Add automated security scanning workflows (#124)

* ci: add security scanning workflows (#123)

* ci: scan for all CVE severity levels and remove Docker image scan

- Scan LOW,MEDIUM,HIGH,CRITICAL instead of only HIGH,CRITICAL
- Remove Docker image scan (no :latest tag exists)

* ci: add explicit scanners to Trivy configuration

Enable vuln, secret, and misconfig scanners explicitly

* ci: build and scan Docker image like coder/coder

- Build Go binary for linux/amd64
- Build Docker image with buildx
- Scan the built image (not filesystem)
- Matches coder/coder scanning approach

* ci: add table output and artifact upload for scan visibility

- Add table format scan to show results in workflow logs
- Upload SARIF as artifact for manual inspection
- Matches coder/coder artifact upload pattern

* ci: add workflow_dispatch trigger to scorecard for manual testing

* revert: remove workflow_dispatch from scorecard

* removed changes from changelog.md

* updated Make for multiple targets and updated security.yaml to use make and bake.

* added sha pinning

* Updated SHAs

scorecard.yml:24: actions/checkout → v5.0.0
scorecard.yml:29: ossf/scorecard-action → v2.4.3
security.yaml:32: actions/checkout → v5.0.0 (CodeQL job)
security.yaml:57: actions/checkout → v5.0.0 (Trivy job)
security.yaml:81: aquasecurity/trivy-action → v0.33.1
security.yaml:88: aquasecurity/trivy-action → v0.33.1

* added explicit build targets for each arch
removed PHONY alias
added wildcard for .go files
updated security workflow to use explicit build target vs old alias

* added explicit make build command instead of alias to security workflow

* removed prefixes due to changelog.md being manually curated

removed patch ignore and instead we are grouping all-dependencies updates weekly

* reduce potential of credential leak by removing credential persistence

* address review comments: refactor Makefile and move dev docs to CONTRIBUTING.md

- Use $(shell find) instead of wildcard for Go files (deansheather)
- Extract mkdir -p bin to top-level (deansheather)
- Create LDFLAGS variable for build flags (deansheather)
- Move Development section from README.md to CONTRIBUTING.md (code-asher)

* rename mac -> darwin and quote $@ in build targets

Author: ausbru87

.CONTRIBUTING.md.swp

@@ -21,6 +21,6 @@ updates:
     labels: []
     open-pull-requests-limit: 15
     groups:
-      x:
+      all-dependencies:
         patterns:
-          - "golang.org/x/*"
+          - "*"

.github/dependabot.yaml

@@ -0,0 +1,46 @@
+name: OpenSSF Scorecard
+
+on:
+  branch_protection_rule:
+  schedule:
+    # Run weekly on Wednesdays at 7:27 UTC
+    - cron: "27 7 * * 3"
+  push:
+    branches:
+      - main
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_results: true
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8
+        with:
+          sarif_file: results.sarif

.github/workflows/scorecard.yml

@@ -0,0 +1,110 @@
+name: security
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  schedule:
+    # Run every day at 10:00 UTC (6:00 AM ET / 3:00 AM PT)
+    - cron: "0 10 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  codeql:
+    name: CodeQL Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Setup Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: "go.mod"
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8
+        with:
+          languages: go
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8
+        with:
+          category: "/language:go"
+
+  trivy:
+    name: Trivy Docker Image Scan
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Setup Go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: "go.mod"
+
+      - name: Build binary for linux/amd64
+        run: make bin/code-marketplace-linux-amd64
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build Docker image
+        id: build
+        run: |
+          docker buildx bake \
+            -f ./docker-bake.hcl \
+            --set "*.platform=linux/amd64" \
+            --set "*.tags=code-marketplace:scan" \
+            --load
+          echo "image=code-marketplace:scan" >> "$GITHUB_OUTPUT"
+
+      - name: Run Trivy vulnerability scanner (table output for logs)
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        with:
+          image-ref: ${{ steps.build.outputs.image }}
+          format: "table"
+          severity: "LOW,MEDIUM,HIGH,CRITICAL"
+
+      - name: Run Trivy vulnerability scanner (SARIF output for GitHub)
+        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+        with:
+          image-ref: ${{ steps.build.outputs.image }}
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "LOW,MEDIUM,HIGH,CRITICAL"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8
+        with:
+          sarif_file: "trivy-results.sarif"
+          category: "Trivy"
+
+      - name: Upload Trivy scan results as artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: trivy-results
+          path: trivy-results.sarif
+          retention-days: 7

.github/workflows/security.yaml

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## Unreleased
 
+### Changed
+
 - Update the Kubernetes Deployment `spec.strategy.type` field to be of type `Recreate`
   in order to properly handle upgrades/restarts as the default deployment creates a PVC
   of type `ReadWriteOnce` and could only be assigned to one replica.

