-
Notifications
You must be signed in to change notification settings - Fork 132
76 lines (70 loc) · 2.61 KB
/
Copy pathcodeql-analysis.yml
File metadata and controls
76 lines (70 loc) · 2.61 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
name: "CodeQL"
on:
push:
branches:
- 'main'
- 'release-v*'
pull_request:
schedule:
- cron: '0 12 * * *'
permissions:
contents: read
jobs:
analyze-go:
name: Analyze Go
if: github.repository == 'Azure/karpenter-provider-azure'
runs-on: ubuntu-latest
permissions:
actions: read # github/codeql-action/init@v4
contents: read
security-events: write # github/codeql-action/init@v4
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-telemetry: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
dc.services.visualstudio.com:443
github.com:443
login.microsoftonline.com:443
objects.githubusercontent.com:443
release-assets.githubusercontent.com:443
proxy.golang.org:443
golang.org:443
raw.githubusercontent.com:443
storage.googleapis.com:443
sum.golang.org:443
go.dev:443
dl.google.com:443
uploads.github.com:443
vuln.go.dev:443
aquasecurity.github.io:443
mirror.gcr.io:443
azure.archive.ubuntu.com:80
packages.microsoft.com:443
esm.ubuntu.com:443
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: ./.github/actions/install-deps
- run: make vulncheck
- uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
languages: go
- uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
- uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
# Javascript is added here for evaluating Github Action vulnerabilities
# https://github.blog/2023-08-09-four-tips-to-keep-your-github-actions-workflows-secure/#2-enable-code-scanning-for-workflows
analyze-github-actions:
name: Analyze Github Actions
if: github.repository == 'Azure/karpenter-provider-azure'
runs-on: ubuntu-latest
permissions:
actions: read # github/codeql-action/init@v4
security-events: write # github/codeql-action/init@v4
steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
languages: actions
- uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2