Enable dependabot (#9)

Mionsz · web-flow · commit 98ecddbe7d36 · 2024-09-02T09:31:19.000+02:00
Enable dependabot by adding scheduled weekly tasks .
Create dependency-review.yml
Create dependency-review.yml workflow for dependabot scheduled actions.
Create trivy.yml for enablement of trivy scanning of Dockerfiles and image.
Create mock CodeQL script (to-be-done).
No real job to be done currently as scripts need to be fixed.
Create codeql-config.yml
Create docker-build.yml

Create docker-build.yml with build script for Dockerfiles and Trivy scan for results,

* Update docker-build.yml

Fix path issue for docker buildx build.

* Update trivy.yml

Fix scan-type rootfs and scan-type config as one of them performed checkout.

Signed-off-by: Miłosz Linkiewicz &lt;milosz.linkiewicz@intel.com&gt;
---------

Signed-off-by: Miłosz Linkiewicz &lt;milosz.linkiewicz@intel.com&gt;
diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
@@ -0,0 +1 @@
+name: "MCM CodeQL Config"
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /.github
+    schedule:
+      interval: "weekly"
+      day: "sunday"
+
+  - package-ecosystem: docker
+    directory: /docker
+    schedule:
+      interval: "weekly"
+      day: "sunday"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,66 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "master", "main", "dev" ]
+  pull_request:
+    branches: [ "master", "main", "dev" ]
+  schedule:
+    - cron: '42 8 * * 1'
+
+env:
+  # Customize the CMake build type here (Release, Debug, RelWithDebInfo, etc.)
+  BUILD_TYPE: Release
+  PREFIX_DIR: /usr/local
+  DEBIAN_FRONTEND: noninteractive
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ${{ matrix.runner-os }}
+    timeout-minutes: 90
+    strategy:
+      fail-fast: false
+      matrix:
+        runner-os: [ 'ubuntu-22.04' ]
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    defaults:
+      run:
+        shell: bash
+
+    steps:
+    - name: 'Harden Runner'
+      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+      with:
+        egress-policy: audit
+
+    - name: 'Checkout repository'
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+    - name: 'Initialize CodeQL'
+      uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+      with:
+        languages: 'c-cpp'
+        build-mode: autobuild
+        # config-file: ${{ github.workspace }}/.github/codeql/codeql-config.yml
+
+    - if: matrix.build-mode == 'manual'
+      shell: bash
+      run: |
+        echo 'If you are using a "manual" build mode for one or more of the' \
+          'languages you are analyzing, replace this with the commands to build' \
+          'your code, for example:'
+        echo '  make bootstrap'
+        echo '  make release'
+        exit 1
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v3
+      with:
+        category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -0,0 +1,23 @@
+# Dependency Review Action
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-review:
+    runs-on: ubuntu-latest
+    steps:
+      - name: 'Harden Runner'
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -0,0 +1,66 @@
+name: Docker Build
+on:
+  push:
+    branches: [ "master", "main" ]
+  pull_request:
+    branches: [ "master", "main" ]
+
+permissions:
+  contents: read
+
+jobs:
+  docker-build:
+    name: Dockerfiles Build
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        dockerfiles: [ 'ubuntu22.04', 'ubuntu18.04', 'centos7.9' ]
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    defaults:
+      run:
+        shell: bash
+    timeout-minutes: 90
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+        with:
+          buildkitd-flags: --debug
+
+      - name: 'Build Dockerfile for ${{ matrix.dockerfiles }}'
+        uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
+        with:
+          file: '${{ github.workspace }}/docker/Dockerfile.${{ matrix.dockerfiles }}'
+          context: .
+          push: false
+          tags: 'docker.io/openvisualcloud/raisr/${{ matrix.dockerfiles }}:${{ github.sha }}'
+
+      - name: 'Run Trivy vulnerability scanner on result'
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: 'docker.io/openvisualcloud/raisr/${{ matrix.dockerfiles }}:${{ github.sha }}'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          format: 'sarif'
+          output: '${{ github.workspace }}/trivy-${{ matrix.dockerfiles }}-${{ github.sha }}.sarif'
+
+      - name: 'Upload Trivy scan results to GitHub Security tab'
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: '${{ github.workspace }}/trivy-${{ matrix.dockerfiles }}-${{ github.sha }}.sarif'
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,39 @@
+name: Trivy
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+permissions:
+  contents: read
+
+jobs:
+  scan-type-config:
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
+    name: scan-type-config
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout code
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Run Trivy vulnerability scanner, scan-type=config
+        uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
+        with:
+          scan-type: 'config'
+          hide-progress: false
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-config-results.sarif'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+
+      - name: Upload Trivy config scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        with:
+          sarif_file: 'trivy-config-results.sarif'
