From 91364920499f95d64ee3f836c5f9f78b60def8cb Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Fri, 13 Oct 2023 20:17:01 +0000 Subject: [PATCH 01/11] initial codeql file --- .github/workflows/scan-codeql.yaml | 52 ++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/workflows/scan-codeql.yaml diff --git a/.github/workflows/scan-codeql.yaml b/.github/workflows/scan-codeql.yaml new file mode 100644 index 00000000..a7c77a54 --- /dev/null +++ b/.github/workflows/scan-codeql.yaml @@ -0,0 +1,52 @@ +name: Scan CVEs + +permissions: + contents: read + +on: + push: + branches: ["main"] + pull_request: + paths-ignore: + - "**.md" + - "**.jpg" + - "**.png" + - "**.gif" + - "**.svg" + - "adr/**" + - "docs/**" + - "CODEOWNERS" + + schedule: + - cron: "32 2 * * 5" + +jobs: + validate: + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ["go"] + # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + + steps: + - name: Checkout + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + + - name: Initialize CodeQL + uses: github/codeql-action/init@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 + env: + CODEQL_EXTRACTOR_GO_BUILD_TRACING: on + with: + languages: ${{ matrix.language }} + config-file: ./.github/codeql.yaml + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 + with: + category: "/language:${{matrix.language}}" \ No newline at end of file From 66b7817358313ed8150aea628c2d2715aaa4d454 Mon Sep 17 00:00:00 2001 
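Review bot: The `Checkout` step in the `validate` job keeps the default `persist-credentials: true`, so the GITHUB_TOKEN is left in `.git/config` for every later step even though nothing in this job pushes; add `with:` / `persist-credentials: false` to the `actions/checkout` step so a compromised step or third-party action cannot reuse the token. `config-file: ./.github/codeql.yaml` also points at a file that does not exist at this commit (it only appears, as an empty placeholder, in the next patch), so `codeql-action/init` would fail on this commit alone. `paths-ignore` is applied only to `pull_request`; as far as I recall, GitHub's code-scanning guidance is to use the same filters on `push` so pull-request analyses have a comparable baseline on `main`. Finally, `name: Scan CVEs` misdescribes the workflow — CodeQL is static analysis of this repository's own source, not a CVE or dependency scan; `name: CodeQL` would say what it does.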
From: Andy Mills Date: Fri, 13 Oct 2023 20:49:40 +0000 Subject: [PATCH 02/11] initial scan and code checking. --- .github/codeql.yaml | 1 + .github/workflows/dependency-review.yml | 22 +++++++++++ .github/workflows/scan-codeql.yaml | 12 ++++-- .github/workflows/scorecard.yml | 51 +++++++++++++++++++++++++ 4 files changed, 83 insertions(+), 3 deletions(-) create mode 100644 .github/codeql.yaml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/scorecard.yml diff --git a/.github/codeql.yaml b/.github/codeql.yaml new file mode 100644 index 00000000..4287ca86 --- /dev/null +++ b/.github/codeql.yaml @@ -0,0 +1 @@ +# \ No newline at end of file diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..02843f6e --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,22 @@ +# Dependency Review Action +# +# This Action will scan dependency manifest files that change as part of a Pull Request, +# surfacing known-vulnerable versions of the packages declared or updated in the PR. +# Once installed, if the workflow run is marked as required, +# PRs introducing known-vulnerable packages will be blocked from merging. +# +# Source repository: https://github.com/actions/dependency-review-action +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - name: 'Dependency Review' + uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0 \ No newline at end of file diff --git a/.github/workflows/scan-codeql.yaml b/.github/workflows/scan-codeql.yaml index a7c77a54..1ab79b8f 100644 --- a/.github/workflows/scan-codeql.yaml +++ b/.github/workflows/scan-codeql.yaml 
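Review bot: `actions/dependency-review-action` is invoked with no inputs, so the merge gate runs at the action's built-in severity threshold and the repository carries no record of which severity is meant to block a pull request; pin the policy in the workflow, e.g. `with:` / `fail-on-severity: moderate`, so the check is reviewable and does not move when the action is bumped. The `Checkout Repository` step also leaves the default `persist-credentials: true`, which this read-only job does not need. Note that this file is deleted again in patch 03 ("remove copied file"); if dependency review is reintroduced later, the same two points apply.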
@@ -21,7 +21,8 @@ on: - cron: "32 2 * * 5" jobs: - validate: + scan-cves: + name: Scan CVEs runs-on: ubuntu-latest permissions: actions: read @@ -32,7 +33,6 @@ jobs: fail-fast: false matrix: language: ["go"] - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support steps: - name: Checkout @@ -47,6 +47,12 @@ jobs: config-file: ./.github/codeql.yaml - name: Perform CodeQL Analysis + id: scan uses: github/codeql-action/analyze@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 with: - category: "/language:${{matrix.language}}" \ No newline at end of file + category: "/language:${{matrix.language}}" + + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 + with: + sarif_file: results.sarif diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000..d8382877 --- /dev/null +++ b/.github/workflows/scorecard.yml 
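Review bot: The new `Upload to code-scanning` step expects `results.sarif` in the workspace, but as far as I recall `codeql-action/analyze` already uploads its results by default (`upload` defaults to true) and writes SARIF under its `output` directory (`../results`), not to `results.sarif`; as written the step would either fail on a missing file or, if a file were found, upload the same analysis twice under the same `category`. Either drop this step and rely on the built-in upload, or set `upload: false` and `output: results` on the analyze step and point `sarif_file` at the file it writes there. `id: scan` on the analyze step is not referenced anywhere in the workflow and can go. The enclosing `scan-cves` job starts outside the hunk.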
@@ -0,0 +1,51 @@ +name: OpenSSF Scorecard +on: + # For Branch-Protection check. Only the default branch is supported. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection + branch_protection_rule: + # To guarantee Maintained check is occasionally updated. See + # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained + schedule: + - cron: '40 5 * * 5' + push: + branches: [ "main" ] + +# Declare default permissions as read only. +permissions: read-all + +jobs: + scorecard: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + # Needed to upload the results to code-scanning dashboard. + security-events: write + # Needed to publish results and get a badge (see publish_results below). + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + # Format to the repository Actions tab. + - name: "Upload artifact" + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + # Upload the results to GitHub's code scanning dashboard. + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 + with: + sarif_file: results.sarif \ No newline at end of file From fea3e2dad9cc92c913a8f8498e5f7ecbf118ac57 Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Fri, 13 Oct 2023 20:56:29 +0000 Subject: [PATCH 03/11] remove copied file --- .github/workflows/dependency-review.yml | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 .github/workflows/dependency-review.yml 
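Review bot: The job-level `permissions` block on `scorecard` replaces the workflow-level `permissions: read-all` rather than extending it, so this job runs with only `security-events: write` and `id-token: write` and no `contents: read` or `actions: read`; that works for a public repository, where `actions/checkout` can read without a token, but the checkout would fail in a private one. If there is any chance this workflow is reused privately, add `contents: read` and `actions: read` to the job-level block, as the upstream scorecard template suggests for private repositories. The header comment `# Declare default permissions as read only.` is also slightly misleading for the same reason — it would be clearer as `# Default for jobs that do not declare their own permissions block.`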
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml deleted file mode 100644 index 02843f6e..00000000 --- a/.github/workflows/dependency-review.yml +++ /dev/null @@ -1,22 +0,0 @@ -# Dependency Review Action -# -# This Action will scan dependency manifest files that change as part of a Pull Request, -# surfacing known-vulnerable versions of the packages declared or updated in the PR. -# Once installed, if the workflow run is marked as required, -# PRs introducing known-vulnerable packages will be blocked from merging. -# -# Source repository: https://github.com/actions/dependency-review-action -name: 'Dependency Review' -on: [pull_request] - -permissions: - contents: read - -jobs: - dependency-review: - runs-on: ubuntu-latest - steps: - - name: 'Checkout Repository' - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 - - name: 'Dependency Review' - uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0 \ No newline at end of file From 5c0781b3c5f9d36972aa7388096333f9cae8d8a7 Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Fri, 13 Oct 2023 21:00:26 +0000 Subject: [PATCH 04/11] removing null config file --- .github/workflows/scan-codeql.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scan-codeql.yaml b/.github/workflows/scan-codeql.yaml index 1ab79b8f..dd1ca6c5 100644 --- a/.github/workflows/scan-codeql.yaml +++ b/.github/workflows/scan-codeql.yaml @@ -44,7 +44,7 @@ jobs: CODEQL_EXTRACTOR_GO_BUILD_TRACING: on with: languages: ${{ matrix.language }} - config-file: ./.github/codeql.yaml + # config-file: ./.github/codeql.yaml #Uncomment once config file is needed. - name: Perform CodeQL Analysis id: scan From 662ba1e6c859c0e527c5e78734198ad7c2443bfa Mon Sep 17 00:00:00 2001 
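Review bot: Commenting out `config-file: ./.github/codeql.yaml` leaves the `.github/codeql.yaml` created in patch 02 (a single `#` line) in the tree with nothing referencing it; either delete that file in this same commit or keep the reference and put a real configuration in it. A commented-out `# config-file:` line tends to rot, and the trailing `#Uncomment once config file is needed.` has no space after the hash; a separate comment line above `with:`, `# Add config-file: ./.github/codeql.yaml once a CodeQL config exists.`, reads better and passes yamllint. The `Initialize CodeQL` step belongs to a job that starts outside the hunk.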
From: Andy Mills Date: Fri, 13 Oct 2023 22:21:38 +0000 Subject: [PATCH 05/11] testing autobuild codql failure --- .github/action/golang/action.yaml | 10 ++++++++++ .github/workflows/scan-codeql.yaml | 6 ++++++ .github/workflows/{scorecard.yml => scorecard.yaml} | 0 3 files changed, 16 insertions(+) create mode 100644 .github/action/golang/action.yaml rename .github/workflows/{scorecard.yml => scorecard.yaml} (100%) diff --git a/.github/action/golang/action.yaml b/.github/action/golang/action.yaml new file mode 100644 index 00000000..e6b5fb1c --- /dev/null +++ b/.github/action/golang/action.yaml @@ -0,0 +1,10 @@ +name: setup-go +description: "Setup Go binary and caching" + +runs: + using: composite + steps: + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version: 1.21.x + cache: true \ No newline at end of file diff --git a/.github/workflows/scan-codeql.yaml b/.github/workflows/scan-codeql.yaml index dd1ca6c5..ade966e1 100644 --- a/.github/workflows/scan-codeql.yaml +++ b/.github/workflows/scan-codeql.yaml @@ -38,6 +38,9 @@ jobs: - name: Checkout uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0 + - name: Setup golang + uses: ./.github/actions/golang + - name: Initialize CodeQL uses: github/codeql-action/init@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 env: @@ -46,6 +49,9 @@ jobs: languages: ${{ matrix.language }} # config-file: ./.github/codeql.yaml #Uncomment once config file is needed. + - name: Build + run: make build + - name: Perform CodeQL Analysis id: scan uses: github/codeql-action/analyze@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yaml similarity index 100% rename from .github/workflows/scorecard.yml rename to .github/workflows/scorecard.yaml From b60cc47d0ae85089d6c6351f8be8e3411f054ac7 Mon Sep 17 00:00:00 2001 
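Review bot: `uses: ./.github/actions/golang` refers to `.github/actions/...` (plural) while this same commit creates the composite action at `.github/action/golang/action.yaml` (singular), so the `Setup golang` step cannot resolve on this commit; the directory is renamed in the following patch, but the two changes belong in one commit. The new `Build` step runs `make build` from the repository Makefile, which is not part of this series — CodeQL only analyses code that the traced build actually compiles, so confirm that `make build` covers every package (including any separate `cmd/` entrypoints or build-tagged files) rather than a single binary. The enclosing `scan-cves` job starts outside the hunk.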
From: Andy Mills Date: Fri, 13 Oct 2023 22:22:58 +0000 Subject: [PATCH 06/11] folder name --- .github/{action => actions}/golang/action.yaml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/{action => actions}/golang/action.yaml (100%) diff --git a/.github/action/golang/action.yaml b/.github/actions/golang/action.yaml similarity index 100% rename from .github/action/golang/action.yaml rename to .github/actions/golang/action.yaml From 083c5c24d3114501df9df3603c8c945fbf8c7a71 Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Fri, 13 Oct 2023 22:28:07 +0000 Subject: [PATCH 07/11] testing if auto uploads --- .github/workflows/scan-codeql.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/scan-codeql.yaml b/.github/workflows/scan-codeql.yaml index ade966e1..d48d5563 100644 --- a/.github/workflows/scan-codeql.yaml +++ b/.github/workflows/scan-codeql.yaml @@ -58,7 +58,7 @@ jobs: with: category: "/language:${{matrix.language}}" - - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 - with: - sarif_file: results.sarif + # - name: "Upload to code-scanning" + # uses: github/codeql-action/upload-sarif@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 + # with: + # sarif_file: results.sarif From 2315d59677599c1272eda2db7f06d9eb9dba73bf Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Fri, 13 Oct 2023 22:32:20 +0000 Subject: [PATCH 08/11] removed unused code --- .github/workflows/scan-codeql.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/scan-codeql.yaml b/.github/workflows/scan-codeql.yaml index d48d5563..773d65fb 100644 --- a/.github/workflows/scan-codeql.yaml +++ b/.github/workflows/scan-codeql.yaml 
@@ -58,7 +58,3 @@ jobs: with: category: "/language:${{matrix.language}}" - # - name: "Upload to code-scanning" - # uses: github/codeql-action/upload-sarif@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 - # with: - # sarif_file: results.sarif From 099301048b06bd89cfcc453448a48c7db52c9b69 Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Fri, 13 Oct 2023 22:33:21 +0000 Subject: [PATCH 09/11] console output recommends removal --- .github/workflows/scan-codeql.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/scan-codeql.yaml b/.github/workflows/scan-codeql.yaml index 773d65fb..81a08e1c 100644 --- a/.github/workflows/scan-codeql.yaml +++ b/.github/workflows/scan-codeql.yaml @@ -43,8 +43,6 @@ jobs: - name: Initialize CodeQL uses: github/codeql-action/init@0116bc2df50751f9724a2e35ef1f24d22f90e4e1 # v2.22.3 - env: - CODEQL_EXTRACTOR_GO_BUILD_TRACING: on with: languages: ${{ matrix.language }} # config-file: ./.github/codeql.yaml #Uncomment once config file is needed. From 14dceda73532b2492e08fdc63ab2acb366244cba Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Tue, 17 Oct 2023 13:16:26 +0000 Subject: [PATCH 10/11] include OSSWayne updates --- .gitignore | 2 +- README.md | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index a84fe8e8..18c9c2e4 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,3 @@ -lula +bin/ compliance_report-* out/ \ No newline at end of file diff --git a/README.md b/README.md index eb20d157..236743c4 100644 --- a/README.md +++ b/README.md 
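Review bot: Replacing `lula` with `bin/` in `.gitignore` stops ignoring a `lula` binary at the repository root; unless the Makefile (not in this series) now writes its output under `bin/`, a plain `go build` still produces `./lula` and a `git add .` would commit it. If the build output really moved, this is fine; otherwise keep both entries, `lula` and `bin/`.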
@@ -1,6 +1,9 @@ # Lula - The Kubernetes Compliance Engine -lula is a tool written to bridge the gap between expected configuration required for compliance and **_actual_** configuration. +[![Go version](https://img.shields.io/github/go-mod/go-version/defenseunicorns/lula?filename=go.mod)](https://go.dev/) +[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/lula/badge)](https://api.securityscorecards.dev/projects/github.com/defenseunicorns/lula) + +Lula is a tool written to bridge the gap between expected configuration required for compliance and **_actual_** configuration. Cloud Native Infrastructure, Platforms, and applications can establish OSCAL documents that live beside source-of-truth code bases. Providing an inheritance model for when a control that the technology can satisfy _IS_ satisfied in a live-environment. From 7c88c6dacd35f7b3c9825f191af1242974235e45 Mon Sep 17 00:00:00 2001 From: Andy Mills Date: Wed, 18 Oct 2023 14:56:03 +0000 Subject: [PATCH 11/11] update go file to save admin overhead. --- .github/actions/golang/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/golang/action.yaml b/.github/actions/golang/action.yaml index e6b5fb1c..f2d940b1 100644 --- a/.github/actions/golang/action.yaml +++ b/.github/actions/golang/action.yaml @@ -6,5 +6,5 @@ runs: steps: - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: - go-version: 1.21.x + go-version-file: './go.mod' cache: true \ No newline at end of file