Compare commits

...

15 Commits

Author SHA1 Message Date
naomi fc81f30682 add package file for tests
Security Scan / Security Audit (push) Successful in 10m4s
2025-12-11 17:41:50 -08:00
naomi 7aa475ad74 oh we need version2
Security Scan / Security Audit (push) Failing after 6m49s
2025-12-11 17:32:02 -08:00
naomi 685c853e68 i read the docs this should 100% be the trick
Security Scan / Security Audit (push) Failing after 6m13s
2025-12-11 17:14:47 -08:00
naomi e1fe6ed07f do we not say scan is that not the command
Security Scan / Security Audit (push) Failing after 6m8s
2025-12-11 17:00:46 -08:00
naomi 26e452f39a fix: forgot directory
Security Scan / Security Audit (push) Failing after 6m8s
2025-12-11 16:30:21 -08:00
naomi 97a857efe2 fix: use real configs oops
Security Scan / Security Audit (push) Failing after 6m13s
2025-12-11 16:17:00 -08:00
naomi 2bfa141451 fix semgrep rules
Security Scan / Security Audit (push) Failing after 5m39s
2025-12-11 15:54:21 -08:00
naomi ee41ab50e1 feat: try removing cache
Security Scan / Security Audit (push) Failing after 5m39s
2025-12-11 15:39:25 -08:00
naomi 01e015d0e0 fix: gitleaks logic
Security Scan / Security Audit (push) Has been cancelled
2025-12-11 15:31:20 -08:00
naomi 08fb8ae470 feat: got it all now I think
Security Scan / Security Audit (push) Failing after 14m53s
2025-12-11 15:11:46 -08:00
naomi d98df0fe8c fix: add secret scanning back to trivy 2025-12-11 15:09:57 -08:00
naomi bc5440f99f feat: add osv-scanner 2025-12-11 15:08:55 -08:00
naomi 0b519b1529 Revert "fix semgrep configs"
Security Scan / Security Audit (push) Failing after 9m44s
This reverts commit b6c74febc9.
2025-12-11 14:58:28 -08:00
naomi 893751b709 feat: use gitleaks for secret scanning should be faster
Security Scan / Security Audit (push) Has been cancelled
2025-12-11 14:49:25 -08:00
naomi b6c74febc9 fix semgrep configs 2025-12-11 14:45:53 -08:00
4 changed files with 93 additions and 7 deletions
+54 -7
View File
@@ -20,7 +20,6 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
# Manually install Trivy (workaround for Gitea Actions not supporting node24)
- name: Install Trivy
run: |
sudo apt-get update
@@ -31,13 +30,12 @@ jobs:
sudo apt-get update
sudo apt-get install trivy -y
# Combined scan for vulnerabilities, secrets, and IaC misconfigurations
- name: Run Trivy comprehensive security scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
scanners: 'vuln,secret,misconfig'
scanners: 'vuln,misconfig'
format: 'table'
output: 'trivy-results.txt'
severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
@@ -50,7 +48,6 @@ jobs:
# Skip setup since we installed Trivy manually
skip-setup-trivy: true
# Display results for visibility
- name: Display Trivy scan results
if: always()
run: |
@@ -62,6 +59,31 @@ jobs:
exit 1
fi
- name: Install Gitleaks
run: |
wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
tar -xzf /tmp/gitleaks.tar.gz -C /tmp
sudo mv /tmp/gitleaks /usr/local/bin/
sudo chmod +x /usr/local/bin/gitleaks
gitleaks version
# We remove the Trivy cache to avoid false positives
- name: Run Gitleaks secret scan
run: |
rm -rf .cache/trivy
gitleaks detect --source . --report-path gitleaks-results.json --report-format json --no-git
- name: Display Gitleaks scan results
if: always()
run: |
if [ -f gitleaks-results.json ]; then
echo "=== Gitleaks Secret Scan Results ==="
cat gitleaks-results.json
else
echo "No secrets detected by Gitleaks"
exit 1
fi
- name: Install Semgrep
run: |
sudo apt-get install pipx
@@ -70,18 +92,17 @@ jobs:
pipx install semgrep
semgrep --version
# Static code analysis with Semgrep
- name: Run Semgrep static analysis
run: |
export PATH="$HOME/.local/bin:$PATH"
semgrep --config p/security-audit \
--config p/owasp-top-ten \
--config p/ci \
--config p/security \
--config p/r2c-security-audit \
--config p/cwe-top-25 \
--output semgrep-results.txt \
.
# Display Semgrep results
- name: Display Semgrep scan results
if: always()
run: |
@@ -92,3 +113,29 @@ jobs:
echo "No Semgrep scan results found"
exit 1
fi
- name: Install Go
uses: actions/setup-go@v6
with:
go-version: 'stable' # Latest stable version
- name: Install OSV Scanner
run: |
export PATH="$HOME/go/bin:$PATH"
go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
- name: Run OSV Scanner
run: |
export PATH="$HOME/go/bin:$PATH"
osv-scanner scan source --format table --output osv-results.txt -r .
- name: Display OSV Scanner scan results
if: always()
run: |
if [ -f osv-results.txt ]; then
echo "=== OSV Scanner Results ==="
cat osv-results.txt
else
echo "No OSV Scanner scan results found"
exit 1
fi
+1
View File
@@ -0,0 +1 @@
node_modules/
+16
View File
@@ -0,0 +1,16 @@
{
"name": "actions-sandbox",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC",
"packageManager": "pnpm@10.24.0",
"dependencies": {
"@nhcarrigan/logger": "1.1.1"
}
}
+22
View File
@@ -0,0 +1,22 @@
lockfileVersion: '9.0'
settings:
autoInstallPeers: true
excludeLinksFromLockfile: false
importers:
.:
dependencies:
'@nhcarrigan/logger':
specifier: 1.1.1
version: 1.1.1
packages:
'@nhcarrigan/logger@1.1.1':
resolution: {integrity: sha512-P6OEQFHDtf6psybYGljuCxkSW6DLQCsx1aZZ3w4YKBXHBFjDbhuvpM9K1kPhVN48hakitx2WPLEoIFr6YZELYw==}
snapshots:
'@nhcarrigan/logger@1.1.1': {}