-
Notifications
You must be signed in to change notification settings - Fork 266
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: add tools directory and include modsurfer
Signed-off-by: Steve Manuel <[email protected]>
- Loading branch information
Showing
3 changed files
with
174 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| # Modsurfer Module Validation | ||
|
|
||
| Using the [Modsurfer](https://github.com/dylibso/modsurfer) tool to validate and scan your Spin | ||
| modules is simple. Use the CLI or the [GitHub Action](https://github.com/modsurfer-validate-action) | ||
| to ensure compatibility with the Fermyon Cloud or self-hosted Platform, and check for security or | ||
| performance concerns before you deploy your code. | ||
|
|
||
| The easiest way to start is by using the GitHub Action. Add the following to your project repository: | ||
|
|
||
| #### `./github/workflows/modsurfer.yml` | ||
|
|
||
| ```yaml | ||
| name: Modsurfer Validate - Fermyon | ||
| on: [push, pull_request] | ||
| jobs: | ||
| check-validate: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - name: modsurfer validate | ||
| uses: dylibso/modsurfer-validate-action@main | ||
| with: | ||
| path: path/to/your/module.wasm | ||
| check: mod.yaml | ||
| ``` | ||
| And include a "checkfile" in a file called `mod.yaml` (or whichever file you've referenced in the `check` field above): | ||
|
|
||
| ```yaml | ||
| validate: | ||
| url: https://raw.githubusercontent.com/fermyon/spin/main/tools/modsurfer/http/mod.yaml | ||
| ``` | ||
|
|
||
| The checkfile above uses a remote reference to ensure your Fermyon Spin project is compatible with | ||
| the latest requirements of the Spin SDKs. This is based off the "http" templates. If you are using | ||
| a different template, such as "redis", then find the related checkfile that matches the template | ||
| you're using. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| # For more information about other checkfile options, see the documentation at https://dev.dylib.so/docs/modsurfer/cli#checkfile | ||
| validate: | ||
| allow_wasi: true | ||
| imports: | ||
| include: | ||
| - namespace: wasi_snapshot_preview1 | ||
| name: fd_write | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| results: | ||
| - I32 | ||
| - namespace: wasi_snapshot_preview1 | ||
| name: random_get | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| results: | ||
| - I32 | ||
| - namespace: wasi_snapshot_preview1 | ||
| name: environ_get | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| results: | ||
| - I32 | ||
| - namespace: wasi_snapshot_preview1 | ||
| name: environ_sizes_get | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| results: | ||
| - I32 | ||
| - namespace: wasi_snapshot_preview1 | ||
| name: proc_exit | ||
| params: | ||
| - I32 | ||
| results: [] | ||
| namespace: | ||
| include: | ||
| - wasi_snapshot_preview1 | ||
| exports: | ||
| include: | ||
| - name: handle-http-request | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| results: | ||
| - I32 | ||
| - name: canonical_abi_realloc | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| results: | ||
| - I32 | ||
| - name: canonical_abi_free | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| results: [] | ||
| max: 3 | ||
| complexity: | ||
| max_risk: medium |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| # For more information about other checkfile options, see the documentation at https://dev.dylib.so/docs/modsurfer/cli#checkfile | ||
| validate: | ||
| allow_wasi: true | ||
| imports: | ||
| include: | ||
| - namespace: wasi_snapshot_preview1 | ||
| name: fd_write | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| results: | ||
| - I32 | ||
| - namespace: wasi_snapshot_preview1 | ||
| name: environ_get | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| results: | ||
| - I32 | ||
| - namespace: wasi_snapshot_preview1 | ||
| name: environ_sizes_get | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| results: | ||
| - I32 | ||
| - namespace: wasi_snapshot_preview1 | ||
| name: proc_exit | ||
| params: | ||
| - I32 | ||
| results: [] | ||
| namespace: | ||
| include: | ||
| - wasi_snapshot_preview1 | ||
| exports: | ||
| include: | ||
| - name: handle-redis-message | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| results: | ||
| - I32 | ||
| - name: canonical_abi_realloc | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| results: | ||
| - I32 | ||
| - name: canonical_abi_free | ||
| params: | ||
| - I32 | ||
| - I32 | ||
| - I32 | ||
| results: [] | ||
| max: 3 | ||
| complexity: | ||
| max_risk: medium |