11name : DigiCert Code Scan
2- on : workflow_dispatch
2+
3+ on :
4+ workflow_dispatch :
5+
36jobs :
4- noop :
7+ analyze :
8+ name : Analyze (${{ matrix.language }})
9+ runs-on : ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
10+
11+ permissions :
12+ # required for all workflows
13+ security-events : write
14+
15+ # required to fetch internal or private CodeQL packs
16+ packages : read
17+
18+ # only required for workflows in private repositories
19+ actions : read
20+ contents : read
21+
22+ strategy :
23+ fail-fast : false
24+ matrix :
25+ include :
26+ # - This will be replaced with the generated language and build mode content on runtime
27+ - language : JavaScript
28+ build-mode : none
29+ steps :
30+ - name : Checkout repository
31+ uses : actions/checkout@v4
32+
33+ # Initializes the CodeQL tools for scanning.
34+ - name : Initialize CodeQL
35+ uses : github/codeql-action/init@v3
36+ with :
37+ languages : ${{ matrix.language }}
38+ build-mode : ${{ matrix.build-mode }}
39+
40+ - name : Perform CodeQL Analysis
41+ uses : github/codeql-action/analyze@v3
42+ with :
43+ category : ' /language:${{matrix.language}}'
44+ upload : false
45+ output : " codeql-${{ matrix.language }}.sarif"
46+
47+ - name : Upload SARIF result as artifact
48+ uses : actions/upload-artifact@v4
49+ with :
50+ name : codeql-sarif-${{ matrix.language }}
51+ path : codeql-${{ matrix.language }}.sarif
52+
53+ gitleaks-analyze :
54+ name : Gitleaks Scan (SARIF)
55+ runs-on : ubuntu-latest
56+ steps :
57+ - name : Checkout repository
58+ uses : actions/checkout@v4
59+ with :
60+ fetch-depth : 0
61+
62+ - name : Install jq
63+ run : |
64+ sudo apt-get update -y
65+ sudo apt-get install -y jq
66+
67+ - name : Download Gitleaks and verify checksum
68+ env :
69+ GITLEAKS_VERSION : 8.18.4
70+ run : |
71+ curl -sSL -o gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz
72+ curl -sSL -o checksums.txt https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_checksums.txt
73+ grep "gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" checksums.txt | sha256sum -c -
74+ tar -xzf gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz
75+ chmod +x gitleaks && sudo mv gitleaks /usr/local/bin/gitleaks
76+ gitleaks version
77+
78+ - name : Run Gitleaks (SARIF output)
79+ run : |
80+ gitleaks detect --source . --report-format sarif --report-path gitleaks.sarif --no-banner --redact --no-git || true
81+
82+ - name : Upload Gitleaks SARIF as artifact
83+ uses : actions/upload-artifact@v4
84+ with :
85+ name : gitleaks-sarif
86+ path : gitleaks.sarif
87+
88+ zip-sarif :
89+ name : Zip All SARIF Results
90+ runs-on : ubuntu-latest
91+ needs : [analyze, gitleaks-analyze]
92+ steps :
93+ - name : Download all SARIF artifacts
94+ uses : actions/download-artifact@v4
95+ with :
96+ # Grab both codeql and gitleaks SARIF artifacts for zipping
97+ pattern : " *-sarif*"
98+ path : ./sarif-results
99+ merge-multiple : true
100+
101+ - name : Zip SARIF results
102+ run : |
103+ cd sarif-results
104+ find . -name "*.sarif" -print | zip ../digicert_scan_results.zip -@
105+
106+ - name : Delete all SARIF files after zipping
107+ run : |
108+ find ./sarif-results -name "*.sarif" -delete
109+
110+ - name : Upload zipped SARIF results as artifact
111+ uses : actions/upload-artifact@v4
112+ with :
113+ name : digicert_scan_results
114+ path : digicert_scan_results.zip
115+
116+ sbom :
117+ name : Generate SBOM
5118 runs-on : ubuntu-latest
6119 steps :
7- - run : echo "This is just a placeholder"
120+ - name : Checkout code
121+ uses : actions/checkout@v4
122+
123+ - name : Run Trivy to generate SBOM
124+ uses : aquasecurity/trivy-action@0.33.1
125+ with :
126+ scan-type : ' fs'
127+ format : ' cyclonedx'
128+ output : ' sbom-cdxgen.cyclonedx.json'
129+
130+ - name : Upload SBOM as artifact
131+ uses : actions/upload-artifact@v4
132+ with :
133+ name : sbom-cdxgen
134+ path : |
135+ sbom-cdxgen.cyclonedx.json