Enable codeql for github actions

aws · Dec 13, 2023 · 38d5ed8 · 38d5ed8
1 parent 53e8963
commit 38d5ed8
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 12 deletions.
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
@@ -4,28 +4,44 @@ on:
     branches:
       - 'main'
       - 'release-v*'
+  pull_request:
   schedule:
     - cron: '0 12 * * *'
 jobs:
-  analyze:
-    if: github.repository == 'aws/karpenter-provider-aws'
-    name: Analyze
+  analyze-go:
+    name: Analyze Go
     runs-on: ubuntu-latest
     permissions:
       actions: read # github/codeql-action/init@v2
       security-events: write # github/codeql-action/init@v2
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'go' ]
-
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: ./.github/actions/install-deps
       - run: make vulncheck
       - uses: github/codeql-action/init@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
         with:
-          languages: ${{ matrix.language }}
+          languages: go
       - uses: github/codeql-action/autobuild@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
       - uses: github/codeql-action/analyze@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
+  # Javascript is added here for evaluating Github Action vulnerabilities
+  # https://github.blog/2023-08-09-four-tips-to-keep-your-github-actions-workflows-secure/#2-enable-code-scanning-for-workflows
+  analyze-github-actions:
+    name: Analyze Github Actions
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read # github/codeql-action/init@v2
+      security-events: write # github/codeql-action/init@v2
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: github/codeql-action/init@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
+        with:
+          languages: javascript
+          config: |
+            packs:
+              # Use the latest version of 'codeql-javascript' published by 'advanced-security'
+              # This will catch things like actions that aren't pinned to a hash
+              - advanced-security/codeql-javascript
+            paths:
+              - '.github/workflows'
+              - '.github/actions'
+      - uses: github/codeql-action/analyze@df32e399139a3050671466d7d9b3cbacc1cfd034 # v2.22.8
diff --git a/.github/workflows/e2e-soak-trigger.yaml b/.github/workflows/e2e-soak-trigger.yaml
@@ -11,7 +11,7 @@ jobs:
     outputs:
       PREEXISTING_CLUSTERS: ${{ steps.list_clusters.outputs.PREEXISTING_CLUSTERS }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     - name: configure aws credentials
       uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a
       with:

diff --git a/.github/workflows/resource-count.yaml b/.github/workflows/resource-count.yaml
@@ -16,7 +16,7 @@ jobs:
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: configure aws credentials
-        uses: aws-actions/[email protected]
+        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: arn:aws:iam::${{ vars.ACCOUNT_ID }}:role/${{ vars.ROLE_NAME }}
           aws-region: ${{ matrix.region }}