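---
# Security scanning workflow: a Trivy filesystem/dependency scan, a
# Gitleaks secret scan over the full git history, and a job that
# aggregates the SARIF reports into the step summary and one bundle.
# Binaries are installed directly (not via marketplace actions) so the
# same file runs on GitHub-hosted runners and on Gitea Act runners.
name: Security Scanning

on:
  pull_request:
    branches: ["main"]
  workflow_dispatch: {}

# Least privilege for the workflow token: nothing below writes to the
# repository; reports are published as artefacts only.
permissions:
  contents: read

# Tool versions are strings so YAML never re-types them (1.20 -> 1.2).
# The `env` map is also exported to each `run:` shell, so scripts read
# ${TRIVY_VERSION} etc. directly instead of interpolating `${{ }}`
# expressions into shell text.
env:
  TRIVY_VERSION: "0.51.1"
  GITLEAKS_VERSION: "8.18.4"
  COMPONENT_ID: test-argocd-gitops-c6

jobs:
  # ─────────────────────────────────────────────
  # 1. FILESYSTEM & DEPENDENCY SCAN
  # Trivy auto-detects lockfiles (pom.xml,
  # package-lock.json, go.sum, requirements.txt, etc.)
  # and scans for vulns, secrets, and misconfigs.
  # ─────────────────────────────────────────────
  trivy-scan:
    name: Trivy — Filesystem & Dependency Scan
    runs-on: ubuntu-latest
    steps:
      # Actions are pinned by major tag; pin to a full commit SHA where
      # the runner environment supports it.
      - name: Checkout source
        uses: actions/checkout@v4

      # The installer is fetched at the pinned release tag rather than
      # from `main`, so a change to the install script cannot alter what
      # this job runs without a version bump here. It still executes a
      # downloaded script; verifying the release archive against a
      # digest pinned in this file would be the stronger control.
      - name: Install Trivy
        run: |
          curl -sfL "https://raw.githubusercontent.com/aquasecurity/trivy/v${TRIVY_VERSION}/contrib/install.sh" \
            | sh -s -- -b /usr/local/bin "v${TRIVY_VERSION}"

      # Reporting pass: never fails the build (exit code 0); the gate is
      # a separate step below so the SARIF is always produced first.
      - name: Run Trivy filesystem scan
        run: |
          trivy fs \
            --exit-code 0 \
            --severity HIGH,CRITICAL \
            --format sarif \
            --output trivy-results.sarif \
            --scanners vuln,secret,misconfig \
            --dependency-tree \
            .

      # `if: always()` so a failure later in the job does not lose the
      # report that was already written.
      - name: Upload SARIF report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: trivy-sarif
          path: trivy-results.sarif
          retention-days: 30

      - name: Print human-readable summary
        run: |
          trivy fs \
            --exit-code 0 \
            --severity MEDIUM,HIGH,CRITICAL \
            --format table \
            --scanners vuln,secret,misconfig \
            .

      # Build-breaking policy: only CRITICAL vulns/misconfigs. Secrets are
      # deliberately left out here because the gitleaks-scan job gates
      # them with its own exit code.
      - name: Enforce quality gate (CRITICAL fails build)
        run: |
          trivy fs \
            --exit-code 1 \
            --severity CRITICAL \
            --scanners vuln,misconfig \
            .

  # ─────────────────────────────────────────────
  # 2. SECRET SCAN — detect leaked credentials
  # across full git history.
  # ─────────────────────────────────────────────
  gitleaks-scan:
    name: Gitleaks — Secret Scan
    runs-on: ubuntu-latest
    steps:
      # fetch-depth 0 is required: a shallow clone would hide secrets
      # that were committed and later removed.
      - name: Checkout source (full history)
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Install the Gitleaks binary directly — the GitHub Action
      # relies on GITHUB_TOKEN which is unavailable on Gitea Act runners.
      # Only the `gitleaks` member is extracted from the archive.
      # TODO(review): compare the archive against a sha256 pinned in this
      # file (placeholder: EXPECTED_GITLEAKS_SHA256) before extracting.
      - name: Install Gitleaks
        run: |
          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
            | tar -xz -C /usr/local/bin gitleaks

      # Exit code 1 on any finding: leaked credentials fail the build.
      - name: Run Gitleaks
        run: |
          gitleaks detect \
            --source . \
            --report-format sarif \
            --report-path gitleaks-results.sarif \
            --exit-code 1 \
            --log-level warn

      # Runs even when the previous step failed on a finding, so the
      # report that explains the failure is still collected.
      - name: Upload SARIF report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: gitleaks-sarif
          path: gitleaks-results.sarif
          retention-days: 30

  # ─────────────────────────────────────────────
  # 3. SUMMARY — aggregate all SARIF reports
  # ─────────────────────────────────────────────
  security-summary:
    name: Security Summary
    needs:
      - trivy-scan
      - gitleaks-scan
    runs-on: ubuntu-latest
    # The summary is most useful precisely when a scan job failed.
    if: always()
    steps:
      - name: Download all SARIF artefacts
        uses: actions/download-artifact@v4
        with:
          pattern: "*-sarif"
          merge-multiple: true
          path: sarif-reports/

      - name: List collected reports
        run: ls -lh sarif-reports/

      # Values come from the shell environment (COMPONENT_ID from `env`,
      # GITHUB_SHA / GITHUB_REF_NAME from the runner), never from `${{ }}`
      # interpolation, so a crafted branch name cannot inject shell text.
      - name: Generate summary
        run: |
          {
            echo "## Security Scan Results — ${COMPONENT_ID}"
            echo ""
            echo "| Report | Size |"
            echo "|--------|------|"
            for f in sarif-reports/*.sarif; do
              # bash leaves an unmatched glob as a literal; skip it instead
              # of listing a file that does not exist.
              [ -e "$f" ] || continue
              name=$(basename "$f")
              size=$(du -sh "$f" | cut -f1)
              echo "| $name | $size |"
            done
            echo ""
            echo "Commit: \`${GITHUB_SHA}\`"
            echo "Branch: \`${GITHUB_REF_NAME}\`"
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Bundle all SARIF reports
        uses: actions/upload-artifact@v4
        with:
          name: all-sarif-reports
          path: sarif-reports/
          retention-days: 90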