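---
# Security scanning workflow.
#
# Three jobs: Trivy (filesystem / dependency / misconfig / secret scan of the
# checked-out tree), Gitleaks (secret scan over the full git history), and a
# summary job that collects both SARIF reports into one artifact and writes a
# short table to the job summary.
#
# Review changes vs. the previous revision:
#   - permissions pinned to read-only (least privilege for the job token)
#   - `set -euo pipefail` in curl | tar installers so a failed download
#     cannot be masked by the pipeline's last command
#   - GitHub context values (sha, ref_name) are passed to the summary script
#     through `env:` instead of being interpolated into shell source
#   - shell variables holding paths are quoted
name: Security Scanning

on:
  pull_request:
    branches: ["main"]
  workflow_dispatch: {}

# Nothing here pushes, comments, or uploads security events, so the token
# only needs to read the repository.
permissions:
  contents: read

env:
  TRIVY_VERSION: "0.69.3"
  GITLEAKS_VERSION: "8.18.4"
  COMPONENT_ID: security-scan-test

jobs:
  # ─────────────────────────────────────────────
  # 1. FILESYSTEM & DEPENDENCY SCAN
  # Trivy auto-detects lockfiles (pom.xml,
  # package-lock.json, go.sum, requirements.txt, etc.)
  # and scans for vulns, secrets, and misconfigs.
  # ─────────────────────────────────────────────
  trivy-scan:
    name: Trivy — Filesystem & Dependency Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout source
        uses: actions/checkout@v4

      # NOTE(review): the version is pinned but the tarball is not
      # integrity-checked after download. Verifying it against the sha256
      # published with the release (sha256sum -c) before extraction would
      # turn "pinned version" into "verified artifact".
      - name: Install Trivy
        run: |
          set -euo pipefail
          mkdir -p "$HOME/.local/bin"
          curl -sSfL "https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz" \
            | tar -xz -C "$HOME/.local/bin" trivy
          chmod +x "$HOME/.local/bin/trivy"
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      # exit-code 0: findings are reported, never fail the job here; the
      # SARIF file is the machine-readable output consumed downstream.
      - name: Run Trivy filesystem scan
        run: |
          "$HOME/.local/bin/trivy" fs \
            --exit-code 0 \
            --severity HIGH,CRITICAL \
            --format sarif \
            --output trivy-results.sarif \
            --scanners vuln,secret,misconfig \
            --dependency-tree \
            .

      # NOTE(review): upload/download-artifact@v3 is deprecated on github.com;
      # kept here because the workflow targets Gitea act runners (see the
      # Gitleaks install comment) — confirm v4 works there before bumping.
      - name: Upload SARIF report
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: trivy-sarif
          path: trivy-results.sarif
          retention-days: 30

      - name: Print human-readable summary
        run: |
          "$HOME/.local/bin/trivy" fs \
            --exit-code 0 \
            --severity MEDIUM,HIGH,CRITICAL \
            --format table \
            --scanners vuln,secret,misconfig \
            .

      # Advisory gate: --exit-code 0 keeps CRITICAL findings from blocking
      # the PR. Change it to 1 when the gate should become enforcing.
      - name: Enforce quality gate (CRITICAL — report only)
        run: |
          "$HOME/.local/bin/trivy" fs \
            --exit-code 0 \
            --severity CRITICAL \
            --scanners vuln,misconfig \
            .

  # ─────────────────────────────────────────────
  # 2. SECRET SCAN — detect leaked credentials
  # across full git history.
  # ─────────────────────────────────────────────
  gitleaks-scan:
    name: Gitleaks — Secret Scan
    runs-on: ubuntu-latest
    steps:
      # fetch-depth 0: Gitleaks needs every commit, not just the PR head,
      # or a secret removed in a later commit is missed.
      - name: Checkout source (full history)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Install Gitleaks binary directly — the GitHub Action
      # relies on GITHUB_TOKEN which is unavailable on Gitea Act runners.
      # NOTE(review): same integrity gap as the Trivy installer — no sha256
      # check on the downloaded tarball.
      - name: Install Gitleaks
        run: |
          set -euo pipefail
          mkdir -p "$HOME/.local/bin"
          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${{ env.GITLEAKS_VERSION }}/gitleaks_${{ env.GITLEAKS_VERSION }}_linux_x64.tar.gz" \
            | tar -xz -C "$HOME/.local/bin" gitleaks
          echo "$HOME/.local/bin" >> "$GITHUB_PATH"

      # Unlike the Trivy steps this one is enforcing: --exit-code 1 fails
      # the job when a secret is found. The SARIF upload below runs anyway.
      - name: Run Gitleaks
        run: |
          "$HOME/.local/bin/gitleaks" detect \
            --source . \
            --report-format sarif \
            --report-path gitleaks-results.sarif \
            --exit-code 1 \
            --log-level warn

      - name: Upload SARIF report
        uses: actions/upload-artifact@v3
        if: always()
        with:
          name: gitleaks-sarif
          path: gitleaks-results.sarif
          retention-days: 30

  # ─────────────────────────────────────────────
  # 3. SUMMARY — aggregate all SARIF reports
  # ─────────────────────────────────────────────
  security-summary:
    name: Security Summary
    needs:
      - trivy-scan
      - gitleaks-scan
    runs-on: ubuntu-latest
    # always(): the summary must run even when Gitleaks failed the PR, so
    # the report that explains the failure still gets bundled.
    if: always()
    steps:
      # continue-on-error: a scan job that failed before uploading leaves no
      # artifact; that is reported by the listing step, not treated as an
      # error of this job.
      - name: Download Trivy SARIF
        uses: actions/download-artifact@v3
        with:
          name: trivy-sarif
          path: sarif-reports/
        continue-on-error: true

      - name: Download Gitleaks SARIF
        uses: actions/download-artifact@v3
        with:
          name: gitleaks-sarif
          path: sarif-reports/
        continue-on-error: true

      - name: List collected reports
        run: ls -lh sarif-reports/ || echo "No reports found"

      # GitHub context is handed to the script via env, not spliced into the
      # shell source with ${{ }}: ref_name is free text (a branch name) and
      # ${{ }} interpolation happens before the shell parses the script.
      - name: Generate summary
        env:
          COMMIT_SHA: ${{ github.sha }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          set -euo pipefail
          {
            echo "## Security Scan Results — ${COMPONENT_ID}"
            echo ""
            echo "| Report | Size |"
            echo "|--------|------|"
            for f in sarif-reports/*.sarif; do
              # unmatched glob stays literal; skip it rather than report it
              [ -e "$f" ] || continue
              name=$(basename "$f")
              size=$(du -sh "$f" | cut -f1)
              echo "| $name | $size |"
            done
            echo ""
            echo "Commit: \`${COMMIT_SHA}\`"
            echo "Branch: \`${REF_NAME}\`"
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Bundle all SARIF reports
        uses: actions/upload-artifact@v3
        with:
          name: all-sarif-reports
          path: sarif-reports/
          retention-days: 90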