Merge pull request #1758 from authzed/enable-snyk

refactor Security related actions and add Snyk

.github/workflows/build-test.yaml

@@ -11,7 +11,6 @@ on:  # yamllint disable-line rule:truthy
     types:
       - "checks_requested"
 env:
-  GO_VERSION: "~1.21.3"
   DOCKERHUB_PUBLIC_ACCESS_TOKEN: "dckr_pat_8AEETZWxu8f7FvJUk9NrpyX_ZEQ"
   DOCKERHUB_PUBLIC_USER: "spicedbgithubactions"
 jobs:
@@ -53,8 +52,6 @@ jobs:
     steps:
       - uses: "actions/checkout@v3"
       - uses: "authzed/actions/setup-go@main"
-        with:
-          go-version: "${{ env.GO_VERSION }}"
       - uses: "docker/login-action@v3"
         with:
           username: "${{ env.DOCKERHUB_PUBLIC_USER }}"
@@ -72,8 +69,6 @@ jobs:
     steps:
       - uses: "actions/checkout@v3"
       - uses: "authzed/actions/setup-go@main"
-        with:
-          go-version: "${{ env.GO_VERSION }}"
       - name: "Unit tests"
         run: "go run mage.go test:unit"
 
@@ -86,8 +81,6 @@ jobs:
     steps:
       - uses: "actions/checkout@v3"
       - uses: "authzed/actions/setup-go@main"
-        with:
-          go-version: "${{ env.GO_VERSION }}"
       - uses: "docker/login-action@v3"
         with:
           username: "${{ env.DOCKERHUB_PUBLIC_USER }}"
@@ -110,8 +103,6 @@ jobs:
       - uses: "authzed/actions/setup-go@main"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
-        with:
-          go-version: "${{ env.GO_VERSION }}"
       - uses: "docker/login-action@v3"
         if: |
           needs.paths-filter.outputs.codechange == 'true'
@@ -137,7 +128,6 @@ jobs:
       - uses: "actions/checkout@v3"
       - uses: "authzed/actions/setup-go@main"
         with:
-          go-version: "${{ env.GO_VERSION }}"
           go-version-file: "e2e/go.mod"
           cache-dependency-path: "e2e/go.sum"
       - name: "Cache Binaries"
@@ -189,7 +179,6 @@ jobs:
       - uses: "actions/checkout@v3"
       - uses: "authzed/actions/setup-go@main"
         with:
-          go-version: "${{ env.GO_VERSION }}"
           go-version-file: "tools/analyzers/go.mod"
           cache-dependency-path: "tools/analyzers/go.sum"
       - name: "Analyzer tests"
@@ -203,8 +192,6 @@ jobs:
     steps:
       - uses: "actions/checkout@v3"
       - uses: "authzed/actions/setup-go@main"
-        with:
-          go-version: "${{ env.GO_VERSION }}"
       - name: "WASM tests"
         run: "go run mage.go test:wasm"
 
@@ -217,8 +204,6 @@ jobs:
     steps:
       - uses: "actions/checkout@v3"
       - uses: "authzed/actions/setup-go@main"
-        with:
-          go-version: "${{ env.GO_VERSION }}"
       - name: "Generate Protos"
         run: "go run mage.go gen:proto"
       - uses: "chainguard-dev/actions/nodiff@main"

