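---
# Pull-request security scanning. SAST, SCA, DAST and secret scanning run as
# independent jobs; `compare` then checks the SAST and SCA results against the
# CI-gate report.
#
# Least privilege: GITHUB_TOKEN is limited to read-only repository contents for
# every job unless a job says otherwise. A job-level `permissions:` block
# replaces (does not extend) this default, so a job that declares one must
# re-state `contents: read` for actions/checkout to work on private repos.
#
# NOTE(review): the fluidattacks/* actions are referenced by the mutable
# `@main` ref, so a push to that branch changes what runs in this workflow.
# Pin each of them to a full-length commit SHA once one has been reviewed.
name: Security Scans

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read

jobs:
  # Differential static analysis of the PR; results stored as an artifact.
  sast:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # needed by actions/checkout
      # Only required when SARIF is uploaded to GitHub code scanning; this job
      # stores it as an artifact instead. TODO(review): confirm the scan action
      # does not upload on its own, then drop this scope.
      security-events: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # required for differential scanning
      - uses: fluidattacks/sast-action@main
        id: scan
        with:
          scan_config_path: .github/.fluidattacks.yaml
          scanner_mode: diff
      - name: Upload SAST results
        if: always()  # keep whatever was written even if the scan step failed
        uses: actions/upload-artifact@v4
        with:
          name: sast-results
          path: fluidattacks-results.sarif
          if-no-files-found: warn

  # Full dependency (software composition) scan; results stored as an artifact.
  sca-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # needed by actions/checkout
      # See the note on the sast job: only needed for code-scanning uploads.
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: fluidattacks/sca-action@main
        id: scan
        with:
          scan_config_path: .github/.fluidattacks.yaml
          scanner_mode: full
      - name: Upload SCA results
        if: always()  # keep whatever was written even if the scan step failed
        uses: actions/upload-artifact@v4
        with:
          name: sca-results
          path: fluidattacks-results.sarif
          if-no-files-found: warn

  # Dynamic scan; fails the job when the action reports findings. Inherits the
  # workflow-level read-only token.
  dast-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: fluidattacks/dast-action@main
        id: scan
        with:
          scan_config_path: .github/.fluidattacks.yaml
      - name: Fail if vulnerabilities found
        # The action's output is a string, hence the comparison with 'true'.
        if: steps.scan.outputs.vulnerabilities_found == 'true'
        run: exit 1

  # Secret scanning; no artifact is produced by this job.
  secret-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read  # needed by actions/checkout
      # See the note on the sast job: only needed for code-scanning uploads.
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: fluidattacks/secret-scan-action@main
        id: scan
        with:
          scan_config_path: .github/.fluidattacks.yaml

  # Pulls the CI-gate report from the platform. No checkout is needed here.
  ci-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: fluidattacks/ci-gate-action@main
        with:
          # NOTE(review): on pull_request runs triggered from a fork, GitHub
          # does not provide repository secrets, so this expands to an empty
          # string there — confirm that is acceptable for the gate.
          api_token: ${{ secrets.FA_API_TOKEN }}
          strict: false
          report_output_path: ci-gate-report.json
      - name: Upload CI gate report
        if: always()  # keep the report even if the gate step failed
        uses: actions/upload-artifact@v4
        with:
          name: ci-gate-report
          path: ci-gate-report.json
          if-no-files-found: warn

  # Cross-checks SAST and SCA findings against the CI-gate report.
  compare:
    needs: [sast, sca-scan, ci-gate]
    # Run even when one of the needed jobs failed (so partial results are
    # still compared), but not when the run was cancelled.
    if: '!cancelled()'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Each download tolerates a missing artifact (the producing job may have
      # failed before uploading); the compare script sees the absent file.
      - uses: actions/download-artifact@v4
        continue-on-error: true
        with:
          name: sast-results
          path: artifacts/sast
      - uses: actions/download-artifact@v4
        continue-on-error: true
        with:
          name: sca-results
          path: artifacts/sca
      - uses: actions/download-artifact@v4
        continue-on-error: true
        with:
          name: ci-gate-report
          path: artifacts/ci-gate
      - name: Compare findings against platform
        # Both comparisons always run; each failure is captured with `|| x=$?`
        # so the default `-e` shell does not stop at the first one, and the
        # step fails if either comparison failed.
        run: |
          sast_result=0
          sca_result=0
          echo "--- SAST ---"
          python3 .github/scripts/compare-findings.py \
            --technique SAST \
            artifacts/sast/fluidattacks-results.sarif \
            artifacts/ci-gate/ci-gate-report.json || sast_result=$?
          echo "--- SCA ---"
          python3 .github/scripts/compare-findings.py \
            --technique SCA \
            artifacts/sca/fluidattacks-results.sarif \
            artifacts/ci-gate/ci-gate-report.json || sca_result=$?
          exit $((sast_result | sca_result))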