feat: extend static analysis and compute confidence scores for deploy commands #673
Review comments were left on:
tests/parsers/bashparser/resources/bash_files/valid_github_action_bash.sh
src/macaron/slsa_analyzer/ci_service/github_actions/github_actions_ci.py
src/macaron/slsa_analyzer/ci_service/github_actions/analyzer.py
This PR temporarily excludes the mcn_provenance_available_1 check for the micronaut-core integration test because provenances have failed to publish due to an issue in generator_generic_slsa3.yml@v1.9.0. It also excludes mcn_infer_artifact_pipeline_1 because of non-deterministic behavior in deploy command detection, which will be fixed in PR #673. Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
I think I have put down all of my questions for now. Thanks for the changes!
This commit 071e99a adds |
@behnazh-w I think the commit is not available anymore (I got 404 when I clicked on the link).
Please check again.
I can access it again. Thanks @behnazh-w
LGTM. Thanks for the changes.
This PR extends and makes changes to the static analysis of CI configurations in Macaron with the high-level goal of finding build and deploy commands more accurately. To achieve that, some of the abstractions had to be replaced to allow writing customized analyses, such as detecting build language setup in a GitHub Actions workflow or detecting reachable secrets. The list of extensions and changes is as follows:

- `BashCommands`, which consisted of build tool commands collected after analyzing GitHub Actions and passed to checks, with `BuildToolCommand`. With this PR, `BuildToolCommand` objects are created by each build tool instead, and can be detected by calling a build tool API as part of the check. This delegation of analysis to each build tool allows customizing them per build tool. Moreover, each build tool now has direct access to the parsed AST of GitHub Actions and bash scripts, which opens opportunities to add new analyses more easily.
- `BuildToolCommand`.
- The `mcn_build_script_1` check does not depend on any checks and always runs by default, based on a customer request.
- The `mcn_build_as_code_1` check now reports deploy commands with confidence scores. The confidence scores are computed based on additional facts collected from GitHub Actions, such as the CI event, reachable secrets, and the name of the workflows.
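The detection-and-scoring approach described in the last bullet, as an added example that is not Macaron's code and not the PR's implementation: it walks the parsed form of a GitHub Actions workflow, finds Maven deploy and Gradle publish commands in `run:` steps, collects the secrets reachable from each step (workflow env, job env, step env/with, and the script itself), and turns the CI event, the reachable secrets and the workflow name into a confidence score. The function names, the weights in `deploy_confidence`, and the two sample workflows are assumptions constructed for this example; the workflows are given as already-parsed dicts so the block runs without a YAML library.

```python
"""Deploy-command detection with confidence scoring over a parsed GitHub Actions
workflow. Added illustration, not Macaron's code: helper names, weights and the
sample workflows below are assumptions."""
import re
import shlex

MAVEN_EXECUTABLES = {"mvn", "mvnw", "./mvnw"}
MAVEN_DEPLOY_GOALS = {"deploy", "nexus-staging:deploy", "jreleaser:deploy"}
GRADLE_EXECUTABLES = {"gradle", "gradlew", "./gradlew"}  # any task containing "publish"
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
RELEASE_EVENTS = {"release", "create"}
PR_EVENTS = {"pull_request", "pull_request_target"}
RELEASE_NAME = re.compile(r"release|publish|deploy", re.IGNORECASE)

def split_run(run):
    """Split a `run:` script into argv lists, one per simple command."""
    commands = []
    for line in run.splitlines():
        for part in re.split(r"&&|\|\||;", line):
            try:
                argv = shlex.split(part, comments=True)
            except ValueError:  # unbalanced quotes: skip rather than guess
                continue
            if argv:
                commands.append(argv)
    return commands

def is_deploy_command(argv):
    """True if the command publishes artifacts (Maven deploy goal, Gradle publish task)."""
    goals = [a for a in argv[1:] if not a.startswith("-")]  # crude: drops -B/-D/-P flags only
    if argv[0] in MAVEN_EXECUTABLES:
        return any(g in MAVEN_DEPLOY_GOALS for g in goals)
    if argv[0] in GRADLE_EXECUTABLES:
        return any("publish" in g.lower() for g in goals)
    return False

def triggers(workflow):
    """Normalise `on:` (string, list or mapping) to (events, triggered_by_tag_push)."""
    on = workflow.get("on", {})  # note: PyYAML (YAML 1.1) would parse the key `on` as True
    if isinstance(on, str):
        return {on}, False
    if isinstance(on, list):
        return set(on), False
    return set(on), bool((on.get("push") or {}).get("tags"))

def secret_refs(*values):
    """Collect secret names referenced as ${{ secrets.NAME }} anywhere in nested values."""
    names = set()
    for value in values:
        if isinstance(value, dict):
            names |= secret_refs(*value.values())
        elif isinstance(value, str):
            names.update(SECRET_REF.findall(value))
    return names

def deploy_confidence(events, tag_push, secrets, name):
    """Combine workflow facts into a score in [0, 1]; the weights are assumptions."""
    score = 0.5                                  # a deploy goal was found
    if events & RELEASE_EVENTS or tag_push:
        score += 0.2                             # runs on a release or tag push
    if secrets:
        score += 0.2                             # publishing credentials are reachable
    if RELEASE_NAME.search(name or ""):
        score += 0.1                             # workflow is named like a release
    if events and events <= PR_EVENTS:
        score -= 0.3                             # PR-only workflows rarely publish
    return round(min(max(score, 0.0), 1.0), 2)

def find_deploy_commands(workflow):
    """Walk every `run:` step and report deploy commands with their confidence."""
    events, tag_push = triggers(workflow)
    findings = []
    for job_id, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            run = step.get("run")
            if not run:
                continue
            # Reachable secrets: workflow env, job env, step env/with and the script itself.
            secrets = secret_refs(workflow.get("env"), job.get("env"),
                                  step.get("env"), step.get("with"), run)
            for argv in split_run(run):
                if is_deploy_command(argv):
                    findings.append({"job": job_id, "command": " ".join(argv),
                                     "secrets": sorted(secrets),
                                     "confidence": deploy_confidence(
                                         events, tag_push, secrets, workflow.get("name", ""))})
    return findings

# Constructed sample workflows: the parsed form of two hypothetical YAML files.
RELEASE_WORKFLOW = {
    "name": "Release", "on": {"push": {"tags": ["v*"]}, "workflow_dispatch": {}},
    "env": {"MAVEN_USERNAME": "${{ secrets.OSSRH_USERNAME }}"},
    "jobs": {"publish": {"steps": [
        {"uses": "actions/checkout@v4"}, {"run": "./mvnw -B verify"},
        {"env": {"MAVEN_PASSWORD": "${{ secrets.OSSRH_TOKEN }}"}, "run": "./mvnw -B deploy -DskipTests"}]}}}
CI_WORKFLOW = {
    "name": "CI", "on": ["pull_request"],
    "jobs": {"build": {"steps": [{"run": "mvn -B verify && mvn deploy -DaltDeploymentRepository=local::file:./repo"}]}}}
```

Calling `find_deploy_commands(RELEASE_WORKFLOW)` reports the `./mvnw -B deploy` step at confidence 1.0 with both OSSRH secrets listed, while the `mvn deploy` in the pull_request-only workflow scores 0.2. Both the shell splitting and the goal extraction are heuristics (a `-s settings.xml` argument would be mistaken for a goal, and commands inside reusable workflows or composite actions are not followed), which is exactly the kind of uncertainty a confidence score, rather than a binary verdict, is meant to carry to the check.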