From d771652b2e66fe892ab6c8f4d1572f2f9b3c5603 Mon Sep 17 00:00:00 2001
From: f41gh7
Date: Fri, 5 Nov 2021 22:23:50 +0300
Subject: [PATCH 1/2] adds security linter for workflow disables e2e tests
---
 .github/workflows/main.yaml | 51 ++++++++++++++++++++++++----------
 .github/workflows/release.yaml | 31 +++++++++------------
 2 files changed, 49 insertions(+), 33 deletions(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 03f54758..18766ffa 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -15,11 +15,28 @@ jobs:
 steps:
 - name: Inject slug/short variables
 uses: rlespinasse/github-slug-action@v2.x
+ - name: Checkout code
+ uses: actions/checkout@v2
 - name: Setup Go
 uses: actions/setup-go@master
 with:
 go-version: 1.16
 id: go
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL'
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: 'trivy-results.sarif'
+
 - name: Dependencies
 env:
 GO111MODULE: on
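Review bot: `uses: aquasecurity/trivy-action@master` in the new scanner step is a floating branch reference, so each run executes whatever `master` holds at that moment and an upstream change (malicious or merely breaking) lands in CI unreviewed; pin it to a release tag or, better, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>` (the pre-existing `actions/setup-go@master` context line has the same weakness). The new `github/codeql-action/upload-sarif@v1` step needs the `security-events: write` token permission; the job header sits outside the hunk, so if a restrictive `permissions:` block is declared there the upload, not the scan, is what will fail. `ignore-unfixed: true` suppresses findings that have no fix available yet, which is a reasonable trade-off but one worth recording next to the key, e.g. `# ignore-unfixed: findings without an upstream fix are suppressed; revisit if the Security tab should list them`.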
@@ -30,28 +47,32 @@ jobs:
 curl -L -o operator-sdk "https://github.com/operator-framework/operator-sdk/releases/download/v1.0.0/operator-sdk-v1.0.0-x86_64-linux-gnu"
 chmod +x operator-sdk
 sudo mv operator-sdk /bin/
- - name: setup KIND for e2e tests
- uses: engineerd/setup-kind@v0.5.0
- with:
- version: "v0.9.0"
- image: kindest/node:v1.16.4
- - name: Code checkout
- uses: actions/checkout@master
- - name: build binary
+ - name: lint and test
 env:
 GO111MODULE: on
- TAG: ${{ env.GITHUB_REF_SLUG }}
 run: |
 export PATH=$PATH:$(go env GOPATH)/bin # temporary fix. See https://github.com/actions/setup-go/issues/14
 make lint
 make test
- make build
- - name: run e2e tests
+
+ - name: build binary
+ env:
+ GO111MODULE: on
+ TAG: ${{ env.GITHUB_REF_SLUG }}
 run: |
- kubectl cluster-info
- kubectl get pods -n kube-system
- echo "current-context:" $(kubectl config current-context)
- echo "environment-kubeconfig:" ${KUBECONFIG}
+ export PATH=$PATH:$(go env GOPATH)/bin # temporary fix. See https://github.com/actions/setup-go/issues/14
+ make build
+# - name: setup KIND for e2e tests
+# uses: engineerd/setup-kind@v0.5.0
+# with:
+# version: "v0.9.0"
+# image: kindest/node:v1.16.4
+# - name: run e2e tests
+# run: |
+# kubectl cluster-info
+# kubectl get pods -n kube-system
+# echo "current-context:" $(kubectl config current-context)
+# echo "environment-kubeconfig:" ${KUBECONFIG}
 # make e2e-local
 
 - name: build crosscompile and push to remote registry
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 370cd3e9..9fd517e7 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -10,7 +10,8 @@ jobs:
 steps:
 - name: Inject slug/short variables
 uses: rlespinasse/github-slug-action@v2.x
-
+ - name: Check out code
+ uses: actions/checkout@v2
 - name: Setup Go
 uses: actions/setup-go@master
 with:
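Review bot: The KIND and e2e steps are re-added as a commented-out block (`# - name: setup KIND for e2e tests` through `# echo "environment-kubeconfig:" ${KUBECONFIG}`) with no comment on why they are disabled or what brings them back; the commit subject says only "disables e2e tests". Commented-out workflow config drifts silently — `engineerd/setup-kind@v0.5.0` and `kindest/node:v1.16.4` will be stale by the time someone uncomments them — so either drop the block (git history keeps it) or head it with `# e2e tests disabled: <reason>; re-enable via <tracking-issue placeholder>`. The same block is added to release.yaml in the `@@ -44,13 +35,17 @@` hunk and the same note applies there. A smaller point: the `export PATH=$PATH:$(go env GOPATH)/bin # temporary fix` workaround is now duplicated across the `lint and test` and `build binary` steps; a single `run: echo "$(go env GOPATH)/bin" >> $GITHUB_PATH` step after Setup Go would cover both.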
@@ -26,16 +27,6 @@ jobs:
 curl -L -o operator-sdk "https://github.com/operator-framework/operator-sdk/releases/download/v1.0.0/operator-sdk-v1.0.0-x86_64-linux-gnu"
 chmod +x operator-sdk
 sudo mv operator-sdk /bin/
-
- - name: setup KIND for e2e tests
- uses: engineerd/setup-kind@v0.5.0
- with:
- version: "v0.9.0"
- image: kindest/node:v1.16.4
-
- - name: Check out code
- uses: actions/checkout@v2
-
 - name: build binary
 env:
 TAG: ${{ github.event.release.tag_name }}
@@ -44,13 +35,17 @@ jobs:
 make test
 make build
 make release-package
-
- - name: run e2e tests local
- run: |
- kubectl cluster-info
- kubectl get pods -n kube-system
- echo "current-context:" $(kubectl config current-context)
- echo "environment-kubeconfig:" ${KUBECONFIG}
+# - name: setup KIND for e2e tests
+# uses: engineerd/setup-kind@v0.5.0
+# with:
+# version: "v0.9.0"
+# image: kindest/node:v1.16.4
+# - name: run e2e tests local
+# run: |
+# kubectl cluster-info
+# kubectl get pods -n kube-system
+# echo "current-context:" $(kubectl config current-context)
+# echo "environment-kubeconfig:" ${KUBECONFIG}
 # make e2e-local
From d7fc147bff7989afdef57fe8ad66fc42b08d5dbd Mon Sep 17 00:00:00 2001
From: f41gh7
Date: Fri, 5 Nov 2021 22:30:04 +0300
Subject: [PATCH 2/2] increases severity
---
 .github/workflows/main.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 18766ffa..1161432d 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -31,7 +31,8 @@ jobs:
 format: 'template'
 template: '@/contrib/sarif.tpl'
 output: 'trivy-results.sarif'
- severity: 'CRITICAL'
+ severity: 'HIGH,CRITICAL,MEDIUM'
+ vuln-type: 'os,library'
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v1
 with:
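Review bot: No `exit-code` input accompanies the widened `severity: 'HIGH,CRITICAL,MEDIUM'`, so the step only changes which findings are written into `trivy-results.sarif`; with the action's default exit code (0, as far as I recall) the job still passes on findings and the results surface only in the Security tab. If the "security linter" from the first patch is meant to gate merges, pair the severity list with `exit-code: '1'` (the existing `ignore-unfixed: true` then limits the gate to fixable issues), otherwise add a comment stating the scan is report-only so nobody assumes CI blocks on it. As a matter of style the list reads more naturally in ascending order, `severity: 'MEDIUM,HIGH,CRITICAL'`; Trivy treats it as a set, so ordering does not affect behaviour. The preceding `@@ -26,16 +27,6 @@` hunk is a pure deletion and the `@@ -44,13 +35,17 @@` hunk repeats the commented-out e2e block already noted on main.yaml.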