Check kernel security options - PR #9878 ("fix(docker): unique per-build image tags for parallel builds on a shared daemon") #1975
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Maintenance: Analyze kernel security" | |
| run-name: 'Check kernel security options - PR #${{ github.event.pull_request.number }} ("${{ github.event.pull_request.title }}")' | |
| # | |
| # Check the Linux kernel options against security hardening | |
| # | |
| # Attention! Changing security parameters may also affect system performance and functionality of userspace software! | |
| # More info: | |
| # https://github.com/a13xp0p0v/kernel-hardening-checker | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| types: [ready_for_review, opened, reopened, synchronize] | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: pipeline-security-${{github.event.pull_request.number}} | |
| cancel-in-progress: true | |
| jobs: | |
| Analysis: | |
| name: Check kernel security options | |
| runs-on: ubuntu-latest | |
| if: ${{ github.repository_owner == 'Armbian' }} | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get changed files | |
| id: changed-files | |
| uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v46.0.5 | |
| - name: Checkout repository | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| repository: a13xp0p0v/kconfig-hardened-check | |
| path: kconfig-hardened-check | |
| - name: Check kernel config for security issues | |
| # Run kernel-hardening-checker for each kernel config file excluding RISC-V configs, since they are not supported yet. | |
| # See https://github.com/a13xp0p0v/kernel-hardening-checker/issues/56 | |
| # sed explanation: 1) Put spaces in front of every line 2) replace colored output with emojis since GitHub Actions job summaries don't support colored output | |
| run: | | |
| for file in ${{ steps.changed-files.outputs.all_changed_files }}; do | |
| if [[ "${file}" = config/kernel/*.config && ! $(head -n 10 "${file}" | grep -q "riscv") ]]; then | |
| kconfig-hardened-check/bin/kernel-hardening-checker -m show_fail -c $file | sed 's/^/ /; s/\x1b\[32m/✅ /; s/\x1b\[31m/❌ /; s/\x1b\[0m//' >> $GITHUB_STEP_SUMMARY | |
| fi | |
| done |