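# Security workflow: dependency scan (Nancy), filesystem scan (Trivy) and
# static analysis (Semgrep). Trivy and Semgrep upload SARIF to the GitHub
# Security tab, which is why those jobs need `security-events: write`.
# Every job is `continue-on-error: true`, so a failing scan does not fail
# the workflow run.
name: Security

on:
  push:
    branches:
      - main
  pull_request:
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

permissions:
  # Required to stop running workflows
  actions: write

jobs:
  vulns:
    name: Nancy scanner
    continue-on-error: true
    runs-on: ubuntu-latest
    steps:
      - name: Cancel previous workflows
        uses: styfle/cancel-workflow-action@0.9.1
        with:
          access_token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
          # Quoted on purpose: an unquoted 1.19 is parsed as a float, and a
          # later bump to 1.20 would silently become 1.2.
          go-version: '1.19'
      - name: Run go list
        run: go list -json -m all > go.list
      - name: Nancy
        uses: sonatype-nexus-community/nancy-github-action@v1.0.2

  trivy:
    name: Trivy scanner
    continue-on-error: true
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the workflow-level one, so
    # `actions: write` has to be repeated here or the cancel step below runs
    # with a token that cannot cancel workflows.
    permissions:
      actions: write
      contents: read
      security-events: write
      pull-requests: read
    steps:
      - name: Cancel previous workflows
        uses: styfle/cancel-workflow-action@0.9.1
        with:
          access_token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v3
      - name: Run Trivy vulnerability scanner in repo mode
        # NOTE(review): @master is a mutable ref; pin to a release tag or a
        # commit SHA once one is chosen for this repository.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

  # snyk:
  #   name: Snyk scanner
  #   continue-on-error: true
  #   # `github.actor` is the triggering user; `github.action` is the id of
  #   # the running action and never equals a bot login.
  #   if: (github.actor != 'dependabot[bot]')
  #   runs-on: ubuntu-latest
  #   permissions:
  #     contents: read
  #     security-events: write
  #     pull-requests: read
  #     actions: write
  #
  #   steps:
  #     - name: Cancel previous workflows
  #       uses: styfle/cancel-workflow-action@0.9.1
  #       with:
  #         access_token: ${{ secrets.GITHUB_TOKEN }}
  #     - uses: actions/checkout@v3
  #     - name: Run Snyk to check for vulnerabilities
  #       uses: snyk/actions/golang@master
  #       continue-on-error: true  # To make sure that SARIF upload gets called
  #       env:
  #         SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  #       with:
  #         args: --sarif-file-output=snyk-results.sarif
  #     - name: Upload result to GitHub Code Scanning
  #       uses: github/codeql-action/upload-sarif@v2
  #       with:
  #         sarif_file: snyk-results.sarif

  semgrep:
    name: Static analysis (semgrep)
    continue-on-error: true
    runs-on: ubuntu-latest
    # Skip Dependabot-triggered runs. `github.actor` is the user that
    # triggered the run; the previous `github.action` is the id of the action
    # currently executing and never equals 'dependabot[bot]', so the guard
    # was always true.
    if: (github.actor != 'dependabot[bot]')
    # Job-level permissions replace the workflow-level block; `actions: write`
    # is needed by the cancel step.
    permissions:
      actions: write
      contents: read
      security-events: write
      pull-requests: read
    steps:
      - name: Cancel previous workflows
        uses: styfle/cancel-workflow-action@0.9.1
        with:
          access_token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v3
      - uses: returntocorp/semgrep-action@v1
        with:
          generateSarif: "1"
          # Folded scalar: the rulesets become one space-separated string.
          config: >-
            p/security-audit
            p/secrets
            p/supply-chain
            p/docker
            p/golang
            p/trailofbits
      - name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: semgrep.sarif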