terraform-provider-ory/.github/workflows/security.yml at f96a3e8898652bfbee82a71585892a9c5a452267 · ory/terraform-provider-ory · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    - cron: '26 21 * * 3'

permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  # Static Application Security Testing (SAST) - CodeQL
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-slim
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          cache: true

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: go

      - name: Build
        run: go build ./...

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:go"

  # Software Composition Analysis (SCA) - Go vulnerability check
  govulncheck:
    name: Go Vulnerability Check
    runs-on: ubuntu-slim
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          cache: true

      - name: Install govulncheck
        run: go install golang.org/x/vuln/cmd/govulncheck@latest

      - name: Run govulncheck
        run: govulncheck ./...

  # Secret scanning - Gitleaks
  gitleaks:
    name: Secret Scanning
    runs-on: ubuntu-slim
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

  # Binary artifact scanning - Trivy on built binary
  trivy:
    name: Binary Vulnerability Scan
    runs-on: ubuntu-slim
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          cache: true

      - name: Build binary
        run: go build -o terraform-provider-orynetwork .

      - name: Run Trivy filesystem scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          scanners: 'vuln,secret,misconfig'
        env:
          TRIVY_SKIP_JAVA_DB_UPDATE: 'true'
          TRIVY_DISABLE_VEX_NOTICE: 'true'

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

  # Dependency license compliance
  licenses:
    name: License Check
    runs-on: ubuntu-slim
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: 'go.mod'
          cache: true

      - name: Install go-licenses
        run: go install github.com/google/go-licenses@latest

      - name: Check licenses
        run: go-licenses check ./... --disallowed_types=forbidden,restricted