Enhanced developer experience #1

Workflow file for this run

.github/workflows/security-scan.yml at 2ab626d

	name: Security Scan

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	schedule:
	# Run security scan weekly
	- cron: '0 2 * * 1'

	jobs:
	secret-scan:
	runs-on: ubuntu-latest
	name: Secret Detection
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Run TruffleHog OSS
	uses: trufflesecurity/trufflehog@main
	with:
	path: ./
	base: main
	head: HEAD
	extra_args: --debug --only-verified

	dependency-scan:
	runs-on: ubuntu-latest
	name: Dependency Vulnerability Scan
	steps:
	- uses: actions/checkout@v4

	- name: Scan for vulnerable dependencies
	run: \|
	echo "Scanning for vulnerable dependencies..."

	# Find all package.json files
	find . -name "package.json" -not -path "./node_modules/*" \| while read -r package_file; do
	echo "Scanning: $package_file"
	dir=$(dirname "$package_file")

	if command -v npm >/dev/null 2>&1; then
	cd "$dir"
	npm audit --audit-level=high \|\| echo "❌ Vulnerabilities found in $package_file"
	cd - > /dev/null
	fi
	done

	# Find all requirements.txt files
	find . -name "requirements.txt" -not -path "./venv/*" \| while read -r req_file; do
	echo "Found Python requirements: $req_file"
	echo "⚠️ Consider using 'pip-audit' for Python dependency scanning"
	done

	# Find all go.mod files
	find . -name "go.mod" \| while read -r go_file; do
	echo "Found Go module: $go_file"
	echo "⚠️ Consider using 'nancy' or 'govulncheck' for Go dependency scanning"
	done

	dockerfile-scan:
	runs-on: ubuntu-latest
	name: Dockerfile Security Scan
	steps:
	- uses: actions/checkout@v4

	- name: Run Hadolint
	uses: hadolint/hadolint-action@v3.1.0
	with:
	dockerfile: "*/Dockerfile"
	failure-threshold: warning
	format: sarif
	output-file: hadolint-results.sarif

	- name: Upload Hadolint results
	uses: github/codeql-action/upload-sarif@v2
	if: always()
	with:
	sarif_file: hadolint-results.sarif

	compose-security:
	runs-on: ubuntu-latest
	name: Docker Compose Security Check
	steps:
	- uses: actions/checkout@v4

	- name: Security check for Docker Compose files
	run: \|
	echo "Checking Docker Compose files for security issues..."

	# Find all docker-compose files
	find . -name "docker-compose.y*ml" \| while read -r compose_file; do
	echo "Checking: $compose_file"

	# Check for privileged containers
	if grep -q "privileged.*true" "$compose_file"; then
	echo "❌ Privileged container found in: $compose_file"
	fi

	# Check for host network mode
	if grep -q "network_mode.*host" "$compose_file"; then
	echo "⚠️ Host network mode found in: $compose_file"
	fi

	# Check for dangerous volume mounts
	if grep -q "/var/run/docker.sock" "$compose_file"; then
	echo "❌ Docker socket mount found in: $compose_file"
	fi

	if grep -q ":/proc" "$compose_file"; then
	echo "⚠️ /proc mount found in: $compose_file"
	fi

	# Check for exposed sensitive ports
	if grep -E "ports:.*:(22\|3306\|5432\|6379\|27017\|9200)" "$compose_file"; then
	echo "⚠️ Sensitive ports exposed in: $compose_file"
	fi

	# Check for missing restart policies
	if ! grep -q "restart:" "$compose_file"; then
	echo "ℹ️ No restart policy specified in: $compose_file"
	fi
	done

	code-security:
	runs-on: ubuntu-latest
	name: Code Security Analysis
	steps:
	- uses: actions/checkout@v4

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v2
	with:
	languages: javascript, python, go
	queries: security-and-quality

	- name: Autobuild
	uses: github/codeql-action/autobuild@v2

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v2
	with:
	category: "/language:javascript,python,go"

	security-summary:
	runs-on: ubuntu-latest
	needs: [secret-scan, dependency-scan, dockerfile-scan, compose-security, code-security]
	if: always()
	name: Security Summary

	steps:
	- name: Security Scan Summary
	run: \|
	echo "## Security Scan Results" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY

	# Check job results
	secret_result="${{ needs.secret-scan.result }}"
	dependency_result="${{ needs.dependency-scan.result }}"
	dockerfile_result="${{ needs.dockerfile-scan.result }}"
	compose_result="${{ needs.compose-security.result }}"
	code_result="${{ needs.code-security.result }}"

	echo "\| Security Check \| Status \|" >> $GITHUB_STEP_SUMMARY
	echo "\|----------------\|--------\|" >> $GITHUB_STEP_SUMMARY
	echo "\| Secret Detection \| $secret_result \|" >> $GITHUB_STEP_SUMMARY
	echo "\| Dependency Scan \| $dependency_result \|" >> $GITHUB_STEP_SUMMARY
	echo "\| Dockerfile Scan \| $dockerfile_result \|" >> $GITHUB_STEP_SUMMARY
	echo "\| Compose Security \| $compose_result \|" >> $GITHUB_STEP_SUMMARY
	echo "\| Code Analysis \| $code_result \|" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY

	# Overall status
	if [[ "$secret_result $dependency_result $dockerfile_result $compose_result $code_result" == "failure" ]]; then
	echo "🔴 Security issues detected! Please review the scan results." >> $GITHUB_STEP_SUMMARY
	else
	echo "🟢 All security scans passed successfully." >> $GITHUB_STEP_SUMMARY
	fi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enhanced developer experience #1

Workflow file

Enhanced developer experience #1

Uh oh!

Workflow file for this run