Add SDL and Binary Hardening CI PR Gate #32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: BinSkim Security Scan | |
| on: | |
| pull_request: | |
| branches: | |
| - msft-main # Adjust if needed | |
| push: | |
| branches: | |
| - mitchzhu/clippy | |
| jobs: | |
| binskim: | |
| name: Run BinSkim on Compiled Binaries | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Install Dependencies | |
| run: | | |
| echo "Installing dependencies..." | |
| sudo apt-get update | |
| sudo apt-get install -y git golang rustc cargo build-essential protobuf-compiler libprotobuf-dev expect libssl-dev clang libseccomp-dev btrfs-progs libdevmapper-dev cmake libfuse-dev | |
| sudo add-apt-repository ppa:dotnet/backports | |
| sudo apt-get install -y dotnet-sdk-9.0 aspnetcore-runtime-9.0 dotnet-runtime-9.0 zlib1g | |
| - name: Set up BinSkim | |
| run: | | |
| dotnet new console -n TempConsoleApp | |
| cd TempConsoleApp | |
| echo "Installing BinSkim version 1.9.5" | |
| dotnet add package Microsoft.CodeAnalysis.BinSkim --version 1.9.5 | |
| ls ~/.nuget/packages/microsoft.codeanalysis.binskim/ | |
| sudo mv ~/.nuget/packages/microsoft.codeanalysis.binskim/ $GITHUB_WORKSPACE | |
| echo "BinSkim files moved to: $GITHUB_WORKSPACE" | |
| sudo ln -sf "$GITHUB_WORKSPACE/microsoft.codeanalysis.binskim/1.9.5/tools/netcoreapp3.1/linux-x64/BinSkim" /usr/local/bin/binskim | |
| - name: Build kata artifacts | |
| run: | | |
| echo "Building kata-agent binary" | |
| agent_make_flags="LIBC=gnu OPENSSL_NO_VENDOR=Y DESTDIR=${AGENT_INSTALL_DIR} BUILD_TYPE=${AGENT_BUILD_TYPE}" | |
| agent_make_flags+=" AGENT_POLICY=yes" | |
| pushd src/agent/ | |
| make ${agent_make_flags} | |
| popd | |
| echo "Building kata-runtime binary" | |
| runtime_make_flags="SKIP_GO_VERSION_CHECK=1 QEMUCMD= FCCMD= ACRNCMD= STRATOVIRTCMD= DEFAULT_HYPERVISOR=cloud-hypervisor | |
| DEFMEMSZ=0 DEFSTATICSANDBOXWORKLOADMEM=512 DEFVCPUS=0 DEFSTATICSANDBOXWORKLOADVCPUS=1 DEFVIRTIOFSDAEMON=${VIRTIOFSD_BINARY_LOCATION} PREFIX=${INSTALL_PATH_PREFIX}" | |
| runtime_make_flags+=" CLHPATH=${CLOUD_HYPERVISOR_LOCATION}" | |
| runtime_make_flags+=" DEFSANDBOXCGROUPONLY=true" | |
| pushd src/runtime/ | |
| make ${runtime_make_flags} | |
| popd | |
| echo "Building kata-overlay binary" | |
| pushd src/overlay/ | |
| make all | |
| popd | |
| echo "Building tardev-snapshotter service binary" | |
| pushd src/tardev-snapshotter/ | |
| make all | |
| popd | |
| # Run BinSkim on compiled binaries | |
| - name: Scan kata-agent binary | |
| run: | | |
| KATA_AGENT_PATH=$(find src/agent/ -type f -name "kata-agent" | head -n 1) | |
| if [ -z "$KATA_AGENT_PATH" ]; then | |
| echo "Error: kata-agent binary not found!" | |
| exit 1 | |
| fi | |
| binskim analyze "$KATA_AGENT_PATH" --output binskim-agent.sarif --verbose | |
| - name: Scan runtime binary | |
| run: | | |
| KATA_RUNTIME_PATH=$(find src/runtime/ -type f -name "ccontainerd-shim-kata-v2" | head -n 1) | |
| if [ -z "$KATA_RUNTIME_PATH" ]; then | |
| echo "Error: kata-runtime binary not found!" | |
| exit 1 | |
| fi | |
| binskim analyze "$KATA_RUNTIME_PATH" --output binskim-runtime.sarif --verbose | |
| - name: Scan tardev-snapshotter binary | |
| run: | | |
| TARDEV_SNAPSHOTTER_PATH=$(find src/tardev-snapshotter/ -type f -name "tardev-snapshotter" | head -n 1) | |
| if [ -z "$TARDEV_SNAPSHOTTER_PATH" ]; then | |
| echo "Error: tardev-snapshotter binary not found!" | |
| exit 1 | |
| fi | |
| binskim analyze "$TARDEV_SNAPSHOTTER_PATH" --output binskim-snapshotter.sarif --verbose | |
| - name: Scan overlay binary | |
| run: | | |
| OVERLAY_PATH=$(find src/overlay/ -type f -name "kata-overlay" | head -n 1) | |
| if [ -z "$OVERLAY_PATH" ]; then | |
| echo "Error: kata-overlay binary not found!" | |
| exit | |
| fi | |
| binskim analyze "$OVERLAY_PATH" --output binskim-overlay.sarif --verbose | |
| # Validate SARIF reports before uploading | |
| - name: Validate SARIF Reports | |
| run: | | |
| for file in binskim-agent.sarif binskim-runtime.sarif binskim-snapshotter.sarif binskim-overlay.sarif; do | |
| if [ ! -f "$file" ]; then | |
| echo "Error: $file was not generated." | |
| exit 1 | |
| fi | |
| done | |
| echo "All SARIF reports generated successfully." | |
| # Upload SARIF results to GitHub Security Tab | |
| - name: Upload BinSkim Results | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: binskim-agent.sarif,binskim-runtime.sarif,binskim-snapshotter.sarif,binskim-overlay.sarif |