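--- a/<WORKFLOW_PATH_NOT_ON_PAGE>
+++ b/<WORKFLOW_PATH_NOT_ON_PAGE>
@@ -1,7 +1,134 @@
 name : DigiCert Code Scan
-on : workflow_dispatch
+
+on :
+workflow_dispatch :
+
 jobs :
-noop :
+analyze :
+name : Analyze (${{ matrix.language }})
+runs-on : ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+
+permissions :
+# required for all workflows
+security-events : write
+
+# required to fetch internal or private CodeQL packs
+packages : read
+
+# only required for workflows in private repositories
+actions : read
+contents : read
+
+strategy :
+fail-fast : false
+matrix :
+include :
+# - This will be replaced with the generated language and build mode content on runtime
+- language : Python
+build-mode : none
+steps :
+- name : Checkout repository
+uses : actions/checkout@v4
+
+# Initializes the CodeQL tools for scanning.
+- name : Initialize CodeQL
+uses : github/codeql-action/init@v3
+with :
+languages : ${{ matrix.language }}
+build-mode : ${{ matrix.build-mode }}
+
+- name : Perform CodeQL Analysis
+uses : github/codeql-action/analyze@v3
+with :
+category : ' /language:${{matrix.language}}'
+upload : false
+output : " codeql-${{ matrix.language }}.sarif"
+
+- name : Upload SARIF result as artifact
+uses : actions/upload-artifact@v4
+with :
+name : codeql-sarif-${{ matrix.language }}
+path : codeql-${{ matrix.language }}.sarif
+
+gitleaks-analyze :
+name : Gitleaks Scan (SARIF)
+runs-on : ubuntu-latest
+steps :
+- name : Checkout repository
+uses : actions/checkout@v4
+with :
+fetch-depth : 0
+
+- name : Install jq
+run : |
+sudo apt-get update -y
+sudo apt-get install -y jq
+
+- name : Install gitleaks (OSS)
+env :
+GITLEAKS_VERSION : 8.18.4
+run : |
+set -e
+curl -fsSL -o gitleaks.tar.gz "https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz"
+tar -xzf gitleaks.tar.gz
+test -f gitleaks && chmod +x gitleaks && sudo mv gitleaks /usr/local/bin/gitleaks
+gitleaks version
+
+- name : Run Gitleaks (SARIF output)
+run : |
+gitleaks detect --source . --report-format sarif --report-path gitleaks.sarif --no-banner --redact --no-git || true
+
+- name : Upload Gitleaks SARIF as artifact
+uses : actions/upload-artifact@v4
+with :
+name : gitleaks-sarif
+path : gitleaks.sarif
+
+zip-sarif :
+name : Zip All SARIF Results
+runs-on : ubuntu-latest
+needs : [analyze, gitleaks-analyze]
+steps :
+- name : Download all SARIF artifacts
+uses : actions/download-artifact@v4
+with :
+# Grab both codeql and gitleaks SARIF artifacts for zipping
+pattern : " *-sarif*"
+path : ./sarif-results
+merge-multiple : true
+
+- name : Zip SARIF results
+run : |
+cd sarif-results
+find . -name "*.sarif" -print | zip ../digicert_scan_results.zip -@
+
+- name : Delete all SARIF files after zipping
+run : |
+find ./sarif-results -name "*.sarif" -delete
+
+- name : Upload zipped SARIF results as artifact
+uses : actions/upload-artifact@v4
+with :
+name : digicert_scan_results
+path : digicert_scan_results.zip
+
+sbom :
+name : Generate SBOM
 runs-on : ubuntu-latest
 steps :
-- run : echo "This is just a placeholder"
+- name : Checkout code
+uses : actions/checkout@v4
+
+- name : Run Trivy to generate SBOM
+uses : aquasecurity/trivy-action@0.33.1
+with :
+scan-type : ' fs'
+format : ' cyclonedx'
+output : ' sbom-cdxgen.cyclonedx.json'
+
+- name : Upload SBOM as artifact
+uses : actions/upload-artifact@v4
+with :
+name : sbom-cdxgen
+path : |
+sbom-cdxgen.cyclonedx.json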
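Review bot: The gitleaks install step (`curl … gitleaks.tar.gz`, `tar -xzf`, `sudo mv gitleaks /usr/local/bin/gitleaks`) runs a binary fetched over the network with no integrity check, and every `uses:` reference in the new jobs (`actions/checkout@v4`, `github/codeql-action/init@v3`, `github/codeql-action/analyze@v3`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `aquasecurity/trivy-action@0.33.1`) is a mutable tag rather than a commit SHA. Verify the tarball before extracting it, e.g. `echo "<EXPECTED_SHA256_FROM_RELEASE>  gitleaks.tar.gz" | sha256sum -c -` inserted after the `curl` line, and pin each action to its full commit SHA with the tag kept as a trailing comment so Dependabot/Renovate can still track it. The `|| true` on the `gitleaks detect` line hides scanner crashes and bad-argument errors as well as findings; if the intent is only to keep the job green when leaks are reported so the SARIF artifact still uploads, passing `--exit-code 0` (if supported by this gitleaks version) is the narrower option. Since `--no-git` scans only the checked-out tree, the `fetch-depth: 0` full-history clone in the same job buys nothing and history is never scanned for committed secrets — either drop the full fetch or drop `--no-git`. Only `analyze` declares `permissions:`; a workflow-level `permissions: contents: read` would give `gitleaks-analyze`, `zip-sarif` and `sbom` a least-privilege token instead of the repository default, and `security-events: write` in `analyze` looks unnecessary while `upload: false` is set.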