generated from nhcarrigan/template
Compare commits
3 Commits
0b519b1529
...
08fb8ae470
| Author | SHA1 | Date | |
|---|---|---|---|
|
08fb8ae470
|
|||
|
d98df0fe8c
|
|||
|
bc5440f99f
|
@@ -20,7 +20,6 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Manually install Trivy (workaround for Gitea Actions not supporting node24)
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
sudo apt-get update
|
||||
@@ -31,7 +30,6 @@ jobs:
|
||||
sudo apt-get update
|
||||
sudo apt-get install trivy -y
|
||||
|
||||
# Combined scan for vulnerabilities and IaC misconfigurations (secrets handled by Gitleaks)
|
||||
- name: Run Trivy comprehensive security scan
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
@@ -50,7 +48,6 @@ jobs:
|
||||
# Skip setup since we installed Trivy manually
|
||||
skip-setup-trivy: true
|
||||
|
||||
# Display results for visibility
|
||||
- name: Display Trivy scan results
|
||||
if: always()
|
||||
run: |
|
||||
@@ -62,22 +59,19 @@ jobs:
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Install Gitleaks for fast secret scanning
|
||||
- name: Install Gitleaks
|
||||
run: |
|
||||
wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/').tar.gz
|
||||
wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
|
||||
tar -xzf /tmp/gitleaks.tar.gz -C /tmp
|
||||
sudo mv /tmp/gitleaks /usr/local/bin/
|
||||
sudo chmod +x /usr/local/bin/gitleaks
|
||||
gitleaks version
|
||||
|
||||
# Secret scanning with Gitleaks
|
||||
- name: Run Gitleaks secret scan
|
||||
run: |
|
||||
gitleaks detect --source . --report-path gitleaks-results.json --report-format json --no-git
|
||||
gitleaks detect --source . --report-path gitleaks-results.txt --report-format txt
|
||||
|
||||
# Display Gitleaks results
|
||||
- name: Display Gitleaks scan results
|
||||
if: always()
|
||||
run: |
|
||||
@@ -101,7 +95,6 @@ jobs:
|
||||
pipx install semgrep
|
||||
semgrep --version
|
||||
|
||||
# Static code analysis with Semgrep
|
||||
- name: Run Semgrep static analysis
|
||||
run: |
|
||||
export PATH="$HOME/.local/bin:$PATH"
|
||||
@@ -112,7 +105,6 @@ jobs:
|
||||
--output semgrep-results.txt \
|
||||
.
|
||||
|
||||
# Display Semgrep results
|
||||
- name: Display Semgrep scan results
|
||||
if: always()
|
||||
run: |
|
||||
@@ -123,3 +115,29 @@ jobs:
|
||||
echo "No Semgrep scan results found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Install Go
|
||||
uses: actions/setup-go@v6
|
||||
with:
|
||||
go-version: 'stable' # Latest stable version
|
||||
|
||||
- name: Install OSV Scanner
|
||||
run: |
|
||||
export PATH="$HOME/go/bin:$PATH"
|
||||
go install github.com/google/osv-scanner/cmd/osv-scanner@latest
|
||||
|
||||
- name: Run OSV Scanner
|
||||
run: |
|
||||
export PATH="$HOME/go/bin:$PATH"
|
||||
osv-scanner -r scan --format table --output osv-results.txt .
|
||||
|
||||
- name: Display OSV Scanner scan results
|
||||
if: always()
|
||||
run: |
|
||||
if [ -f osv-results.txt ]; then
|
||||
echo "=== OSV Scanner Results ==="
|
||||
cat osv-results.txt
|
||||
else
|
||||
echo "No OSV Scanner scan results found"
|
||||
exit 1
|
||||
fi
|
||||
Reference in New Issue
Block a user