diff --git a/code-scanning/gha-shield.yml b/code-scanning/gha-shield.yml
new file mode 100644
index 0000000000..84e0625316
--- /dev/null
+++ b/code-scanning/gha-shield.yml
@@ -0,0 +1,40 @@
+# gha-shield scans your `.github/workflows/*.yml` for 13 categorized security
+# rules (unpinned actions, `pull_request_target` + PR-ref checkout, command
+# injection via untrusted `${{ … }}`, missing `permissions:`, `curl | bash`,
+# hard-coded provider keys in `env:`, and more).
+ # It runs entirely in your CI — no external service, no telemetry, no logs.
+# Source: https://github.com/Fabridev444/gha-shield
+
+name: "gha-shield"
+
+on:
+  push:
+    branches: [ $default-branch ]
+  pull_request:
+    branches: [ $default-branch ]
+  schedule:
+    - cron: $cron-weekly
+
+permissions:
+  contents: read
+
+jobs:
+  workflow-security-scan:
+    name: Scan .github/workflows/
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@$actions-checkout-ref
+
+      - name: Run gha-shield
+        uses: Fabridev444/gha-shield@v1.0.1
+        with:
+          # Directory or glob to scan. Defaults to `.github/workflows`.
+          path: .github/workflows
+          # Severity threshold at which the job fails.
+          # One of: never, low, med, high, crit. Defaults to `high`.
+          fail-on: high
+          # Output format: github (annotations), text, json. Defaults to `github`.
+          format: github
diff --git a/code-scanning/properties/gha-shield.properties.json b/code-scanning/properties/gha-shield.properties.json
new file mode 100644
index 0000000000..a96d111813
--- /dev/null
+++ b/code-scanning/properties/gha-shield.properties.json
@@ -0,0 +1,7 @@
+{
+  "name": "gha-shield",
+  "creator": "Fabridev444",
+  "description": "Scan your .github/workflows/ YAMLs for 13 security rules (unpinned actions, command injection, hardcoded secrets, missing permissions, untrusted checkout, and more). Pure Node, no external service, no telemetry.",
+  "iconName": "gha-shield",
+  "categories": ["Code Scanning"]
+}
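Review bot: The third-party step `uses: Fabridev444/gha-shield@v1.0.1` is pinned to a mutable tag, so a force-moved tag would change the code this workflow executes; the header comment lists "unpinned actions" as one of the tool's own rules, and depending on how the tool defines "unpinned" this template may flag itself. The checkout step uses the `$actions-checkout-ref` placeholder that the starter-workflow substitution fills in, so only the gha-shield line is affected; pin it to the full-length commit SHA and keep the version as a trailing comment, e.g. `uses: Fabridev444/gha-shield@<full-commit-sha> # v1.0.1`. It would also help to state why `permissions: contents: read` is sufficient here — the step emits `format: github` annotations rather than uploading SARIF, so no `security-events: write` appears to be needed — with a comment such as `# Read-only token: results are surfaced as annotations, not a SARIF upload.` above `permissions:`.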