Check kernel security options - PR #9119 ("mixtile-core3588e: add board with vendor and edge branches (Joshua Riek + fixes)") #38
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Analyze kernel security | |
| run-name: 'Check kernel security options - PR #${{ github.event.pull_request.number }} ("${{ github.event.pull_request.title }}")' | |
| # | |
| # Check the Linux kernel options against security hardening | |
| # | |
| # Attention! Changing security parameters may also affect system performance and functionality of userspace software! | |
| # More info: | |
| # https://github.com/a13xp0p0v/kernel-hardening-checker | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| types: [ready_for_review, opened, reopened, synchronize] | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: pipeline-security-${{github.event.pull_request.number}} | |
| cancel-in-progress: true | |
| jobs: | |
| Analysis: | |
| name: Check kernel security options | |
| runs-on: ubuntu-latest | |
| if: ${{ github.repository_owner == 'Armbian' }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get changed files | |
| id: changed-files | |
| uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v46.0.3 | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| with: | |
| repository: a13xp0p0v/kconfig-hardened-check | |
| path: kconfig-hardened-check | |
| - name: Check kernel config for security issues | |
| # Run kernel-hardening-checker for each kernel config file excluding RISC-V configs, since they are not supported yet. | |
| # See https://github.com/a13xp0p0v/kernel-hardening-checker/issues/56 | |
| # sed explanation: 1) Put spaces in front of every line 2) replace colored output with emojis since GitHub Actions job summaries don't support colored output | |
| run: | | |
| for file in ${{ steps.changed-files.outputs.all_changed_files }}; do | |
| if [[ "${file}" = config/kernel/*.config && ! $(head -n 10 "${file}" | grep -q "riscv") ]]; then | |
| kconfig-hardened-check/bin/kernel-hardening-checker -m show_fail -c $file | sed 's/^/ /; s/\x1b\[32m/✅ /; s/\x1b\[31m/❌ /; s/\x1b\[0m//' >> $GITHUB_STEP_SUMMARY | |
| fi | |
| done |