Check kernel security options - PR #7472 ("Add missing node for youyeetoo r1 on current kernel") #1601
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Kernel Hardening Analysis | |
| run-name: 'Check kernel security options - PR #${{ github.event.pull_request.number }} ("${{ github.event.pull_request.title }}")' | |
| # | |
| # Check the Linux kernel options against security hardening | |
| # | |
| # Attention! Changing security parameters may also affect system performance and functionality of userspace software! | |
| # More info: | |
| # https://github.com/a13xp0p0v/kernel-hardening-checker | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| types: [ready_for_review, opened, reopened, synchronize] | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: pipeline-security-${{github.event.pull_request.number}} | |
| cancel-in-progress: true | |
| jobs: | |
| Analysis: | |
| name: Check kernel security options | |
| runs-on: ubuntu-latest | |
| if: ${{ github.repository_owner == 'Armbian' }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get changed files | |
| id: changed-files | |
| uses: tj-actions/changed-files@v45 | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: a13xp0p0v/kconfig-hardened-check | |
| path: kconfig-hardened-check | |
| - name: Check kernel config for security issues | |
| # Run kernel-hardening-checker for each kernel config file excluding RISC-V configs, since they are not supported yet. | |
| # See https://github.com/a13xp0p0v/kernel-hardening-checker/issues/56 | |
| # sed explanation: 1) Put spaces in front of every line 2) replace colored output with emojis since GitHub Actions job summaries don't support colored output | |
| run: | | |
| for file in ${{ steps.changed-files.outputs.all_changed_files }}; do | |
| if [[ "${file}" = config/kernel/*.config && ! $(head -n 10 "${file}" | grep -q "riscv") ]]; then | |
| kconfig-hardened-check/bin/kernel-hardening-checker -m show_fail -c $file | sed 's/^/ /; s/\x1b\[32m/✅ /; s/\x1b\[31m/❌ /; s/\x1b\[0m//' >> $GITHUB_STEP_SUMMARY | |
| fi | |
| done |