Kernel hardening analysis #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Kernel hardening analysis | |
| # | |
| # Check the Linux kernel options against security hardening | |
| # | |
| # Attention! Changing security parameters may also affect system performance and functionality of userspace software! | |
| # More info: | |
| # https://github.com/a13xp0p0v/kconfig-hardened-check/blob/master/README.md | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| types: [ready_for_review, opened, reopened, synchronize] | |
| permissions: | |
| contents: read | |
| concurrency: | |
| group: pipeline-security-${{github.event.pull_request.number}} | |
| cancel-in-progress: true | |
| jobs: | |
| Analysis: | |
| name: Analyse | |
| runs-on: ubuntu-latest | |
| if: ${{ github.repository_owner == 'Armbian' }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get changed files | |
| id: changed-files | |
| uses: tj-actions/changed-files@v42 | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: a13xp0p0v/kconfig-hardened-check | |
| path: kconfig-hardened-check | |
| - name: Check kernel config for security issues | |
| run: | | |
| for file in ${{ steps.changed-files.outputs.all_changed_files }}; do | |
| if [[ "${file}" = config/kernel/*.config ]]; then | |
| kconfig-hardened-check/bin/kernel-hardening-checker -m show_fail -c $file | sed -e 's/^/ /' >> $GITHUB_STEP_SUMMARY | |
| fi | |
| done |