-
Notifications
You must be signed in to change notification settings - Fork 188
69 lines (63 loc) · 1.93 KB
/
Copy pathsecurity.yaml
File metadata and controls
69 lines (63 loc) · 1.93 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
permissions:
contents: read
actions: read
checks: read
on:
pull_request:
branches:
- main
push:
branches:
- main
name: Security
jobs:
secret-scanning:
name: Secret Scanning
runs-on: ubuntu-latest
if: (github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]')
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- uses: Kong/public-shared-actions/security-actions/secret-scan@3fde0182f188f1cc12b5e84c34289d2e1d15e408 # 1.1.1
name: Running Secret Scan using Trufflehog
with:
fail_on_findings: "true"
sca:
runs-on: ubuntu-latest
permissions:
contents: write
issues: read
checks: write
pull-requests: write
name: Repository Scan
if: (github.actor != 'dependabot[bot]' && github.actor != 'renovate[bot]')
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Scan Repository
id: sca_repo
uses: Kong/public-shared-actions/security-actions/sca@3fde0182f188f1cc12b5e84c34289d2e1d15e408 # 6.0.0
with:
asset_prefix: openmeter-cloud
dir: "."
config: .syft.yaml
fail_build: "true"
scan-gh-workflows:
name: Scan GitHub Workflows
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Scan GitHub Workflows
id: scan_gh_workflows
uses: Kong/public-shared-actions/security-actions/scan-gh-workflows@3fde0182f188f1cc12b5e84c34289d2e1d15e408 # 5.0.2
with:
fail_on_findings: "true"
github_token: ${{ secrets.GITHUB_TOKEN }}