Add kernel config security analysis Action script (#4616)

- it never fails, just making a report - adjust run conditions on lint action
2023-01-07 21:02:38 +01:00 · 2023-01-07 21:02:38 +01:00 · 8d6e611fba
parent 764214156e
commit 8d6e611fba
1 changed files with 46 additions and 0 deletions
--- a/.github/workflows/kernel-security-analysis-pr.yml
+++ b/.github/workflows/kernel-security-analysis-pr.yml
@ -0,0 +1,46 @@
+name: Kernel hardening analysis
+#
+#  Check the Linux kernel options against security hardening
+#
+#  Attention! Changing security parameters may also affect system performance and functionality of userspace software!
+#  More info:
+#  https://github.com/a13xp0p0v/kconfig-hardened-check/blob/master/README.md
+
+on:
+  workflow_dispatch:
+
+  pull_request:
+    types: [ready_for_review, opened, reopened, synchronize]
+
+permissions:
+  contents: read
+
+jobs:
+
+  Analysis:
+
+    name: Analyse
+    runs-on: ubuntu-latest
+    if: ${{ github.repository_owner == 'Armbian' }}
+    steps:
+
+       - name: Checkout repository
+         uses: actions/checkout@v3
+         with:
+           fetch-depth: 0
+
+       - name: Get changed files
+         id: changed-files
+         uses: tj-actions/changed-files@v35
+
+       - name: Checkout repository
+         uses: actions/checkout@v3
+         with:
+           repository: a13xp0p0v/kconfig-hardened-check
+           path: kconfig-hardened-check
+
+       - name: Check kernel config for security issues
+         run: |
+           for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
+               kconfig-hardened-check/bin/kconfig-hardened-check -m show_fail -c $file | sed -e 's/^/    /' >> $GITHUB_STEP_SUMMARY
+           done