-
Notifications
You must be signed in to change notification settings - Fork 0
82 lines (76 loc) · 2.63 KB
/
Copy pathsecurity-audit.yml
File metadata and controls
82 lines (76 loc) · 2.63 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
name: Security Audit
on:
schedule:
# 09:00 UTC every 3 days
- cron: '0 9 */3 * *'
workflow_dispatch:
push:
branches: [main, master]
permissions:
contents: read
security-events: write
issues: write
jobs:
gitleaks:
name: Gitleaks (secret history)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@dcedce43c6f43de0b836d1fe38946645c9c638dc # v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
trufflehog:
name: TruffleHog (verified secrets)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
fetch-depth: 0
- name: TruffleHog scan
run: |
docker run --rm -v "$GITHUB_WORKSPACE:/tmp" -w /tmp \
ghcr.io/trufflesecurity/trufflehog:latest \
git file:///tmp/ \
--only-verified \
--fail \
--no-update \
--github-actions
semgrep:
name: Semgrep (SAST)
runs-on: ubuntu-latest
container:
image: semgrep/semgrep
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
- run: semgrep ci --config=p/secrets --config=p/owasp-top-ten --config=p/javascript --config=p/typescript --config=p/python
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
notify:
name: Open issue on failure
needs: [gitleaks, trufflehog, semgrep]
if: failure()
runs-on: ubuntu-latest
steps:
- uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
with:
script: |
const title = `Security audit failed: ${new Date().toISOString().split('T')[0]}`;
const body = [
`Scheduled security audit failed on \`${context.sha.slice(0,7)}\`.`,
``,
`**Run:** ${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`,
``,
`Triage:`,
`1. Open the run, identify which job failed (gitleaks / trufflehog / semgrep).`,
`2. Real finding: rotate credential, purge from history, close issue with note.`,
`3. False positive: add to \`.gitleaksignore\` or \`.semgrepignore\` with justification.`,
].join('\n');
await github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title,
body,
labels: ['security', 'automated']
});