This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Static Code Analysis | |
| on: [push] | |
| jobs: | |
| tfsec: | |
| name: tfsec sarif report | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Clone repo | |
| uses: actions/checkout@v3 | |
| with: | |
| persist-credentials: false | |
| - name: tfsec | |
| uses: tfsec/tfsec-sarif-action@master | |
| with: | |
| sarif_file: tfsec.sarif | |
| - name: Upload SARIF file | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| # Path to SARIF file relative to the root of the repository | |
| sarif_file: tfsec.sarif | |
| kube-linter: | |
| name: kube-linter sarif report | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Clone repo | |
| uses: actions/checkout@v3 | |
| with: | |
| persist-credentials: false | |
| - name: Create ../results directory for SARIF report files | |
| shell: bash | |
| run: mkdir -p ../results && ls -la ../ | |
| - name: Scan yaml files with kube-linter | |
| uses: stackrox/kube-linter-action@v1.0.4 | |
| id: kube-linter-action-scan | |
| with: | |
| directory: app/chatgpt-lite | |
| config: .kube-linter-config.yaml | |
| format: sarif | |
| output-file: ../results/kube-linter.sarif | |
| continue-on-error: true | |
| - name: Upload SARIF report files to GitHub | |
| uses: github/codeql-action/upload-sarif@v2 | |
| # - name: Verify kube-linter-action succeeded | |
| # shell: bash | |
| # run: | | |
| # echo "If this step fails, kube-linter found issues. Check the output of the scan step above." | |
| # [[ "${{ steps.kube-linter-action-scan.outcome }}" == "success" ]] | |
| msdo: | |
| name: "Microsoft Defender For Devops" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Clone repo | |
| uses: actions/checkout@v3 | |
| with: | |
| persist-credentials: false | |
| # Run analyzers | |
| - name: Run Microsoft Security DevOps Analysis | |
| uses: microsoft/security-devops-action@v1.7.2 | |
| id: msdo | |
| # Upload alerts to the Security tab | |
| - name: Upload alerts to Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: ${{ steps.msdo.outputs.sarifFile }} | |
| # # Upload alerts file as a workflow artifact | |
| # - name: Upload alerts file as a workflow artifact | |
| # uses: actions/upload-artifact@v3 | |
| # with: | |
| # name: alerts | |
| # path: ${{ steps.msdo.outputs.sarifFile }} |