Skip to content

Commit

Permalink
Add verify-govulncheck target and integrate to scan action
Browse files Browse the repository at this point in the history
  • Loading branch information
chrischdi committed Aug 14, 2023
1 parent 3c46105 commit d643435
Show file tree
Hide file tree
Showing 4 changed files with 64 additions and 33 deletions.
32 changes: 0 additions & 32 deletions .github/workflows/scan.yaml

This file was deleted.

32 changes: 32 additions & 0 deletions .github/workflows/weekly-security-scan.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: Weekly security scan

on:
schedule:
# Cron for every Monday at 12:00 UTC.
- cron: "0 12 * * 1"

# Remove all permissions from GITHUB_TOKEN except metadata.
permissions: {}

jobs:
scan:
strategy:
fail-fast: false
matrix:
branch: [ main, release-1.8, release-1.7, release-1.6, release-1.5 ]
name: Trivy
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # tag=v3.5.3
with:
ref: ${{ matrix.branch }}
- name: Calculate go version
id: vars
run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # tag=v4.1.0
with:
go-version: ${{ steps.vars.outputs.go_version }}
- name: Run verify security target
run: make verify-security
31 changes: 31 additions & 0 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -149,6 +149,11 @@ GOLANGCI_LINT_VER := $(shell cat .github/workflows/golangci-lint.yaml | grep [[:
GOLANGCI_LINT := $(abspath $(TOOLS_BIN_DIR)/$(GOLANGCI_LINT_BIN)-$(GOLANGCI_LINT_VER))
GOLANGCI_LINT_PKG := github.com/golangci/golangci-lint/cmd/golangci-lint

GOVULNCHECK_BIN := govulncheck
GOVULNCHECK_VER := v1.0.0
GOVULNCHECK := $(abspath $(TOOLS_BIN_DIR)/$(GOVULNCHECK_BIN)-$(GOVULNCHECK_VER))
GOVULNCHECK_PKG := golang.org/x/vuln/cmd/govulncheck

GOVC_VER := $(shell cat go.mod | grep "github.com/vmware/govmomi" | awk '{print $$NF}')
GOVC_BIN := govc
GOVC := $(abspath $(TOOLS_BIN_DIR)/$(GOVC_BIN)-$(GOVC_VER))
Expand Down Expand Up @@ -370,6 +375,26 @@ verify-boilerplate: ## Verify boilerplate text exists in each file
verify-container-images: ## Verify container images
TRACE=$(TRACE) ./hack/verify-container-images.sh

.PHONY: verify-govulncheck
verify-govulncheck: $(GOVULNCHECK) ## Verify code for vulnerabilities
$(GOVULNCHECK) ./...

.PHONY: verify-security
verify-security: ## Verify code and images for vulnerabilities
$(MAKE) verify-container-images && R1=$$? || R1=$$?; \
$(MAKE) verify-govulncheck && R2=$$? || R2=$$?; \
if [ "$$R1" -ne "0" ] || [ "$$R2" -ne "0" ]; then \
echo "Check for vulnerabilities failed! There are vulnerabilities to be fixed"; \
exit 1; \
fi

.PHONY: verify-flavors
verify-flavors: $(FLAVOR_DIR) generate-flavors ## Verify generated flavors
@if !(git diff --quiet HEAD -- $(FLAVOR_DIR)); then \
git diff $(FLAVOR_DIR); \
echo "flavor files in templates directory are out of date"; exit 1; \
fi

## --------------------------------------
## Build
## --------------------------------------
Expand Down Expand Up @@ -714,6 +739,9 @@ $(GINKGO_BIN): $(GINKGO) ## Build a local copy of ginkgo.
.PHONY: $(GOLANGCI_LINT_BIN)
$(GOLANGCI_LINT_BIN): $(GOLANGCI_LINT) ## Build a local copy of golangci-lint.

.PHONY: $(GOVULNCHECK_BIN)
$(GOVULNCHECK_BIN): $(GOVULNCHECK) ## Build a local copy of govulncheck.

.PHONY: $(GOVC_BIN)
$(GOVC_BIN): $(GOVC) ## Build a local copy of govc.

Expand Down Expand Up @@ -760,6 +788,9 @@ $(GINKGO): # Build ginkgo.
$(GOLANGCI_LINT): # Build golangci-lint.
GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOLANGCI_LINT_PKG) $(GOLANGCI_LINT_BIN) $(GOLANGCI_LINT_VER)

$(GOVULNCHECK): # Build govulncheck.
GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVULNCHECK_PKG) $(GOVULNCHECK_BIN) $(GOVULNCHECK_VER)

$(GOVC): # Build GOVC.
CGO_ENABLED=0 GOBIN=$(TOOLS_BIN_DIR) $(GO_INSTALL) $(GOVC_PKG) $(GOVC_BIN) $(GOVC_VER)

Expand Down
2 changes: 1 addition & 1 deletion hack/verify-container-images.sh
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ NC='\033[0m' # No

if [ "$R1" -ne "0" ]
then
echo -e "${BRed}Check container images failed! There are vulnerability to be fixed${NC}"
echo -e "${BRed}Check container images failed! There are vulnerabilities to be fixed${NC}"
exit 1
fi

Expand Down

0 comments on commit d643435

Please sign in to comment.