Skip to content

Commit 1064447

Browse files
committed
🤖 ci: add code and image security scanning
Add CodeQL code scanning and Trivy filesystem/image scanning across CI and release workflows. Also gate publish-main on security scan jobs and enable GoReleaser image SBOM generation. --- _Generated with `mux` • Model: `openai:gpt-5.3-codex` • Thinking: `xhigh` • Cost: $0.34_ <!-- mux-attribution: model=openai:gpt-5.3-codex thinking=xhigh costs=0.34 -->
1 parent 8cb24dd commit 1064447

4 files changed

Lines changed: 120 additions & 2 deletions

File tree

‎.github/workflows/ci.yaml‎

Lines changed: 73 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -113,6 +113,29 @@ jobs:
113113
- name: Run govulncheck
114114
run: go tool govulncheck ./...
115115

116+
scan-fs:
117+
name: Trivy filesystem scan
118+
needs: changes
119+
if: github.event_name == 'merge_group' || ((needs.changes.outputs.go == 'true' || needs.changes.outputs.workflows == 'true') && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]'))
120+
runs-on: depot-ubuntu-24.04-8
121+
timeout-minutes: 20
122+
permissions:
123+
contents: read
124+
steps:
125+
- name: Checkout
126+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
127+
with:
128+
persist-credentials: false
129+
130+
- name: Trivy filesystem scan
131+
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
132+
with:
133+
scan-type: fs
134+
scan-ref: .
135+
skip-dirs: vendor
136+
severity: HIGH,CRITICAL
137+
exit-code: '1'
138+
116139
test:
117140
needs: changes
118141
if: github.event_name == 'merge_group' || (needs.changes.outputs.go == 'true' && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]'))
@@ -290,6 +313,45 @@ jobs:
290313
echo "=== CNPG controller logs ==="
291314
kubectl -n cnpg-system logs deploy/cnpg-controller-manager --tail=200 || true
292315
316+
image-scan:
317+
name: Trivy image scan
318+
needs: changes
319+
if: github.event_name == 'merge_group' || (needs.changes.outputs.publish == 'true' && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]'))
320+
runs-on: depot-ubuntu-24.04-8
321+
timeout-minutes: 20
322+
steps:
323+
- name: Checkout
324+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
325+
with:
326+
persist-credentials: false
327+
328+
- name: Setup Go
329+
uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
330+
with:
331+
go-version-file: go.mod
332+
cache: true
333+
334+
- name: Build linux/amd64 binary for image
335+
env:
336+
GOFLAGS: -mod=vendor
337+
CGO_ENABLED: "0"
338+
GOOS: linux
339+
GOARCH: amd64
340+
run: |
341+
mkdir -p linux/amd64
342+
go build -o linux/amd64/coder-k8s ./
343+
344+
- name: Build local image
345+
run: docker build -f Dockerfile.goreleaser -t coder-k8s:scan .
346+
347+
- name: Trivy image scan
348+
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
349+
with:
350+
scan-type: image
351+
image-ref: coder-k8s:scan
352+
severity: HIGH,CRITICAL
353+
exit-code: '1'
354+
293355
terraform:
294356
name: Terraform (fmt/validate/tflint/trivy)
295357
needs: changes
@@ -393,16 +455,18 @@ jobs:
393455

394456
publish-main:
395457
name: Publish GHCR :main
396-
needs: [changes, test, lint, lint-actions, e2e-kind, terraform]
458+
needs: [changes, test, lint, scan-fs, lint-actions, e2e-kind, image-scan, terraform]
397459
if: |
398460
always() &&
399461
github.event_name == 'push' &&
400462
github.ref == 'refs/heads/main' &&
401463
needs.changes.outputs.publish == 'true' &&
402464
(needs.test.result == 'success' || needs.test.result == 'skipped') &&
403465
(needs.lint.result == 'success' || needs.lint.result == 'skipped') &&
466+
(needs.scan-fs.result == 'success' || needs.scan-fs.result == 'skipped') &&
404467
(needs.lint-actions.result == 'success' || needs.lint-actions.result == 'skipped') &&
405468
(needs.e2e-kind.result == 'success' || needs.e2e-kind.result == 'skipped') &&
469+
(needs.image-scan.result == 'success' || needs.image-scan.result == 'skipped') &&
406470
(needs.terraform.result == 'success' || needs.terraform.result == 'skipped')
407471
runs-on: depot-ubuntu-24.04-8
408472
timeout-minutes: 30
@@ -464,3 +528,11 @@ jobs:
464528
org.opencontainers.image.vendor=Coder
465529
org.opencontainers.image.licenses=Apache-2.0
466530
org.opencontainers.image.authors=Coder
531+
532+
- name: Trivy image scan (:main)
533+
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
534+
with:
535+
scan-type: image
536+
image-ref: ghcr.io/coder/coder-k8s:main
537+
severity: HIGH,CRITICAL
538+
exit-code: '1'
Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
name: CodeQL
2+
3+
on:
4+
pull_request:
5+
push:
6+
branches:
7+
- main
8+
schedule:
9+
- cron: '0 6 * * 1'
10+
11+
permissions:
12+
contents: read
13+
security-events: write
14+
actions: read
15+
16+
jobs:
17+
analyze:
18+
name: Analyze (Go)
19+
runs-on: depot-ubuntu-24.04-8
20+
timeout-minutes: 30
21+
steps:
22+
- name: Checkout
23+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
24+
with:
25+
persist-credentials: false
26+
27+
- name: Initialize CodeQL
28+
uses: github/codeql-action/init@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3.32.3
29+
with:
30+
languages: go
31+
32+
- name: Build
33+
env:
34+
GOFLAGS: -mod=vendor
35+
run: go build ./...
36+
37+
- name: Perform CodeQL Analysis
38+
uses: github/codeql-action/analyze@f5c2471be782132e47a6e6f9c725e56730d6e9a3 # v3.32.3

‎.github/workflows/release.yaml‎

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,3 +43,11 @@ jobs:
4343
args: release --clean
4444
env:
4545
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
46+
47+
- name: Trivy image scan (release)
48+
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
49+
with:
50+
scan-type: image
51+
image-ref: ghcr.io/coder/coder-k8s:${{ github.event.release.tag_name }}
52+
severity: HIGH,CRITICAL
53+
exit-code: '1'

‎.goreleaser.yaml‎

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -38,7 +38,7 @@ dockers_v2:
3838
- latest
3939
platforms:
4040
- linux/amd64
41-
sbom: false
41+
sbom: true
4242
labels:
4343
org.opencontainers.image.created: "{{ .Date }}"
4444
org.opencontainers.image.source: https://github.com/coder/coder-k8s

0 commit comments

Comments
 (0)