add ghalint workflow

RyosukeDTomita · Jun 17, 2024 · 64fcaae · 64fcaae
1 parent 5987d20
commit 64fcaae
Show file tree

Hide file tree

Showing 7 changed files with 158 additions and 69 deletions.
diff --git a/.github/workflows/actions-linter.yaml b/.github/workflows/actions-linter.yaml
@@ -0,0 +1,20 @@
+name: actions-lint
+on:
+  pull_request:
+    # paths:
+    #   - .github/workflows/*.yaml
+jobs:
+  run-ghalint:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: read
+    steps:
+      - name: clone application source code
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: install package using aqua
+        uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v3.0.1
+        with:
+          aqua_version: v2.29.0
+      - name: run ghalint
+        run: github-comment exec --token ${{ secrets.token }} -- ghalint run
diff --git a/.github/workflows/react-dependency-check.yaml b/.github/workflows/react-dependency-check.yaml
@@ -3,8 +3,9 @@ name: trivy dependency check for package.json
 # TODO: aquaを使ってインストールして使う形にしたほうがわかりやすいかも
 on:
   push:
-    # paths:
-    #   - "package.json"
+    paths:
+      - "package.json"
+      - ".github/workflows/react-dependency-check.yaml"
   schedule:
     # 日曜日の午前0時に実行
     - cron:  '0 0 * * 0'
@@ -15,14 +16,14 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      packages: write
+      security-events: write
 
     steps:
       - name: clone application source code
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: use trivy
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
         with:
           scan-type: 'fs'
           #exit-code: 1

diff --git a/.github/workflows/react-jest.yaml b/.github/workflows/react-jest.yaml
@@ -1,10 +1,11 @@
 name: run-jest
 on:
   push:
-    # paths:
-    #   - "src/**.tsx"
-    #   - "src/**.ts"
-    #   - "public/**.html"
+    paths:
+      - "src/**.tsx"
+      - "src/**.ts"
+      - "public/**.html"
+      - ".github/workflows/react-jest.yaml"
 
 defaults:
   run:

diff --git a/.github/workflows/react-semgrep.yaml b/.github/workflows/react-semgrep.yaml
@@ -3,46 +3,47 @@ name: Semgrep Full Scan
 #リポジトリの設定から --> Code and automation --> Actions --> GeneralのWorkflow permissionsをRead and write permissionsに[参考画像](../../doc/fig/semgrep_upgrade_grant.png)
 on:
   push:
-    # paths:
-    #   - "src/**.tsx"
-    #   - "src/**.ts"
-    #   - "public/**.html"
+    paths:
+      - "src/**.tsx"
+      - "src/**.ts"
+      - "public/**.html"
+      - ".github/workflows/react-semgrep.yaml"
   schedule:
     # 日曜日の午前0時に実行
     - cron:  '0 0 * * 0'
 
 jobs:
 
   semgrep-full:
-      runs-on: ubuntu-latest
-      permissions:
-        contents: read
-        packages: write
-      container:
-        image: returntocorp/semgrep
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    container:
+      image: returntocorp/semgrep:sha-69df2e1
 
