d4022fbbbb
Addressing security issue: https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/
72 lines
2.5 KiB
YAML
72 lines
2.5 KiB
YAML
name: Kernel Hardening Analysis
|
|
run-name: 'Check kernel security options - PR #${{ github.event.pull_request.number }} ("${{ github.event.pull_request.title }}")'
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# This workflow analyzes Linux kernel configuration files to check for
|
|
# security hardening options using the kernel-hardening-checker tool.
|
|
#
|
|
# ⚠️ Important:
|
|
# Modifying security parameters may impact system performance and
|
|
# functionality of userspace software.
|
|
#
|
|
# More info:
|
|
# https://github.com/a13xp0p0v/kernel-hardening-checker
|
|
#
|
|
# Triggers:
|
|
# - Manually via workflow_dispatch
|
|
# - On pull request events: ready_for_review, opened, reopened, or synchronized
|
|
#
|
|
# Features:
|
|
# - Runs only for PRs targeting the 'Armbian' repository
|
|
# - Validates kernel `.config` files for security best practices
|
|
# - Skips RISC-V configurations due to known compatibility issues
|
|
# - Provides a formatted security report in GitHub Actions summary
|
|
# -----------------------------------------------------------------------------
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
|
|
pull_request:
|
|
types: [ready_for_review, opened, reopened, synchronize]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
concurrency:
|
|
group: pipeline-security-${{ github.event.pull_request.number }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
Analysis:
|
|
name: Check kernel security options
|
|
runs-on: ubuntu-latest
|
|
if: ${{ github.repository_owner == 'Armbian' }}
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Get changed files
|
|
id: files
|
|
uses: UplandJacob/retrieve-changed-files@v4
|
|
|
|
- name: Checkout kernel-hardening-checker
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: a13xp0p0v/kconfig-hardened-check
|
|
path: kconfig-hardened-check
|
|
|
|
- name: Run kernel security analysis
|
|
run: |
|
|
for file in ${{ steps.files.outputs.all }}; do
|
|
# Process only kernel configuration files and skip RISC-V configs
|
|
if [[ "${file}" = config/kernel/*.config && ! $(head -n 10 "${file}" | grep -q "riscv") ]]; then
|
|
# Run security checks and format output for GitHub Actions summary
|
|
kconfig-hardened-check/bin/kernel-hardening-checker -m show_fail -c $file \
|
|
| sed 's/^/ /; s/\x1b\[32m/✅ /; s/\x1b\[31m/❌ /; s/\x1b\[0m//' \
|
|
>> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
done
|