mirror of
https://github.com/armbian/build
synced 2025-09-24 19:47:06 +07:00
544952fb4c
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 666c9d29007687c52e3c7aa2aac6c0ffcadeadc3 to e8772ff27de71367c2771ef3e8b5b2075b3f8282.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](666c9d2900...e8772ff27d)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
dependency-version: e8772ff27de71367c2771ef3e8b5b2075b3f8282
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
55 lines
2.0 KiB
YAML
55 lines
2.0 KiB
YAML
name: Kernel Hardening Analysis
|
|
run-name: 'Check kernel security options - PR #${{ github.event.pull_request.number }} ("${{ github.event.pull_request.title }}")'
|
|
#
|
|
# Check the Linux kernel options against security hardening
|
|
#
|
|
# Attention! Changing security parameters may also affect system performance and functionality of userspace software!
|
|
# More info:
|
|
# https://github.com/a13xp0p0v/kernel-hardening-checker
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
|
|
pull_request:
|
|
types: [ready_for_review, opened, reopened, synchronize]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
concurrency:
|
|
group: pipeline-security-${{github.event.pull_request.number}}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
Analysis:
|
|
name: Check kernel security options
|
|
runs-on: ubuntu-latest
|
|
if: ${{ github.repository_owner == 'Armbian' }}
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Get changed files
|
|
id: changed-files
|
|
uses: tj-actions/changed-files@e8772ff27de71367c2771ef3e8b5b2075b3f8282 # v46.0.3
|
|
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: a13xp0p0v/kconfig-hardened-check
|
|
path: kconfig-hardened-check
|
|
|
|
- name: Check kernel config for security issues
|
|
# Run kernel-hardening-checker for each kernel config file excluding RISC-V configs, since they are not supported yet.
|
|
# See https://github.com/a13xp0p0v/kernel-hardening-checker/issues/56
|
|
# sed explanation: 1) Put spaces in front of every line 2) replace colored output with emojis since GitHub Actions job summaries don't support colored output
|
|
run: |
|
|
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
|
|
if [[ "${file}" = config/kernel/*.config && ! $(head -n 10 "${file}" | grep -q "riscv") ]]; then
|
|
kconfig-hardened-check/bin/kernel-hardening-checker -m show_fail -c $file | sed 's/^/ /; s/\x1b\[32m/✅ /; s/\x1b\[31m/❌ /; s/\x1b\[0m//' >> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
done
|