49 lines
1.3 KiB
YAML
49 lines
1.3 KiB
YAML
name: Kernel hardening analysis
|
|
#
|
|
# Check the Linux kernel options against security hardening
|
|
#
|
|
# Attention! Changing security parameters may also affect system performance and functionality of userspace software!
|
|
# More info:
|
|
# https://github.com/a13xp0p0v/kconfig-hardened-check/blob/master/README.md
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
|
|
pull_request:
|
|
types: [ready_for_review, opened, reopened, synchronize]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
|
|
Analysis:
|
|
|
|
name: Analyse
|
|
runs-on: ubuntu-latest
|
|
if: ${{ github.repository_owner == 'Armbian' }}
|
|
steps:
|
|
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Get changed files
|
|
id: changed-files
|
|
uses: tj-actions/changed-files@v39
|
|
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
repository: a13xp0p0v/kconfig-hardened-check
|
|
path: kconfig-hardened-check
|
|
|
|
- name: Check kernel config for security issues
|
|
run: |
|
|
for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
|
|
if [[ "${file}" = config/kernel/*.config ]]; then
|
|
kconfig-hardened-check/bin/kconfig-hardened-check -m show_fail -c $file | sed -e 's/^/ /' >> $GITHUB_STEP_SUMMARY
|
|
fi
|
|
done
|