security.yml

name: Security Analysis

on:
  schedule:
    - cron: '0 2 * * *'
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  workflow_dispatch:

permissions:
  contents: read
  security-events: write

jobs:
  security-scan:
    runs-on: ubuntu-latest
    name: Security and SBOM Analysis
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Build Docker image for scanning
        id: build
        continue-on-error: true
        run: |
          IMAGE_NAME="dev-template:${{ github.sha }}"
          docker build -t "$IMAGE_NAME" .devcontainer/
          echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV

      - name: Run Trivy vulnerability scanner
        if: steps.build.outcome == 'success'
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          image-ref: '${{ env.IMAGE_NAME }}'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'

      - name: Upload Trivy scan results to GitHub Security tab
        if: steps.build.outcome == 'success'
        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
        with:
          sarif_file: 'trivy-results.sarif'
          category: 'security-analysis/trivy-image'

      - name: Generate SBOM
        if: steps.build.outcome == 'success'
        uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0
        with:
          image: '${{ env.IMAGE_NAME }}'
          format: 'spdx-json'
          output-file: 'sbom.spdx.json'

      - name: Upload SBOM as artifact
        if: steps.build.outcome == 'success'
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: sbom-${{ github.sha }}
          path: sbom.spdx.json
          retention-days: 30

      - name: Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-fs-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'

      - name: Upload filesystem scan results
        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4
        if: always()
        with:
          sarif_file: 'trivy-fs-results.sarif'
          category: 'security-analysis/trivy-filesystem'