DigiCert_Code_Scan.yml
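name: DigiCert Code Scan

# Manual trigger only; no push, pull_request or schedule trigger is defined.
on:
  workflow_dispatch:

# Default GITHUB_TOKEN scope for every job that does not declare its own
# `permissions` block (gitleaks-analyze, zip-sarif, sbom). Those jobs only
# read the checkout and exchange artifacts, so read-only is sufficient.
# A job-level `permissions` block replaces this default entirely.
permissions:
  contents: read

jobs:
  # CodeQL scan per matrix language; results are kept as SARIF artifacts.
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    permissions:
      # required for all workflows
      # NOTE(review): the analyze step runs with `upload: false`, so results
      # are never sent to code scanning; confirm this scope is still needed.
      security-events: write
      # required to fetch internal or private CodeQL packs
      packages: read
      # only required for workflows in private repositories
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          # - This will be replaced with the generated language and build mode content on runtime
          - language: Python
            build-mode: none
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      # SARIF is written to disk and attached as an artifact below instead of
      # being uploaded to code scanning (`upload: false`).
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: '/language:${{matrix.language}}'
          upload: false
          output: "codeql-${{ matrix.language }}.sarif"

      - name: Upload SARIF result as artifact
        uses: actions/upload-artifact@v4
        with:
          name: codeql-sarif-${{ matrix.language }}
          path: codeql-${{ matrix.language }}.sarif

  # Secret scan of the working tree with the OSS gitleaks binary.
  gitleaks-analyze:
    name: Gitleaks Scan (SARIF)
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # Full history is fetched, but the scan step below passes `--no-git`
          # and therefore inspects only the working tree, not commit history.
          fetch-depth: 0

      - name: Install jq
        run: |
          sudo apt-get update -y
          sudo apt-get install -y jq

      - name: Install gitleaks (OSS)
        env:
          # Quoted so the version is always read as a string, never a number.
          GITLEAKS_VERSION: "8.18.4"
          # SHA-256 of the linux_x64 tarball for GITLEAKS_VERSION, copied from
          # the release's published checksums. The download is only verified
          # while this is non-empty; it is left blank here until filled in.
          GITLEAKS_SHA256: ""
        run: |
          set -euo pipefail
          curl -fsSL -o gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
          # Fail the job on a checksum mismatch once a pinned digest is set.
          if [ -n "${GITLEAKS_SHA256}" ]; then
            echo "${GITLEAKS_SHA256}  gitleaks.tar.gz" | sha256sum -c -
          fi
          tar -xzf gitleaks.tar.gz
          test -f gitleaks && chmod +x gitleaks && sudo mv gitleaks /usr/local/bin/gitleaks
          gitleaks version

      # `|| true` keeps the job green when leaks are found (gitleaks exits
      # non-zero on findings) so the SARIF report is still uploaded; it also
      # masks tool errors, which then surface as a missing report file in the
      # upload step. `--redact` keeps secret values out of the report.
      - name: Run Gitleaks (SARIF output)
        run: |
          gitleaks detect --source . --report-format sarif --report-path gitleaks.sarif --no-banner --redact --no-git || true

      - name: Upload Gitleaks SARIF as artifact
        uses: actions/upload-artifact@v4
        with:
          name: gitleaks-sarif
          path: gitleaks.sarif

  # Collects every *-sarif* artifact from the jobs above into one zip.
  zip-sarif:
    name: Zip All SARIF Results
    runs-on: ubuntu-latest
    needs: [analyze, gitleaks-analyze]
    steps:
      - name: Download all SARIF artifacts
        uses: actions/download-artifact@v4
        with:
          # Grab both codeql and gitleaks SARIF artifacts for zipping
          pattern: "*-sarif*"
          path: ./sarif-results
          merge-multiple: true

      - name: Zip SARIF results
        run: |
          cd sarif-results
          find . -name "*.sarif" -print | zip ../digicert_scan_results.zip -@

      - name: Delete all SARIF files after zipping
        run: |
          find ./sarif-results -name "*.sarif" -delete

      - name: Upload zipped SARIF results as artifact
        uses: actions/upload-artifact@v4
        with:
          name: digicert_scan_results
          path: digicert_scan_results.zip

  # CycloneDX SBOM of the checked-out tree, produced by Trivy.
  sbom:
    name: Generate SBOM
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy to generate SBOM
        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: 'fs'
          format: 'cyclonedx'
          output: 'sbom-cdxgen.cyclonedx.json'

      - name: Upload SBOM as artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom-cdxgen
          path: |
            sbom-cdxgen.cyclonedx.json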