Bump github/codeql-action from 4.31.2 to 4.31.4 #676

Workflow file for this run

	---
	name: Scan And Validate

	on:
	push:
	branches: ["main"]
	pull_request:
	branches: ["main"]

	permissions:
	contents: read

	jobs:
	super_lint:
	name: Run Super Linter
	container: github/super-linter
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
	with:
	egress-policy: audit

	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	fetch-depth: 0
	lfs: false

	- name: (CT222) (E/C) - Use hadolint to evaluate Dockerfile configuration
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	# Rust validation is handled by build_and_test
	VALIDATE_RUST_2015: false
	VALIDATE_RUST_2018: false
	VALIDATE_RUST_2021: false
	VALIDATE_RUST_CLIPPY: false
	# We have no non-example CPP in the codebase
	VALIDATE_CPP: false
	VALIDATE_CLANG_FORMAT: false
	VALIDATE_JSCPD: false
	# This is way too pedantic
	VALIDATE_NATURAL_LANGUAGE: false
	# Dont flake8/mypy/pylint because our only python files attempt to import
	# simics and fail
	VALIDATE_PYTHON_FLAKE8: false
	VALIDATE_PYTHON_MYPY: false
	VALIDATE_PYTHON_PYLINT: false
	# If gitleaks finds anything, it is too late. Suggested in developer docs in
	# pre-commit instead. Too many false positives (X509VerifyCert, for example)
	VALIDATE_GITLEAKS: false
	run: \|
	/action/lib/linter.sh \|\| ( echo "❗ [CT222] Super linter found an issue (possibly Hadolint)" && exit 1 )
	echo "✅ [CT222] Hadolint Dockerfile check passed"

	- name: Run Trivy vulnerability scanner on repo
	uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # master
	with:
	scan-type: config
	scan-ref: .
	output: repo_scan_trivy_report.txt

	- name: Upload Trivy Report
	uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
	with:
	path: repo_scan_trivy_report.txt
	name: trivy_repo_report

	scan_main_container:
	runs-on: ubuntu-latest
	steps:
	- name: Aggressive cleanup
	run: \|
	# Remove Java (JDKs)
	sudo rm -rf /usr/lib/jvm

	# Remove .NET SDKs
	sudo rm -rf /usr/share/dotnet

	# Remove Swift toolchain
	sudo rm -rf /usr/share/swift

	# Remove Haskell (GHC)
	sudo rm -rf /usr/local/.ghcup

	# Remove Julia
	sudo rm -rf /usr/local/julia*

	# Remove Android SDKs
	sudo rm -rf /usr/local/lib/android

	# Remove Chromium (optional if not using for browser tests)
	sudo rm -rf /usr/local/share/chromium

	# Remove Microsoft/Edge and Google Chrome builds
	sudo rm -rf /opt/microsoft /opt/google

	# Remove Azure CLI
	sudo rm -rf /opt/az

	# Remove PowerShell
	sudo rm -rf /usr/local/share/powershell

	- name: Harden Runner
	uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
	with:
	egress-policy: audit

	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	fetch-depth: 0
	lfs: false

	- name: Setup Docker
	uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

	- name: Build Image
	uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
	with:
	load: true
	tags: tsffs:latest
	cache-to: type=gha,mode=max
	cache-from: type=gha

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # master
	with:
	image-ref: tsffs:latest
	output: main_container_trivy_report.txt
	skip-dirs: /workspace/simics

	- name: Upload Trivy Report
	uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
	with:
	path: main_container_trivy_report.txt
	name: trivy_container_report

	scan_x86_64_breakpoint_uefi_edk2_container:
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
	with:
	egress-policy: audit

	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	fetch-depth: 0
	lfs: false

	- name: Build Image
	run: \|
	cd tests/rsrc/x86_64-breakpoint-uefi-edk2/
	cp "../../../harness/tsffs.h" "src/tsffs.h"
	docker buildx build -t container -f Dockerfile . > build.log 2>&1 \|\| { tail -n 1000 build.log; exit 1; }

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # master
	with:
	image-ref: container

	scan_x86_64_timeout_uefi_edk2_container:
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
	with:
	egress-policy: audit

	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	fetch-depth: 0
	lfs: false

	- name: Build Image
	run: \|
	cd tests/rsrc/x86_64-timeout-uefi-edk2/
	cp "../../../harness/tsffs.h" "src/tsffs.h"
	docker buildx build -t container -f Dockerfile . > build.log 2>&1 \|\| { tail -n 1000 build.log; exit 1; }

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # master
	with:
	image-ref: container

	scan_x86_64_uefi_edk2_container:
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
	with:
	egress-policy: audit

	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	fetch-depth: 0
	lfs: false

	- name: Build Image
	run: \|
	cd tests/rsrc/x86_64-uefi-edk2/
	cp "../../../harness/tsffs.h" "src/tsffs.h"
	docker buildx build -t container -f Dockerfile . > build.log 2>&1 \|\| { tail -n 1000 build.log; exit 1; }

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # master
	with:
	image-ref: container

	additional_sdl_checks:
	name: Perform Additional SDL Checks
	container: fedora:38
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
	with:
	egress-policy: audit

	- name: Install Dependencies
	run: \|
	dnf -y update && \
	dnf -y install \
	g++ gcc git git-lfs glibc-devel make openssl openssl-devel openssl-libs

	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	lfs: false

	- uses: dtolnay/rust-toolchain@83bdede770b06329615974cf8c786f845d824dfb # nightly
	with:
	toolchain: nightly
	components: rustfmt,clippy,miri

	- name: Install Cargo Plugins
	run: \|
	cargo install cargo-audit cargo-outdated

	- name: (CT247/CT200) (N/C) - Scan 3rd-Party Components for Vulnerabilities
	run: \|
	# shellcheck disable=SC2086,SC2143
	LATEST="$(find '.github/dependabot' -name '*.csv' -print0 \
	\| xargs -r -0 ls -1 -t \
	\| head -n 1)"

	if ! find '.github/dependabot' -name '*.csv' -mtime -14 \| grep -q '.'; then
	echo "❗ [CT247/CT200] No dependabot report found from last 2 weeks. Run ./scripts/dependabot.sh."
	exit 1
	fi

	if tail -n+2 "${LATEST}" \| grep -qv ".github/actions/toolchain"; then
	cat "${LATEST}"
	echo "❗ [CT247/CT200] Vulnerabilities found outside of github actions. Please remediate them."
	exit 1
	fi
	echo "✅ [CT247/CT200] No dependabot vulnerabilities found"

	- name: (T186) (N/C) - Use recommended settings and latest patches for third party libraries and software
	run: \|
	cargo generate-lockfile

	cargo audit

	# if ! cargo outdated -R --exit-code 1; then
	# echo "❗ [T186] Out of date third party dependencies found"
	# exit 1
	# fi

	echo "✅ [T186] No outdated or vulnerable third party dependencies found"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump github/codeql-action from 4.31.2 to 4.31.4 #676

Workflow file

Bump github/codeql-action from 4.31.2 to 4.31.4 #676

Uh oh!

Jobs

Run details

Workflow file for this run