Add and configure Capslock

Add Capslock (<https://github.com/google/capslock>) as a tool dependency and use it to generate a capabilities list and track it over time, in particular flagging when capabilities change. The idea behind doing this is to ensure all potentially dangerous function being used are known and make sense in the context in which they're used. The capabilities.json file is included in the commit history because it is needed to do a comparison from one version to the next. Signed-off-by: Eric Cornelissen <ericornelissen@gmail.com>
ericcornelissen · Mar 2, 2024 · 6873167 · 6873167
1 parent 5fb50ea
commit 6873167
Show file tree

Hide file tree

Showing 7 changed files with 1,743 additions and 5 deletions.
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -16,8 +16,8 @@ on:
 permissions: read-all
 
 jobs:
-  vulns:
-    name: Vulns
+  capabilities:
+    name: Capabilities
     runs-on: ubuntu-22.04
     steps:
     - name: Checkout repository
@@ -27,4 +27,16 @@ jobs:
       with:
         go-version-file: go.mod
     - name: Audit
-      run: make audit
+      run: make audit-capabilities
+  vulnerabilities:
+    name: Vulnerabilities
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
+    - name: Install Go
+      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      with:
+        go-version-file: go.mod
+    - name: Audit
+      run: make audit-vulnerabilities
diff --git a/.gitignore b/.gitignore
@@ -28,6 +28,9 @@
 !COPYING.txt
 !DCO.txt
 
+# Security
+!capabilities.json
+
 # Source
 !Containerfile
 !Containerfile.dev

diff --git a/Makefile b/Makefile
@@ -28,11 +28,25 @@ default:
 		printf "  \033[36m%-30s\033[0m %s\n", $$1, $$NF \
 	}' $(MAKEFILE_LIST)
 
-.PHONY: audit
-audit: ## Audit for vulnerabilities
+.PHONY: audit audit-capabilities audit-vulnerabilities update-capabilities
+audit: audit-capabilities audit-vulnerabilities ## Audit the codebase
+
+audit-capabilities: ## Audit for capabilities
+	@echo 'Checking capabilities...'
+	@go run github.com/google/capslock/cmd/capslock \
+		-noisy \
+		-output=compare capabilities.json
+
+audit-vulnerabilities: ## Audit for vulnerabilities
 	@echo 'Checking vulnerabilities...'
 	@go run golang.org/x/vuln/cmd/govulncheck .
 
+update-capabilities:
+	@echo 'Updating capabilities...'
+	@go run github.com/google/capslock/cmd/capslock \
+		-noisy \
+		-output json >capabilities.json
+
 .PHONY: build
 build: ## Build the ades binary for the current platform
 	@echo 'Building...'