Configure CodeQL and scorecard workflow. (#986)

* Configure CodeQL and scorecard workflow. * Fix CodeQL finding. Signed-off-by: Fabian Kammel <[email protected]>
edgelesssys · Jan 17, 2023 · 8f88129 · 8f88129
1 parent 5ee69d2
commit 8f88129
Show file tree

Hide file tree

Showing 4 changed files with 107 additions and 4 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -0,0 +1,59 @@
+name: CodeQL
+
+on:
+  push:
+    branches:
+      - main
+      - release/v*
+  pull_request:
+
+jobs:
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-22.04
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go", "python"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+
+      - name: Setup Go environment
+        if: ${{ matrix.language == 'go' }}
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        with:
+          go-version: "1.19.5"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@515828d97454b8354517688ddc5b48402b723750 # v2.1.38
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Install Go Dependencies
+        if: ${{ matrix.language == 'go' }}
+        run: |
+          echo "::group::Install apt dependencies"
+          sudo apt-get update && sudo apt-get install -y libcryptsetup12 libcryptsetup-dev libvirt-dev
+          echo "::endgroup::"
+
+          echo "::group::Install go dependencies"
+          mods=$(go list -f '{{.Dir}}' -m | xargs)
+          for mod in $mods; do
+            (cd "$mod" || exit; go mod tidy)
+          done
+          echo "::endgroup::"
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@515828d97454b8354517688ddc5b48402b723750 # v2.1.38
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@515828d97454b8354517688ddc5b48402b723750 # v2.1.38
+        with:
+          category: "/language:${{ matrix.language }}"
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -0,0 +1,44 @@
+name: Scorecard supply-chain security
+
+on:
+  push:
+    # Only the default branch is supported.
+    branches:
+      - main
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-22.04
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (for publish_results below).
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@807578363a7869ca324a79039e6db9c843e0e100 # v2.1.27
+        with:
+          sarif_file: results.sarif
diff --git a/keyservice/setup/setup.go b/keyservice/setup/setup.go
@@ -182,16 +182,16 @@ func getAzureBlobConfig(uri *url.URL) (string, string, error) {
 	return r[0], r[1], nil
 }
 
-func getGCPKMSConfig(uri *url.URL) (string, string, string, int, error) {
+func getGCPKMSConfig(uri *url.URL) (string, string, string, int32, error) {
 	r, err := getConfig(uri.Query(), []string{"project", "location", "keyRing", "protectionLvl"})
 	if err != nil {
 		return "", "", "", 0, err
 	}
-	protectionLvl, err := strconv.Atoi(r[3])
+	protectionLvl, err := strconv.ParseInt(r[3], 10, 32)
 	if err != nil {
 		return "", "", "", 0, err
 	}
-	return r[0], r[1], r[2], protectionLvl, nil
+	return r[0], r[1], r[2], int32(protectionLvl), nil
 }
 
 func getGCPStorageConfig(uri *url.URL) (string, string, error) {

diff --git a/keyservice/setup/setup_test.go b/keyservice/setup/setup_test.go
@@ -185,7 +185,7 @@ func TestGetGCPKMSConfig(t *testing.T) {
 	assert.Equal(project, rProject)
 	assert.Equal(location, rLocation)
 	assert.Equal(keyRing, rKeyRing)
-	assert.Equal(2, rProtectionLvl)
+	assert.Equal(int32(2), rProtectionLvl)
 
 	uri, err = url.Parse(fmt.Sprintf(GCPKMSURI, project, location, keyRing, "invalid"))
 	require.NoError(err)