11# Combined configuration from 12 templates
2- # Scanners: osv-scanner, opengrep, Trufflehog, Trivy, checkov, Trivy , CDXGen, Gitleaks, grype, tfsec, OWASP Depscan + cdxgen, Semgrep
2+ # Scanners: Semgrep, OWASP Depscan + cdxgen, tfsec, grype, Gitleaks , CDXGen, Trivy, checkov, Trivy, Trufflehog, osv-scanner, opengrep
33# Generated for GITHUB by ScanDog
44name : Combined Security Scanner Pipeline
55on :
6- push :
6+ pull_request :
77 branches :
88 - main
9+ workflow_dispatch :
910
1011jobs :
11- # Jobs from template: osv-scanner
12- scandog_osv_scanner_scan :
12+ # Jobs from template: Semgrep
13+ scandog_semgrep_scan :
14+ runs-on : ubuntu-latest
15+ container :
16+ image : semgrep/semgrep
17+ steps :
18+ - name : Checkout code
19+ uses : actions/checkout@v4
20+ - name : semgrep scan
21+ run : semgrep scan --config auto --json > semgrep.json
22+ - name : Import results to ScanDog
23+ uses : scandogio/scandog-import@v1.0
24+ with :
25+ ci_run_id : ${{ github.run_id }}
26+ report_file : semgrep.json
27+ workflow_id : " 77870259287eac45b40e65decf2207c3"
28+ scan_type : SAST
29+ scanner : Semgrep
30+ backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
31+ backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
32+ # Jobs from template: OWASP Depscan + cdxgen
33+ scandog_depscan_sca :
1334 runs-on : ubuntu-latest
1435 steps :
1536 - uses : actions/checkout@v4
16- - name : Install osv-scanner
37+ - name : Set up Python
38+ uses : actions/setup-python@v4
39+ with :
40+ python-version : ' 3.x'
41+ - name : Install OWASP-depscan
1742 run : |
18- sudo apt-get update
19- sudo apt-get install -y snapd
20- sudo snap install osv-scanner
21- - name : Run osv-scanner
22- run : osv-scanner scan . --json osv-results.json
43+ pip install owasp-depscan
44+ - name : Set up Node.js
45+ uses : actions/setup-node@v4
46+ with :
47+ node-version : 21
48+ - name : Install cdxgen
49+ run : npm install -g @cyclonedx/cdxgen
50+ - name : scan SBOM by OWASP depscan
51+ run : |
52+ cd $GITHUB_WORKSPACE
53+ export FETCH_LICENSE=true
54+ depscan -i . --reports-dir .
2355 - name : Import results to ScanDog
2456 uses : scandogio/scandog-import@v1.0
2557 with :
2658 ci_run_id : ${{ github.run_id }}
27- report_file : osv-results .json
59+ report_file : sbom-universal.vdr .json
2860 workflow_id : " 77870259287eac45b40e65decf2207c3"
2961 scan_type : SCA
30- scanner : osv-scanner
62+ scanner : depscan
3163 backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
3264 backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
33- # Jobs from template: opengrep
34- scandog_opengrep_scan :
65+ # Jobs from template: tfsec
66+ scandog_tfsec_scan :
3567 runs-on : ubuntu-latest
3668 steps :
37- - name : Checkout code
38- uses : actions/checkout@v4
39- - name : Install Opengrep
40- run : |
41- apt-get update && apt-get install -y curl jq
42- latest_version=$(curl --silent "https://api.github.com/repos/opengrep/opengrep/releases/latest" | jq -r .tag_name)
43- curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${latest_version}/opengrep_manylinux_x86"
44- chmod +x opengrep
45- mv opengrep /usr/local/bin/opengrep
46- - name : Run Opengrep
47- run : opengrep scan --config auto --json-output=opengrep.json .
