forked from kata-containers/kata-containers
-
Notifications
You must be signed in to change notification settings - Fork 30
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
57 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,57 @@ | ||
| name: BinSkim Security Scan | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| - msft-main # Adjust if needed | ||
| push: | ||
| branches: | ||
| - mitchzhu/clippy | ||
|
|
||
| jobs: | ||
| binskim: | ||
| name: Run BinSkim on Compiled Binaries | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Install Dependencies | ||
| run: | | ||
| echo "Installing dependencies..." | ||
| sudo apt-get update | ||
| sudo apt-get install -y ca-certificates curl libdevmapper-dev clang llvm | ||
| - name: Download and Install BinSkim | ||
| run: | | ||
| echo "Downloading BinSkim..." | ||
| curl -L -o binskim https://github.com/microsoft/binskim/releases/latest/download/BinSkim-linux-x64 | ||
| chmod +x binskim | ||
| sudo mv binskim /usr/local/bin/ | ||
| echo "BinSkim installed successfully." | ||
| binskim --version || echo "BinSkim installed but no version command." | ||
| - name: Run Kata Containers Build Script | ||
| run: | | ||
| pushd tools/osbuilder/node-builder/azure-linux | ||
| make all | ||
| # 🔹 Run BinSkim on compiled binaries | ||
| - name: Scan kata-agent binary | ||
| run: binskim analyze src/agent/target/release/kata-agent --output binskim-agent.sarif --verbose | ||
|
|
||
| - name: Scan runtime binary | ||
| run: binskim analyze src/runtime/kata-runtime --output binskim-runtime.sarif --verbose | ||
|
|
||
| - name: Scan tardev-snapshotter binary | ||
| run: binskim analyze src/tardev-snapshotter/target/release/tardev-snapshotter --output binskim-snapshotter.sarif --verbose | ||
|
|
||
| - name: Scan overlay binary | ||
| run: binskim analyze src/overlay/target/release/kata-overlay --output binskim-overlay.sarif --verbose | ||
|
|
||
| # 🔹 Upload SARIF results for GitHub Security Tab | ||
| - name: Upload BinSkim Results | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| with: | ||
| sarif_file: binskim.sarif |