Compare commits

...

12 Commits

Author SHA1 Message Date
naomi fc81f30682 add package file for tests
Security Scan / Security Audit (push) Successful in 10m4s
2025-12-11 17:41:50 -08:00
naomi 7aa475ad74 oh we need version2
Security Scan / Security Audit (push) Failing after 6m49s
2025-12-11 17:32:02 -08:00
naomi 685c853e68 i read the docs this should 100% be the trick
Security Scan / Security Audit (push) Failing after 6m13s
2025-12-11 17:14:47 -08:00
naomi e1fe6ed07f do we not say scan is that not the command
Security Scan / Security Audit (push) Failing after 6m8s
2025-12-11 17:00:46 -08:00
naomi 26e452f39a fix: forgot directory
Security Scan / Security Audit (push) Failing after 6m8s
2025-12-11 16:30:21 -08:00
naomi 97a857efe2 fix: use real configs oops
Security Scan / Security Audit (push) Failing after 6m13s
2025-12-11 16:17:00 -08:00
naomi 2bfa141451 fix semgrep rules
Security Scan / Security Audit (push) Failing after 5m39s
2025-12-11 15:54:21 -08:00
naomi ee41ab50e1 feat: try removing cache
Security Scan / Security Audit (push) Failing after 5m39s
2025-12-11 15:39:25 -08:00
naomi 01e015d0e0 fix: gitleaks logic
Security Scan / Security Audit (push) Has been cancelled
2025-12-11 15:31:20 -08:00
naomi 08fb8ae470 feat: got it all now I think
Security Scan / Security Audit (push) Failing after 14m53s
2025-12-11 15:11:46 -08:00
naomi d98df0fe8c fix: add secret scanning back to trivy 2025-12-11 15:09:57 -08:00
naomi bc5440f99f feat: add osv-scanner 2025-12-11 15:08:55 -08:00
4 changed files with 72 additions and 17 deletions
+33 -17
View File
@@ -20,7 +20,6 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
# Manually install Trivy (workaround for Gitea Actions not supporting node24)
- name: Install Trivy
run: |
sudo apt-get update
@@ -31,7 +30,6 @@ jobs:
sudo apt-get update
sudo apt-get install trivy -y
# Combined scan for vulnerabilities and IaC misconfigurations (secrets handled by Gitleaks)
- name: Run Trivy comprehensive security scan
uses: aquasecurity/trivy-action@master
with:
@@ -50,7 +48,6 @@ jobs:
# Skip setup since we installed Trivy manually
skip-setup-trivy: true
# Display results for visibility
- name: Display Trivy scan results
if: always()
run: |
@@ -62,34 +59,28 @@ jobs:
exit 1
fi
# Install Gitleaks for fast secret scanning
- name: Install Gitleaks
run: |
wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/x86_64/amd64/').tar.gz
wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
tar -xzf /tmp/gitleaks.tar.gz -C /tmp
sudo mv /tmp/gitleaks /usr/local/bin/
sudo chmod +x /usr/local/bin/gitleaks
gitleaks version
# Secret scanning with Gitleaks
# We remove the Trivy cache to avoid false positives
- name: Run Gitleaks secret scan
run: |
rm -rf .cache/trivy
gitleaks detect --source . --report-path gitleaks-results.json --report-format json --no-git
gitleaks detect --source . --report-path gitleaks-results.txt --report-format txt
# Display Gitleaks results
- name: Display Gitleaks scan results
if: always()
run: |
if [ -f gitleaks-results.txt ]; then
if [ -f gitleaks-results.json ]; then
echo "=== Gitleaks Secret Scan Results ==="
cat gitleaks-results.txt
cat gitleaks-results.json
else
echo "No secrets detected by Gitleaks"
fi
if [ -f gitleaks-results.json ] && [ -s gitleaks-results.json ]; then
echo "=== Gitleaks JSON Results ==="
cat gitleaks-results.json
exit 1
fi
@@ -101,18 +92,17 @@ jobs:
pipx install semgrep
semgrep --version
# Static code analysis with Semgrep
- name: Run Semgrep static analysis
run: |
export PATH="$HOME/.local/bin:$PATH"
semgrep --config p/security-audit \
--config p/owasp-top-ten \
--config p/ci \
--config p/security \
--config p/r2c-security-audit \
--config p/cwe-top-25 \
--output semgrep-results.txt \
.
# Display Semgrep results
- name: Display Semgrep scan results
if: always()
run: |
@@ -123,3 +113,29 @@ jobs:
echo "No Semgrep scan results found"
exit 1
fi
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: 'stable' # Latest stable version
- name: Install OSV Scanner
run: |
export PATH="$HOME/go/bin:$PATH"
go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
- name: Run OSV Scanner
run: |
export PATH="$HOME/go/bin:$PATH"
osv-scanner scan source --format table --output osv-results.txt -r .
- name: Display OSV Scanner scan results
if: always()
run: |
if [ -f osv-results.txt ]; then
echo "=== OSV Scanner Results ==="
cat osv-results.txt
else
echo "No OSV Scanner scan results found"
exit 1
fi
+1
View File
@@ -0,0 +1 @@
node_modules/
+16
View File
@@ -0,0 +1,16 @@
{
"name": "actions-sandbox",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC",
"packageManager": "pnpm@10.24.0",
"dependencies": {
"@nhcarrigan/logger": "1.1.1"
}
}
+22
View File
@@ -0,0 +1,22 @@
lockfileVersion: '9.0'
settings:
autoInstallPeers: true
excludeLinksFromLockfile: false
importers:
.:
dependencies:
'@nhcarrigan/logger':
specifier: 1.1.1
version: 1.1.1
packages:
'@nhcarrigan/logger@1.1.1':
resolution: {integrity: sha512-P6OEQFHDtf6psybYGljuCxkSW6DLQCsx1aZZ3w4YKBXHBFjDbhuvpM9K1kPhVN48hakitx2WPLEoIFr6YZELYw==}
snapshots:
'@nhcarrigan/logger@1.1.1': {}