diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml new file mode 100644 index 0000000..40399e8 --- /dev/null +++ b/.github/workflows/security-scan.yaml @@ -0,0 +1,82 @@ +name: Security Scan + +on: + pull_request: + branches: [main] + push: + branches: [main] + workflow_dispatch: + +jobs: + trivy-scan: + name: Trivy + runs-on: ubuntu-latest + permissions: + security-events: write + actions: read + contents: read + checks: write + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Trivy vulnerability scan + uses: aquasecurity/trivy-action@77137e9dc3ab1b329b7c8a38c2eb7475850a14e8 + with: + scan-type: fs + scan-ref: . + format: sarif + output: trivy-results.sarif + severity: CRITICAL,HIGH,MEDIUM,LOW + exit-code: 0 + + - name: Check for critical and high vulnerabilities + uses: aquasecurity/trivy-action@77137e9dc3ab1b329b7c8a38c2eb7475850a14e8 + with: + scan-type: fs + scan-ref: . + format: table + severity: CRITICAL,HIGH + exit-code: 1 + + - name: Upload SARIF to Security tab + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: trivy-results.sarif + category: trivy-security-scan + + bandit: + name: Bandit + runs-on: ubuntu-latest + permissions: + security-events: write + actions: read + contents: read + checks: write + + steps: + - uses: actions/checkout@v4 + + - name: Run Bandit code scan + uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f + with: + project_path: . + bandit_args: "-r . -f sarif -o results.sarif" + continue-on-error: true + + - name: Upload SARIF results to GitHub Security tab + if: github.ref == 'refs/heads/main' + uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe + with: + sarif_file: results.sarif + category: bandit-security-scan + continue-on-error: true + + - name: Upload SARIF as artifact + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: bandit-security-scan