Install binskim through dotnet sdk

.github/workflows/binskim.yaml

@@ -22,25 +22,31 @@ jobs:
           echo "Installing dependencies..."
           sudo apt-get update
           sudo apt-get install -y git golang rustc cargo build-essential protobuf-compiler libprotobuf-dev expect libssl-dev clang libseccomp-dev btrfs-progs libdevmapper-dev cmake libfuse-dev
+          sudo add-apt-repository ppa:dotnet/backports
+          sudo apt-get install -y dotnet-sdk-9.0 aspnetcore-runtime-9.0 dotnet-runtime-9.0 zlib1g
 
-
-      - name: Download and Install BinSkim
+      - name: Set up BinSkim
         run: |
-          echo "Downloading BinSkim..."
-          curl -L -o binskim https://github.com/microsoft/binskim/releases/latest/download/BinSkim-linux-x64
-          chmod +x binskim
-          sudo mv binskim /usr/local/bin/
-          echo "BinSkim installed successfully."
-          binskim --version || echo "BinSkim installed but no version command."
+          dotnet new console -n TempConsoleApp
+          cd TempConsoleApp
+          echo "Installing BinSkim version 1.9.5"
+          dotnet add package Microsoft.CodeAnalysis.BinSkim --version 1.9.5
+          ls ~/.nuget/packages/microsoft.codeanalysis.binskim/
+          sudo mv ~/.nuget/packages/microsoft.codeanalysis.binskim/ $GITHUB_WORKSPACE
+          echo "BinSkim files moved to: $GITHUB_WORKSPACE"
+          sudo ln -sf "$GITHUB_WORKSPACE/microsoft.codeanalysis.binskim/1.9.5/tools/netcoreapp3.1/linux-x64/BinSkim" /usr/local/bin/binskim
+          
 
       - name: Build kata artifacts
         run: |
+          echo "Building kata-agent binary"
           agent_make_flags="LIBC=gnu OPENSSL_NO_VENDOR=Y DESTDIR=${AGENT_INSTALL_DIR} BUILD_TYPE=${AGENT_BUILD_TYPE}"
           agent_make_flags+=" AGENT_POLICY=yes"
           pushd src/agent/
           make ${agent_make_flags}
           popd
 
+          echo "Building kata-runtime binary"
           runtime_make_flags="SKIP_GO_VERSION_CHECK=1 QEMUCMD= FCCMD= ACRNCMD= STRATOVIRTCMD= DEFAULT_HYPERVISOR=cloud-hypervisor 
             DEFMEMSZ=0 DEFSTATICSANDBOXWORKLOADMEM=512 DEFVCPUS=0 DEFSTATICSANDBOXWORKLOADVCPUS=1 DEFVIRTIOFSDAEMON=${VIRTIOFSD_BINARY_LOCATION} PREFIX=${INSTALL_PATH_PREFIX}"
           runtime_make_flags+=" CLHPATH=${CLOUD_HYPERVISOR_LOCATION}"
@@ -54,25 +60,61 @@ jobs:
           make all
           popd
 
+          echo "Building tardev-snapshotter service binary"
           pushd src/tardev-snapshotter/
           make all
           popd
 
-      # 🔹 Run BinSkim on compiled binaries
+      # Run BinSkim on compiled binaries
       - name: Scan kata-agent binary
-        run: binskim analyze src/agent/target/release/kata-agent --output binskim-agent.sarif --verbose
+        run: | 
+          KATA_AGENT_PATH=$(find src/agent/ -type f -name "kata-agent" | head -n 1)
+          if [ -z "$KATA_AGENT_PATH" ]; then
+            echo "Error: kata-agent binary not found!"
+            exit 1
+          fi
+          binskim analyze "$KATA_AGENT_PATH" --output binskim-agent.sarif --verbose
 
-      - name: Scan runtime binary
-        run: binskim analyze src/runtime/kata-runtime --output binskim-runtime.sarif --verbose
+      #- name: Scan runtime binary
+      #  run: | 
+      #    KATA_RUNTIME_PATH=$(find src/runtime/ -type f -name "containerd-shim-kata-v2" | head -n 1)
+      #    if [ -z "$KATA_RUNTIME_PATH" ]; then
+      #      echo "Error: kata-runtime binary not found!"
+      #      exit 1
+      #    fi
+      #    binskim analyze "$KATA_RUNTIME_PATH" --output binskim-runtime.sarif --verbose
 
       - name: Scan tardev-snapshotter binary
-        run: binskim analyze src/tardev-snapshotter/target/release/tardev-snapshotter --output binskim-snapshotter.sarif --verbose
+        run: |
+          TARDEV_SNAPSHOTTER_PATH=$(find src/tardev-snapshotter/ -type f -name "tardev-snapshotter" | head -n 1)
+          if [ -z "$TARDEV_SNAPSHOTTER_PATH" ]; then
+            echo "Error: tardev-snapshotter binary not found!"
+            exit 1
+          fi
+          binskim analyze "$TARDEV_SNAPSHOTTER_PATH" --output binskim-snapshotter.sarif --verbose
 
       - name: Scan overlay binary
-        run: binskim analyze src/overlay/target/release/kata-overlay --output binskim-overlay.sarif --verbose
+        run: | 
+          OVERLAY_PATH=$(find src/overlay/ -type f -name "kata-overlay" | head -n 1)
+          if [ -z "$OVERLAY_PATH" ]; then
+            echo "Error: kata-overlay binary not found!"
+            exit 
+          fi
+          binskim analyze "$OVERLAY_PATH" --output binskim-overlay.sarif --verbose
+
+      # Validate SARIF reports before uploading
+      - name: Validate SARIF Reports
+        run: |
+          for file in binskim-agent.sarif binskim-runtime.sarif binskim-snapshotter.sarif binskim-overlay.sarif; do
+            if [ ! -f "$file" ]; then
+              echo "Error: $file was not generated."
+              exit 1
+            fi
+          done
+          echo "All SARIF reports generated successfully."
 
-      # 🔹 Upload SARIF results for GitHub Security Tab
+      # Upload SARIF results to GitHub Security Tab
       - name: Upload BinSkim Results
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: binskim.sarif
+          sarif_file: binskim-agent.sarif,binskim-runtime.sarif,binskim-snapshotter.sarif,binskim-overlay.sarif