From 8d6e611fba7858cb400688910a05d86228207629 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Igor=20Pe=C4=8Dovnik?=
Date: Sat, 7 Jan 2023 21:02:38 +0100
Subject: [PATCH] Add kernel config security analysis Action script (#4616)

- it never fails, just making a report
- adjust run conditions on lint action
---
.../workflows/kernel-security-analysis-pr.yml | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 .github/workflows/kernel-security-analysis-pr.yml

diff --git a/.github/workflows/kernel-security-analysis-pr.yml b/.github/workflows/kernel-security-analysis-pr.yml
new file mode 100644
index 0000000000..fea7afc375
--- /dev/null
+++ b/.github/workflows/kernel-security-analysis-pr.yml
@@ -0,0 +1,46 @@
+name: Kernel hardening analysis
+#
+# Check the Linux kernel options against security hardening
+#
+# Attention! Changing security parameters may also affect system performance and functionality of userspace software!
+# More info:
+# https://github.com/a13xp0p0v/kconfig-hardened-check/blob/master/README.md
+
+on:
+ workflow_dispatch:
+
+ pull_request:
+ types: [ready_for_review, opened, reopened, synchronize]
+
+permissions:
+ contents: read
+
+jobs:
+
+ Analysis:
+
+ name: Analyse
+ runs-on: ubuntu-latest
+ if: ${{ github.repository_owner == 'Armbian' }}
+ steps:
+
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Get changed files
+ id: changed-files
+ uses: tj-actions/changed-files@v35
+
+ - name: Checkout repository
+ uses: actions/checkout@v3
+ with:
+ repository: a13xp0p0v/kconfig-hardened-check
+ path: kconfig-hardened-check
+
+ - name: Check kernel config for security issues
+ run: |
+ for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
+ kconfig-hardened-check/bin/kconfig-hardened-check -m show_fail -c $file | sed -e 's/^/ /' >> $GITHUB_STEP_SUMMARY
+ done
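Review bot: The final `run:` step interpolates `${{ steps.changed-files.outputs.all_changed_files }}` directly into the shell script, so the expression is expanded before bash parses the script; on a `pull_request` trigger that file list comes from the contributor's branch, and a path containing shell metacharacters would change what the step executes rather than being treated as data. The `contents: read` token keeps the blast radius small, but the list should still be handed to the script through a step-level `env:` variable and iterated as `for file in $CHANGED_FILES`, with `"$file"` and `"$GITHUB_STEP_SUMMARY"` quoted. Two smaller points: the loop feeds every changed file to the checker, not just kernel config files, so an unrelated edit in the same PR fills the summary with tool errors — the changed-files action's `files:` input can restrict the list to the config paths; and `tj-actions/changed-files@v35` and `actions/checkout@v3` are mutable tags, whereas a third-party action that processes PR data is normally pinned to a full commit SHA.

```yaml
      - name: Check kernel config for security issues
        env:
          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        run: |
          for file in $CHANGED_FILES; do
            kconfig-hardened-check/bin/kconfig-hardened-check -m show_fail -c "$file" | sed -e 's/^/ /' >> "$GITHUB_STEP_SUMMARY"
          done
```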