
Commit 684c016

ci: fix wiring bugs in security scanning workflows
First real Actions run surfaced four plumbing bugs (no real findings):

- trivy-action pinned to a non-existent tag; the action's tags are v-prefixed (0.31.0 -> v0.31.0). Affected security, docker-publish and build-agent workflows.
- govulncheck wrapper invoked via `go run` on a path in the separate .github module, which failed to resolve against the scanned module. Build the wrapper binary from its own module first, then pipe into it.
- CodeQL uploaded SARIF twice per job (analyze + a manual filter step) with a colliding category. Drop the redundant upload; code scanning surfaces new-only alerts on PRs natively.
- Semgrep baseline fetch failed (exit 128) on dubious-ownership/shallow checkout. Use fetch-depth 0, mark the workspace safe, and diff against the PR base SHA instead of origin/master.
1 parent f2d23e1 commit 684c016

5 files changed

Lines changed: 12 additions & 18 deletions


.github/workflows/build-agent.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -62,7 +62,7 @@ jobs:
6262
.
6363
6464
- name: Scan amd64 agent image with Trivy
65-
uses: aquasecurity/trivy-action@0.31.0
65+
uses: aquasecurity/trivy-action@v0.31.0
6666
with:
6767
image-ref: shellhubio/agent:scan-amd64
6868
format: table
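Review bot: `uses: aquasecurity/trivy-action@v0.31.0` fixes the non-existent tag, but the step still resolves the action through a mutable git tag; for a workflow whose output gates image publication, pin to the full commit SHA of that release and keep `# v0.31.0` as a trailing comment so the version stays readable and updatable by tooling. The same `@0.31.0` to `@v0.31.0` change recurs in docker-publish.yml and twice in security.yml and should get the same treatment in one pass.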

.github/workflows/codeql.yml

Lines changed: 0 additions & 8 deletions
@@ -89,14 +89,6 @@ jobs:
8989
upload: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
9090
output: codeql-results-${{ matrix.module == '.' && 'root' || matrix.module }}.sarif
9191

92-
- name: Filter NEW alerts only (PR)
93-
if: ${{ github.event_name == 'pull_request' }}
94-
uses: github/codeql-action/upload-sarif@v3
95-
with:
96-
sarif_file: codeql-results-${{ matrix.module == '.' && 'root' || matrix.module }}.sarif
97-
category: codeql-go-${{ matrix.module == '.' && 'root' || matrix.module }}
98-
wait-for-processing: true
99-
10092
# security-gate aggregates all CodeQL jobs for branch protection.
10193
security-gate:
10294
name: security-gate
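Review bot: removing the manual `upload-sarif` step also removes the only line in this hunk that set a per-module `category: codeql-go-${{ matrix.module == '.' && 'root' || matrix.module }}`; confirm that the `analyze` step above line 89 passes an equivalent `category:` keyed on `matrix.module`, otherwise the matrix jobs' uploads all land under the default category and the last one to finish silently replaces the others instead of colliding. The `upload:` guard for fork PRs on line 89 stays in place, so fork PRs simply skip the upload, which is the expected behaviour once the built-in upload is the only one.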

.github/workflows/docker-publish.yml

Lines changed: 1 addition & 1 deletion
@@ -116,7 +116,7 @@ jobs:
116116
# .trivyignore is always at shellhub/.trivyignore because all sources
117117
# are checked out under the shellhub/ subdirectory.
118118
- name: Scan '${{ matrix.project }}' image with Trivy
119-
uses: aquasecurity/trivy-action@0.31.0
119+
uses: aquasecurity/trivy-action@v0.31.0
120120
with:
121121
image-ref: ${{ steps.image.outputs.name }}:${{ env.RELEASE_VERSION }}
122122
format: table

.github/workflows/security.yml

Lines changed: 7 additions & 4 deletions
@@ -59,12 +59,15 @@ jobs:
5959
- name: Install govulncheck
6060
run: go install golang.org/x/vuln/cmd/govulncheck@latest
6161

62+
- name: Build govulncheck wrapper
63+
run: |
64+
( cd "$GITHUB_WORKSPACE/.github" && go build -o "$RUNNER_TEMP/govulncheck-filter" ./govulncheck/cmd )
65+
6266
- name: Run govulncheck
6367
run: |
6468
cd "${{ matrix.module }}"
6569
govulncheck -json ${{ matrix.extra_args }} ./... | \
66-
go run "$GITHUB_WORKSPACE/.github/govulncheck/cmd/" \
67-
"$GITHUB_WORKSPACE/.govulncheck-allow.txt"
70+
"$RUNNER_TEMP/govulncheck-filter" "$GITHUB_WORKSPACE/.govulncheck-allow.txt"
6871
6972
trivy-image:
7073
name: trivy-image (${{ matrix.image }})
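Review bot: the `Run govulncheck` step pipes `govulncheck -json ... ./...` into `"$RUNNER_TEMP/govulncheck-filter"` without `pipefail`; a `run:` block with no explicit `shell:` executes as `bash -e {0}`, so a govulncheck failure upstream of the pipe (the same module-resolution class of error this commit is fixing) is hidden behind the filter's exit status if the filter exits 0 on empty or truncated input. Add `shell: bash` to the step (GitHub's named `bash` shell runs with `-eo pipefail`) or start the script with `set -o pipefail`. Separately, `go install golang.org/x/vuln/cmd/govulncheck@latest` on line 60 is still unpinned, so the scanner version changes between runs without a diff to review; pin it and bump deliberately.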
@@ -94,7 +97,7 @@ jobs:
9497
load: true
9598

9699
- name: Scan ${{ matrix.image }} image with Trivy
97-
uses: aquasecurity/trivy-action@0.31.0
100+
uses: aquasecurity/trivy-action@v0.31.0
98101
with:
99102
image-ref: shellhub/${{ matrix.image }}:scan
100103
format: table
@@ -105,7 +108,7 @@ jobs:
105108

106109
- name: Scan ${{ matrix.image }} image with Trivy (SARIF)
107110
if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork }}
108-
uses: aquasecurity/trivy-action@0.31.0
111+
uses: aquasecurity/trivy-action@v0.31.0
109112
with:
110113
image-ref: shellhub/${{ matrix.image }}:scan
111114
format: sarif

.github/workflows/semgrep.yml

Lines changed: 3 additions & 4 deletions
@@ -34,9 +34,8 @@ jobs:
3434
# Full history required for --baseline-ref diff
3535
fetch-depth: 0
3636

37-
- name: Fetch master for baseline comparison
38-
if: ${{ github.event_name == 'pull_request' }}
39-
run: git fetch origin master
37+
- name: Mark workspace safe for git (semgrep container runs as different user)
38+
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
4039

4140
- name: Run Semgrep (PR — baseline diff)
4241
if: ${{ github.event_name == 'pull_request' }}
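Review bot: `git config --global --add safe.directory "$GITHUB_WORKSPACE"` writes to the HOME of the user running this step, and the step name says the semgrep container runs as a different user; this only has the intended effect if the whole job runs inside that container (job-level `container:`) or the same HOME is visible to it, so verify on the next PR run rather than assume. Scoping the entry to `$GITHUB_WORKSPACE` instead of `*` is the right least-privilege choice. With the `Fetch master for baseline comparison` step gone, the `fetch-depth: 0` at line 35 is now the only thing guaranteeing the base commit is present locally; the comment on line 34 documents that, keep it paired with the baseline step.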
@@ -45,7 +44,7 @@ jobs:
4544
--config p/golang \
4645
--config p/dockerfile \
4746
--config p/ci \
48-
--baseline-ref origin/master \
47+
--baseline-ref ${{ github.event.pull_request.base.sha }} \
4948
--error \
5049
--sarif \
5150
--output semgrep.sarif \
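Review bot: `--baseline-ref ${{ github.event.pull_request.base.sha }}` is interpolated unquoted into the shell line; a hex SHA is safe, but quoting it (`"${{ ... }}"`) is the habit worth keeping for any expression placed in a `run:` script. Note also that `base.sha` is the base branch tip recorded in the event payload, not necessarily the PR's merge-base; if master advances while the PR is open, the baseline can contain commits the PR branch does not. Check whether the Semgrep version in use resolves the merge-base for `--baseline-ref` itself, and if it does not, compute it with `git merge-base` before the scan so new-only alerts stay accurate.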
