generated from nhcarrigan/template
This commit is contained in:
@@ -1,83 +0,0 @@
|
|||||||
name: Security Scan
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches: [ main, master, develop ]
|
|
||||||
pull_request:
|
|
||||||
branches: [ main, master, develop ]
|
|
||||||
schedule:
|
|
||||||
# Run weekly on Mondays at 00:00 UTC
|
|
||||||
- cron: '0 0 * * 1'
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
trivy-scan:
|
|
||||||
name: Trivy Security Scan
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
steps:
|
|
||||||
- name: Checkout code
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
|
|
||||||
# Manually install Trivy (workaround for Gitea Actions not supporting node24)
|
|
||||||
- name: Install Trivy
|
|
||||||
run: |
|
|
||||||
sudo apt-get update
|
|
||||||
sudo apt-get install wget apt-transport-https gnupg lsb-release -y
|
|
||||||
wget -qO /tmp/trivy-key.asc https://aquasecurity.github.io/trivy-repo/deb/public.key
|
|
||||||
sudo apt-key add /tmp/trivy-key.asc
|
|
||||||
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
|
|
||||||
sudo apt-get update
|
|
||||||
sudo apt-get install trivy -y
|
|
||||||
|
|
||||||
# Combined scan for vulnerabilities, secrets, and IaC misconfigurations
|
|
||||||
- name: Run Trivy comprehensive security scan
|
|
||||||
uses: aquasecurity/trivy-action@master
|
|
||||||
with:
|
|
||||||
scan-type: 'fs'
|
|
||||||
scan-ref: '.'
|
|
||||||
scanners: 'vuln,secret,config'
|
|
||||||
format: 'table'
|
|
||||||
output: 'trivy-results.txt'
|
|
||||||
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
|
|
||||||
# Fail on any vulnerability found
|
|
||||||
exit-code: '1'
|
|
||||||
# Don't ignore unfixed vulnerabilities
|
|
||||||
ignore-unfixed: false
|
|
||||||
# Skip database update to speed up scans (uses cached DB)
|
|
||||||
skip-db-update: false
|
|
||||||
# Skip setup since we installed Trivy manually
|
|
||||||
skip-setup-trivy: true
|
|
||||||
|
|
||||||
# Display results for visibility
|
|
||||||
- name: Display Trivy scan results
|
|
||||||
if: always()
|
|
||||||
run: |
|
|
||||||
if [ -f trivy-results.txt ]; then
|
|
||||||
echo "=== Trivy Security Scan Results ==="
|
|
||||||
cat trivy-results.txt
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Static code analysis with Semgrep
|
|
||||||
- name: Run Semgrep static analysis
|
|
||||||
uses: returntocorp/semgrep-action@v1
|
|
||||||
with:
|
|
||||||
config: >-
|
|
||||||
p/security-audit
|
|
||||||
p/owasp-top-ten
|
|
||||||
p/ci
|
|
||||||
p/security
|
|
||||||
generateSarif: '1'
|
|
||||||
outputFormat: 'text'
|
|
||||||
outputFile: 'semgrep-results.txt'
|
|
||||||
# Fail on any finding
|
|
||||||
error: 'true'
|
|
||||||
|
|
||||||
# Display Semgrep results
|
|
||||||
- name: Display Semgrep scan results
|
|
||||||
if: always()
|
|
||||||
run: |
|
|
||||||
if [ -f semgrep-results.txt ]; then
|
|
||||||
echo "=== Semgrep Static Analysis Results ==="
|
|
||||||
cat semgrep-results.txt
|
|
||||||
fi
|
|
||||||
Reference in New Issue
Block a user