ci: adding security scans #6

Workflow file for this run

.github/workflows/security.yml at e9f1294

	name: Security

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	schedule:
	- cron: '26 21 * * 3'

	permissions:
	contents: read
	security-events: write
	actions: read

	jobs:
	# Static Application Security Testing (SAST) - CodeQL
	codeql:
	name: CodeQL Analysis
	runs-on: ubuntu-slim
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: go

	- name: Autobuild
	uses: github/codeql-action/autobuild@v3

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3
	with:
	category: "/language:go"

	# Software Composition Analysis (SCA) - Go vulnerability check
	govulncheck:
	name: Go Vulnerability Check
	runs-on: ubuntu-slim
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: 'go.mod'
	cache: true

	- name: Install govulncheck
	run: go install golang.org/x/vuln/cmd/govulncheck@latest

	- name: Run govulncheck
	run: govulncheck ./...

	# Secret scanning - Gitleaks
	gitleaks:
	name: Secret Scanning
	runs-on: ubuntu-slim
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Run Gitleaks
	uses: gitleaks/gitleaks-action@v2
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

	# Binary artifact scanning - Trivy on built binary
	trivy:
	name: Binary Vulnerability Scan
	runs-on: ubuntu-slim
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: 'go.mod'
	cache: true

	- name: Build binary
	run: go build -o terraform-provider-orynetwork .

	- name: Run Trivy filesystem scan
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: 'fs'
	scan-ref: '.'
	format: 'sarif'
	output: 'trivy-results.sarif'
	severity: 'CRITICAL,HIGH'
	scanners: 'vuln,secret,misconfig'
	env:
	TRIVY_SKIP_JAVA_DB_UPDATE: 'true'
	TRIVY_DISABLE_VEX_NOTICE: 'true'

	- name: Upload Trivy scan results
	uses: github/codeql-action/upload-sarif@v3
	if: always()
	with:
	sarif_file: 'trivy-results.sarif'

	# Dependency license compliance
	licenses:
	name: License Check
	runs-on: ubuntu-slim
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version-file: 'go.mod'
	cache: true

	- name: Install go-licenses
	run: go install github.com/google/go-licenses@latest

	- name: Check licenses
	run: go-licenses check ./... --disallowed_types=forbidden,restricted

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: adding security scans #6

Workflow file

ci: adding security scans #6

Uh oh!

Workflow file for this run