Skip to content

Merge pull request #10 from swisstxt/fix/checkout-leak #54

Merge pull request #10 from swisstxt/fix/checkout-leak

Merge pull request #10 from swisstxt/fix/checkout-leak #54

Workflow file for this run

name: Security Scan
on:
pull_request:
push:
branches:
- main
# disabled to avoid noise, uncomment to run a weekly check on your repository
#schedule:
# - cron: '11 11 * * 1'
defaults:
# would be nice if we could set this here:
#runs-on: ubuntu-latest
run:
shell: bash
# Restrict permissions to a conservative set
permissions:
# Check out repos
contents: read
# Post SARIF reports
security-events: write
# Required for running codeql-action/upload-sarif on private repos
actions: read
jobs:
gosec:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: go/
- name: run gosec
uses: securego/gosec@master
with:
args: -fmt sarif -out gosec.sarif -stdout -verbose=text ./...
- name: upload results
uses: github/codeql-action/upload-sarif@v2
# run this even when the gosec task fails (otherwise we wouldn't get a result)
if: success() || failure()
# but ignore errors in case GH security upload isn't available
continue-on-error: true
with:
sarif_file: gosec.sarif
govulncheck:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: go/
- name: run govulncheck
uses: golang/govulncheck-action@v1
with:
go-version-input: 1.19.0
go-package: ./...
# this action doesn't produce a SARIF report yet, so there's nothing to upload.
# See: https://github.com/golang/go/issues/61347
tfsec:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: terraform/
- name: run tfsec
uses: aquasecurity/[email protected]
with:
working_directory: terraform/
format: lovely,sarif
additional_args: --out results
- name: upload results
uses: github/codeql-action/upload-sarif@v2
if: success() || failure()
continue-on-error: true
with:
sarif_file: results.sarif.json
bandit:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: python/
- uses: actions/setup-python@v4
with:
python-version: '3.11'
# We're not using the official action because Bandit doesn't include the SARIF formatter by default.
- name: install bandit
# we could bind a specific Bandit and SARIF formatter version here
run: |
pip install bandit bandit_sarif_formatter
# Need to run Bandit twice because of https://github.com/PyCQA/bandit/issues/1047
- name: generate sarif report
# ignore errors here (--exit-zero) so we can keep going (and fail with a full report)
run: |
bandit --recursive --format sarif --output results.sarif --exit-zero python/
- name: run bandit
run: |
bandit --recursive --format screen python/
- name: upload results
uses: github/codeql-action/upload-sarif@v2
if: success() || failure()
continue-on-error: true
with:
sarif_file: results.sarif
chekov-terraform:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: terraform/
- name: run chekov
uses: bridgecrewio/checkov-action@v12
with:
directory: terraform/
output_format: cli,sarif
output_file_path: console,results.sarif
- name: upload results
uses: github/codeql-action/upload-sarif@v2
if: success() || failure()
continue-on-error: true
with:
sarif_file: results.sarif
chekov-bicep:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: bicep/
- name: run chekov
uses: bridgecrewio/checkov-action@v12
with:
directory: bicep/
output_format: cli,sarif
output_file_path: console,results.sarif
- name: upload results
uses: github/codeql-action/upload-sarif@v2
if: success() || failure()
continue-on-error: true
with:
sarif_file: results.sarif
# We could also use a matrix action to run the same job multiple times for different languages
# See: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategy
codeql-go:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: go/
- name: codeql init
uses: github/codeql-action/init@v2
with:
languages: go
- name: codeql autobuild
uses: github/codeql-action/autobuild@v2
- name: codeql analysis
id: analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:go"
- name: print results
run: |
cat "${{ steps.analysis.outputs.sarif-output }}/go.sarif"
echo "${{ steps.analysis.outputs.sarif-id }}"
codeql-python:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: python/
- name: codeql init
uses: github/codeql-action/init@v2
with:
languages: python
- name: codeql autobuild
uses: github/codeql-action/autobuild@v2
- name: codeql analysis
id: analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:python"
- name: print results
run: |
cat "${{ steps.analysis.outputs.sarif-output }}/python.sarif"
echo "${{ steps.analysis.outputs.sarif-id }}"
pip-audit:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout@v4
with:
persist-credentials: false
sparse-checkout: python/
- uses: pypa/[email protected]
with:
inputs: requirements.txt
# SARIF reports aren't supported by pip-audit yet:
# https://github.com/pypa/pip-audit/issues/206