-
Notifications
You must be signed in to change notification settings - Fork 0
355 lines (307 loc) · 10.2 KB
/
Copy pathsecurity.yml
File metadata and controls
355 lines (307 loc) · 10.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
name: Security
on:
schedule:
# Run security scans daily at 2 AM UTC
- cron: "0 2 * * *"
pull_request:
types: [opened, edited, synchronize, reopened]
branches: [main]
workflow_dispatch:
permissions:
actions: read
contents: read
security-events: write
env:
GO_VERSION: "1.26"
REGISTRY: ghcr.io
jobs:
# CodeQL Analysis
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: ["go"]
steps:
- name: Checkout repository
uses: actions/checkout@v7
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: ${{ env.GO_VERSION }}
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: ${{ matrix.language }}
queries: security-extended,security-and-quality
- name: Build for CodeQL
run: |
go build -v ./...
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:${{matrix.language}}"
# Dependency vulnerability scanning
dependency-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v7
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: ${{ env.GO_VERSION }}
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck
run: |
govulncheck -json ./... > govulncheck-results.json || true
- name: Upload govulncheck results
uses: actions/upload-artifact@v7
with:
name: govulncheck-results
path: govulncheck-results.json
- name: Check for high severity vulnerabilities
run: |
if govulncheck ./... | grep -i "high\|critical"; then
echo "High or critical vulnerabilities found!"
exit 1
fi
# Container image security scanning
container-scan:
name: Container Security Scan
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v7
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Generate lowercase image name
id: image
env:
REPOSITORY: ${{ github.repository }}
run: |
IMAGE_NAME=$(echo "$REPOSITORY" | tr '[:upper:]' '[:lower:]')
echo "name=${IMAGE_NAME}" >> $GITHUB_OUTPUT
- name: Build image for scanning
uses: docker/build-push-action@v7
with:
context: .
load: true
tags: security-scan:latest
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run Grype vulnerability scanner
uses: anchore/scan-action@v7
id: grype-scan
with:
image: "security-scan:latest"
fail-build: "high"
severity-cutoff: "high"
- name: Upload Grype scan results
uses: github/codeql-action/upload-sarif@v4
if: always() && steps.grype-scan.outputs.sarif != ''
with:
sarif_file: ${{ steps.grype-scan.outputs.sarif }}
# Secrets scanning
secrets-scan:
name: Secrets Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v7
with:
fetch-depth: 0
- name: Run TruffleHog OSS
uses: trufflesecurity/trufflehog@main
with:
path: ./
# For pull requests, scan the diff; for other events, scan filesystem
base: ${{ github.event_name == 'pull_request' && github.event.pull_request.base.sha || '' }}
head: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || '' }}
extra_args: --debug --only-verified
# Kubernetes security scanning
k8s-security:
name: Kubernetes Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v7
- name: Set up Helm
uses: azure/setup-helm@v5
with:
version: "3.18.3"
- name: Template Helm chart
run: |
helm template security-test helm/deployment-annotator-controller \
--set grafana.url=https://test.grafana.com \
--set grafana.apiKey=test-key \
--set image.repository=test/image \
--set image.tag=test > k8s-manifests.yaml
- name: Install Polaris
uses: jaxxstorm/action-install-gh-release@v3.0.0
with:
repo: FairwindsOps/polaris
tag: latest
cache: enable
- name: Run Polaris security scan
run: |
# Create Polaris configuration file
cat > polaris-config.yaml << 'EOF'
checks:
hostIPCSet: danger
hostPIDSet: danger
notReadOnlyRootFilesystem: warning
privilegeEscalationAllowed: danger
runAsRootAllowed: warning
runAsPrivileged: danger
insecureCapabilities: warning
dangerousCapabilities: danger
cpuRequestsMissing: warning
cpuLimitsMissing: warning
memoryRequestsMissing: warning
memoryLimitsMissing: warning
tagNotSpecified: danger
pullPolicyNotAlways: ignore
hostNetworkSet: danger
hostPortSet: warning
deploymentMissingReplicas: warning
priorityClassNotSet: ignore
metadataAndNameMismatched: ignore
EOF
# Run Polaris audit on the Kubernetes manifests
polaris audit --audit-path k8s-manifests.yaml --config polaris-config.yaml --format pretty || true
- name: Run Kubesec security scan
run: |
curl -sSX POST --data-binary @k8s-manifests.yaml https://v2.kubesec.io/scan > kubesec-results.json
# Check for critical issues
if jq -e '.[] | select(.score < 0)' kubesec-results.json; then
echo "Critical security issues found in Kubernetes manifests!"
