Skip to content

Commit 970f5af

Browse files
committed
Added workflow folder
1 parent e35a774 commit 970f5af

1 file changed

Lines changed: 89 additions & 0 deletions

File tree

.github/workflows/security.yml

Lines changed: 89 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,89 @@
1+
name: Security Scanning
2+
3+
on:
4+
# Scan changed files in PRs (diff-aware scanning):
5+
pull_request: {}
6+
# Scan on-demand through GitHub Actions interface:
7+
workflow_dispatch: {}
8+
# Scan mainline branches if there are changes to .github/workflows/security.yml:
9+
push:
10+
branches:
11+
- main
12+
paths:
13+
- .github/workflows/security.yml
14+
15+
# As always, follow the principle of least privilege:
16+
permissions:
17+
# Read only access to repository content such as commits, branches, releases and so on.
18+
contents: read
19+
# Permissions for GitHub Actions to upload SARIF results:
20+
security-events: write
21+
22+
jobs:
23+
semgrep:
24+
# User definable name of this GitHub Actions job.
25+
name: semgrep/ci
26+
# If you are self-hosting, change the following `runs-on` value:
27+
runs-on: ubuntu-latest
28+
29+
container:
30+
# A Docker image with Semgrep installed. Do not change this.
31+
image: semgrep/semgrep
32+
33+
# Skip any PR created by dependabot to avoid permission issues:
34+
if: (github.actor != 'dependabot[bot]')
35+
36+
steps:
37+
# Fetch project source with GitHub Actions Checkout. Use either v3 or v4.
38+
- uses: actions/checkout@v4
39+
# Run the "semgrep ci" command on the command line of the docker image.
40+
- run: semgrep scan --sarif > semgrep-results.sarif
41+
42+
- name: Save SARIF results as artifact
43+
uses: actions/upload-artifact@v6
44+
with:
45+
name: semgrep-scan-results
46+
path: semgrep-results.sarif
47+
48+
- name: Upload SARIF
49+
uses: github/codeql-action/upload-sarif@v4
50+
with:
51+
sarif_file: semgrep-results.sarif
52+
53+
54+
trivy:
55+
name: Trivy
56+
runs-on: ubuntu-latest
57+
steps:
58+
- name: Checkout code
59+
uses: actions/checkout@v4
60+
61+
- name: Run Trivy vulnerability scanner
62+
uses: aquasecurity/trivy-action@0.33.1
63+
with:
64+
# Possible scan-types: 'repo', 'fs', 'container-image'
65+
scan-type: 'repo'
66+
format: 'sarif'
67+
output: 'trivy-results.sarif'
68+
# Specifies what types of issues to scan for
69+
scanners: 'vuln,secret,misconfig,license'
70+
71+
- name: Upload Trivy scan results to GitHub Security tab
72+
uses: github/codeql-action/upload-sarif@v3
73+
with:
74+
sarif_file: 'trivy-results.sarif'
75+
76+
#Secret scanning with TruffleHog
77+
truffle:
78+
name: TruffleHog
79+
runs-on: ubuntu-latest
80+
steps:
81+
- name: Checkout code
82+
uses: actions/checkout@v4
83+
84+
- name: Run TruffleHog scanner
85+
uses: trufflesecurity/trufflehog@main
86+
with:
87+
# --no-verification to skip testing the secrets against live services. It's not a bad function but make sure you understand the risk implications.
88+
# --github-actions to format output for GitHub Actions
89+
extra-args: --no-verification --github-actions

0 commit comments

Comments
 (0)