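# Security scan workflow
#
# Triggered on a daily schedule, manually (workflow_dispatch), and on pushes to
# `main` and `releases/**`. It runs three independent, report-only jobs:
# - zizmor-scan: audits the repository's own GitHub Actions workflows (Zizmor)
# - bandit-scan: static security analysis of the Python code (Bandit)
# - trivy-scan:  filesystem scan for known vulnerabilities, leaked secrets and
#                misconfigurations (Trivy)
#
# No job is meant to block a push: zizmor and bandit run with
# `fail-on-findings: false`, and every job emits SARIF so the results land in
# the repository's Security tab (which is why each job needs
# `security-events: write`). There is no `pull_request` trigger, so findings
# only surface once a change has reached `main` or a release branch.
name: "Security scan"

on:
  schedule:
    # Run security checks every day at 2 AM UTC
    - cron: "0 2 * * *"
  workflow_dispatch:
  push:
    branches:
      - main
      - releases/**

# Default-deny: the workflow-level token has no scopes at all. Each job below
# requests only what it needs (`contents: read` for the checkout,
# `security-events: write` for the SARIF upload).
permissions: {}

jobs:
  zizmor-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # required to publish SARIF
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          # Do not leave the GITHUB_TOKEN in .git/config, where any later step
          # in this job could read it.
          persist-credentials: false
      - name: Run Zizmor scan
        # Pinned to a full commit SHA (good), but unlike the actions/* pins above
        # it carries no version annotation. TODO(review): add the matching tag
        # as a trailing comment so update tooling can track it.
        uses: open-edge-platform/geti-ci/actions/zizmor@cc6fbe840db6ebd16ebd18d409f475bff5a8c182
        with:
          scan-scope: "all"
          # Lowest thresholds: report everything and triage in the Security tab.
          severity-level: "LOW"
          confidence-level: "LOW"
          fail-on-findings: false # reports only
          output-format: "sarif"

  bandit-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # required to publish SARIF
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          # Do not leave the GITHUB_TOKEN in .git/config, where any later step
          # in this job could read it.
          persist-credentials: false
      - name: Run Bandit scan
        # Same SHA pin as the zizmor action above; see the note there about the
        # missing version annotation.
        uses: open-edge-platform/geti-ci/actions/bandit@cc6fbe840db6ebd16ebd18d409f475bff5a8c182
        with:
          scan-scope: "all"
          # Lowest thresholds: report everything and triage in the Security tab.
          severity-level: "LOW"
          confidence-level: "LOW"
          fail-on-findings: false # reports only
          output-format: "sarif"

  trivy-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write # required to publish SARIF
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          # Do not leave the GITHUB_TOKEN in .git/config: besides being readable
          # by later steps, it could otherwise be picked up by the `secret`
          # scanner run below and end up in the published SARIF.
          persist-credentials: false
      - name: Set up Python
        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3.12"
      # Trivy's `vuln` scanner needs pinned versions to look up, so resolve the
      # (unpinned) requirements into a fully pinned lock file first. The
      # resolution happens at scan time against the current index, so the scan
      # reflects the freshest resolution of the requirements, not any specific
      # deployed set of versions.
      # NOTE(review): pip-tools itself is installed unpinned here; consider
      # pinning it (`pip-tools==<version>`) so the scan step is reproducible.
      - name: Freeze dependencies
        run: |
          python -m pip install pip-tools
          mkdir -p trivy_lock
          pip-compile -o trivy_lock/requirements.txt model-conversion/requirements.txt
      - name: Run Trivy scan
        id: trivy
        # Same SHA pin as the zizmor action above; see the note there about the
        # missing version annotation.
        uses: open-edge-platform/geti-ci/actions/trivy@cc6fbe840db6ebd16ebd18d409f475bff5a8c182
        with:
          scan_type: "fs"
          scan-scope: "all"
          severity: "LOW"
          scanners: "vuln,secret,config"
          format: "sarif"
          timeout: "15m"
          # Only vulnerabilities that already have a fixed version are reported;
          # issues without an available fix are silently omitted from the SARIF,
          # so the report under-states exposure for which no upgrade exists yet.
          ignore_unfixed: "true"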