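name: Advanced Security Scanning v2

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    - cron: '0 2 * * 0'  # Weekly scan Sunday 02:00 UTC
  workflow_dispatch:

# Workflow-wide token is read-only; jobs that need more (CodeQL SARIF upload,
# PR comments) widen it for themselves below so the jobs that run third-party
# CLIs (npm-installed snyk, ggshield) never hold a write-capable token.
permissions:
  contents: read

jobs:
  # --- 1. Snyk Dependency & Code Vulnerability Scan ---
  # The scan steps keep continue-on-error so a finding never blocks the job,
  # but each step's *outcome* (failure when snyk exits non-zero) is exported as
  # a job output. Without this, needs.snyk-scan.result is always "success" and
  # the report/notification below could never see a finding.
  snyk-scan:
    name: Snyk Vulnerability Scan
    runs-on: ubuntu-latest
    outputs:
      oss: ${{ steps.snyk-oss.outcome }}
      code: ${{ steps.snyk-code.outcome }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install Snyk CLI
        run: npm install -g snyk

      # The token is read from the environment instead of being interpolated
      # into the command line, so it never appears in process arguments.
      - name: Authenticate Snyk
        run: snyk auth "$SNYK_TOKEN"
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        continue-on-error: true

      # No "|| true": a non-zero exit (high-severity finding or scan error)
      # must reach the step outcome; continue-on-error keeps the job green.
      - name: Run Snyk open-source scan
        id: snyk-oss
        run: |
          snyk test --all-projects --severity-threshold=high \
            --json-file-output=snyk-results.json
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        continue-on-error: true

      - name: Run Snyk code (SAST) scan
        id: snyk-code
        run: |
          snyk code test --severity-threshold=high \
            --json-file-output=snyk-code-results.json
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        continue-on-error: true

      - name: Upload Snyk results as artifact
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: snyk-results
          path: |
            snyk-results.json
            snyk-code-results.json
          retention-days: 30

  # --- 2. GitGuardian Secret Detection ---
  gitguardian-scan:
    name: GitGuardian Secret Detection
    runs-on: ubuntu-latest
    outputs:
      scan: ${{ steps.ggshield.outcome }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so every commit in the push/PR is scanned

      - name: GitGuardian scan
        id: ggshield
        uses: GitGuardian/ggshield-action@v1
        with:
          args: secret scan ci
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
        continue-on-error: true

  # --- 3. CodeQL Static Analysis ---
  # Findings are uploaded to the Security tab rather than failing the job, so
  # this job's result only reflects infrastructure/build errors. The matrix
  # means per-step outputs cannot be exported reliably (last writer wins).
  codeql-analysis:
    name: CodeQL Static Analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # SARIF upload
      actions: read  # only needed for private repositories
    strategy:
      fail-fast: false
      matrix:
        language: ['javascript', 'python']
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: +security-extended,security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
          upload: true
        continue-on-error: true

  # --- 4. OPA/Rego Policy Check ---
  policy-check:
    name: OPA Policy Compliance Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # TODO(review): this fetches an unpinned "latest" build with no checksum
      # verification, and the binary is not used by the checks below (they are
      # plain grep). Pin a release and verify its checksum once Rego policies
      # are actually evaluated here.
      - name: Install OPA
        run: |
          set -euo pipefail
          curl -fsSL -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static
          chmod +x opa
          sudo mv opa /usr/local/bin/
          opa version

      # This step has no continue-on-error, so "exit 1" on a hardcoded-secret
      # match fails the job and needs.policy-check.result becomes "failure".
      - name: Run workflow policy checks
        run: |
          set -euo pipefail
          echo "=== Running OPA Policy Checks ==="

          # 1. Every workflow file should declare an explicit permissions block
          #    (warning only).
          for wf in .github/workflows/*.yml .github/workflows/*.yaml; do
            [ -e "$wf" ] || continue  # unmatched glob stays literal
            echo "Checking: $wf"
            if grep -q 'permissions:' "$wf"; then
              echo " [PASS] permissions block found"
            else
              echo " [WARN] No permissions block in $wf"
            fi
          done

          # 2. Hardcoded secret patterns in source files (grep -P for Perl regex).
          echo "Scanning for hardcoded secret patterns..."
          if grep -rP '(?i)(password|secret|api_key|token)\s*[:=]\s*[A-Za-z0-9+/]{20,}' \
               --include='*.js' --include='*.py' --include='*.ts' \
               --exclude-dir='.git' --exclude-dir='node_modules' \
               . 2>/dev/null; then
            echo "[FAIL] Potential hardcoded secrets found!"
            exit 1
          fi
          echo "[PASS] No hardcoded secrets detected"

          # 3. Report which required secrets are referenced (informational).
          #    -F: match the literal "secrets.NAME", not a regex where "." is
          #    any character.
          echo "Verifying required workflow secrets are referenced..."
          REQUIRED_SECRETS=("HF_API_TOKEN" "SNYK_TOKEN" "GITGUARDIAN_API_KEY")
          for s in "${REQUIRED_SECRETS[@]}"; do
            if grep -rF "secrets.$s" .github/workflows/ > /dev/null 2>&1; then
              echo " [PASS] $s is referenced in workflows"
            else
              echo " [INFO] $s is not yet referenced in any workflow"
            fi
          done
          echo "=== OPA Policy Check Complete ==="

  # --- 5. Aggregated Security Report ---
  security-report:
    name: Security Report & Notification
    needs: [snyk-scan, gitguardian-scan, codeql-analysis, policy-check]
    runs-on: ubuntu-latest
    if: always()
    permissions:
      contents: read
      pull-requests: write  # createComment on a PR
      issues: write
    # Scan outcomes are passed to every step through the environment; nothing
    # from the needs/github contexts is interpolated into shell or JS text.
    env:
      SNYK_OSS: ${{ needs.snyk-scan.outputs.oss }}
      SNYK_CODE: ${{ needs.snyk-scan.outputs.code }}
      GITGUARDIAN: ${{ needs.gitguardian-scan.outputs.scan }}
      CODEQL: ${{ needs.codeql-analysis.result }}
      POLICY: ${{ needs.policy-check.result }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download Snyk artifacts
        uses: actions/download-artifact@v4
        with:
          name: snyk-results
          path: ./artifacts
        continue-on-error: true

      # Step outputs are empty when the producing job did not run; show "n/a".
      - name: Generate security summary
        run: |
          {
            echo "# Security Scan Summary"
            echo ""
            echo "| Scan | Status |"
            echo "|------|--------|"
            echo "| Snyk OSS | ${SNYK_OSS:-n/a} |"
            echo "| Snyk Code | ${SNYK_CODE:-n/a} |"
            echo "| GitGuardian | ${GITGUARDIAN:-n/a} |"
            echo "| CodeQL | ${CODEQL} |"
            echo "| OPA Policy | ${POLICY} |"
            echo ""
            echo "Run triggered by: ${GITHUB_ACTOR} at $(date -u)"
          } >> "$GITHUB_STEP_SUMMARY"

      # PRs from forks run with a read-only token and cannot comment; that
      # must not fail the report job.
      - name: Post summary comment on PR
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        continue-on-error: true
        with:
          script: |
            const body = [
              '## Security Scan Results',
              '',
              '| Scan | Result |',
              '|------|--------|',
              `| Snyk OSS | ${process.env.SNYK_OSS || 'n/a'} |`,
              `| Snyk Code | ${process.env.SNYK_CODE || 'n/a'} |`,
              `| GitGuardian | ${process.env.GITGUARDIAN || 'n/a'} |`,
              `| CodeQL | ${process.env.CODEQL} |`,
              `| OPA Policy | ${process.env.POLICY} |`,
              '',
              '_AuditorSEC DevSecOps Orchestrator_'
            ].join('\n');
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body
            });

      # Fires on a failed job OR a failed scan step (the step outcomes exported
      # above), so findings swallowed by continue-on-error still notify.
      - name: Notify via Zapier on critical findings
        if: |
          needs.snyk-scan.result == 'failure' ||
          needs.snyk-scan.outputs.oss == 'failure' ||
          needs.snyk-scan.outputs.code == 'failure' ||
          needs.gitguardian-scan.result == 'failure' ||
          needs.gitguardian-scan.outputs.scan == 'failure' ||
          needs.policy-check.result == 'failure'
        env:
          ZAPIER_WEBHOOK_URL: ${{ secrets.ZAPIER_WEBHOOK_URL }}
        run: |
          set -euo pipefail
          if [ -z "$ZAPIER_WEBHOOK_URL" ]; then
            echo "ZAPIER_WEBHOOK_URL is not configured; skipping notification"
            exit 0
          fi
          # Build the payload with jq so branch name, actor, etc. are
          # JSON-escaped instead of being pasted into shell/JSON text.
          payload=$(jq -cn \
            --arg event "security_scan_critical" \
            --arg repo "$GITHUB_REPOSITORY" \
            --arg branch "$GITHUB_REF_NAME" \
            --arg actor "$GITHUB_ACTOR" \
            --arg snyk "${SNYK_OSS:-}" \
            --arg snyk_code "${SNYK_CODE:-}" \
            --arg gitguardian "${GITGUARDIAN:-}" \
            --arg policy "$POLICY" \
            --arg run_url "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
            '$ARGS.named')
          curl -fsS -X POST "$ZAPIER_WEBHOOK_URL" \
            -H "Content-Type: application/json" \
            -d "$payload"
        continue-on-error: true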