1+ name : Security Scanning
2+
3+ on :
4+ # Scan changed files in PRs (diff-aware scanning):
5+ pull_request : {}
6+ # Scan on-demand through GitHub Actions interface:
7+ workflow_dispatch : {}
8+ # Scan mainline branches if there are changes to .github/workflows/security.yml:
9+ push :
10+ branches :
11+ - main
12+ paths :
13+ - .github/workflows/security.yml
14+
15+ # As always, follow the principle of least privilege:
16+ permissions :
17+ # Read only access to repository content such as commits, branches, releases and so on.
18+ contents : read
19+ # Permissions for GitHub Actions to upload SARIF results:
20+ security-events : write
21+
22+ jobs :
23+ semgrep :
24+ # User definable name of this GitHub Actions job.
25+ name : semgrep/ci
26+ # If you are self-hosting, change the following `runs-on` value:
27+ runs-on : ubuntu-latest
28+
29+ container :
30+ # A Docker image with Semgrep installed. Do not change this.
31+ image : semgrep/semgrep
32+
33+ # Skip any PR created by dependabot to avoid permission issues:
34+ if : (github.actor != 'dependabot[bot]')
35+
36+ steps :
37+ # Fetch project source with GitHub Actions Checkout. Use either v3 or v4.
38+ - uses : actions/checkout@v4
39+ # Run the "semgrep ci" command on the command line of the docker image.
40+ - run : semgrep scan --sarif > semgrep-results.sarif
41+
42+ - name : Save SARIF results as artifact
43+ uses : actions/upload-artifact@v6
44+ with :
45+ name : semgrep-scan-results
46+ path : semgrep-results.sarif
47+
48+ - name : Upload SARIF
49+ uses : github/codeql-action/upload-sarif@v4
50+ with :
51+ sarif_file : semgrep-results.sarif
52+
53+
54+ trivy :
55+ name : Trivy
56+ runs-on : ubuntu-latest
57+ steps :
58+ - name : Checkout code
59+ uses : actions/checkout@v4
60+
61+ - name : Run Trivy vulnerability scanner
62+ uses : aquasecurity/trivy-action@0.33.1
63+ with :
64+ # Possible scan-types: 'repo', 'fs', 'container-image'
65+ scan-type : ' repo'
66+ format : ' sarif'
67+ output : ' trivy-results.sarif'
68+ # Specifies what types of issues to scan for
69+ scanners : ' vuln,secret,misconfig,license'
70+
71+ - name : Upload Trivy scan results to GitHub Security tab
72+ uses : github/codeql-action/upload-sarif@v3
73+ with :
74+ sarif_file : ' trivy-results.sarif'
75+
76+ # Secret scanning with TruffleHog
77+ truffle :
78+ name : TruffleHog
79+ runs-on : ubuntu-latest
80+ steps :
81+ - name : Checkout code
82+ uses : actions/checkout@v4
83+
84+ - name : Run TruffleHog scanner
85+ uses : trufflesecurity/trufflehog@main
86+ with :
87+ # --no-verification to skip testing the secrets against live services. It's not a bad function but make sure you understand the risk implications.
88+ # --github-actions to format output for GitHub Actions
89+ extra-args : --no-verification --github-actions
0 commit comments