.github/workflows/lint.yaml

@@ -10,17 +10,13 @@ on: # yamllint disable-line rule:truthy
   merge_group:
     types:
       - "checks_requested"
-env:
-  GO_VERSION: "~1.21.3"
 jobs:
   go-lint:
     name: "Lint Go"
     runs-on: "buildjet-4vcpu-ubuntu-2204"
     steps:
       - uses: "actions/checkout@v3"
       - uses: "authzed/actions/setup-go@main"
-        with:
-          go-version: "${{ env.GO_VERSION }}"
       - name: "Lint Go"
         run: "go run mage.go lint:go"
       - uses: "chainguard-dev/actions/nodiff@main"
@@ -39,52 +35,3 @@ jobs:
         with:
           path: ""
           fixup-command: "go run mage.go lint:extra"
-
-  codeql:
-    name: "Analyze with CodeQL"
-    runs-on: "buildjet-8vcpu-ubuntu-2204"
-    permissions:
-      actions: "read"
-      contents: "read"
-      security-events: "write"
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ["go"]
-    steps:
-      - uses: "actions/checkout@v3"
-      - uses: "authzed/actions/codeql@main"
-
-  trivy:
-    name: "Trivvy: Analyze FS and Image"
-    runs-on: "buildjet-2vcpu-ubuntu-2204"
-    steps:
-      - uses: "actions/checkout@v3"
-      - uses: "authzed/actions/setup-go@main"
-        with:
-          go-version: "${{ env.GO_VERSION }}"
-      - uses: "aquasecurity/trivy-action@master"
-        with:
-          scan-type: "fs"
-          ignore-unfixed: true
-          format: "table"
-          exit-code: "1"
-          severity: "CRITICAL,HIGH,MEDIUM"
-      # Workaround until goreleaser release supports --single-target
-      # makes the build faster by not building everything
-      - name: "modify goreleaser config to skip building all targets"
-        run: |
-          echo "partial:
-            by: target" >> .goreleaser.yml
-      - uses: "goreleaser/goreleaser-action@v4"
-        id: "goreleaser"
-        with:
-          distribution: "goreleaser-pro"
-          version: "latest"
-          args: "release --clean --split --snapshot"
-        env:
-          GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
-      - name: "Obtain container image to scan"
-        run: 'echo "IMAGE_VERSION=$(jq .version dist/linux_amd64/metadata.json --raw-output)" >> $GITHUB_ENV'
-      - name: "run trivy on release image"
-        run: "docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/spicedb:v${{ env.IMAGE_VERSION }}-amd64"

.github/workflows/nightly.yaml

@@ -7,8 +7,6 @@ on: # yamllint disable-line rule:truthy
 permissions:
   contents: "write"
   packages: "write"
-env:
-  GO_VERSION: "~1.21.3"
 jobs:
   goreleaser:
     runs-on: "buildjet-4vcpu-ubuntu-2204"
@@ -17,8 +15,6 @@ jobs:
         with:
           fetch-depth: 0
       - uses: "authzed/actions/setup-go@main"
-        with:
-          go-version: "${{ env.GO_VERSION }}"
       - uses: "authzed/actions/docker-login@main"
         with:
           quayio_token: "${{ secrets.QUAYIO_PASSWORD }}"

.github/workflows/release.yaml

@@ -7,8 +7,6 @@ on: # yamllint disable-line rule:truthy
 permissions:
   contents: "write"
   packages: "write"
-env:
-  GO_VERSION: "~1.21.3"
 jobs:
   goreleaser:
     runs-on: "buildjet-4vcpu-ubuntu-2204"
@@ -17,8 +15,6 @@ jobs:
         with:
           fetch-depth: 0
       - uses: "authzed/actions/setup-go@main"
-        with:
-          go-version: "${{ env.GO_VERSION }}"
       - uses: "authzed/actions/docker-login@main"
         with:
           quayio_token: "${{ secrets.QUAYIO_PASSWORD }}"

