Add BinSkim check

microsoft · Feb 19, 2025 · fd45bae · fd45bae
1 parent 86d4547
commit fd45bae
Showing 1 changed file with 74 additions and 0 deletions.
diff --git a/.github/workflows/binskim.yaml b/.github/workflows/binskim.yaml
@@ -0,0 +1,74 @@
+name: BinSkim Security Scan
+
+on:
+  pull_request:
+    branches:
+      - main  # Adjust if needed
+  push:
+    branches:
+      - main
+
+jobs:
+  binskim:
+    name: Run BinSkim on Compiled Binaries
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Install Dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y libdevmapper-dev clang llvm
+
+      - name: Set up Rust (for kata-agent, overlay, tardev-snapshotter)
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Set up Go (for runtime)
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+
+      - name: Install BinSkim
+        run: |
+          echo "Installing BinSkim..."
+          wget https://github.com/microsoft/binskim/releases/latest/download/BinSkim-linux-x64 -O /usr/local/bin/binskim
+          chmod +x /usr/local/bin/binskim
+          binskim --version
+
+      # 🔹 Build binaries before running BinSkim
+      - name: Build kata-agent
+        working-directory: src/agent
+        run: cargo build --release
+
+      - name: Build runtime
+        working-directory: src/runtime
+        run: go build -o kata-runtime
+
+      - name: Build tardev-snapshotter
+        working-directory: src/tardev-snapshotter
+        run: cargo build --release
+
+      - name: Build overlay
+        working-directory: src/overlay
+        run: cargo build --release
+
+      # 🔹 Run BinSkim on compiled binaries
+      - name: Scan kata-agent binary
+        run: binskim analyze src/agent/target/release/kata-agent --output binskim-agent.sarif --verbose
+
+      - name: Scan runtime binary
+        run: binskim analyze src/runtime/kata-runtime --output binskim-runtime.sarif --verbose
+
+      - name: Scan tardev-snapshotter binary
+        run: binskim analyze src/tardev-snapshotter/target/release/tardev-snapshotter --output binskim-snapshotter.sarif --verbose
+
+      - name: Scan overlay binary
+        run: binskim analyze src/overlay/target/release/kata-overlay --output binskim-overlay.sarif --verbose
+
+      # 🔹 Upload SARIF results for GitHub Security Tab
+      - name: Upload BinSkim Results
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: binskim-agent.sarif