workflows updates - scorecard, codeql, token changes

Also add scorecard badge and fix CI/Devel badge Signed-off-by: Tuomas Katila <tuomas.katila@intel.com>
intel · Nov 14, 2023 · ab4ca9b · ab4ca9b
1 parent f9bc72f
commit ab4ca9b
Show file tree

Hide file tree

Showing 9 changed files with 109 additions and 3 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -7,12 +7,17 @@ on:
     branches:
       - main
       - 'release-*'
+
 permissions:
   contents: read
   pull-requests: read
 
 jobs:
   trivy:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: "./.github/workflows/lib-trivy.yaml"
 
   validate:

diff --git a/.github/workflows/devel.yaml b/.github/workflows/devel.yaml
@@ -3,20 +3,38 @@ on:
   push:
     branches:
       - main
+
 permissions:
   contents: read
   pull-requests: read
-  security-events: write
 
 jobs:
   trivy:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: "./.github/workflows/lib-trivy.yaml"
     with:
       upload-to-github-security-tab: true
 
   validate:
     uses: "./.github/workflows/lib-validate.yaml"
 
+  codeql:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    uses: "./.github/workflows/lib-codeql.yaml"
+
+  scorecard:
+    permissions:
+      contents: read
+      id-token: write
+      security-events: write
+    uses: "./.github/workflows/lib-scorecard.yaml"
+
   build:
     needs:
       - validate

diff --git a/.github/workflows/lib-build.yaml b/.github/workflows/lib-build.yaml
@@ -1,6 +1,11 @@
 name: build
+
 on:
   workflow_call:
+
+permissions:
+  contents: read
+
 jobs:
   image:
     name: Build image

diff --git a/.github/workflows/lib-codeql.yaml b/.github/workflows/lib-codeql.yaml
@@ -0,0 +1,32 @@
+name: "CodeQL"
+
+on:
+  workflow_call:
+
+permissions:
+  actions: read
+  contents: read
+
+jobs:
+  analyze:
+    name: Analysis
+    runs-on: 'ubuntu-latest'
+    timeout-minutes: 360
+
+    permissions:
+      security-events: write
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: 'go'
+
+    - uses: actions/setup-go@v4
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
+      with:
+        category: "/language:go"
diff --git a/.github/workflows/lib-publish.yaml b/.github/workflows/lib-publish.yaml
@@ -9,6 +9,9 @@ on:
 env:
   no_base_check: "['intel-qat-plugin-kerneldrv', 'intel-idxd-config-initcontainer', 'crypto-perf', 'opae-nlb-demo']"
 
+permissions:
+  contents: read
+
 jobs:
   image:
     name: Build image

diff --git a/.github/workflows/lib-scorecard.yaml b/.github/workflows/lib-scorecard.yaml
@@ -0,0 +1,33 @@
+name: "OSSF"
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Analysis
+    runs-on: ubuntu-latest
+
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: "Analyze project"
+        uses: ossf/scorecard-action@v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload results to security"
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: results.sarif
diff --git a/.github/workflows/lib-trivy.yaml b/.github/workflows/lib-trivy.yaml
@@ -19,6 +19,10 @@ on:
         required: false
         type: boolean
 
+permissions:
+  actions: read
+  contents: read
+
 jobs:
   trivy-scan-deployments:
     name: Scan deployments
@@ -69,6 +73,9 @@ jobs:
         severity: "UNKNOWN,MEDIUM,HIGH,CRITICAL"
 
   trivy-scan-vulns:
+    permissions:
+      security-events: write
+
     runs-on: ubuntu-22.04
     name: Scan vulnerabilities
     steps:

diff --git a/.github/workflows/lib-validate.yaml b/.github/workflows/lib-validate.yaml
@@ -2,6 +2,9 @@ name: validate
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   docs:
     name: Check docs are buildable
@@ -28,7 +31,6 @@ jobs:
 
   golangci:
     permissions:
-      contents: read  # for actions/checkout to fetch code
       pull-requests: read  # for golangci/golangci-lint-action to fetch pull requests
     name: lint
     runs-on: ubuntu-22.04

diff --git a/README.md b/README.md
@@ -1,7 +1,8 @@
 # Overview
-[![Build Status](https://github.com/intel/intel-device-plugins-for-kubernetes/workflows/CI/badge.svg?branch=main)](https://github.com/intel/intel-device-plugins-for-kubernetes/actions?query=workflow%3ACI)
+[![Build Status](https://github.com/intel/intel-device-plugins-for-kubernetes/actions/workflows/devel.yaml/badge.svg)](https://github.com/intel/intel-device-plugins-for-kubernetes/actions?query=workflow%3ADevel)
 [![Go Report Card](https://goreportcard.com/badge/github.com/intel/intel-device-plugins-for-kubernetes)](https://goreportcard.com/report/github.com/intel/intel-device-plugins-for-kubernetes)
 [![GoDoc](https://godoc.org/github.com/intel/intel-device-plugins-for-kubernetes/pkg/deviceplugin?status.svg)](https://godoc.org/github.com/intel/intel-device-plugins-for-kubernetes/pkg/deviceplugin)
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/intel/intel-device-plugins-for-kubernetes/badge)](https://api.securityscorecards.dev/projects/intel/intel-device-plugins-for-kubernetes)
 
 This repository contains a framework for developing plugins for the Kubernetes
 [device plugins framework](https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/device-plugins/),