Add CI actions (#5)

bleggett · web-flow · commit 5436687adbb2 · 2025-11-14T17:23:15.000-05:00
* ad actions

* lints

* fixup
diff --git a/.github/actions/install-llvm/action.yaml b/.github/actions/install-llvm/action.yaml
@@ -0,0 +1,10 @@
+name: 'Install LLVM Dependencies'
+description: 'Install LLVM and Clang dependencies'
+runs:
+  using: composite
+  steps:
+    - name: Install llvm deps
+      shell: bash
+      run: |
+        sudo apt-get update
+        sudo apt-get install -y clang cmake build-essential llvm-dev libclang-dev
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -0,0 +1,30 @@
+version: 2
+updates:
+
+- package-ecosystem: "github-actions"
+  directory: "/"
+  schedule:
+    interval: "daily"
+  cooldown:
+    default-days: 7
+  groups:
+    actions-updates:
+      dependency-type: "production"
+      applies-to: "version-updates"
+    actions-dev-updates:
+      dependency-type: "development"
+      applies-to: "version-updates"
+
+- package-ecosystem: "cargo"
+  directory: "/"
+  schedule:
+    interval: "daily"
+  cooldown:
+    default-days: 7
+  groups:
+    cargo-updates:
+      dependency-type: "production"
+      applies-to: "version-updates"
+    cargo-dev-updates:
+      dependency-type: "development"
+      applies-to: "version-updates"
diff --git a/.github/workflows/ci-actions.yaml b/.github/workflows/ci-actions.yaml
@@ -0,0 +1,43 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions:
+  contents: read # Default token to read
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Needed to write security events to github
+      contents: read         # Needed to read clone repo
+      actions: read          # Needed to read actions
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
+
+      - name: Run zizmor
+        run: uvx zizmor --pedantic --format sarif . > results.sarif 
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+        with:
+          sarif_file: results.sarif
+          category: zizmor
diff --git a/.github/workflows/ci-code.yaml b/.github/workflows/ci-code.yaml
@@ -0,0 +1,91 @@
+name: Lint and Test Code
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - src/**
+      - Cargo.*
+      - rust-toolchain.toml
+      - .github/workflows/ci-code.yaml
+
+permissions:
+  contents: read # Default token to read
+
+jobs:
+  rustfmt:
+    name: rustfmt
+    runs-on: ubuntu-latest
+    steps:
+      - name: harden runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
+      - name: checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          submodules: recursive
+          persist-credentials: false
+
+      - name: Install llvm deps
+        uses: ./.github/actions/install-llvm
+
+      - name: 'cargo fmt'
+        run: cargo fmt --all -- --check
+
+  full-build:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+        - x86_64
+    env:
+      TARGET_ARCH: "${{ matrix.arch }}"
+    name: 'Full build linux-${{ matrix.arch }}'
+    steps:
+      - name: harden runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
+      - name: checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          submodules: recursive
+          persist-credentials: false
+
+      - name: Install llvm deps
+        uses: ./.github/actions/install-llvm
+
+      - name: cargo build
+        run: cargo build
+
+  clippy:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch:
+        - x86_64
+    env:
+      TARGET_ARCH: "${{ matrix.arch }}"
+    name: 'Full clippy linux-${{ matrix.arch }}'
+    steps:
+      - name: harden runner
+        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+        with:
+          egress-policy: audit
+
+      - name: checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          submodules: recursive
+          persist-credentials: false
+
+      - name: Install llvm deps
+        uses: ./.github/actions/install-llvm
+
+      - name: 'cargo clippy'
+        run: cargo clippy
diff --git a/src/base_plugin/mod.rs b/src/base_plugin/mod.rs
@@ -1,3 +1,7 @@
+use crate::proto::generated::protect::control::v1::{
+    ZoneKernelFdInfo, ZoneKernelSyscallEvent, ZoneKernelThreadInfo,
+    zone_kernel_fd_info_data::InfoType,
+};
 use anyhow::{Error, Result, anyhow};
 use dns_lookup::lookup_addr;
 use falco_event::events::Event;
@@ -14,10 +18,6 @@ use libscap_bindings::types::{
 };
 use log::info;
 use prost::Message;
-use crate::proto::generated::protect::control::v1::{
-    ZoneKernelFdInfo, ZoneKernelSyscallEvent, ZoneKernelThreadInfo,
-    zone_kernel_fd_info_data::InfoType,
-};
 use std::collections::{HashMap, HashSet};
 use std::ffi::{CStr, CString};
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
diff --git a/src/lib.rs b/src/lib.rs
@@ -2,9 +2,9 @@ mod base_plugin;
 mod extract_plugin;
 mod parse_plugin;
 mod parsers;
+mod proto;
 mod source_plugin;
 mod threadstate;
-mod proto;
 
