add steps to analyze for CVEs and upload SARIF

also: - fix spelling in readme - fix pulumi copy step in dockerfile - quote "prepare commit" step in mega-linter.yml
mauwii · Sep 29, 2023 · 1292d9a · 1292d9a
1 parent 83c2030
commit 1292d9a
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 4 deletions.
diff --git a/.cspell.json b/.cspell.json
@@ -29,10 +29,12 @@
     "catthehacker",
     "cmdline",
     "codeowners",
+    "codeql",
     "commandlinetools",
     "containerd",
     "containerimage",
     "coreutils",
+    "cves",
     "dbus",
     "dckr",
     "dearmor",
@@ -110,6 +112,7 @@
     "pwsh",
     "quickview",
     "rubygems",
+    "sarif",
     "semgrep",
     "Sfrg",
     "shellcheck",

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -121,7 +121,31 @@ jobs:
           targets: ${{ matrix.targets }}
           sbom: true
           provenance: true
-          push: ${{ github.event_name != 'pull_request' }}
+          push: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
+
+      - name: Get the image tag
+        id: meta
+        run: |
+          printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print | jq -r '[.target[].tags[]][0]')" >> "$GITHUB_OUTPUT"
+
+      - name: Analyze for critical and high CVEs
+        id: docker-scout-cves
+        if: ${{ github.event_name != 'pull_request_target' && github.actor != 'nektos/act' }}
+        # kics-scan ignore-line
+        uses: docker/[email protected]
+        with:
+          command: cves
+          image: ${{ steps.meta.outputs.tag }}
+          sarif-file: sarif.output.json
+          summary: true
+
+      - name: Upload SARIF result
+        id: upload-sarif
+        if: ${{ github.event_name != 'pull_request_target' && github.actor != 'nektos/act' }}
+        # kics-scan ignore-line
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: sarif.output.json
 
       # # vulnerability scanning to verify PRs
       # - name: Docker Scout

diff --git a/.github/workflows/mega-linter.yml b/.github/workflows/mega-linter.yml
@@ -127,7 +127,7 @@ jobs:
             github.event_name == 'push' ||
             github.event.pull_request.head.repo.full_name == github.repository
           )
-        run: sudo chown -Rc $UID .git/
+        run: 'sudo chown -Rc $UID .git/'
 
       # kics-scan ignore-line
       - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a

diff --git a/README.md b/README.md
@@ -41,7 +41,7 @@ The easiest way is to add those lines in your `~/.actrc`:
 -P ubuntu-20.04=mauwii/ubuntu-act:20.04
 ```
 
-For further Informations about nektos/act and how to use it, take a 👀 at the [nektos
+For further information about [nektos/act][nektosActRepo] and how to use it, take a 👀 at the [nektos
 documentation📖][nektosDocs]
 
 ## How I run act on my M2-Max 💻

diff --git a/linux/ubuntu/Dockerfile b/linux/ubuntu/Dockerfile
@@ -318,7 +318,7 @@ ENV PATH=/usr/local/go/bin:${PATH}
 RUN sed "s|^PATH=|PATH=/usr/local/go/bin:|mg" -i /etc/environment
 
 # add pulumi
-COPY --from=pulumi /root/.pulumi/bin/* /usr/local/bin/
+COPY --from=pulumi /root/.pulumi/bin /usr/local/bin/
 
 # add bicep
 COPY --from=bicep /usr/local/bin/bicep /usr/local/bin/bicep