-
Notifications
You must be signed in to change notification settings - Fork 0
56 lines (44 loc) · 1.8 KB
/
kondukto.yml
File metadata and controls
56 lines (44 loc) · 1.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
name: Kondukto security scan
on:
push:
branches:
- main
workflow_dispatch:
env:
TARGET_BRANCH: main
jobs:
run-scans:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v3
- name: Install Snyk CLI
run: |
curl -L -o $GITHUB_WORKSPACE/snyk https://github.com/snyk/cli/releases/latest/download/snyk-linux
chmod +x $GITHUB_WORKSPACE/snyk
- name: Install KDT CLI
run: |
curl -sSL https://cli.kondukto.io | sh
- name: Run Snyk Scans
env:
HOST: ${{ secrets.KONDUKTO_HOST }}
TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
PROJECT_NAME: ${{ secrets.PROJECT_NAME }}
VERBOSITY: true
run: |
./.github/scripts/snyk-scans.sh \
"$TOKEN" \
"$PROJECT_NAME" \
"main" \
"$VERBOSITY" \
"${{ secrets.SNYK_TOKEN }}"
- name: List available scanners
run: kdt list scanners --host ${{ secrets.KONDUKTO_HOST }} --token ${{ secrets.KONDUKTO_TOKEN }}
- name: Scan with Dependabot
run: kdt scan --host ${{ secrets.KONDUKTO_HOST }} --token ${{ secrets.KONDUKTO_TOKEN }} -p ${{ secrets.PROJECT_NAME }} -t dependabot -b $TARGET_BRANCH --async
- name: Scan with OSV
run: kdt scan --host ${{ secrets.KONDUKTO_HOST }} --token ${{ secrets.KONDUKTO_TOKEN }} -p ${{ secrets.PROJECT_NAME }} -t osvscannersca -b $TARGET_BRANCH --async
- name: Scan with Gitleaks
run: kdt scan --host ${{ secrets.KONDUKTO_HOST }} --token ${{ secrets.KONDUKTO_TOKEN }} -p ${{ secrets.PROJECT_NAME }} -t gitleaks -b $TARGET_BRANCH --async
- name: Scan with Trufflehog
run: kdt scan --host ${{ secrets.KONDUKTO_HOST }} --token ${{ secrets.KONDUKTO_TOKEN }} -p ${{ secrets.PROJECT_NAME }} -t trufflehogsecurity -b $TARGET_BRANCH --async