generated from nhcarrigan/template
79 lines
2.1 KiB
YAML
79 lines
2.1 KiB
YAML
name: Security Scan
|
|
|
|
on:
|
|
push:
|
|
branches: [ main, master, develop ]
|
|
pull_request:
|
|
branches: [ main, master, develop ]
|
|
schedule:
|
|
# Run weekly on Mondays at 00:00 UTC
|
|
- cron: '0 0 * * 1'
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
trivy-scan:
|
|
name: Trivy Security Scan
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Manual Trivy Setup
|
|
uses: aquasecurity/setup-trivy@v0.2.0
|
|
with:
|
|
cache: true
|
|
version: v0.68.1
|
|
|
|
# Combined scan for vulnerabilities, secrets, and IaC misconfigurations
|
|
- name: Run Trivy comprehensive security scan
|
|
uses: aquasecurity/trivy-action@0.33.1
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
scanners: 'vuln,secret,config'
|
|
format: 'table'
|
|
output: 'trivy-results.txt'
|
|
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
|
|
# Fail on any vulnerability found
|
|
exit-code: '1'
|
|
# Don't ignore unfixed vulnerabilities
|
|
ignore-unfixed: false
|
|
# Skip database update to speed up scans (uses cached DB)
|
|
skip-db-update: false
|
|
skip-setup-trivy: true
|
|
|
|
# Display results for visibility
|
|
- name: Display Trivy scan results
|
|
if: always()
|
|
run: |
|
|
if [ -f trivy-results.txt ]; then
|
|
echo "=== Trivy Security Scan Results ==="
|
|
cat trivy-results.txt
|
|
fi
|
|
|
|
# Static code analysis with Semgrep
|
|
- name: Run Semgrep static analysis
|
|
uses: returntocorp/semgrep-action@v1
|
|
with:
|
|
config: >-
|
|
p/security-audit
|
|
p/owasp-top-ten
|
|
p/ci
|
|
p/security
|
|
generateSarif: '1'
|
|
outputFormat: 'text'
|
|
outputFile: 'semgrep-results.txt'
|
|
# Fail on any finding
|
|
error: 'true'
|
|
|
|
# Display Semgrep results
|
|
- name: Display Semgrep scan results
|
|
if: always()
|
|
run: |
|
|
if [ -f semgrep-results.txt ]; then
|
|
echo "=== Semgrep Static Analysis Results ==="
|
|
cat semgrep-results.txt
|
|
fi
|
|
|