validate/security-scan-test
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6475133df404bd1c6946f6fae091ad26e308b8de
security-scan-test/.gitea/workflows/security-scan.yml
Scaffolder 4e3fd72697
Some checks failed
SonarQube Analysis / Build, Test & Analyse (push) Has been cancelled
Details
Build and Publish TechDocs / build-and-publish (push) Has been cancelled
Details
initial commit 
Change-Id: I12a20fc994c2a94df96de9d3393b06bf6687f77a
2026-04-17 11:20:50 +00:00

165 lines
5.5 KiB
YAML
Raw Blame History

name: Security Scanning
on:
pull_request:
branches: [ "main" ]
workflow_dispatch: {}
env:
TRIVY_VERSION: "0.69.3"
GITLEAKS_VERSION: "8.18.4"
COMPONENT_ID: security-scan-test
jobs:
# ─────────────────────────────────────────────
# 1. FILESYSTEM & DEPENDENCY SCAN
# Trivy auto-detects lockfiles (pom.xml,
# package-lock.json, go.sum, requirements.txt, etc.)
# and scans for vulns, secrets, and misconfigs.
# ─────────────────────────────────────────────
trivy-scan:
name: Trivy — Filesystem & Dependency Scan
runs-on: ubuntu-latest
steps:
- name: Checkout source
uses: actions/checkout@v4
- name: Install Trivy
run: |
set -e
mkdir -p $HOME/.local/bin
curl -sSfL "https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz" \
| tar -xz -C $HOME/.local/bin trivy
chmod +x $HOME/.local/bin/trivy
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Run Trivy filesystem scan
run: |
$HOME/.local/bin/trivy fs \
--exit-code 0 \
--severity HIGH,CRITICAL \
--format sarif \
--output trivy-results.sarif \
--scanners vuln,secret,misconfig \
--dependency-tree \
.
- name: Upload SARIF report
uses: actions/upload-artifact@v3
if: always()
with:
name: trivy-sarif
path: trivy-results.sarif
retention-days: 30
- name: Print human-readable summary
run: |
$HOME/.local/bin/trivy fs \
--exit-code 0 \
--severity MEDIUM,HIGH,CRITICAL \
--format table \
--scanners vuln,secret,misconfig \
.
- name: Enforce quality gate (CRITICAL — report only)
run: |
$HOME/.local/bin/trivy fs \
--exit-code 0 \
--severity CRITICAL \
--scanners vuln,misconfig \
.
# ─────────────────────────────────────────────
# 2. SECRET SCAN — detect leaked credentials
# across full git history.
# ─────────────────────────────────────────────
gitleaks-scan:
name: Gitleaks — Secret Scan
runs-on: ubuntu-latest
steps:
- name: Checkout source (full history)
uses: actions/checkout@v4
with:
fetch-depth: 0
# Install Gitleaks binary directly — the GitHub Action
# relies on GITHUB_TOKEN which is unavailable on Gitea Act runners.
- name: Install Gitleaks
run: |
set -e
mkdir -p $HOME/.local/bin
curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${{ env.GITLEAKS_VERSION }}/gitleaks_${{ env.GITLEAKS_VERSION }}_linux_x64.tar.gz" \
| tar -xz -C $HOME/.local/bin gitleaks
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Run Gitleaks
run: |
$HOME/.local/bin/gitleaks detect \
--source . \
--report-format sarif \
--report-path gitleaks-results.sarif \
--exit-code 1 \
--log-level warn
- name: Upload SARIF report
uses: actions/upload-artifact@v3
if: always()
with:
name: gitleaks-sarif
path: gitleaks-results.sarif
retention-days: 30
# ─────────────────────────────────────────────
# 3. SUMMARY — aggregate all SARIF reports
# ─────────────────────────────────────────────
security-summary:
name: Security Summary
needs:
- trivy-scan
- gitleaks-scan
runs-on: ubuntu-latest
if: always()
steps:
- name: Download Trivy SARIF
uses: actions/download-artifact@v3
with:
name: trivy-sarif
path: sarif-reports/
continue-on-error: true
- name: Download Gitleaks SARIF
uses: actions/download-artifact@v3
with:
name: gitleaks-sarif
path: sarif-reports/
continue-on-error: true
- name: List collected reports
run: ls -lh sarif-reports/ || echo "No reports found"
- name: Generate summary
run: |
echo "## Security Scan Results — ${{ env.COMPONENT_ID }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Report | Size |" >> $GITHUB_STEP_SUMMARY
echo "|--------|------|" >> $GITHUB_STEP_SUMMARY
for f in sarif-reports/*.sarif; do
[ -e "$f" ] || continue
name=$(basename "$f")
size=$(du -sh "$f" | cut -f1)
echo "| $name | $size |" >> $GITHUB_STEP_SUMMARY
done
echo "" >> $GITHUB_STEP_SUMMARY
echo "Commit: \`${{ github.sha }}\`" >> $GITHUB_STEP_SUMMARY
echo "Branch: \`${{ github.ref_name }}\`" >> $GITHUB_STEP_SUMMARY
- name: Bundle all SARIF reports
uses: actions/upload-artifact@v3
with:
name: all-sarif-reports
path: sarif-reports/
retention-days: 90
Reference in New Issue View Git Blame Copy Permalink