# Complete Security Scan: a reusable (workflow_call) wrapper that fans out to
# the individual checkr/workflows-public scanner workflows (SAST, secrets,
# dependencies, IaC, containers) and forwards one ArmorCode upload key to each.
# It is also triggered directly by pull_request events on the repository that
# hosts this file.
name: Complete Security Scan

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader reads it as the
# trigger map, so a yamllint `truthy` warning on this line can be suppressed.
on:
  pull_request:
    types: [opened, synchronize, reopened]
  # When called from another workflow the caller chooses which scanners run
  # and which ArmorCode product the findings are filed under.
  workflow_call:
    inputs:
      product:
        description: 'ArmorCode Product/Team name (e.g., Platform, Security, Customer)'
        required: false
        type: string
        default: 'Security'
      # The four run-* toggles below default to true (opt-out); container
      # scanning is opt-in because it additionally needs an image reference.
      run-sast:
        description: 'Run SAST scanning (Semgrep + CodeQL)'
        required: false
        type: boolean
        default: true
      run-secrets:
        description: 'Run secret scanning (Gitleaks)'
        required: false
        type: boolean
        default: true
      run-dependencies:
        description: 'Run dependency scanning (Trivy)'
        required: false
        type: boolean
        default: true
      run-iac:
        description: 'Run IaC scanning (Trivy)'
        required: false
        type: boolean
        default: true
      run-containers:
        description: 'Run container scanning (Trivy)'
        required: false
        type: boolean
        default: false
      container-image:
        description: 'Container image to scan (required if run-containers is true)'
        required: false
        type: string
        # NOTE(review): nothing in this file enforces the "required if
        # run-containers is true" rule; a caller that sets run-containers: true
        # without an image passes an empty image-ref to containers.yml below.
        # Presumably that job then fails on the empty ref -- verify in
        # containers.yml rather than relying on it.
        default: ''
    # The API key is declared as an explicit workflow_call secret instead of
    # relying on `secrets: inherit`, so callers hand over exactly one
    # credential and nothing else from their secret store.
    # NOTE(review): GitHub does not expose repository secrets to pull_request
    # runs from forked repositories, so on such a PR this key is empty --
    # confirm how the called workflows behave when the upload key is missing.
    secrets:
      ARMORCODE_API_KEY:
        description: 'ArmorCode API key for uploading scan results'
        required: true

# Each job delegates to a sibling reusable workflow in checkr/workflows-public.
# Every `uses:` below references the mutable `@main` branch.
# NOTE(review): pinning `uses:` to a release tag or a full commit SHA
# (e.g. `...@<commit-sha>`) would stop a later change to the called workflow
# from silently changing what this scan does; confirm against the release
# process for workflows-public before changing it.
# NOTE(review): on a direct pull_request run the `inputs` context is empty,
# and GitHub's expression engine coerces both null and false to 0 for loose
# comparison, so the `inputs.run-* != false` conditions below likely evaluate
# to false and those jobs are skipped on PR runs -- confirm on an actual PR.
# If PR runs are meant to scan as well,
# `if: github.event_name == 'pull_request' || inputs.run-sast != false`
# (and likewise for secrets, dependencies and iac) would express that.
jobs:
  sast:
    if: inputs.run-sast != false
    # NOTE(review): no job-level `permissions:` here or on the `secrets` job
    # below, so the called workflow runs with whatever token permissions this
    # workflow inherited, while the other three jobs declare a minimum set.
    # What sast.yml and secrets.yml actually need is not visible here (a CodeQL
    # SARIF upload usually needs security-events: write) -- confirm and
    # declare it explicitly so the grant does not depend on repository defaults.
    uses: checkr/workflows-public/.github/workflows/sast.yml@main
    with:
      # Fallback mirrors the input default, presumably so the direct
      # pull_request trigger (which carries no inputs) still gets a product.
      product: ${{ inputs.product || 'Security' }}
    secrets:
      ARMORCODE_API_KEY: ${{ secrets.ARMORCODE_API_KEY }}

  secrets:
    if: inputs.run-secrets != false
    uses: checkr/workflows-public/.github/workflows/secrets.yml@main
    with:
      product: ${{ inputs.product || 'Security' }}
    secrets:
      ARMORCODE_API_KEY: ${{ secrets.ARMORCODE_API_KEY }}

  dependencies:
    if: inputs.run-dependencies != false
    # Least-privilege grant passed down to dependencies.yml: write access is
    # limited to the code-scanning (SARIF) endpoint, the checkout is read-only.
    permissions:
      security-events: write
      contents: read
    uses: checkr/workflows-public/.github/workflows/dependencies.yml@main
    with:
      product: ${{ inputs.product || 'Security' }}
    secrets:
      ARMORCODE_API_KEY: ${{ secrets.ARMORCODE_API_KEY }}

  iac:
    if: inputs.run-iac != false
    # Same minimal grant as the dependencies job.
    permissions:
      security-events: write
      contents: read
    uses: checkr/workflows-public/.github/workflows/iac.yml@main
    with:
      product: ${{ inputs.product || 'Security' }}
    secrets:
      ARMORCODE_API_KEY: ${{ secrets.ARMORCODE_API_KEY }}

  containers:
    # Opt-in: unlike the jobs above this one requires an explicit `== true`,
    # so a missing or null input never starts a container scan.
    if: inputs.run-containers == true
    permissions:
      security-events: write
      contents: read
    uses: checkr/workflows-public/.github/workflows/containers.yml@main
    with:
      product: ${{ inputs.product || 'Security' }}
      # Passed through unvalidated; see the NOTE(review) on container-image.
      image-ref: ${{ inputs.container-image }}
    secrets:
      ARMORCODE_API_KEY: ${{ secrets.ARMORCODE_API_KEY }}