diff --git a/.github/workflows/binskim.yaml b/.github/workflows/binskim.yaml
new file mode 100644
index 000000000000..2532d79f2597
--- /dev/null
+++ b/.github/workflows/binskim.yaml
@@ -0,0 +1,57 @@
+name: BinSkim Security Scan
+
+on:
+ pull_request:
+ branches:
+ - msft-main # Adjust if needed
+ push:
+ branches:
+ - mitchzhu/clippy
+
+jobs:
+ binskim:
+ name: Run BinSkim on Compiled Binaries
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Install Dependencies
+ run: |
+ echo "Installing dependencies..."
+ sudo apt-get update
+ sudo apt-get install -y ca-certificates curl libdevmapper-dev clang llvm
+
+ - name: Download and Install BinSkim
+ run: |
+ echo "Downloading BinSkim..."
+ curl -L -o binskim https://github.com/microsoft/binskim/releases/latest/download/BinSkim-linux-x64
+ chmod +x binskim
+ sudo mv binskim /usr/local/bin/
+ echo "BinSkim installed successfully."
+ binskim --version || echo "BinSkim installed but no version command."
+
+ - name: Run Kata Containers Build Script
+ run: |
+ pushd tools/osbuilder/node-builder/azure-linux
+ OS_VERSION=3.0 make all
+
+ # 🔹 Run BinSkim on compiled binaries
+ - name: Scan kata-agent binary
+ run: binskim analyze src/agent/target/release/kata-agent --output binskim-agent.sarif --verbose
+
+ - name: Scan runtime binary
+ run: binskim analyze src/runtime/kata-runtime --output binskim-runtime.sarif --verbose
+
+ - name: Scan tardev-snapshotter binary
+ run: binskim analyze src/tardev-snapshotter/target/release/tardev-snapshotter --output binskim-snapshotter.sarif --verbose
+
+ - name: Scan overlay binary
+ run: binskim analyze src/overlay/target/release/kata-overlay --output binskim-overlay.sarif --verbose
+
+ # 🔹 Upload SARIF results for GitHub Security Tab
+ - name: Upload BinSkim Results
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: binskim.sarif
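Review bot: The upload step's `sarif_file: binskim.sarif` names a file that no earlier step produces; the four scan steps write `binskim-agent.sarif`, `binskim-runtime.sarif`, `binskim-snapshotter.sarif` and `binskim-overlay.sarif`, so the final step will fail or upload nothing and the Security tab stays empty. Writing all four reports into one directory and pointing `sarif_file` at that directory (upload-sarif accepts a directory of SARIF files) closes the mismatch. The workflow also declares no `permissions:` block, and upload-sarif needs `security-events: write`; with a read-only default GITHUB_TOKEN the upload is rejected (and presumably is rejected for pull requests from forks regardless, which the `pull_request` trigger invites). Separately, the install step fetches `releases/latest/download/BinSkim-linux-x64` with no version pin and no checksum, so the scanner that vets the build is whatever was published that day and the run is not reproducible — pin a release tag and verify the SHA-256 against a value recorded in the workflow. `github/codeql-action/upload-sarif@v2` is also an older major line; v3 is available.
```yaml
permissions:
  contents: read
  security-events: write

# … unchanged: on:, jobs.binskim header, checkout and apt steps …
      - name: Download and Install BinSkim
        run: |
          curl -fsSL -o binskim "https://github.com/microsoft/binskim/releases/download/<PINNED_RELEASE_TAG>/BinSkim-linux-x64"
          echo "<EXPECTED_SHA256>  binskim" | sha256sum -c -
          chmod +x binskim
          sudo mv binskim /usr/local/bin/
# … unchanged: build step …
      - name: Scan kata-agent binary
        run: |
          mkdir -p binskim-results
          binskim analyze src/agent/target/release/kata-agent --output binskim-results/kata-agent.sarif --verbose
# … the runtime, tardev-snapshotter and overlay scans write into binskim-results/ the same way …
      - name: Upload BinSkim Results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: binskim-results
```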