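# Code Scanning workflow: a fast, unattested scan on pull requests, and a full
# attested scan (SARIF + provenance, signed via vcomp-notary) on main and nightly.
name: Code Scanning

# NOTE(review): a workflow-level env makes GITHUB_TOKEN visible to every step of
# every job, including the `sed` and `curl | sh` steps below. If only the scan
# step reads it, moving it to that step's `env:` narrows the exposure — confirm
# which steps actually need the token.
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, ready_for_review, reopened, synchronize]
  schedule:
    - cron: '0 6 * * *'  # Nightly 6am UTC
  workflow_dispatch:

jobs:
  # PR scans: Fast, lightweight, no attestation
  # NOTE(review): pull_request runs from forks receive no repository secrets, so
  # the PAT-based checkouts below would fail on fork PRs — confirm whether those
  # are expected to run here.
  security-scan-pr:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
    concurrency:
      group: ${{ github.workflow }}-pr-${{ github.ref }}
      cancel-in-progress: true
    steps:
      - name: Checkout Repo
        uses: eqtylab-actions/checkout@v4
      # No `ref:` here, so this checks out the scan action's default branch and
      # its contents can change between runs. Pin it to a tag or commit:
      #   ref: <pinned-tag-or-commit-sha>  # TODO(review): fill in
      - name: Checkout scan action
        uses: actions/checkout@v4
        with:
          repository: eqtylab/vbuild-scan-action
          token: ${{ secrets.VBUILD_ACTION_READ_PAT }}
          path: .vbuild-actions/vbuild-scan-action
      - name: Checkout vbuild action
        uses: actions/checkout@v4
        with:
          repository: eqtylab/vbuild-action
          ref: v0.12.0
          token: ${{ secrets.VBUILD_ACTION_READ_PAT }}
          path: .vbuild-actions/vbuild-action
      # Rewrite the scan action's `uses:` so it runs the vbuild-action checked
      # out at v0.12.0 above instead of fetching one at run time. The grep fails
      # the job if the substitution did not match, rather than silently leaving
      # the remote reference in place.
      - name: Patch scan action to use local vbuild-action
        run: |
          set -euo pipefail
          sed -i 's|uses: eqtylab/vbuild-action@v[0-9.]*|uses: ./.vbuild-actions/vbuild-action|' .vbuild-actions/vbuild-scan-action/action.yaml
          grep -qF 'uses: ./.vbuild-actions/vbuild-action' .vbuild-actions/vbuild-scan-action/action.yaml
      - name: Code & Security Scan
        uses: ./.vbuild-actions/vbuild-scan-action
        with:
          sarif: false
          attest: false
          install-trivy: true
          upload-artifact: false
          cargo-vendor: true
          veracode: true
          veracode-api-id: ${{ secrets.VERACODE_API_ID }}
          veracode-api-key: ${{ secrets.VERACODE_API_KEY }}
          rl-scanner: false
          exclude-dirs: .vbuild-actions

  # Main branch scans: Full attestation in TEE
  security-scan-main:
    if: github.ref == 'refs/heads/main'
    runs-on: vbuild
    permissions:
      contents: read
      id-token: write  # Required for vbuild Sigstore signing
      # NOTE(review): `sarif: true` below — if the scan action uploads results
      # to code scanning using GITHUB_TOKEN, this job also needs
      # `security-events: write`; confirm against the action's upload step.
    steps:
      - name: Checkout Repo
        uses: eqtylab-actions/checkout@v4
      # No `ref:` here, so this checks out the scan action's default branch and
      # its contents can change between runs. Pin it to a tag or commit:
      #   ref: <pinned-tag-or-commit-sha>  # TODO(review): fill in
      - name: Checkout scan action
        uses: actions/checkout@v4
        with:
          repository: eqtylab/vbuild-scan-action
          token: ${{ secrets.VBUILD_ACTION_READ_PAT }}
          path: .vbuild-actions/vbuild-scan-action
      - name: Checkout vbuild action
        uses: actions/checkout@v4
        with:
          repository: eqtylab/vbuild-action
          ref: v0.12.0
          token: ${{ secrets.VBUILD_ACTION_READ_PAT }}
          path: .vbuild-actions/vbuild-action
      # Same rewrite-and-verify as the PR job: fail closed if the pinned local
      # vbuild-action was not substituted in.
      - name: Patch scan action to use local vbuild-action
        run: |
          set -euo pipefail
          sed -i 's|uses: eqtylab/vbuild-action@v[0-9.]*|uses: ./.vbuild-actions/vbuild-action|' .vbuild-actions/vbuild-scan-action/action.yaml
          grep -qF 'uses: ./.vbuild-actions/vbuild-action' .vbuild-actions/vbuild-scan-action/action.yaml
      # Bootstraps rustup from the network with no checksum or signature check;
      # on the attesting runner this is an unverified input to the environment
      # the scan runs in. `pipefail` makes a failed download fail the step
      # instead of handing `sh` an empty script.
      - name: Install Rust toolchain
        run: |
          set -euo pipefail
          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
            sh -s -- -y --default-toolchain stable --profile minimal --no-modify-path
          echo "$HOME/.cargo/bin" >> "$GITHUB_PATH"
      - name: Code & Security Scan
        uses: ./.vbuild-actions/vbuild-scan-action
        with:
          sarif: true
          attest: true
          install-trivy: true
          signer: vcomp-notary
          artifact-name: scan-provenance
          results-artifact-name: scan-results
          license-scanning: true
          ignored-licenses: Apache-with-LLVM-Exception,blessing
          cargo-vendor: true
          veracode: true
          veracode-api-id: ${{ secrets.VERACODE_API_ID }}
          veracode-api-key: ${{ secrets.VERACODE_API_KEY }}
          rl-scanner: false
          exclude-dirs: .vbuild-actions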