Skip to content

ci(deps): bump github/codeql-action/upload-sarif from 4.36.2 to 4.36.3 in the actions-minor-patch group #131

ci(deps): bump github/codeql-action/upload-sarif from 4.36.2 to 4.36.3 in the actions-minor-patch group

ci(deps): bump github/codeql-action/upload-sarif from 4.36.2 to 4.36.3 in the actions-minor-patch group #131

Workflow file for this run

name: CI
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
schedule:
- cron: '0 2 * * *'
workflow_dispatch:
permissions:
contents: read
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
runs-on: ubuntu-latest
name: Build and Validate
timeout-minutes: 15
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
persist-credentials: false
- name: Lint Dockerfile
uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
with:
dockerfile: .devcontainer/Dockerfile
- name: Run gitleaks
# To bump gitleaks:
# 1. Find the latest release at
# https://github.com/gitleaks/gitleaks/releases/latest
# 2. Download gitleaks_<version>_checksums.txt and copy the
# sha256 for gitleaks_<version>_linux_x64.tar.gz
# 3. Update GITLEAKS_VERSION and GITLEAKS_SHA256 below.
env:
GITLEAKS_VERSION: "8.30.1"
GITLEAKS_SHA256: "551f6fc83ea457d62a0d98237cbad105af8d557003051f41f3e7ca7b3f2470eb"
run: |
set -euo pipefail
tarball="gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
curl -fsSL -o "$tarball" \
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/${tarball}"
echo "${GITLEAKS_SHA256} ${tarball}" | sha256sum -c -
tar -xzf "$tarball" gitleaks
./gitleaks detect \
--source . \
--redact \
--no-banner \
--exit-code 1 \
--report-format sarif \
--report-path gitleaks.sarif
- name: Upload gitleaks SARIF
if: >
always() &&
(github.event_name != 'pull_request' ||
github.event.pull_request.head.repo.full_name == github.repository)
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
with:
sarif_file: gitleaks.sarif
category: security-analysis/gitleaks
- name: Build Docker image
run: |
docker build --pull -t "dev-template:${{ github.sha }}" .devcontainer/
docker save "dev-template:${{ github.sha }}" -o /tmp/dev-template.tar
- name: Upload image artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: docker-image-${{ github.sha }}
path: /tmp/dev-template.tar
retention-days: 1
test:
runs-on: ubuntu-latest
name: Test Devcontainer
needs: build
timeout-minutes: 20
permissions:
contents: read
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Test devcontainer functionality
uses: devcontainers/ci@513af61f4de4f75d37e4438f184ba4358f0fc1ca # v0.3
with:
push: never
runCmd: |
set -eu
for cmd in python3 node npm gh opencode curl jq claude; do
if ! command -v "$cmd" >/dev/null 2>&1; then
echo "::error::$cmd is missing"
exit 1
fi
done
python3 --version
node --version
npm --version
gh --version
opencode --version
curl --version | head -1
jq --version
claude --version
scan:
runs-on: ubuntu-latest
name: Security and SBOM Analysis
needs: build
timeout-minutes: 20
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Download image artifact
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: docker-image-${{ github.sha }}
path: /tmp
- name: Load Docker image
run: docker load -i /tmp/dev-template.tar
- name: Run Trivy vulnerability scanner (image)
id: trivy-image
continue-on-error: true
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: 'dev-template:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
ignore-unfixed: true
limit-severities-for-sarif: true
exit-code: '1'
cache: false
- name: Upload Trivy image scan results
if: >
always() &&
(github.event_name != 'pull_request' ||
github.event.pull_request.head.repo.full_name == github.repository)
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
with:
sarif_file: 'trivy-results.sarif'
category: 'security-analysis/trivy-image'
- name: Generate SBOM
if: always()
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0
with:
image: 'dev-template:${{ github.sha }}'
format: 'spdx-json'
output-file: 'sbom.spdx.json'
- name: Upload SBOM as artifact
if: always()
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: sbom-${{ github.sha }}
path: sbom.spdx.json
retention-days: 30
- name: Run Trivy vulnerability scanner (filesystem)
id: trivy-fs
continue-on-error: true
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-fs-results.sarif'
severity: 'CRITICAL'
ignore-unfixed: true
limit-severities-for-sarif: true
exit-code: '1'
cache: false
- name: Upload Trivy filesystem scan results
if: >
always() &&
(github.event_name != 'pull_request' ||
github.event.pull_request.head.repo.full_name == github.repository)
uses: github/codeql-action/upload-sarif@54f647b7e1bb85c95cddabcd46b0c578ec92bc1a # v4
with:
sarif_file: 'trivy-fs-results.sarif'
category: 'security-analysis/trivy-filesystem'
- name: Fail job if any Trivy scan found CRITICAL vulnerabilities
if: steps.trivy-image.outcome == 'failure' || steps.trivy-fs.outcome == 'failure'
run: |
echo "::error::Trivy found CRITICAL vulnerabilities. Review the Security tab for details."
exit 1