
Conversation

@zohayb23
Contributor

Adds GitHub Actions CI/CD workflow with automated build, test, security scanning, and multi-platform Docker image publishing.

Workflow runs automatically on push/PR to main or develop.

@kusari-inspector

Kusari Inspector

Kusari Analysis Results:

Do not proceed without addressing issues

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

While dependency analysis found no security issues, code analysis identified 16 high severity security vulnerabilities that pose critical risks. The most concerning issues include dangerous template injection vulnerabilities in GitHub workflows that could enable code injection attacks, overly broad workflow permissions violating least privilege principles, and unpinned GitHub actions creating supply chain risks. These template injection vulnerabilities are particularly severe as they can compromise the entire CI/CD pipeline. The identified security flaws must be remediated before merging to prevent potential code execution attacks and maintain secure deployment practices.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Code Mitigations

Move permissions to job level instead of workflow level to follow least privilege principle. Remove workflow-level permissions block.

Remove the entire permissions block at workflow level (lines 14-19) and add specific permissions to individual jobs that need them.

Template injection vulnerability - avoid direct interpolation of GitHub context variables in shell commands

env:
  VERSION: ${{ github.ref_name }}
  COMMIT_HASH: ${{ github.sha }}
run: |
  go build -ldflags="-s -w -X 'main.Version=${VERSION}' -X 'main.GitCommitHash=${COMMIT_HASH}' -X 'main.BuiltAt=$(date -u +%Y-%m-%dT%H:%M:%SZ)'" -o ${{ matrix.output }}

Template injection vulnerability - avoid direct interpolation of repository context in shell commands

env:
  REPO_OWNER: ${{ github.repository_owner }}
  REPO_NAME: ${{ github.event.repository.name }}
  # The runner expands ${{ }} textually even when preceded by a backslash,
  # so "\${{ secrets.GITHUB_TOKEN }}" would leave a stray backslash in the
  # written token; pass the secret through env like the other values.
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
  cat > test-config.yml << EOF
  loglevel: info
  write-directory: evaluation_results
  write: true
  output: yaml
  services:
    self-test:
      plugin: github-repo
      policy:
        catalogs:
          - OSPS_B
        applicability:
          - Maturity Level 1
      vars:
        owner: ${REPO_OWNER}
        repo: ${REPO_NAME}
        token: ${GH_TOKEN}
  EOF

Add persist-credentials: false to prevent credential persistence

- name: Checkout code
  uses: actions/checkout@v5
  with:
    persist-credentials: false

Commit: f62feac, performed at: 2025-10-28T18:40:01Z

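To make the template-injection finding concrete, here is an added example (not the PR's workflow and not Kusari's code) that simulates, in a POSIX shell script, what the Actions runner does with a `run:` step: it substitutes `${{ ... }}` into the script text before the shell parses it. The branch name, the helper names and the `echo` stand-in for `go build` are all constructed.

```shell
#!/bin/sh
# Added example for this PR discussion, not code from the workflow or from
# Kusari. It simulates how the Actions runner treats a run: step so the
# flagged pattern and the recommended env-var form can be compared on a
# hostile value. The branch name and helper names are constructed.

# Constructed attacker-influenced ref. Git permits '"' and ';' in branch
# names, so a push to a branch named like this yields this github.ref_name.
EVIL_REF='main"; echo INJECTED; echo "'

# Flagged pattern:  run: ... "main.Version=${{ github.ref_name }}"
# The runner pastes the expression value into the script *text* before the
# shell sees it. printf stands in for that substitution (hypothetical helper).
render_unsafe_step() {
  printf 'echo "version=%s"\n' "$1"
}

# Executes the rendered text exactly as the runner would hand it to the shell.
# The quotes inside the ref close the string and the rest becomes shell code.
unsafe_step() {
  sh -c "$(render_unsafe_step "$1")"
}

# Recommended pattern:  env: VERSION: ${{ github.ref_name }}  /  run: ... ${VERSION}
# The script text is now constant; the value arrives through the environment
# and the shell expands ${VERSION} as data. Keep the expansion double-quoted,
# as the Kusari fix does, so the value cannot word-split or glob either.
safe_step() {
  VERSION="$1" sh -c 'echo "version=${VERSION}"'
}

echo "rendered unsafe script:"; render_unsafe_step "$EVIL_REF"
echo "unsafe step output:";     unsafe_step "$EVIL_REF"
echo "safe step output:";       safe_step "$EVIL_REF"
```

The unsafe step prints `INJECTED` as a separate command result; the safe step prints the whole hostile ref as one literal value. The same reasoning applies to `-o ${{ matrix.output }}` only if a matrix value can be influenced from outside the repository, which is why Kusari left it alone.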

  workflow_dispatch:

permissions:
  contents: write


Issue: Move permissions to job level instead of workflow level to follow least privilege principle. Remove workflow-level permissions block.

Recommended Code Changes:

Remove the entire permissions block at workflow level (lines 14-19) and add specific permissions to individual jobs that need them.

  GOOS: ${{ matrix.os }}
  GOARCH: ${{ matrix.arch }}
  CGO_ENABLED: 0
run: |


Issue: Template injection vulnerability - avoid direct interpolation of GitHub context variables in shell commands

Recommended Code Changes:

env:
  VERSION: ${{ github.ref_name }}
  COMMIT_HASH: ${{ github.sha }}
run: |
  go build -ldflags="-s -w -X 'main.Version=${VERSION}' -X 'main.GitCommitHash=${COMMIT_HASH}' -X 'main.BuiltAt=$(date -u +%Y-%m-%dT%H:%M:%SZ)'" -o ${{ matrix.output }}

    applicability:
      - Maturity Level 1
    vars:
      owner: ${{ github.repository_owner }}


Issue: Template injection vulnerability - avoid direct interpolation of repository context in shell commands

Recommended Code Changes:

env:
  REPO_OWNER: ${{ github.repository_owner }}
  REPO_NAME: ${{ github.event.repository.name }}
  # The runner expands ${{ }} textually even when preceded by a backslash,
  # so "\${{ secrets.GITHUB_TOKEN }}" would leave a stray backslash in the
  # written token; pass the secret through env like the other values.
  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
  cat > test-config.yml << EOF
  loglevel: info
  write-directory: evaluation_results
  write: true
  output: yaml
  services:
    self-test:
      plugin: github-repo
      policy:
        catalogs:
          - OSPS_B
        applicability:
          - Maturity Level 1
      vars:
        owner: ${REPO_OWNER}
        repo: ${REPO_NAME}
        token: ${GH_TOKEN}
  EOF

needs: [docker-build-push]
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
  - name: Checkout code


Issue: Add persist-credentials: false to prevent credential persistence

Recommended Code Changes:

- name: Checkout code
  uses: actions/checkout@v5
  with:
    persist-credentials: false
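The remaining findings in this review (write permissions at workflow scope, actions pinned to a tag instead of a commit SHA, `actions/checkout` without `persist-credentials: false`, and contexts interpolated into `run:` scripts) are all visible in the workflow text, so they can be caught before a scanner runs. The script below is an added example, not part of the PR or of Kusari's tooling: a heuristic awk check run over two constructed workflow fragments, one shaped like the flagged file and one with the review's fixes applied. The all-zero SHA in the fixed fragment is a placeholder, not a real commit.

```shell
#!/bin/sh
# Added example for this PR discussion, not code from the repository or from
# Kusari: a heuristic awk check for the workflow-level findings in the review.
# Both workflow fragments are constructed for the demonstration.

# Constructed fragment with the same shape as the flagged workflow.
FLAGGED_WORKFLOW='name: ci
on: [push]
permissions:
  contents: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - run: |
          go build -o ${{ matrix.output }} -ldflags="-X main.Version=${{ github.ref_name }}"
      - env:
          VERSION: ${{ github.ref_name }}
        run: echo "version=${VERSION}"
'

# Constructed fragment after applying the review: empty workflow-level
# permissions, the grant moved onto the job, SHA pinning (all-zero SHA is a
# placeholder, not a real commit), no persisted token, env-var passing.
FIXED_WORKFLOW='name: ci
on: [push]
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v5
        with:
          persist-credentials: false
      - env:
          VERSION: ${{ github.ref_name }}
        run: go build -ldflags="-X main.Version=${VERSION}"
'

# Reads a workflow on stdin and prints one finding per line.
lint_workflow() {
  awk '
    function indent(s) { match(s, /[^ ]/); return RSTART }

    # 1. permissions at the top level: any write grant belongs on a job.
    /^permissions:/          { in_perms = 1; next }
    in_perms && /^[^ ]/      { in_perms = 0 }
    in_perms && /: *write/   { print "workflow-level write permission: " $0 }

    # 2. uses: must point at a full 40-hex commit SHA, not a mutable tag.
    /uses:.*@/ {
      ref = $0; sub(/.*@/, "", ref); sub(/[ \t#].*/, "", ref)
      if (!(length(ref) == 40 && ref ~ /^[0-9a-f]+$/))
        print "action not pinned to a commit SHA: " $0
    }

    # 3. actions/checkout persists the token in .git/config unless told not to.
    /uses: *actions\/checkout@/                            { pending = $0 }
    /^ *- / && pending != "" && $0 !~ /actions\/checkout@/ { print "checkout keeps credentials: " pending; pending = "" }
    /persist-credentials: *false/                          { pending = "" }

    # 4. github.* / inputs.* / steps.* expressions inside a run: script are
    #    shell injection; matrix.* and secrets.* are left alone, as Kusari did.
    /(^|[ -])run:/ { in_run = 1; run_col = match($0, /run:/) }
    in_run && NF > 0 && $0 !~ /(^|[ -])run:/ && indent($0) <= run_col { in_run = 0 }
    in_run && /[$][{][{][^}]*(github|inputs|steps)\./ { print "context interpolated into run script: " $0 }

    END { if (pending != "") print "checkout keeps credentials: " pending }
  '
}

# Number of findings for a workflow passed as a string.
count_findings() {
  printf '%s' "$1" | lint_workflow | awk 'END { print NR }'
}

echo "flagged workflow:"; printf '%s' "$FLAGGED_WORKFLOW" | lint_workflow
echo "fixed workflow findings: $(count_findings "$FIXED_WORKFLOW")"
```

The flagged fragment yields four findings (one per rule); the fixed fragment yields none. The check is deliberately line-oriented and ignores YAML details such as flow mappings or multi-document files, so treat it as a pre-commit tripwire rather than a substitute for the scanner used in this PR.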

- Add ci-cd.yml workflow with automated build, test, and deployment
- Implement security scanning with Trivy and Gosec
- Add multi-platform binary builds (Linux, macOS, Windows - amd64/arm64)
- Add Docker multi-arch builds with GHCR and Docker Hub support
- Include integration testing and artifact uploads
- Update README with CI/CD information
Security Fixes (Kusari Inspector findings):
- Move permissions from workflow level to individual jobs (least privilege)
- Fix template injection vulnerabilities using environment variables
- Add persist-credentials: false to integration-test checkout
- Add proper permissions to all jobs

Optimizations (ChatGPT suggestions):
- Add id: build to Docker step for attestation digest reference
- Pin action versions: trivy@0.28.0, gosec@v2.21.4 (prevent breaking changes)
- Add concurrency control to cancel old runs on new push
- Add explicit permissions: {} at workflow level for clarity

All 16 high severity Kusari issues resolved.
@zohayb23 zohayb23 force-pushed the feature/add-comprehensive-cicd-workflow branch from f62feac to 479166b Compare October 28, 2025 18:54
@zohayb23 zohayb23 marked this pull request as ready for review October 28, 2025 18:56
@zohayb23 zohayb23 requested a review from a team as a code owner October 28, 2025 18:56