-      steps:
-        - name: clone application source code
-          uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-        - name: install package using aqua
-          uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v3.0.1
-          with:
-            aqua_version: v2.29.0
-        - name: full scan
-          run: |
-            github-comment exec --token ${{ secrets.TOKEN }} -- semgrep \
-              --sarif --output report.sarif \
-              --metrics=off \
-              --config="p/default"
-        # reportsを生成(Actionsから確認できる)
-        - name: save report as pipeline artifact
-          uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
-          with:
-            name: report.sarif
-            path: report.sarif
-        # scanの結果を解析。GithubのSecurity --> Code Scanning等でアラートが見られる。
-        - name: publish code scanning alerts
-          uses: github/codeql-action/upload-sarif@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10
-          with:
-            sarif_file: report.sarif
-            category: semgrep
+    steps:
+      - name: clone application source code
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - name: install package using aqua
+        uses: aquaproj/aqua-installer@6ce1f8848ec8e61f14d57bd5d7597057a6dd187c # v3.0.1
+        with:
+          aqua_version: v2.29.0
+      - name: full scan
+        run: |
+          github-comment exec --token ${{ secrets.TOKEN }} -- semgrep \
+            --sarif --output report.sarif \
+            --metrics=off \
+            --config="p/default"
+      # reportsを生成(Actionsから確認できる)
+      - name: save report as pipeline artifact
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: report.sarif
+          path: report.sarif
+      # scanの結果を解析。GithubのSecurity --> Code Scanning等でアラートが見られる。
+      - name: publish code scanning alerts
+        uses: github/codeql-action/upload-sarif@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10
+        with:
+          sarif_file: report.sarif
+          category: semgrep
diff --git a/doc/tools_doc/ghalint.md b/doc/tools_doc/ghalint.md
@@ -0,0 +1,48 @@
+# ghalint
+
+## ghalintとは
+
+> [ghalintが検知してPolicy](https://github.com/suzuki-shunsuke/ghalint?tab=readme-ov-file#policies)
+> [permissionsの一覧が載っているページ](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions)
+---
+
+## install
+
+```shell
+aqua g -i suzuki-shunsuke/[email protected]
+```
+
+---
+
+## How to Use
+
+```shell
+ghalint run
+```
+
+---
+
+## 修正log
+
+### All jobs should have the field permissions
+
+- [内容](https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/001.md): すべてのjobにpermissionをつけないといけない。
+
+```yaml
+jobs:
+
+  trivy-scan:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+```
+
+> [!NOTE]
+> [codeql-action](https://github.com/github/codeql-action/issues/464)には`security-events: write`が必要
+
+### the step violates policies
+
+- [内容](https://github.com/suzuki-shunsuke/ghalint/blob/main/docs/policies/008.md): フルコミットハッシュにすれば解決。
+
+### the job violates policies
diff --git a/doc/tools_doc/pinact.md b/doc/tools_doc/pinact.md
@@ -0,0 +1,44 @@
+# pinact
+
+## pinactとは
+
+- GitHub Actionsのactionのバージョンが実行タイミングによって内容が変わると突然CIが壊れたり，悪意のあるコードが実行される可能性がある --> フルコミットハッシュを用いてバージョンを固定すべきである。
+- pinactを使うとフルコミットハッシュに変換し，コメントでバージョンを記載してくれる。
+
+## install
+
+- [GitHub](https://github.com/suzuki-shunsuke/pinact#install)をみてinstallする。
+
+```shell
+aqua g -i suzuki-shunsuke/pinact
+```
+
+## HOW TO USE
+
+```shell
+pinact run
+```
+
+- actions/ツール名@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 のような表記に変換してくれる。
+
+```yaml
+uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+```
+
+---
+
+## Error log
+
+### 401 Bad credentials
+
+```shell
+pinact run
+WARN[0000] get a reference error="GET https://api.github.com/repos/aquasecurity/trivy-action/commits/v0.21.0: 401 Bad credentials []" pinact_version=0.2.0 program=pinact workflow_file=.github/workflows/react-dependency-check.yaml
+```
+
+[公式のREADME](https://github.com/suzuki-shunsuke/pinact#github-access-token)を見ると，
+
+> pinact calls GitHub REST API to get commit hashes and tags. You can pass GitHub Access token via environment variable GITHUB_TOKEN. If no GitHub Access token is passed, pinact calls GitHub REST API without access token.
+
+のような記載があり，GITHUB_TOKENをexportしているとそれを使ってpinactを起動しようとするらしい。
+そのため，GITHUB_TOKENをunexportしたら解決。
diff --git a/doc/tools_doc/pincat.md b/doc/tools_doc/pincat.md