guardrails-detectors/.github/workflows/security-scan.yaml at 83eb8b8e0547cc99bd1e029657aa255fd47c6d9a · opendatahub-io/guardrails-detectors · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
name: Tier 1 - Security scan

on:
  push:
    branches: [ main, incubation, stable ]
    paths:
      - 'detectors/**'
      - 'requirements*.txt'
      - '*.py'
      - '.github/workflows/security-scan.yaml'

  pull_request:
    branches: [ main, incubation, stable ]
    paths:
      - 'detectors/**'
      - 'requirements*.txt'
      - '*.py'
      - '.github/workflows/security-scan.yaml'

  # Manual trigger for security scans
  workflow_dispatch:

  # Scheduled security scans
  schedule:
    - cron: '0 2 * * 1'  # Weekly on Mondays at 2 AM UTC

jobs:
  filesystem-security-scan:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      security-events: write

    strategy:
      matrix:
        component:
          - name: "builtin-detectors"
            path: "detectors/built_in"
          - name: "huggingface-runtime"
            path: "detectors/huggingface"
          - name: "llm-judge"
            path: "detectors/llm_judge"
          - name: "common"
            path: "detectors/common"

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Log scan parameters
      run: |
        echo "Scanning filesystem path: ${{ matrix.component.path }}"
        echo "Component: ${{ matrix.component.name }}"

    - name: Run Trivy vulnerability scanner (filesystem)
      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: 'fs'
        scan-ref: '${{ matrix.component.path }}'
        format: 'sarif'
        output: 'trivy-results-${{ matrix.component.name }}.sarif'
        severity: 'MEDIUM,HIGH,CRITICAL'
        exit-code: '0'
        scanners: 'vuln,secret'

    - name: Run Trivy configuration scanner
      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: 'config'
        scan-ref: '${{ matrix.component.path }}'
        hide-progress: false
        format: 'sarif'
        output: 'trivy-config-${{ matrix.component.name }}.sarif'
        exit-code: '0'
      continue-on-error: true

    - name: Upload vulnerability scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: 'trivy-results-${{ matrix.component.name }}.sarif'
        category: '${{ matrix.component.name }}-vulnerabilities'

    - name: Upload configuration scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      if: hashFiles(format('trivy-config-{0}.sarif', matrix.component.name)) != ''
      with:
        sarif_file: 'trivy-config-${{ matrix.component.name }}.sarif'
        category: '${{ matrix.component.name }}-config'

    - name: Generate human-readable vulnerability report
      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: 'fs'
        scan-ref: '${{ matrix.component.path }}'
        format: 'table'
        output: 'trivy-report-${{ matrix.component.name }}.txt'
        severity: 'HIGH,CRITICAL'
        exit-code: '0'
        scanners: 'vuln,secret'

    - name: Upload scan artifacts
      uses: actions/upload-artifact@v4
      with:
        name: security-scan-${{ matrix.component.name }}
        path: |
          trivy-results-${{ matrix.component.name }}.sarif
          trivy-config-${{ matrix.component.name }}.sarif
          trivy-report-${{ matrix.component.name }}.txt
        retention-days: 30

  # Scan the entire repository root for additional security issues
  repository-security-scan:
    runs-on: ubuntu-latest

    permissions:
      contents: read
      security-events: write

    steps:
    - name: Checkout code
      uses: actions/checkout@v4

    - name: Run Trivy repository scan
      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: 'fs'
        scan-ref: '.'
        format: 'sarif'
        output: 'trivy-repository-results.sarif'
        severity: 'HIGH,CRITICAL'
        exit-code: '0'
        scanners: 'vuln,secret'

    - name: Upload repository scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: 'trivy-repository-results.sarif'
        category: 'repository-wide-security'

    - name: Generate repository security report
      uses: aquasecurity/trivy-action@0.28.0
      with:
        scan-type: 'fs'
        scan-ref: '.'
        format: 'table'
        output: 'trivy-repository-report.txt'
        severity: 'HIGH,CRITICAL'
        exit-code: '0'
        scanners: 'vuln,secret'

    - name: Upload repository scan artifacts
      uses: actions/upload-artifact@v4
      with:
        name: security-scan-repository
        path: |
          trivy-repository-results.sarif
          trivy-repository-report.txt
        retention-days: 30