CHANGELOG.md

@@ -2,6 +2,35 @@
 
 ## Development
 
+### Requirements
+
+- Go 1.21 or later
+- GNU Make
+
+### Building from source
+
+Build all platform binaries:
+
+```console
+make build
+```
+
+Build a specific platform:
+
+```console
+make bin/code-marketplace-linux-amd64
+```
+
+Available targets:
+- `bin/code-marketplace-darwin-amd64`
+- `bin/code-marketplace-darwin-arm64`
+- `bin/code-marketplace-linux-amd64`
+- `bin/code-marketplace-linux-arm64`
+- `bin/code-marketplace-windows-amd64`
+- `bin/code-marketplace-windows-arm64`
+
+### Running locally
+
 ```console
 mkdir extensions
 go run ./cmd/marketplace/main.go server --extensions-dir ./extensions

CONTRIBUTING.md

@@ -26,12 +26,34 @@ upload:
 .PHONY: gen
 
 TAG=$(shell git describe --always)
+GO_SRC=$(shell find . -name '*.go' -type f)
+LDFLAGS=-ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)"
+$(shell mkdir -p bin)
 
-build:
-	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-mac-amd64 ./cmd/marketplace/main.go
-	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-mac-arm64 ./cmd/marketplace/main.go
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-linux-amd64 ./cmd/marketplace/main.go
-	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-linux-arm64 ./cmd/marketplace/main.go
-	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-windows-amd64 ./cmd/marketplace/main.go
-	CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -ldflags "-X github.com/coder/code-marketplace/buildinfo.tag=$(TAG)" -o bin/code-marketplace-windows-arm64 ./cmd/marketplace/main.go
+# Individual build targets for each OS/arch combination
+bin/code-marketplace-darwin-amd64: $(GO_SRC) go.mod go.sum
+	CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build $(LDFLAGS) -o "$@" ./cmd/marketplace/main.go
+
+bin/code-marketplace-darwin-arm64: $(GO_SRC) go.mod go.sum
+	CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build $(LDFLAGS) -o "$@" ./cmd/marketplace/main.go
+
+bin/code-marketplace-linux-amd64: $(GO_SRC) go.mod go.sum
+	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build $(LDFLAGS) -o "$@" ./cmd/marketplace/main.go
+
+bin/code-marketplace-linux-arm64: $(GO_SRC) go.mod go.sum
+	CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build $(LDFLAGS) -o "$@" ./cmd/marketplace/main.go
+
+bin/code-marketplace-windows-amd64: $(GO_SRC) go.mod go.sum
+	CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build $(LDFLAGS) -o "$@" ./cmd/marketplace/main.go
+
+bin/code-marketplace-windows-arm64: $(GO_SRC) go.mod go.sum
+	CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build $(LDFLAGS) -o "$@" ./cmd/marketplace/main.go
+
+# Main build target - builds all platforms
+build: bin/code-marketplace-darwin-amd64 \
+       bin/code-marketplace-darwin-arm64 \
+       bin/code-marketplace-linux-amd64 \
+       bin/code-marketplace-linux-arm64 \
+       bin/code-marketplace-windows-amd64 \
+       bin/code-marketplace-windows-arm64
 .PHONY: build

Makefile

@@ -219,7 +219,7 @@ using code-marketplace with VS Code and VSCodium:
 
 - [VSCodium](https://github.com/VSCodium/vscodium/blob/master/docs/index.md#howto-switch-marketplace)
 
-  ```
+  ```console
   export VSCODE_GALLERY_SERVICE_URL="https://<domain>/api
   export VSCODE_GALLERY_ITEM_URL="https://<domain>/item"
   # Or set a product.json file in `~/.config/VSCodium/product.json`