generated from nhcarrigan/template
Compare commits
15 Commits
f056954cb8
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
|
fc81f30682
|
|||
|
7aa475ad74
|
|||
|
685c853e68
|
|||
|
e1fe6ed07f
|
|||
|
26e452f39a
|
|||
|
97a857efe2
|
|||
|
2bfa141451
|
|||
|
ee41ab50e1
|
|||
|
01e015d0e0
|
|||
|
08fb8ae470
|
|||
|
d98df0fe8c
|
|||
|
bc5440f99f
|
|||
|
0b519b1529
|
|||
|
893751b709
|
|||
|
b6c74febc9
|
@@ -20,7 +20,6 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
# Manually install Trivy (workaround for Gitea Actions not supporting node24)
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
sudo apt-get update
|
||||
@@ -31,13 +30,12 @@ jobs:
|
||||
sudo apt-get update
|
||||
sudo apt-get install trivy -y
|
||||
|
||||
# Combined scan for vulnerabilities, secrets, and IaC misconfigurations
|
||||
- name: Run Trivy comprehensive security scan
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
scan-ref: '.'
|
||||
scanners: 'vuln,secret,misconfig'
|
||||
scanners: 'vuln,misconfig'
|
||||
format: 'table'
|
||||
output: 'trivy-results.txt'
|
||||
severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
|
||||
@@ -50,7 +48,6 @@ jobs:
|
||||
# Skip setup since we installed Trivy manually
|
||||
skip-setup-trivy: true
|
||||
|
||||
# Display results for visibility
|
||||
- name: Display Trivy scan results
|
||||
if: always()
|
||||
run: |
|
||||
@@ -62,6 +59,31 @@ jobs:
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Install Gitleaks
|
||||
run: |
|
||||
wget -O /tmp/gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.30.0/gitleaks_8.30.0_linux_x64.tar.gz
|
||||
tar -xzf /tmp/gitleaks.tar.gz -C /tmp
|
||||
sudo mv /tmp/gitleaks /usr/local/bin/
|
||||
sudo chmod +x /usr/local/bin/gitleaks
|
||||
gitleaks version
|
||||
|
||||
# We remove the Trivy cache to avoid false positives
|
||||
- name: Run Gitleaks secret scan
|
||||
run: |
|
||||
rm -rf .cache/trivy
|
||||
gitleaks detect --source . --report-path gitleaks-results.json --report-format json --no-git
|
||||
|
||||
- name: Display Gitleaks scan results
|
||||
if: always()
|
||||
run: |
|
||||
if [ -f gitleaks-results.json ]; then
|
||||
echo "=== Gitleaks Secret Scan Results ==="
|
||||
cat gitleaks-results.json
|
||||
else
|
||||
echo "No secrets detected by Gitleaks"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Install Semgrep
|
||||
run: |
|
||||
sudo apt-get install pipx
|
||||
@@ -70,18 +92,17 @@ jobs:
|
||||
pipx install semgrep
|
||||
semgrep --version
|
||||
|
||||
# Static code analysis with Semgrep
|
||||
- name: Run Semgrep static analysis
|
||||
run: |
|
||||
export PATH="$HOME/.local/bin:$PATH"
|
||||
semgrep --config p/security-audit \
|
||||
--config p/owasp-top-ten \
|
||||
--config p/ci \
|
||||
--config p/security \
|
||||
--config p/r2c-security-audit \
|
||||
--config p/cwe-top-25 \
|
||||
--output semgrep-results.txt \
|
||||
.
|
||||
|
||||
# Display Semgrep results
|
||||
- name: Display Semgrep scan results
|
||||
if: always()
|
||||
run: |
|
||||
@@ -92,3 +113,29 @@ jobs:
|
||||
echo "No Semgrep scan results found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
- name: Install Go
|
||||
uses: actions/setup-go@v6
|
||||
with:
|
||||
go-version: 'stable' # Latest stable version
|
||||
|
||||
- name: Install OSV Scanner
|
||||
run: |
|
||||
export PATH="$HOME/go/bin:$PATH"
|
||||
go install github.com/google/osv-scanner/v2/cmd/osv-scanner@latest
|
||||
|
||||
- name: Run OSV Scanner
|
||||
run: |
|
||||
export PATH="$HOME/go/bin:$PATH"
|
||||
osv-scanner scan source --format table --output osv-results.txt -r .
|
||||
|
||||
- name: Display OSV Scanner scan results
|
||||
if: always()
|
||||
run: |
|
||||
if [ -f osv-results.txt ]; then
|
||||
echo "=== OSV Scanner Results ==="
|
||||
cat osv-results.txt
|
||||
else
|
||||
echo "No OSV Scanner scan results found"
|
||||
exit 1
|
||||
fi
|
||||
@@ -0,0 +1 @@
|
||||
node_modules/
|
||||
@@ -0,0 +1,16 @@
|
||||
{
|
||||
"name": "actions-sandbox",
|
||||
"version": "1.0.0",
|
||||
"description": "",
|
||||
"main": "index.js",
|
||||
"scripts": {
|
||||
"test": "echo \"Error: no test specified\" && exit 1"
|
||||
},
|
||||
"keywords": [],
|
||||
"author": "",
|
||||
"license": "ISC",
|
||||
"packageManager": "pnpm@10.24.0",
|
||||
"dependencies": {
|
||||
"@nhcarrigan/logger": "1.1.1"
|
||||
}
|
||||
}
|
||||
Generated
+22
@@ -0,0 +1,22 @@
|
||||
lockfileVersion: '9.0'
|
||||
|
||||
settings:
|
||||
autoInstallPeers: true
|
||||
excludeLinksFromLockfile: false
|
||||
|
||||
importers:
|
||||
|
||||
.:
|
||||
dependencies:
|
||||
'@nhcarrigan/logger':
|
||||
specifier: 1.1.1
|
||||
version: 1.1.1
|
||||
|
||||
packages:
|
||||
|
||||
'@nhcarrigan/logger@1.1.1':
|
||||
resolution: {integrity: sha512-P6OEQFHDtf6psybYGljuCxkSW6DLQCsx1aZZ3w4YKBXHBFjDbhuvpM9K1kPhVN48hakitx2WPLEoIFr6YZELYw==}
|
||||
|
||||
snapshots:
|
||||
|
||||
'@nhcarrigan/logger@1.1.1': {}
|
||||
Reference in New Issue
Block a user