 use falco_plugin::{extract_plugin, parse_plugin, plugin, source_plugin};
 
diff --git a/src/parse_plugin/mod.rs b/src/parse_plugin/mod.rs
@@ -1,10 +1,10 @@
+use crate::proto::generated::protect::control::v1::ZoneKernelSyscallEvent;
 use anyhow::Result;
 use falco_event::events::Event;
 use falco_plugin::parse::{EventInput as ParseEventInput, ParseInput, ParsePlugin};
 use falco_plugin::source::PluginEvent;
 use log::{debug, error, warn};
 use prost::Message;
-use crate::proto::generated::protect::control::v1::ZoneKernelSyscallEvent;
 
 use crate::{EderaPlugin, threadstate};
 
diff --git a/src/parsers.rs b/src/parsers.rs
@@ -1,13 +1,13 @@
+use crate::proto::generated::protect::control::v1::ZoneKernelFdInfo;
+use crate::proto::generated::protect::control::v1::{
+    ZoneKernelSyscallEvent, ZoneKernelThreadInfo, zone_kernel_fd_info_data::InfoType,
+};
 use anyhow::{Result, anyhow};
 use libscap_bindings::consts as ppm_consts;
 use libscap_bindings::types::{
     ppm_event_code as event_codes, ppm_event_flags as event_flags, scap_l4_proto as l4_types,
 };
 use log::error;
-use crate::proto::generated::protect::control::v1::ZoneKernelFdInfo;
-use crate::proto::generated::protect::control::v1::{
-    ZoneKernelSyscallEvent, ZoneKernelThreadInfo, zone_kernel_fd_info_data::InfoType,
-};
 use std::ffi::CStr;
 use std::fs::File;
 use std::io::{BufRead, BufReader};
diff --git a/src/source_plugin/client/edera_client/client.rs b/src/source_plugin/client/edera_client/client.rs
@@ -1,10 +1,10 @@
 use super::dial::ControlDialAddress;
 #[cfg(unix)]
 use super::unix::HyperUnixConnector;
-use anyhow::{Result, bail};
+use crate::proto::generated::protect::control::v1::control_service_client::ControlServiceClient;
 #[cfg(not(unix))]
 use anyhow::anyhow;
-use crate::proto::generated::protect::control::v1::control_service_client::ControlServiceClient;
+use anyhow::{Result, bail};
 use tonic::transport::{Channel, Endpoint};
 
 pub struct ControlClientProvider {}
diff --git a/src/source_plugin/client/edera_client/events.rs b/src/source_plugin/client/edera_client/events.rs
@@ -1,11 +1,11 @@
 use std::{sync::Arc, time::Duration};
 
-use anyhow::Result;
-use log::{error, trace, warn};
 use crate::proto::generated::protect::control::v1::{
     WatchEventsReply, WatchEventsRequest, control_service_client::ControlServiceClient,
     watch_events_reply::Event,
 };
+use anyhow::Result;
+use log::{error, trace, warn};
 use tokio::{sync::broadcast, task::JoinHandle, time::sleep};
 use tokio_stream::StreamExt;
 use tonic::{Streaming, transport::Channel};
diff --git a/src/source_plugin/client/edera_client/zone_watcher.rs b/src/source_plugin/client/edera_client/zone_watcher.rs
@@ -1,10 +1,10 @@
 use super::events::EventStream;
-use anyhow::Result;
-use log::warn;
 use crate::proto::generated::protect::control::v1::{
     ListZonesRequest, Zone, ZoneState, control_service_client::ControlServiceClient,
     watch_events_reply::Event,
 };
+use anyhow::Result;
+use log::warn;
 use std::{collections::HashMap, str::FromStr, time::Duration};
 use tokio::{select, sync::broadcast::Receiver, time::sleep};
 use tonic::transport::Channel;
@@ -90,5 +90,4 @@ impl ZoneWatcher {
         }
         Ok(())
     }
-
 }
diff --git a/src/source_plugin/client/mod.rs b/src/source_plugin/client/mod.rs
@@ -1,16 +1,14 @@
 use anyhow::Result;
 use async_stream::stream;
 
