-
Notifications
You must be signed in to change notification settings - Fork 24
158 lines (133 loc) · 4.15 KB
/
security-scan.yml
File metadata and controls
158 lines (133 loc) · 4.15 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
name: Security Scan
on:
pull_request:
branches: [main, develop]
schedule:
# Weekly Monday 6am UTC
- cron: '0 6 * * 1'
workflow_dispatch:
permissions:
contents: read
security-events: write
packages: read
jobs:
govulncheck:
name: Go Vulnerability Check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck
run: govulncheck ./...
gosec:
name: Go Security Analysis
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: actions/setup-go@v6
with:
go-version-file: go.mod
- name: Install gosec
run: go install github.com/securego/gosec/v2/cmd/gosec@latest
- name: Run gosec
run: gosec -exclude-generated -fmt sarif -out gosec-results.sarif ./... || true
- name: Upload SARIF results
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: gosec-results.sarif
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- uses: actions/checkout@v6
- uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
deny-licenses: GPL-3.0, AGPL-3.0
trivy-image-chatcli:
name: Trivy — ChatCLI Image
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Build ChatCLI image for scanning
uses: docker/build-push-action@v7
with:
context: .
push: false
load: true
no-cache: true
tags: chatcli:scan
# SARIF upload — informational, all severities, never blocks
- name: Trivy scan (SARIF report)
uses: aquasecurity/trivy-action@master
with:
image-ref: chatcli:scan
format: sarif
output: trivy-chatcli.sarif
exit-code: '0'
- name: Upload Trivy SARIF results
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: trivy-chatcli.sarif
category: trivy-chatcli
# Gate — only fails on fixable HIGH/CRITICAL OS vulns (Go vulns covered by govulncheck)
- name: Trivy gate (fixable HIGH/CRITICAL)
uses: aquasecurity/trivy-action@master
with:
image-ref: chatcli:scan
format: table
severity: CRITICAL,HIGH
ignore-unfixed: true
trivyignores: .trivyignore.yaml
scanners: vuln
exit-code: '1'
trivy-image-operator:
name: Trivy — Operator Image
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Build Operator image for scanning
uses: docker/build-push-action@v7
with:
context: .
file: ./operator/Dockerfile
push: false
load: true
no-cache: true
tags: chatcli-operator:scan
# SARIF upload — informational, all severities, never blocks
- name: Trivy scan (SARIF report)
uses: aquasecurity/trivy-action@master
with:
image-ref: chatcli-operator:scan
format: sarif
output: trivy-operator.sarif
exit-code: '0'
- name: Upload Trivy SARIF results
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: trivy-operator.sarif
category: trivy-operator
# Gate — only fails on fixable HIGH/CRITICAL OS vulns (Go vulns covered by govulncheck)
- name: Trivy gate (fixable HIGH/CRITICAL)
uses: aquasecurity/trivy-action@master
with:
image-ref: chatcli-operator:scan
format: table
severity: CRITICAL,HIGH
ignore-unfixed: true
trivyignores: .trivyignore.yaml
scanners: vuln
exit-code: '1'