From 9b0ab3ac731f69d7dac63344b56622e139b253de Mon Sep 17 00:00:00 2001 From: Austen Bruhn Date: Sat, 11 Oct 2025 22:38:42 -0600 Subject: [PATCH 01/15] ci: add security scanning workflows (#123) --- .github/dependabot.yaml | 9 ++++ .github/workflows/scorecard.yml | 46 ++++++++++++++++ .github/workflows/security.yaml | 96 +++++++++++++++++++++++++++++++++ CHANGELOG.md | 12 +++++ 4 files changed, 163 insertions(+) create mode 100644 .github/workflows/scorecard.yml create mode 100644 .github/workflows/security.yaml diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index fa24f06..05240b4 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -7,6 +7,8 @@ updates: time: "06:00" timezone: "America/Chicago" labels: [] + commit-message: + prefix: "ci" groups: github-actions: patterns: @@ -19,8 +21,15 @@ updates: time: "06:00" timezone: "America/Chicago" labels: [] + commit-message: + prefix: "chore" open-pull-requests-limit: 15 groups: x: patterns: - "golang.org/x/*" + ignore: + # Ignore patch updates for all dependencies to reduce PR noise + - dependency-name: "*" + update-types: + - version-update:semver-patch diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 0000000..fc2d16b --- /dev/null +++ b/.github/workflows/scorecard.yml 
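Review bot: The new `ignore` rule at the end of the `gomod` block drops every `version-update:semver-patch` for `dependency-name: "*"`, yet Go module security fixes are very often shipped as patch releases, so this suppresses much of what a security-scanning PR is meant to surface. As far as I recall, Dependabot's `ignore` rules are also honoured by its security-update PRs, not only by scheduled version updates, which would make the gap worse; please confirm against current Dependabot docs. Scope the ignore to the specific modules that generate noise, or drop it and rely on the `groups` block, which already batches updates into a single PR.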
@@ -0,0 +1,46 @@ +name: OpenSSF Scorecard + +on: + branch_protection_rule: + schedule: + # Run weekly on Wednesdays at 7:27 UTC + - cron: "27 7 * * 3" + push: + branches: + - main + +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Run analysis + uses: ossf/scorecard-action@v2.4.0 + with: + results_file: results.sarif + results_format: sarif + repo_token: ${{ secrets.GITHUB_TOKEN }} + publish_results: true + + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: Upload to code-scanning + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml new file mode 100644 index 0000000..f334b28 --- /dev/null +++ b/.github/workflows/security.yaml 
@@ -0,0 +1,96 @@ +name: security + +on: + push: + branches: + - main + pull_request: + schedule: + # Run every day at 10:00 UTC (6:00 AM ET / 3:00 AM PT) + - cron: "0 10 * * *" + workflow_dispatch: + +permissions: + contents: read + +# Cancel in-progress runs for pull requests when developers push +# additional changes +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +jobs: + codeql: + name: CodeQL Analysis + runs-on: ubuntu-latest + permissions: + security-events: write + actions: read + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Go + uses: actions/setup-go@v5 + with: + go-version-file: "go.mod" + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: go + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:go" + + trivy-repo: + name: Trivy Filesystem Scan + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Run Trivy vulnerability scanner in repo mode + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: "fs" + scan-ref: "." 
+ format: "sarif" + output: "trivy-results.sarif" + severity: "CRITICAL,HIGH" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "trivy-results.sarif" + category: "Trivy-Filesystem" + + trivy-image: + name: Trivy Docker Image Scan + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Run Trivy vulnerability scanner on latest image + uses: aquasecurity/trivy-action@0.28.0 + with: + image-ref: "ghcr.io/coder/code-marketplace:latest" + format: "sarif" + output: "trivy-image-results.sarif" + severity: "CRITICAL,HIGH" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "trivy-image-results.sarif" + category: "Trivy-Docker" diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c39ce7..d3ad562 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## Unreleased +### Added + +- Automated security scanning workflows for improved supply chain security: + - CodeQL analysis for Go code vulnerability scanning + - Trivy scanning for Go dependencies and Docker images + - OpenSSF Scorecard for security best practices assessment + - Results uploaded to GitHub Security tab for centralized monitoring + +### Changed + +- Enhanced Dependabot configuration with commit message prefixes and patch update + filtering to reduce PR noise while maintaining security update coverage. - Update the Kubernetes Deployment `spec.strategy.type` field to be of type `Recreate` in order to properly handle upgrades/restarts as the default deployment creates a PVC of type `ReadWriteOnce` and could only be assigned to one replica. From 351ea5c885b224bb25d66499faee23b9298679a4 Mon Sep 17 00:00:00 2001 
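Review bot: Every job requests `security-events: write` and the workflow runs on `pull_request`, but the `GITHUB_TOKEN` for a pull request from a fork is read-only, so the `upload-sarif` steps and CodeQL's `analyze` upload will fail on fork PRs instead of degrading gracefully. Guard the upload steps with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or mark them `continue-on-error: true` so the scan itself still runs. Separately, the `trivy-image` job scans `ghcr.io/coder/code-marketplace:latest`, a mutable tag that has no relation to the commit under test, so its findings would be attributed to the PR ref while actually describing whatever was last published.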
From: Austen Bruhn Date: Sat, 11 Oct 2025 22:45:31 -0600 Subject: [PATCH 02/15] ci: scan for all CVE severity levels and remove Docker image scan - Scan LOW,MEDIUM,HIGH,CRITICAL instead of only HIGH,CRITICAL - Remove Docker image scan (no :latest tag exists) --- .github/workflows/security.yaml | 26 +------------------------- 1 file changed, 1 insertion(+), 25 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index f334b28..8c32fa2 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -63,34 +63,10 @@ jobs: scan-ref: "." format: "sarif" output: "trivy-results.sarif" - severity: "CRITICAL,HIGH" + severity: "LOW,MEDIUM,HIGH,CRITICAL" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 with: sarif_file: "trivy-results.sarif" category: "Trivy-Filesystem" - - trivy-image: - name: Trivy Docker Image Scan - runs-on: ubuntu-latest - permissions: - security-events: write - contents: read - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner on latest image - uses: aquasecurity/trivy-action@0.28.0 - with: - image-ref: "ghcr.io/coder/code-marketplace:latest" - format: "sarif" - output: "trivy-image-results.sarif" - severity: "CRITICAL,HIGH" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: "trivy-image-results.sarif" - category: "Trivy-Docker" From 980a03918a01be8b081c6e4576ed6549f0a6e63e Mon Sep 17 00:00:00 2001 From: Austen Bruhn Date: Sat, 11 Oct 2025 22:52:43 -0600 Subject: [PATCH 03/15] ci: add explicit scanners to Trivy configuration Enable vuln, secret, and misconfig scanners explicitly --- .github/workflows/security.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 8c32fa2..09e2b5f 100644 --- a/.github/workflows/security.yaml 
+++ b/.github/workflows/security.yaml @@ -64,6 +64,7 @@ jobs: format: "sarif" output: "trivy-results.sarif" severity: "LOW,MEDIUM,HIGH,CRITICAL" + scanners: "vuln,secret,misconfig" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 From 9f26520bfd773569f8d59f7d6863c2595ef59599 Mon Sep 17 00:00:00 2001 From: Austen Bruhn Date: Sat, 11 Oct 2025 22:55:57 -0600 Subject: [PATCH 04/15] ci: build and scan Docker image like coder/coder - Build Go binary for linux/amd64 - Build Docker image with buildx - Scan the built image (not filesystem) - Matches coder/coder scanning approach --- .github/workflows/security.yaml | 40 +++++++++++++++++++++++++++------ 1 file changed, 33 insertions(+), 7 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 09e2b5f..59e1e80 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -46,8 +46,8 @@ jobs: with: category: "/language:go" - trivy-repo: - name: Trivy Filesystem Scan + trivy: + name: Trivy Docker Image Scan runs-on: ubuntu-latest permissions: security-events: write 
@@ -56,18 +56,44 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Run Trivy vulnerability scanner in repo mode + - name: Setup Go + uses: actions/setup-go@v5 + with: + go-version-file: "go.mod" + + - name: Build binary for linux/amd64 + run: | + TAG=$(git describe --always) + mkdir -p bin + CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \ + -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=${TAG}" \ + -o bin/code-marketplace-linux-amd64 \ + ./cmd/marketplace/main.go + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build Docker image + id: build + run: | + docker buildx build \ + --platform linux/amd64 \ + --tag code-marketplace:scan \ + --load \ + --build-arg TARGETARCH=amd64 \ + . + echo "image=code-marketplace:scan" >> "$GITHUB_OUTPUT" + + - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.28.0 with: - scan-type: "fs" - scan-ref: "." + image-ref: ${{ steps.build.outputs.image }} format: "sarif" output: "trivy-results.sarif" severity: "LOW,MEDIUM,HIGH,CRITICAL" - scanners: "vuln,secret,misconfig" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 with: sarif_file: "trivy-results.sarif" - category: "Trivy-Filesystem" + category: "Trivy" From 9e22e3a55d53e7fb28c56c7b8c8f3d1ec4ca53aa Mon Sep 17 00:00:00 2001 From: Austen Bruhn Date: Sat, 11 Oct 2025 23:03:15 -0600 Subject: [PATCH 05/15] ci: add table output and artifact upload for scan visibility - Add table format scan to show results in workflow logs - Upload SARIF as artifact for manual inspection - Matches coder/coder artifact upload pattern --- .github/workflows/security.yaml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 59e1e80..f8cfb59 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml 
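Review bot: Switching the Trivy step to `image-ref` also removes the `scanners: "vuln,secret,misconfig"` line, so the job no longer runs the secret and misconfiguration scanners, and with the filesystem scan gone nothing checks the repository's Dockerfile, any Kubernetes manifests, or checked-in files for leaked credentials. Keep `scanners: "vuln,secret,misconfig"` on the image scan, or retain a second step with `scan-type: "fs"` and `scan-ref: "."` for the repository. Also note that `actions/checkout` defaults to `fetch-depth: 1`, so `git describe --always` in the build step will produce a bare abbreviated SHA with no tag; if `buildinfo.tag` in the scanned binary is meant to match release versions, add `fetch-depth: 0` (or `fetch-tags: true`) to the checkout.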
@@ -84,7 +84,14 @@ jobs: . echo "image=code-marketplace:scan" >> "$GITHUB_OUTPUT" - - name: Run Trivy vulnerability scanner + - name: Run Trivy vulnerability scanner (table output for logs) + uses: aquasecurity/trivy-action@0.28.0 + with: + image-ref: ${{ steps.build.outputs.image }} + format: "table" + severity: "LOW,MEDIUM,HIGH,CRITICAL" + + - name: Run Trivy vulnerability scanner (SARIF output for GitHub) uses: aquasecurity/trivy-action@0.28.0 with: image-ref: ${{ steps.build.outputs.image }} @@ -97,3 +104,10 @@ jobs: with: sarif_file: "trivy-results.sarif" category: "Trivy" + + - name: Upload Trivy scan results as artifact + uses: actions/upload-artifact@v4 + with: + name: trivy-results + path: trivy-results.sarif + retention-days: 7 From 9c091a9ca009d21c618dd7a2f99824dfe3ba10e3 Mon Sep 17 00:00:00 2001 From: Austen Bruhn Date: Sat, 11 Oct 2025 23:17:24 -0600 Subject: [PATCH 06/15] ci: add workflow_dispatch trigger to scorecard for manual testing --- .github/workflows/scorecard.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index fc2d16b..67f85f4 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -8,6 +8,7 @@ on: push: branches: - main + workflow_dispatch: permissions: read-all From d3b966a3c1d9ad8be6f6ae7ec69ec7d4f2290fea Mon Sep 17 00:00:00 2001 From: Austen Bruhn Date: Sat, 11 Oct 2025 23:19:14 -0600 Subject: [PATCH 07/15] revert: remove workflow_dispatch from scorecard --- .github/workflows/scorecard.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 67f85f4..fc2d16b 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -8,7 +8,6 @@ on: push: branches: - main - workflow_dispatch: permissions: read-all From 949cdba792dadf02b173f4ef894cf236c366587c Mon Sep 17 00:00:00 2001 
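Review bot: Neither Trivy step sets `exit-code`, and the action defaults to `0`, so a CRITICAL finding in the freshly built image only produces log output and a SARIF upload; the job always succeeds and nothing on the PR is gated. If gating is intended, add `exit-code: "1"` and `ignore-unfixed: "true"` to the table step, and put `if: always()` on the SARIF scan, upload and artifact steps so results still reach the Security tab when the gate trips. The two steps also scan the same image twice, which is harmless but doubles the vulnerability-DB download per run.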
From: Austen Bruhn Date: Mon, 13 Oct 2025 20:48:19 -0600 Subject: [PATCH 08/15] removed changes from changelog.md --- CHANGELOG.md | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d3ad562..30ae068 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,18 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## Unreleased -### Added - -- Automated security scanning workflows for improved supply chain security: - - CodeQL analysis for Go code vulnerability scanning - - Trivy scanning for Go dependencies and Docker images - - OpenSSF Scorecard for security best practices assessment - - Results uploaded to GitHub Security tab for centralized monitoring - ### Changed -- Enhanced Dependabot configuration with commit message prefixes and patch update - filtering to reduce PR noise while maintaining security update coverage. - Update the Kubernetes Deployment `spec.strategy.type` field to be of type `Recreate` in order to properly handle upgrades/restarts as the default deployment creates a PVC of type `ReadWriteOnce` and could only be assigned to one replica. From 6b8d1813632a8083f9cd90af3ecd1307a68d1537 Mon Sep 17 00:00:00 2001 From: Austen Bruhn Date: Mon, 13 Oct 2025 21:15:04 -0600 Subject: [PATCH 09/15] updated Make for multiple targets and updated security.yaml to use make and bake. --- .github/workflows/security.yaml | 19 ++++++------------- Makefile | 5 +++++ 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index f8cfb59..8c7a4d8 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml 
@@ -62,13 +62,7 @@ jobs: go-version-file: "go.mod" - name: Build binary for linux/amd64 - run: | - TAG=$(git describe --always) - mkdir -p bin - CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \ - -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=${TAG}" \ - -o bin/code-marketplace-linux-amd64 \ - ./cmd/marketplace/main.go + run: make build/linux/amd64 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -76,12 +70,11 @@ jobs: - name: Build Docker image id: build run: | - docker buildx build \ - --platform linux/amd64 \ - --tag code-marketplace:scan \ - --load \ - --build-arg TARGETARCH=amd64 \ - . + docker buildx bake \ + -f ./docker-bake.hcl \ + --set "*.platform=linux/amd64" \ + --set "*.tags=code-marketplace:scan" \ + --load echo "image=code-marketplace:scan" >> "$GITHUB_OUTPUT" - name: Run Trivy vulnerability scanner (table output for logs) diff --git a/Makefile b/Makefile index 942ce2a..de41686 100644 --- a/Makefile +++ b/Makefile @@ -27,6 +27,11 @@ upload: TAG=$(shell git describe --always) +build/linux/amd64: + mkdir -p bin + CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-linux-amd64 ./cmd/marketplace/main.go +.PHONY: build/linux/amd64 + build: CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-mac-amd64 ./cmd/marketplace/main.go CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-mac-arm64 ./cmd/marketplace/main.go From c3339da680fdb1c1deb2ae91e1767d0c31f8547f Mon Sep 17 00:00:00 2001 From: Austen Bruhn Date: Mon, 13 Oct 2025 21:25:26 -0600 Subject: [PATCH 10/15] added sha pinning --- .github/workflows/scorecard.yml | 8 ++++---- .github/workflows/security.yaml | 22 +++++++++++----------- 2 files changed, 15 insertions(+), 15 deletions(-) 
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index fc2d16b..1b95224 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -21,12 +21,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 with: persist-credentials: false - name: Run analysis - uses: ossf/scorecard-action@v2.4.0 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif @@ -34,13 +34,13 @@ jobs: publish_results: true - name: Upload artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: SARIF file path: results.sarif retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8 with: sarif_file: results.sarif diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 8c7a4d8..512e962 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -29,20 +29,20 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: "go.mod" - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8 with: languages: go - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8 with: category: "/language:go" 
@@ -54,10 +54,10 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 with: go-version-file: "go.mod" @@ -65,7 +65,7 @@ jobs: run: make build/linux/amd64 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Build Docker image id: build @@ -78,14 +78,14 @@ jobs: echo "image=code-marketplace:scan" >> "$GITHUB_OUTPUT" - name: Run Trivy vulnerability scanner (table output for logs) - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 with: image-ref: ${{ steps.build.outputs.image }} format: "table" severity: "LOW,MEDIUM,HIGH,CRITICAL" - name: Run Trivy vulnerability scanner (SARIF output for GitHub) - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 with: image-ref: ${{ steps.build.outputs.image }} format: "sarif" @@ -93,13 +93,13 @@ jobs: severity: "LOW,MEDIUM,HIGH,CRITICAL" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8 with: sarif_file: "trivy-results.sarif" category: "Trivy" - name: Upload Trivy scan results as artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: trivy-results path: trivy-results.sarif From 2a40050035fbf91c0e1148b6dc5854ec0854fc55 Mon Sep 17 00:00:00 2001 
From: Austen Bruhn Date: Wed, 15 Oct 2025 23:23:13 +0000 Subject: [PATCH 11/15] Updated SHAs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit scorecard.yml:24: actions/checkout → v5.0.0 scorecard.yml:29: ossf/scorecard-action → v2.4.3 security.yaml:32: actions/checkout → v5.0.0 (CodeQL job) security.yaml:57: actions/checkout → v5.0.0 (Trivy job) security.yaml:81: aquasecurity/trivy-action → v0.33.1 security.yaml:88: aquasecurity/trivy-action → v0.33.1 --- .github/workflows/scorecard.yml | 4 ++-- .github/workflows/security.yaml | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 1b95224..fdf23bb 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -21,12 +21,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Run analysis - uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 + uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: results.sarif results_format: sarif diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 512e962..e787f9c 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml @@ -29,7 +29,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Setup Go uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 
@@ -54,7 +54,7 @@ jobs: contents: read steps: - name: Checkout repository - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Setup Go uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 @@ -78,14 +78,14 @@ jobs: echo "image=code-marketplace:scan" >> "$GITHUB_OUTPUT" - name: Run Trivy vulnerability scanner (table output for logs) - uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 with: image-ref: ${{ steps.build.outputs.image }} format: "table" severity: "LOW,MEDIUM,HIGH,CRITICAL" - name: Run Trivy vulnerability scanner (SARIF output for GitHub) - uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 with: image-ref: ${{ steps.build.outputs.image }} format: "sarif" From 4769896af4f98bbe6e5e9e594f71c2a484d6d26b Mon Sep 17 00:00:00 2001 From: Austen Bruhn Date: Thu, 16 Oct 2025 00:03:55 +0000 Subject: [PATCH 12/15] added explicit build targets for each arch removed PHONY alias added wildcard for .go files updated security workflow to use explicit build target vs old alias --- Makefile | 42 +++++++++++++++++++++++++++++++----------- README.md | 31 ++++++++++++++++++++++++++++++- 2 files changed, 61 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index de41686..1aa5c42 100644 --- a/Makefile +++ b/Makefile 
@@ -27,16 +27,36 @@ upload: TAG=$(shell git describe --always) -build/linux/amd64: +# Individual build targets for each OS/arch combination +bin/code-marketplace-mac-amd64: $(wildcard **/*.go) go.mod go.sum mkdir -p bin - CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-linux-amd64 ./cmd/marketplace/main.go -.PHONY: build/linux/amd64 - -build: - CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-mac-amd64 ./cmd/marketplace/main.go - CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-mac-arm64 ./cmd/marketplace/main.go - CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-linux-amd64 ./cmd/marketplace/main.go - CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-linux-arm64 ./cmd/marketplace/main.go - CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-windows-amd64 ./cmd/marketplace/main.go - CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-windows-arm64 ./cmd/marketplace/main.go + CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o $@ ./cmd/marketplace/main.go + +bin/code-marketplace-mac-arm64: $(wildcard **/*.go) go.mod go.sum + mkdir -p bin + CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o $@ ./cmd/marketplace/main.go + +bin/code-marketplace-linux-amd64: $(wildcard **/*.go) go.mod go.sum + mkdir -p bin + 
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o $@ ./cmd/marketplace/main.go + +bin/code-marketplace-linux-arm64: $(wildcard **/*.go) go.mod go.sum + mkdir -p bin + CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o $@ ./cmd/marketplace/main.go + +bin/code-marketplace-windows-amd64: $(wildcard **/*.go) go.mod go.sum + mkdir -p bin + CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o $@ ./cmd/marketplace/main.go + +bin/code-marketplace-windows-arm64: $(wildcard **/*.go) go.mod go.sum + mkdir -p bin + CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o $@ ./cmd/marketplace/main.go + +# Main build target - builds all platforms +build: bin/code-marketplace-mac-amd64 \ + bin/code-marketplace-mac-arm64 \ + bin/code-marketplace-linux-amd64 \ + bin/code-marketplace-linux-arm64 \ + bin/code-marketplace-windows-amd64 \ + bin/code-marketplace-windows-arm64 .PHONY: build diff --git a/README.md b/README.md index 3c6c2d2..4caf02f 100644 --- a/README.md +++ b/README.md 
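Review bot: `$(wildcard **/*.go)` in each new prerequisite list does not recurse: GNU make's `wildcard` has no `**` globstar, so it behaves like `*/*.go`, and files such as `cmd/marketplace/main.go` or anything nested deeper are not prerequisites, meaning an existing `bin/` binary is treated as up to date after they change. CI starts from a fresh checkout so the scan still builds current code, but a local `make build` can silently reuse a stale binary. Use `GO_SOURCES := $(shell find . -name '*.go' -not -path './vendor/*')` and list `$(GO_SOURCES) go.mod go.sum` as prerequisites, or mark the targets `.PHONY` as the removed `build/linux/amd64` was. The README line added in this patch claiming GNU Make 4.3 is needed "for recursive glob support" should be corrected at the same time, since no make version provides it.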
@@ -13,6 +13,35 @@ This marketplace reads extensions from file storage and provides an API for editors to consume. It does not have a frontend or any mechanisms for extension authors to add or update extensions in the marketplace. +## Development + +### Requirements + +- Go 1.21 or later +- GNU Make 4.3 or later (for recursive glob support in build targets) + +### Building from source + +Build all platform binaries: + +```console +make build +``` + +Build a specific platform: + +```console +make bin/code-marketplace-linux-amd64 +``` + +Available targets: +- `bin/code-marketplace-mac-amd64` +- `bin/code-marketplace-mac-arm64` +- `bin/code-marketplace-linux-amd64` +- `bin/code-marketplace-linux-arm64` +- `bin/code-marketplace-windows-amd64` +- `bin/code-marketplace-windows-arm64` + ## Deployment The marketplace is a single binary. Deployment involves running the binary, @@ -219,7 +248,7 @@ using code-marketplace with VS Code and VSCodium: - [VSCodium](https://github.com/VSCodium/vscodium/blob/master/docs/index.md#howto-switch-marketplace) - ``` + ```console export VSCODE_GALLERY_SERVICE_URL="https:///api export VSCODE_GALLERY_ITEM_URL="https:///item" # Or set a product.json file in `~/.config/VSCodium/product.json` From ad4db42efc2d93b551295478f83aac5ce789e8bb Mon Sep 17 00:00:00 2001 From: Austen Bruhn Date: Thu, 16 Oct 2025 00:04:37 +0000 Subject: [PATCH 13/15] added explicit make build command instead of alias to security workflow --- .github/workflows/security.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index e787f9c..51130c1 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml 
@@ -62,7 +62,7 @@ jobs: go-version-file: "go.mod" - name: Build binary for linux/amd64 - run: make build/linux/amd64 + run: make bin/code-marketplace-linux-amd64 - name: Set up Docker Buildx uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 From 0f66771bf1104d173c9737ed48fd967a47455f0f Mon Sep 17 00:00:00 2001 From: Austen Bruhn Date: Thu, 16 Oct 2025 00:14:40 +0000 Subject: [PATCH 14/15] removed prefixes due to changelog.md being manually curated removed patch ignore and instead we are grouping all-dependencies updates weekly --- .github/dependabot.yaml | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 05240b4..762834e 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -7,8 +7,6 @@ updates: time: "06:00" timezone: "America/Chicago" labels: [] - commit-message: - prefix: "ci" groups: github-actions: patterns: @@ -21,15 +19,8 @@ updates: time: "06:00" timezone: "America/Chicago" labels: [] - commit-message: - prefix: "chore" open-pull-requests-limit: 15 groups: - x: + all-dependencies: patterns: - - "golang.org/x/*" - ignore: - # Ignore patch updates for all dependencies to reduce PR noise - - dependency-name: "*" - update-types: - - version-update:semver-patch + - "*" From 4bac6096e8187df8d9cbf258b4f5b2d265d0004d Mon Sep 17 00:00:00 2001 From: Austen Bruhn Date: Thu, 16 Oct 2025 00:23:34 +0000 Subject: [PATCH 15/15] reduce potential of credential leak by removing credential persistence --- .github/workflows/security.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml index 51130c1..6487502 100644 --- a/.github/workflows/security.yaml +++ b/.github/workflows/security.yaml 
@@ -30,6 +30,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Go uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 @@ -55,6 +57,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false - name: Setup Go uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0