-use edera_client::{
-    client::ControlClientProvider, dial::ControlDialAddress, events::EventStream,
-};
 use crate::proto::generated::protect::control::v1::{
     MonitorZoneKernelEventReply, MonitorZoneKernelEventRequest, ZoneKernelEventStreamStop,
     ZoneKernelEventStreamUpdate, ZoneState,
     control_service_client::ControlServiceClient,
     monitor_zone_kernel_event_request::{self as zk_req},
     watch_events_reply::Event,
 };
+use edera_client::{client::ControlClientProvider, dial::ControlDialAddress, events::EventStream};
 
 mod zone_creation_watcher;
 use log::{debug, error, info, warn};
@@ -22,8 +20,8 @@ use tokio::{
 use tokio_stream::{Stream, StreamExt, wrappers::BroadcastStream};
 use tonic::{Streaming, transport::Channel};
 
-mod enabled_syscalls;
 mod edera_client;
+mod enabled_syscalls;
 
 const DAEMON_SOCKET: &str = "unix:///var/lib/edera/protect/daemon.socket";
 
diff --git a/src/source_plugin/client/zone_creation_watcher.rs b/src/source_plugin/client/zone_creation_watcher.rs
@@ -1,10 +1,9 @@
-use anyhow::Result;
 use crate::proto::generated::protect::{
     control::v1::ZoneState, control::v1::control_service_client::ControlServiceClient,
 };
+use anyhow::Result;
 use tonic::transport::Channel;
 
-
 use super::edera_client::zone_watcher::ZoneWatcher as watcher;
 use log::{debug, error};
 use tokio::{sync::broadcast, task::JoinHandle};
diff --git a/src/source_plugin/mod.rs b/src/source_plugin/mod.rs
@@ -1,18 +1,18 @@
+use crate::proto::generated::protect::control::v1::{
+    MonitorZoneKernelEventReply, monitor_zone_kernel_event_reply::Reply,
+};
 use anyhow::{Error, Result, anyhow};
+use env_logger::Env;
 use falco_event::events::EventToBytes;
 use falco_plugin::FailureReason;
 use falco_plugin::source::{EventBatch, EventInput, SourcePlugin, SourcePluginInstance};
 use log::{debug, info, warn};
 use prost::Message;
-use crate::proto::generated::protect::control::v1::{
-    MonitorZoneKernelEventReply, monitor_zone_kernel_event_reply::Reply,
-};
 use std::ffi::{CStr, CString};
 use std::io::BufWriter;
 use std::thread;
 use std::time::Duration;
 use tokio::{runtime, sync::mpsc, sync::oneshot};
-use env_logger::Env;
 
 use crate::EderaPlugin;
 
@@ -105,7 +105,6 @@ impl SourcePlugin for EderaPlugin {
     type Event<'a> = falco_event::events::RawEvent<'a>;
 
     fn open(&mut self, _params: Option<&str>) -> Result<Self::Instance, Error> {
-
         env_logger::Builder::from_env(Env::default().default_filter_or("info")).init();
 
         log::set_max_level(log::LevelFilter::Trace);
diff --git a/src/threadstate.rs b/src/threadstate.rs
@@ -4,19 +4,20 @@ use libc::{
     SOCK_RAW, SOCK_STREAM,
 };
 
-use libscap_bindings::{consts as ppm_consts,
+use crate::proto::generated::protect::control::v1::{
+    ZoneKernelEventParam, ZoneKernelFdInfo, ZoneKernelFdInfoData, ZoneKernelIpv4SocketInfo,
+    ZoneKernelIpv6SocketInfo, ZoneKernelPidFd, ZoneKernelRegularFileInfo, ZoneKernelSyscallEvent,
+    ZoneKernelThreadInfo, ZoneKernelThreadSnapshotEvent, ZoneKernelUnixSocketInfo,
+    zone_kernel_fd_info_data::InfoType,
+};
+use libscap_bindings::{
+    consts as ppm_consts,
     types::{
         ppm_event_code as event_codes, ppm_param_type as param_type, scap_fd_type as fd_types,
         scap_l4_proto as l4_types,
-    }
+    },
 };
 use log::{debug, error, trace, warn};
-use crate::proto::generated::protect::control::v1::{
-    ZoneKernelEventParam, ZoneKernelFdInfo, ZoneKernelFdInfoData, ZoneKernelIpv4SocketInfo,
-    ZoneKernelIpv6SocketInfo, ZoneKernelPidFd, ZoneKernelRegularFileInfo,
-    ZoneKernelThreadSnapshotEvent, ZoneKernelUnixSocketInfo,
-    ZoneKernelSyscallEvent, ZoneKernelThreadInfo, zone_kernel_fd_info_data::InfoType,
-};
 use std::collections::HashMap;
 use std::ffi::CStr;
 use std::net::{Ipv4Addr, Ipv6Addr};
