workflows: Add clippy, nancy, and binskim release checks #319
Conversation
miz060
force-pushed
the
mitchzhu/sdl
branch
2 times, most recently
from
4706b68 to
d6648a0
Compare
Add clippy, nancy, binskim release checks to help stablize kata releases Signed-off-by: Mitch Zhu <[email protected]>
miz060
changed the title
miz060
added
upstream/missing
| echo "✅ Clippy check passed for kata overlay." | ||
|
|
||
| - name: Run Clippy on tardev-snapshotter | ||
| working-directory: src/tardev-snapshotter |
| run: | | ||
| dotnet new console -n TempConsoleApp | ||
| cd TempConsoleApp | ||
| echo "Installing BinSkim version 1.9.5" |
There was a problem hiding this comment.
is there a pattern to install the latest stable version?
| echo "Building kata pod sandboxing binaries" | ||
| pushd tools/osbuilder/node-builder/azure-linux | ||
| # Adapt build script for ubuntu environment | ||
| sed -i 's|^OS_VERSION=.*|OS_VERSION="3.0"|' common.sh |
There was a problem hiding this comment.
we don't need this. If you code doesn't work for Ubuntu, we can pass OS_VERSION as a variable for make package
|
|
||
| # Prepare go binaries for binskim | ||
| pushd src/runtime | ||
| strip --strip-unneeded containerd-shim-kata-v2 |
There was a problem hiding this comment.
should stripping be something we should generally be doing when we build?
There was a problem hiding this comment.
It might remove information needed when debugging, no?
| @@ -0,0 +1,128 @@ | |||
| name: Release Binary Hardening checks | |||
There was a problem hiding this comment.
should we add a codeql file as well for the tarfs module, similar to https://github.com/kata-containers/kata-containers/pull/10930/files ?
|
For the clippy check, the agent makefile already has a check target that runs standard_rust_check. And standard_rust_check runs clippy. I'm wondering if it's better to add a clippy.yaml vs running |
| - name: Validate BinSkim results | ||
| run: | | ||
| # Validate pod sandboxing binaries | ||
| for result in artifacts/vanilla/*_binskim_result; do | ||
| if [ ! -f "$result" ]; then | ||
| echo "❌ Error: $result was not generated." | ||
| exit 1 | ||
| fi | ||
| echo "Validating: pod sandboxing ${result}" | ||
| cat "$result" | ||
|
|
||
| if grep -qi "fail" "$result"; then | ||
| echo "❌ Error: Failures detected in pod sandboxing binary: $result" | ||
| exit 1 | ||
| fi | ||
| echo "--------------------------- End-------------------------" | ||
| done | ||
| echo "✅ All pod sandboxing binaries passed BinSkim." | ||
|
|
||
| # Validate confpod binaries | ||
| for result in artifacts/confpods/*_binskim_result; do | ||
| if [ ! -f "$result" ]; then | ||
| echo "❌ Error: $result was not generated." | ||
| exit 1 | ||
| fi | ||
| echo "Validating: conf pod ${result}" | ||
| cat "$result" | ||
|
|
||
| if grep -qi "fail" "$result"; then | ||
| echo "❌ Error: Failures detected in Confidential Pod binary: $result" | ||
| exit 1 | ||
| fi | ||
| echo "--------------------------- End-------------------------" | ||
| done | ||
| echo "✅ All confpod binaries passed BinSkim." |
There was a problem hiding this comment.
These should be independent steps so one binary failing doesn't block other results. We should probably rework this step using matrix:.
|
|
||
| jobs: | ||
| clippy: | ||
| name: Run Clippy on Rust Components |
There was a problem hiding this comment.
The upstream static checks (static-checks.yaml) already run clippy - we should leverage those?
| - name: Run Clippy on agent | ||
| working-directory: src/agent | ||
| run: | | ||
| echo "Running Clippy on kata agent..." | ||
| if ! cargo clippy -- -D warnings; then | ||
| echo "❌ Clippy check failed for kata agent." | ||
| exit 1 | ||
| fi | ||
| echo "✅ Clippy check passed for kata agent." | ||
|
|
||
| - name: Run Clippy on overlay | ||
| working-directory: src/overlay | ||
| run: | | ||
| echo "Running Clippy on kata overlay..." | ||
| if ! cargo clippy -- -D warnings; then | ||
| echo "❌ Clippy check failed for kata overlay." | ||
| exit 1 | ||
| fi | ||
| echo "✅ Clippy check passed for kata overlay." | ||
|
|
||
| - name: Run Clippy on tardev-snapshotter | ||
| working-directory: src/tardev-snapshotter | ||
| run: | | ||
| echo "Running Clippy on tardev-snapshotter..." | ||
| if ! cargo clippy -- -D warnings; then | ||
| echo "❌ Clippy check failed for tardev-snapshotter." | ||
| exit 1 | ||
| fi | ||
| echo "✅ Clippy check passed for tardev-snapshotter." |
There was a problem hiding this comment.
These steps should be independent too.
And no need for the output complexity, simply running cargo clippy -- -D warnings will return an exit code already.
| - name: Verify Nancy Installation | ||
| run: | | ||
| echo "Checking Nancy installation..." | ||
| nancy --help || echo "Nancy installed successfully!" | ||
|
|
There was a problem hiding this comment.
Redundant
| - name: Verify Nancy Installation | |
| run: | | |
| echo "Checking Nancy installation..." | |
| nancy --help || echo "Nancy installed successfully!" |
| - name: Install Rust Toolchain | ||
| uses: dtolnay/rust-toolchain@stable | ||
| with: | ||
| components: clippy |
There was a problem hiding this comment.
We should install Rust the way that upstream does it (install_rust.sh).
Regardless, we might not want to pick up Rust's latest version here, as it could break us. We should probably fetch the version from versions.yaml (and ensure the version that's there is the one we want).
There was a problem hiding this comment.
PR Overview
This PR introduces new GitHub CI workflows for release checks that enforce binary hardening, dependency security, and Rust code quality.
- Adds a binskim workflow to analyze compiled binaries for security hardening.
- Adds a nancy workflow to scan Go dependencies for vulnerabilities.
- Adds a clippy workflow to run Rust linter checks on source components.
Reviewed Changes
| File | Description |
|---|---|
| .github/workflows/binskim.yaml | Adds steps to set up and run BinSkim on both kata pod and confpod binaries. |
| .github/workflows/nancy.yaml | Sets up a Nancy vulnerability scan on Go dependencies. |
| .github/workflows/clippy.yaml | Configures Clippy runs on Rust components using specified toolchains. |
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
Comments suppressed due to low confidence (1)
.github/workflows/binskim.yaml:73
- The binary 'containerd-shim-kata-v2' is being stripped twice (once at line 47 and again at line 73), which may be redundant. Consider removing one of these calls if it is not required for the intended binary preparation.
strip --strip-unneeded containerd-shim-kata-v2
Merge Checklist
upstream/missinglabel (orupstream/not-needed) has been set on the PR.Summary
Introduces
These checks will also be added as part of kata release process later in kata conformance test pipeline through test containers.
Existing upstream kata ci static checks include below tools, so there is no duplication:
Test Methodology
Test runs: