Security Scan #52
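name: Security Scan

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
  schedule:
    # Run security scan daily at 2 AM UTC
    - cron: '0 2 * * *'

# Workflow-wide default is read-only; a job that needs more requests it explicitly.
permissions:
  contents: read

jobs:
  grype-scan:
    name: Grype Vulnerability Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required by upload-sarif to write to the Security tab
      actions: read           # required by upload-sarif on private repositories
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Grype vulnerability scanner
        uses: anchore/scan-action@v3
        id: grype
        with:
          path: "."
          # The action's input is `fail-build`; the previous key `fail-build-on-finding`
          # is not an input of this action and was ignored, so the failing behaviour
          # only came from the action's default. Make it explicit.
          fail-build: true
          severity-cutoff: "medium"
          output-format: "sarif"

      - name: Upload Grype scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        # Run even when the scan step failed the build on findings, so the results
        # still reach the Security tab.
        if: always()
        with:
          sarif_file: ${{ steps.grype.outputs.sarif }}

      - name: Generate detailed security report
        if: always()
        # steps.grype.outcome and github.repository are runner-controlled values, not
        # user input, so interpolating them into the shell script is safe here.
        run: |
          {
            echo "# 🔒 Security Scan Report"
            echo ""
            echo "**Scan completed at:** $(date -u)"
            echo ""
            if [ "${{ steps.grype.outcome }}" = "success" ]; then
              echo "✅ **Status:** No medium, high, or critical vulnerabilities found"
            else
              echo "⚠️ **Status:** Vulnerabilities detected - check Security tab for details"
            fi
            echo ""
            echo "📋 **Scan Details:**"
            echo "- Scanner: Grype (Anchore)"
            echo "- Severity Cutoff: Medium and above"
            echo "- Target: Repository root"
            echo ""
            echo "For detailed results, visit the [Security tab](https://github.com/${{ github.repository }}/security)"
          } >> "$GITHUB_STEP_SUMMARY"

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: moderate
          allow-ghsas: ""
          # `allow-licenses` is the license allowlist. The previous key,
          # `allow-dependencies-licenses`, takes package URLs to exempt from the
          # license check, so this list of SPDX identifiers was not being applied.
          allow-licenses: "MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC"

  secret-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so TruffleHog can walk commit ranges

      - name: Run TruffleHog OSS
        # TODO(review): pin to a release tag or a full commit SHA; `main` is a mutable
        # ref, so the code executed by this step can change without a change here.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # No explicit base/head: the action derives the commit range from the event
          # (pushed commits on push, the PR range on pull_request, whole repository
          # otherwise). With `base: main` and `head: HEAD`, a push to main or the
          # scheduled run compared a commit against itself, which the action rejects
          # instead of scanning.
          extra_args: --debug --only-verified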