feat: init commit
janfuhrer committed Dec 28, 2024
0 parents commit fcd0b35
Showing 34 changed files with 2,397 additions and 0 deletions.
18 changes: 18 additions & 0 deletions .editorconfig
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
root = true

[*]
charset = utf-8
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true

[{*.go,Makefile,.gitmodules,go.mod,go.sum}]
indent_style = tab

[*.md]
indent_style = tab
trim_trailing_whitespace = false

[*.{yml,yaml,json}]
indent_style = space
indent_size = 2
23 changes: 23 additions & 0 deletions .github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,23 @@
---
name: Bug report
about: Create a report to help me improve
title: ''
labels: ''
assignees: ''

---

**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
Steps to reproduce the behavior.

**Expected behavior**
A clear and concise description of what you expected to happen.

**Screenshots**
If applicable, add screenshots to help explain your problem.

**Additional context**
Add any other context about the problem here.
20 changes: 20 additions & 0 deletions .github/ISSUE_TEMPLATE/feature_request.md
@@ -0,0 +1,20 @@
---
name: Feature request
about: Suggest an idea for this project
title: ''
labels: ''
assignees: ''

---

**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

**Describe the solution you'd like**
A clear and concise description of what you want to happen.

**Describe any alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.

**Additional context**
Add any additional context or screenshots about the feature request here.
17 changes: 17 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
@@ -0,0 +1,17 @@
<!--
Thank you for contributing to natrontech/openvpn-exporter.
-->

**What this PR does**:

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Notes for Reviewer**:


**Checklist**:

- [ ] I have read and understood the [CONTRIBUTING](https://github.com/natrontech/openvpn-exporter/blob/main/CONTRIBUTING.md) and [CODE_OF_CONDUCT](https://github.com/natrontech/openvpn-exporter/blob/main/CODE_OF_CONDUCT.md) documents
- [ ] All commits are signed (see [Signing Commits](https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification))
- [ ] Pull Request title in the format of [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) e.g. `feat|fix|chore|docs|...: Changed Something`
- [ ] Updated documentation in the `README.md` file (e.g. new parameters, environment variables, return values, ...)
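Review bot: the checklist links to `CONTRIBUTING.md` and `CODE_OF_CONDUCT.md` with absolute URLs on `main`, so they only resolve once both files exist on that branch; since this is the initial commit it is worth confirming they are among the 34 files added, and the relative form `../CONTRIBUTING.md` would also keep working on forks and PR branches. The trailing `fixes #` placeholder on the issue line is harmless when left empty, but putting it on its own line makes it clearer that it is optional.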
92 changes: 92 additions & 0 deletions .github/actions/publish-image/action.yaml
@@ -0,0 +1,92 @@
name: Publish image

description: Publishes a docker image, SBOM, scans vulns, and signs the image.

inputs:
makefile-target:
required: true
description: makefile target to invoke for publishing image with ko
registry:
required: true
description: registry to publish image to
registry-username:
required: true
description: registry credentials username
registry-password:
required: true
description: registry credentials password
repository:
required: true
description: repository to publish image to
version:
required: true
description: published image version
sign-image:
required: true
description: sign image
sbom-name:
required: true
description: name of the cyclonedx sbom
sbom-repository:
required: true
description: sbom repository
signature-repository:
required: true
description: signature repository
main-path:
required: true
description: path to main go entry point

outputs:
digest:
value: ${{ steps.digest.outputs.digest }}
description: published image digest

runs:
using: composite
steps:
- shell: bash
id: ko-publish
env:
REGISTRY: ${{ inputs.registry }}
REPO: ${{ inputs.repository }}
REGISTRY_PASSWORD: ${{ inputs.registry-password }}
COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
run: |
set -e
echo "digest=$(VERSION=${{ inputs.version }} make ${{ inputs.makefile-target }})" >> $GITHUB_OUTPUT
- uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
with:
version: v1
args: app -licenses -json -output ${{ inputs.sbom-name }}-bom.cdx.json -main ${{ inputs.main-path }}
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{ inputs.sbom-name }}-bom-cdx
path: ${{ inputs.sbom-name }}-bom.cdx.json
- shell: bash
if: ${{ inputs.sign-image == 'true' }}
env:
COSIGN_REPOSITORY: ${{ inputs.signature-repository }}
run: |
set -e
cosign sign --yes \
-a "repo=${{ github.repository }}" \
-a "workflow=${{ github.workflow }}" \
-a "ref=${{ github.sha }}" \
${{ steps.ko-publish.outputs.digest }}
- shell: bash
env:
COSIGN_REPOSITORY: ${{ inputs.sbom-repository }}
run: |
cosign attest --yes \
--predicate ./${{ inputs.sbom-name }}-bom.cdx.json \
--type cyclonedx \
--oidc-provider github-actions \
${{ steps.ko-publish.outputs.digest }}
- shell: bash
id: digest
run: |
echo "The image generated is: ${{ steps.ko-publish.outputs.digest }}"
DIGEST=$(echo ${{ steps.ko-publish.outputs.digest }} | cut -d '@' -f2)
echo "Digest from image is: $DIGEST"
echo "digest=$DIGEST" >> $GITHUB_OUTPUT
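Review bot: the `run:` scripts interpolate `${{ inputs.version }}`, `${{ inputs.makefile-target }}` and `${{ steps.ko-publish.outputs.digest }}` straight into bash (the ko-publish, sign, attest and digest steps), which is the standard expression-injection pattern: anything that can influence those values, for example a crafted tag name flowing into `version`, is evaluated as shell syntax. Route them through `env:` the way `REGISTRY`, `REPO` and `REGISTRY_PASSWORD` already are, e.g. `VERSION: ${{ inputs.version }}` and then `VERSION="$VERSION" make "$TARGET"`, and quote `"$DIGEST"` in the cosign calls. Two smaller points: `registry-username` is declared as a required input but no step references it, so either the Makefile target obtains it elsewhere or the input is dead; and the `cosign attest` step is the only one without `set -e`, which only works out because `shell: bash` already runs with `-eo pipefail`, making the explicit `set -e` lines elsewhere redundant rather than the missing one a bug.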
22 changes: 22 additions & 0 deletions .github/dependabot.yml
@@ -0,0 +1,22 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
commit-message:
prefix: ":seedling:"

- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "weekly"
commit-message:
prefix: ":robot:"

- package-ecosystem: "docker"
directory: /
schedule:
interval: "weekly"
commit-message:
prefix: ":robot:"
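Review bot: the `docker` ecosystem entry at `/` has nothing to act on if the image is built with ko, as the workflows README in this same commit states; Dependabot's docker support updates `FROM` lines in Dockerfiles, not the base image of a ko build, so unless a Dockerfile exists in the repository root this block is dead configuration. Also, the `:seedling:` and `:robot:` commit-message prefixes produce PR titles that do not satisfy the Conventional Commits format the PR template requires (`feat|fix|chore|docs|...:`); use `prefix: "chore"` (optionally with `include: "scope"`) or exempt Dependabot PRs from that rule.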
91 changes: 91 additions & 0 deletions .github/workflows/README.md
@@ -0,0 +1,91 @@
# GitHub Workflows

## Overview

Following workflows are implemented in the repository.
[SARIF](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning) is used to store the results for an analysis of code scanning tools in the Security tab of the repository.

| Workflow | Jobs | Trigger | SARIF upload | Description |
| :----------------------------------------------------- | :------------------------------ | :------------------------------------------------------------ | :----------- | ----------------------------------------------------------------------------------------------- |
| [codeql.yml](./codeql.yml) | `analyze` | push/pr to `main`, cron: `00 13 * * 1` | yes | Semantic code analysis |
| [dependency-review.yml](./dependency-review.yml) | `dependency-review` | pr to `main` | - | Check pull request for vulnerabilities in dependencies or invalid licenses are being introduced |
| [golangci-lint.yml](./golangci-lint.yml) | `lint` | push/pr on `*` | - | Lint Go Code |
| [gosec.yml](./gosec.yml) | `analyze` | push/pr on `*` | - | Inspects source code for security problems in Go code |
| [osv-scan.yml](./osv-scan.yml) | `analyze` | push/pr to `main`, cron: `30 13 * * 1` | yes | Scanning for vulnerabilites in dependencies |
| [release.yml](./release.yml) | see [release chapter](#release) | push tag `v*` | - | Create release with go binaries and docker container |
| [release-verification.yml](./release-verification.yml) | see [release chapter](#release) | release published | - | Verify assets of a new release |
| [scorecard.yml](./scorecard.yml) | `analyze` | push to `main`, cron: `00 14 * * 1`, change branch protection | yes | Create OpenSSF analysis and create project score |

## CodeQL

Action: https://github.com/github/codeql-action

[CodeQL](https://codeql.github.com/) is a semantic code analysis engine that can find security vulnerabilities in codebases. The workflow displays security alerts in the repository's Security tab or in pull requests.

## Dependency Review

Action: https://github.com/actions/dependency-review-action

This action scans the dependency manifest files that change as part of a pull request, revealing known-vulnerable versions of the packages declared or updated in the PR. Pull requests that introduce known-vulnerable packages will be blocked from merging.
It also allows you to define a list of licenses that are allowed or disallowed in the project, and will check if the PR introduces a dependency with a disallowed license.
It also checks the OpenSSF scorecard for all dependencies and allows to warn if a dependency has a low score.

More information can be found in the [GitHub documentation](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review)

## GolangCI-Lint

Action: https://github.com/golangci/golangci-lint-action

[GolangCI-Lint](https://golangci-lint.run/) is a fast Go linters runner. It runs linters in parallel, uses caching, and works on Linux, macOS, and Windows. The workflow runs the linters on the Go code in the repository.

## Gosec

Action: https://github.com/securego/gosec

[Gosec](https://securego.io/) is a security tool that performs static code analysis of Go code. The workflow scans the Go code in the repository for security issues.

## OSV-Scan

Action: https://github.com/google/osv-scanner-action

[OSV-Scan](https://osv.dev/) is a vulnerability database and triage infrastructure for open-source projects. The [OSV-Scanner](https://google.github.io/osv-scanner/) finds vulnerabilities in dependencies of an project and uploads the results to the Security tab of the repository.

## Release

The release workflow includes multiple jobs to create a release of the project. Following jobs are implemented:

| Job | GitHub Action | Description |
| :-------------------------------- | :------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------------------- |
| `goreleaser` | [goreleaser-action](https://github.com/goreleaser/goreleaser-action) | Creates the go archives & checksums file |
| `ko-publish` | [publish-image action](../actions/publish-image/action.yaml) | Create the container images & SBOMs, sign images and upload to the GitHub registry |
| `binary-provenance` | [generator_generic_slsa3](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) | Generate provenance for all release artifacts (go archives & SBOMs) |
| `image-provenance` | [generator_container_slsa3](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container) | Generates provenance for the container images |
| `verification-with-cosign` | - | Verifying the cryptographic signatures on provenance for the container image |
| `verification-with-slsa-verifier` | - | Verifying the cryptographic signatures on provenance for all binary releases (only possible if release is published) |

### Go Release

This repository uses [goreleaser](https://goreleaser.com/) to create all the release artifacts. GoReleaser can build and release Go binaries for multiple platforms, create archives/container images/SBOMs and more. All the configuration for the release is stored in the file [.goreleaser.yml](./../../.goreleaser.yml).
For all the release artifacts (`*.tar.gz`, `*.zip`, `*.sbom.json`), provenance is generated using the [SLSA Generic Generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md). The provenance file is uploaded to the release assets and can be verified using the `slsa-verifier` tool (see [Release Verification](./../../SECURITY.md#release-verification)).

### Container Release

The multi-arch container images are built using [ko](https://ko.build/) in the [publish-image](../actions/publish-image/action.yaml) action and uploaded to the GitHub Container Registry. The docker image provenance is generated using the [SLSA Container Generator](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container) and uploaded to the registry. The provenance can be verified using the `slsa-verifier` or `cosign` tool (see [Release Verification](./../../SECURITY.md#release-verification)).

**Credits**: The [publish-image](../actions/publish-image/action.yaml) action is from [Kyverno](https://github.com/kyverno/kyverno).

### Container SBOM

[ko](https://ko.build/features/sboms/) only generates a "minimal" SBOM for the container images (see [comment in GitHub Issue](https://github.com/ko-build/ko/pull/587#issuecomment-1034926085)) and lacks some information (e.g. Licensing information or the `version` field which is set to `devel` instead of the actual version).

To generate a complete SBOM for the container images, the [go-gomod-generate-sbom](https://github.com/CycloneDX/gh-gomod-generate-sbom) action is used instead.

The SBOMs of the container images are uploaded to a separate package registry (see [SBOM](./../../SECURITY.md#sbom) for more information).

## Scorecards

Action: https://github.com/ossf/scorecard-action

[Scorecards](https://github.com/ossf/scorecard) is a tool that provides a security score for open-source projects. The workflow runs the scorecard on the repository and uploads the results to the Security tab of the repository. There is also a report on the OpenSSF website, the link is available in the README file by clicking on the OpenSSF Scorecard badge.

[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/natrontech/openvpn-exporter/badge)](https://securityscorecards.dev/viewer/?uri=github.com/natrontech/openvpn-exporter)
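Review bot: a few wording fixes in the workflow table and the OSV section: `vulnerabilites` (osv-scan row) should be `vulnerabilities`, `an project` (OSV-Scan paragraph) should be `a project`, and `Following workflows are implemented` / `Following jobs are implemented` read better as `The following ...`. One claim to reconcile with the code: the Dependency Review section says the action `will check if the PR introduces a dependency with a disallowed license`, but in `dependency-review.yml` in this same commit the `allow-licenses` input is commented out, so no license check is enforced yet; either enable it or soften the sentence. Likewise the Release table describes `ko-publish` as signing images unconditionally, while the publish-image action only signs when `sign-image == 'true'`.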
59 changes: 59 additions & 0 deletions .github/workflows/codeql.yml
@@ -0,0 +1,59 @@
name: "CodeQL"

on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '00 13 * * 1'

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
analyze:
name: Analyze (${{ matrix.language }})
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
permissions:
# required for all workflows
security-events: write
# required to fetch internal or private CodeQL packs
packages: read

strategy:
fail-fast: false
matrix:
include:
- language: go
build-mode: manual

steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}

- if: matrix.build-mode == 'manual'
env:
# fix "go: download go1.22 for linux/amd64: toolchain not available" error
GOTOOLCHAIN: "go1.23.4"
run: |
make go-build
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
with:
category: "/language:${{matrix.language}}"
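Review bot: pinning `GOTOOLCHAIN: "go1.23.4"` in the build step forces that exact toolchain, so the day `go.mod` is bumped past 1.23.4 this workflow fails with a `go.mod requires go >= ...` error until someone remembers to edit it here as well. The usual remedy for the `toolchain not available` error the comment mentions is to install the `go.mod` version with `actions/setup-go` (`go-version-file: go.mod`) before the build step, which tracks `go.mod` automatically and needs no hard-coded version. Minor: `runs-on` and `timeout-minutes` still carry the Swift/macOS conditionals from the GitHub template although the matrix only contains `go`, so `ubuntu-latest` and a plain timeout are clearer, and the unnamed `make go-build` step deserves a `name:` so it is readable in the run log.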
31 changes: 31 additions & 0 deletions .github/workflows/dependency-review.yml
@@ -0,0 +1,31 @@
name: 'Dependency Review'

on:
pull_request:
branches: [ "main" ]

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
dependency-review:
runs-on: ubuntu-latest
steps:
- id: checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: 'Dependency Review'
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
with:
# fail if a pull request introduce vulnerabilities of level "low" or higher
fail-on-severity: low
# allowed licenses in SPDX format, the action will fail if a new dependencies with a license not in this list is introduced
# if the license cant be detected, the action will inform but not fail
#allow-licenses: 'Apache-2.0, MIT, GPL-3.0-or-later, MPL-2.0'
# threshold for the OpenSSF Scorecard level, the action will get a warning in the CI
warn-on-openssf-scorecard-level: 3
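Review bot: the license policy is effectively disabled: `allow-licenses` is commented out, so the only checks that run are `fail-on-severity: low` and the Scorecard warning, while the comment above it describes a failing license check that does not exist in this configuration. Either uncomment the list (the action also offers `deny-licenses` if an allowlist is too strict for transitive dependencies) or drop the comment so readers do not assume licenses are enforced. The inline comments also need grammar fixes: `introduce vulnerabilities` should be `introduces vulnerabilities`, `a new dependencies` should be `a new dependency`, and `cant` should be `can't`.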
0 comments on commit fcd0b35