.github/workflows/security.yaml

@@ -0,0 +1,106 @@
+---
+name: "Security"
+on: # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - "!dependabot/*"
+      - "main"
+  pull_request:
+    branches: ["*"]
+  merge_group:
+    types:
+      - "checks_requested"
+jobs:
+
+  codeql:
+    name: "Analyze with CodeQL"
+    runs-on: "buildjet-8vcpu-ubuntu-2204"
+    permissions:
+      actions: "read"
+      contents: "read"
+      security-events: "write"
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go"]
+    steps:
+      - uses: "actions/checkout@v3"
+      - uses: "authzed/actions/setup-go@main"
+      - uses: "authzed/actions/codeql@main"
+
+  trivy:
+    name: "Analyze Code and Docker Image with Trivvy"
+    runs-on: "buildjet-2vcpu-ubuntu-2204"
+    steps:
+      - uses: "actions/checkout@v3"
+      - uses: "authzed/actions/setup-go@main"
+      - uses: "aquasecurity/trivy-action@master"
+        with:
+          scan-type: "fs"
+          ignore-unfixed: true
+          format: "table"
+          exit-code: "1"
+          severity: "CRITICAL,HIGH,MEDIUM"
+      # Workaround until goreleaser release supports --single-target
+      # makes the build faster by not building everything
+      - name: "modify goreleaser config to skip building all targets"
+        run: |
+          echo "partial:
+            by: target" >> .goreleaser.yml
+      - uses: "goreleaser/goreleaser-action@v4"
+        id: "goreleaser"
+        with:
+          distribution: "goreleaser-pro"
+          version: "latest"
+          args: "release --clean --split --snapshot"
+        env:
+          GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
+      - name: "Obtain container image to scan"
+        run: 'echo "IMAGE_VERSION=$(jq .version dist/linux_amd64/metadata.json --raw-output)" >> $GITHUB_ENV'
+      - name: "run trivy on release image"
+        run: "docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --format table --exit-code 1 --ignore-unfixed --vuln-type os,library --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/spicedb:v${{ env.IMAGE_VERSION }}-amd64"
+
+  snyk-code:
+    name: "Analyze Go code with Snyk"
+    permissions:
+      contents: "read" # for actions/checkout to fetch code
+      security-events: "write" # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: "read" # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: "buildjet-2vcpu-ubuntu-2204"
+    steps:
+      - uses: "actions/checkout@master"
+      - name: "Run Snyk to check for vulnerabilities"
+        uses: "snyk/actions/golang@master"
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: "${{ secrets.SNYK_TOKEN }}"
+        with:
+          args: "--sarif-file-output=snyk.sarif"
+      - name: "Upload result to GitHub Code Scanning"
+        uses: "github/codeql-action/upload-sarif@v3"
+        with:
+          sarif_file: "snyk.sarif"
+
+  snyk-docker:
+    name: "Analyze Docker with Snyk"
+    permissions:
+      contents: "read" # for actions/checkout to fetch code
+      security-events: "write" # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: "read" # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: "buildjet-2vcpu-ubuntu-2204"
+    steps:
+      - uses: "actions/checkout@master"
+      - name: "Build a Docker image"
+        run: "DOCKER_BUILDKIT=1 docker build -t authzed/spicedb ."
+      - name: "Run Snyk to check Docker image for vulnerabilities"
+        continue-on-error: true
+        uses: "snyk/actions/docker@master"
+        env:
+          SNYK_TOKEN: "${{ secrets.SNYK_TOKEN }}"
+        with:
+          image: "authzed/spicedb"
+          args: "--file=Dockerfile"
+      - name: "Upload result to GitHub Code Scanning"
+        uses: "github/codeql-action/upload-sarif@v3"
+        with:
+          sarif_file: "snyk.sarif"

.github/workflows/wasm.yaml

@@ -5,8 +5,6 @@ on: # yamllint disable-line rule:truthy
     types: ["created"]
 permissions:
   contents: "write"
-env:
-  GO_VERSION: "~1.21.3"
 jobs:
   build:
     name: "Build WASM"
@@ -16,8 +14,6 @@ jobs:
         with:
           ref: "${{ env.GITHUB_SHA }}"
       - uses: "authzed/actions/setup-go@main"
-        with:
-          go-version: "${{ env.GO_VERSION }}"
       - name: "Build WASM"
         run: "go run mage.go build:wasm"
       - uses: "shogo82148/actions-upload-release-asset@v1"

Dockerfile

@@ -1,10 +1,10 @@
-FROM golang:1.21.6-alpine3.18 AS spicedb-builder
+FROM golang:1.22.0-alpine3.18 AS spicedb-builder
 WORKDIR /go/src/app
 RUN apk update && apk add --no-cache git
 COPY . .
 RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod CGO_ENABLED=0 go build -v ./cmd/...
 
-FROM golang:1.21.6-alpine3.18 AS health-probe-builder
+FROM golang:1.22.0-alpine3.18 AS health-probe-builder
 WORKDIR /go/src/app
 RUN apk update && apk add --no-cache git
 RUN git clone https://github.com/grpc-ecosystem/grpc-health-probe.git

Dockerfile.release

@@ -1,7 +1,7 @@
 # vim: syntax=dockerfile
 ARG BASE=cgr.dev/chainguard/static:latest
 
-FROM golang:1.21.6-alpine3.18 AS health-probe-builder
+FROM golang:1.22.0-alpine3.18 AS health-probe-builder
 WORKDIR /go/src/app
 RUN apk update && apk add --no-cache git
 RUN git clone https://github.com/grpc-ecosystem/grpc-health-probe.git