jq '.[] | select(.score < 0)' kubesec-results.json
exit 1
fi
- name: Upload Kubesec results
uses: actions/upload-artifact@v7
with:
name: kubesec-results
path: kubesec-results.json
# SAST (Static Application Security Testing)
sast:
name: Static Application Security Testing
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v7
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: ${{ env.GO_VERSION }}
- name: Configure Git for Go modules
run: |
git config --global url."https://github.com/".insteadOf "git@github.com:"
git config --global url."https://".insteadOf "git://"
- name: Install gosec
run: go install github.com/securego/gosec/v2/cmd/gosec@latest
- name: Run gosec
run: gosec -no-fail -fmt sarif -out gosec-results.sarif ./...
- name: Upload gosec results
uses: github/codeql-action/upload-sarif@v4
if: always() && hashFiles('gosec-results.sarif') != ''
with:
sarif_file: gosec-results.sarif
category: gosec
- name: Install Semgrep
run: python3 -m pip install semgrep
- name: Run Semgrep
run: |
semgrep --config=auto --sarif --output=semgrep-results.sarif ./
- name: Upload Semgrep results
uses: github/codeql-action/upload-sarif@v4
if: always() && hashFiles('semgrep-results.sarif') != ''
with:
sarif_file: semgrep-results.sarif
# License compliance check
license-check:
name: License Compliance
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v7
- name: Set up Go
uses: actions/setup-go@v6
with:
go-version: ${{ env.GO_VERSION }}
- name: Install go-licenses
run: go install github.com/google/go-licenses@latest
- name: Check licenses
run: |
go-licenses check ./...
- name: Generate license report
run: |
go-licenses report ./... > licenses.txt
- name: Upload license report
uses: actions/upload-artifact@v7
with:
name: license-report
path: licenses.txt
# Security summary
security-summary:
name: Security Summary
runs-on: ubuntu-latest
needs:
[
codeql,
dependency-scan,
container-scan,
secrets-scan,
k8s-security,
sast,
license-check,
]
if: always()
steps:
- name: Security scan summary
env:
CODEQL_RESULT: ${{ needs.codeql.result }}
DEPENDENCY_RESULT: ${{ needs.dependency-scan.result }}
CONTAINER_RESULT: ${{ needs.container-scan.result }}
SECRETS_RESULT: ${{ needs.secrets-scan.result }}
K8S_RESULT: ${{ needs.k8s-security.result }}
SAST_RESULT: ${{ needs.sast.result }}
LICENSE_RESULT: ${{ needs.license-check.result }}
run: |
echo "## Security Scan Summary 🔒"
echo ""
echo "| Scan Type | Status |"
echo "|-----------|--------|"
echo "| CodeQL Analysis | $CODEQL_RESULT |"
echo "| Dependency Scan | $DEPENDENCY_RESULT |"
echo "| Container Scan | $CONTAINER_RESULT |"
echo "| Secrets Scan | $SECRETS_RESULT |"
echo "| Kubernetes Security | $K8S_RESULT |"
echo "| SAST | $SAST_RESULT |"
echo "| License Check | $LICENSE_RESULT |"
echo ""
# Check if any critical scans failed
if [[ "$DEPENDENCY_RESULT" == "failure" || \
"$CONTAINER_RESULT" == "failure" || \
"$SECRETS_RESULT" == "failure" ]]; then
echo "❌ Critical security issues detected!"
exit 1
else
echo "✅ All security scans completed successfully!"
fi