ci: improve pipelines for security + sbom generation (#389)

JGiola · web-flow · commit ddbbed89bbd8 · 2024-10-17T14:55:05.000+02:00
* build: add devcontainer

* feat: add dockerignore

* style: add editorconfig

* refactor: improved gitignore with gitignore template

* build: add support for multiarch in dockerfile

* ci: update pipelines
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,40 @@
+{
+  "name": "Go",
+  "image": "golang:1.23.2",
+  "features": {
+    "ghcr.io/devcontainers/features/common-utils:2": {"username": "golang"},
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {}
+  },
+  "runArgs": [
+    "--cap-add=SYS_PTRACE",
+    "--security-opt",
+    "seccomp=unconfined"
+  ],
+  "customizations": {
+    "vscode": {
+      "settings": {
+        "files.eol": "\n",
+        "files.insertFinalNewline": true,
+        "files.trimFinalNewlines": true,
+        "files.trimTrailingWhitespace": false,
+        "go.toolsManagement.checkForUpdates": "local",
+        "go.useLanguageServer": true,
+        "go.gopath": "/go",
+        "go.buildFlags": [
+          "-tags=conformance,integration"
+        ]
+      },
+      "extensions": [
+        "golang.go",
+        "redhat.vscode-yaml",
+        "editorconfig.editorconfig"
+      ]
+    },
+    "codespaces": {
+      "openFiles": [
+        "README.md",
+        "CONTRIBUTING.md"
+      ]
+    }
+  }
+}
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,17 @@
+.devcontainer
+.git
+.github
+.vscode
+cache
+mocks
+.dockerignore
+.gitignore
+CHANGELOG.md
+CODE_OF_CONDUCT.md
+CONTRIBUTING.md
+coverage.out
+Dockerfile
+Makefile
+output.txt
+README.md
+SECURITY.md
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,19 @@
+root = true
+
+[*]
+indent_style = space
+indent_size = tab
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+max_line_length = 120
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.go]
+indent_style = tab
+
+[Makefile]
+indent_style = tab
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,21 +1,51 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
 version: 2
+
 updates:
-  - package-ecosystem: "gomod"
-    directory: "/"
-    schedule:
-      interval: "daily"
+# keep up to date the github actions
+- package-ecosystem: github-actions
+  directory: /
+  schedule:
+    interval: monthly
+    timezone: Europe/Rome
+  groups:
+    minor-actions-dependencies:
+      update-types:
+      - minor
+      - patch
+  commit-message:
+    include: scope
+    prefix: ci
+
+# keep up to date the base docker image
+- package-ecosystem: docker
+  directory: /
+  schedule:
+    interval: daily
+    time: "07:00"
+    timezone: Europe/Rome
+  commit-message:
+    include: scope
+    prefix: build
 
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "daily"
+# enable go dependencies security updates
+- directory: /
+  open-pull-requests-limit: 0
+  package-ecosystem: gomod
+  rebase-strategy: auto
+  schedule:
+    interval: daily
+    time: "07:00"
+    timezone: Europe/Rome
+  commit-message:
+    include: scope
+    prefix: chore
 
-  - package-ecosystem: "docker"
-    directory: "/"
-    schedule:
-      interval: "daily"
+# keep up to date devcontainers
+- package-ecosystem: devcontainers
+  directory: "/"
+  schedule:
+    interval: monthly
+    timezone: Europe/Rome
+  commit-message:
+    include: scope
+    prefix: build
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -1,49 +1,37 @@
-name: "CodeQL"
-
+name: Code Scanning
 on:
   push:
-    branches: [ "main" ]
+    branches:
+    - main
+    tags:
+    - "*"
   pull_request:
-    branches: [ "main" ]
+    branches:
+    - main
+    paths-ignore:
+    - "**/*.md"
   schedule:
-    - cron: '27 19 * * 1'
+  - cron: 27 19 * * 1
 
 jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
+  codeql:
+    runs-on: macos-latest
     permissions:
-      actions: read
-      contents: read
       security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'go' ]
-
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
-
-    # Initializes the CodeQL tools for scanning.
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      with:
+        show-progress: false
+    - name: Setup Golang
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      with:
+        go-version: 1.23
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
       with:
-        languages: ${{ matrix.language }}
-
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v3
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
-
-    #   If the Autobuild fails above, remove it and uncomment the following three lines. 
-    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-    # - run: |
-    #   echo "Run, Build Application using script"
-    #   ./location_of_script_within_repo/buildscript.sh
-
+        languages: go
+    - name: Run Build
+      run: CGO_ENABLED=0 go build -ldflags="-w -s" -o main .
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,15 +2,18 @@ name: Release
 on:
   push:
     tags:
-      - '*'
+    - '*'
+
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Release
-        uses: softprops/action-gh-release@v2
-        with:
-          generate_release_notes: true
-          prerelease: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-rc.') }}
+    - name: Checkout repository
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      with:
+        show-progress: false
+    - name: Release
+      uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
+      with:
+        generate_release_notes: true
+        prerelease: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-rc.') }}
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -2,14 +2,17 @@ on:
   pull_request:
     types: [opened]
   push:
+
 name: Security
 jobs:
   gosec:
     runs-on: ubuntu-latest
     steps:
-      - name: Checkout Source
-        uses: actions/checkout@v4
-      - name: Run Gosec Security Scanner
-        uses: securego/gosec@master
-        with:
-          args: ./...
+    - name: Checkout repository
+      uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
+      with:
+        show-progress: false
+    - name: Run Gosec Security Scanner
+      uses: securego/gosec@master
+      with:
+        args: ./...
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
diff --git a/.gitignore b/.gitignore
diff --git a/Dockerfile b/Dockerfile
