         severity: "UNKNOWN,MEDIUM,HIGH,CRITICAL"
 
   trivy-scan-vulns:
+    permissions:
+      security-events: write
+
     runs-on: ubuntu-22.04
     name: Scan vulnerabilities
     steps:

.github/workflows/lib-validate.yaml

@@ -2,6 +2,9 @@ name: validate
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   docs:
     name: Check docs are buildable
@@ -28,7 +31,6 @@ jobs:
 
   golangci:
     permissions:
-      contents: read  # for actions/checkout to fetch code
       pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
     name: lint
     runs-on: ubuntu-22.04

README.md

@@ -1,7 +1,8 @@
 # Overview
-[![Build Status](https://github.com/intel/intel-device-plugins-for-kubernetes/workflows/CI/badge.svg?branch=main)](https://github.com/intel/intel-device-plugins-for-kubernetes/actions?query=workflow%3ACI)
+[![Build Status](https://github.com/intel/intel-device-plugins-for-kubernetes/actions/workflows/devel.yaml/badge.svg)](https://github.com/intel/intel-device-plugins-for-kubernetes/actions?query=workflow%3ADevel)
 [![Go Report Card](https://goreportcard.com/badge/github.com/intel/intel-device-plugins-for-kubernetes)](https://goreportcard.com/report/github.com/intel/intel-device-plugins-for-kubernetes)
 [![GoDoc](https://godoc.org/github.com/intel/intel-device-plugins-for-kubernetes/pkg/deviceplugin?status.svg)](https://godoc.org/github.com/intel/intel-device-plugins-for-kubernetes/pkg/deviceplugin)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/intel/intel-device-plugins-for-kubernetes/badge)](https://api.securityscorecards.dev/projects/intel/intel-device-plugins-for-kubernetes)
 
 This repository contains a framework for developing plugins for the Kubernetes
 [device plugins framework](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/),