69+ - uses : actions/checkout@v4
70+ - name : Run tfsec
71+ uses : aquasecurity/tfsec-action@v1.0.0
72+ with :
73+ format : json
74+ out : tfsec-results.json
4875 - name : Import results to ScanDog
4976 uses : scandogio/scandog-import@v1.0
5077 with :
5178 ci_run_id : ${{ github.run_id }}
52- report_file : opengrep .json
79+ report_file : tfsec-results .json
5380 workflow_id : " 77870259287eac45b40e65decf2207c3"
54- scan_type : SAST
55- scanner : opengrep
81+ scan_type : IaC Scanner
82+ scanner : tfsec
5683 backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
5784 backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
58- # Jobs from template: Trufflehog
59- scandog_trufflehog_scan :
85+ # Jobs from template: grype
86+ scandog_grype_sca :
6087 runs-on : ubuntu-latest
6188 steps :
6289 - uses : actions/checkout@v4
63- - name : Install & Run Trufflehog
90+ - name : Run Grype
91+ uses : anchore/scan-action@v6
92+ with :
93+ path : .
94+ output-format : json
95+ output-file : grype-results.json
96+ fail-build : false
97+ - name : Import results to ScanDog
98+ uses : scandogio/scandog-import@v1.0
99+ with :
100+ ci_run_id : ${{ github.run_id }}
101+ report_file : grype-results.json
102+ workflow_id : " 77870259287eac45b40e65decf2207c3"
103+ scan_type : SCA
104+ scanner : grype
105+ backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
106+ backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
107+ # Jobs from template: Gitleaks
108+ scandog_gitleaks_scan :
109+ runs-on : ubuntu-latest
110+ steps :
111+ - uses : actions/checkout@v4
112+ with :
113+ fetch-depth : 0
114+ - name : Install & Run Gitleaks
64115 run : |
65- curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
66- trufflehog filesystem --json . > trufflehog.json
116+ git clone https://github.com/gitleaks/gitleaks.git
117+ cd gitleaks
118+ make build
119+ cd $GITHUB_WORKSPACE
120+ gitleaks dir . -f json -r gitleaks.json
67121 - name : Import results to ScanDog
68122 uses : scandogio/scandog-import@v1.0
69123 with :
70124 ci_run_id : ${{ github.run_id }}
71- report_file : trufflehog .json
125+ report_file : gitleaks .json
72126 workflow_id : " 77870259287eac45b40e65decf2207c3"
73127 scan_type : Secret Scanning
74- scanner : trufflehog
128+ scanner : gitleaks
129+ backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
130+ backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
131+ # Jobs from template: CDXGen
132+ scandog_cdxgen_scan :
133+ runs-on : ubuntu-latest
134+ steps :
135+ - uses : actions/checkout@v4
136+ - name : Install cdxgen
137+ run : npm install -g @cyclonedx/cdxgen
138+ - name : Generate SBOM
139+ run : cdxgen --input . --output sbom.json
140+ - name : Import results to ScanDog
141+ uses : scandogio/scandog-import@v1.0
142+ with :
143+ ci_run_id : ${{ github.run_id }}
144+ report_file : sbom.json
145+ workflow_id : " 77870259287eac45b40e65decf2207c3"
146+ scan_type : SBOM
147+ scanner : cdxgen
75148 backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
76149 backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
77150# Jobs from template: Trivy
@@ -83,18 +156,16 @@ jobs:
83156 - name : Trivy vulnerability scanner
84157 uses : aquasecurity/trivy-action@master
85158 with :
86- scan-type : ' fs'
87- scan-ref : .
159+ image-ref : rabbitmq:management
88160 format : ' json'
89161 output : ' trivy-results.json'
90- scanners : ' misconfig'
91162 - name : Import results to ScanDog
92163 uses : scandogio/scandog-import@v1.0
93164 with :
94165 ci_run_id : ${{ github.run_id }}
95166 report_file : trivy-results.json
96167 workflow_id : " 77870259287eac45b40e65decf2207c3"
97- scan_type : IaC Scanner
168+ scan_type : Container Scanner
98169 scanner : Trivy
99170 backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
100171 backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
@@ -132,154 +203,84 @@ jobs:
132203 - name : Trivy vulnerability scanner
133204 uses : aquasecurity/trivy-action@master
134205 with :
135- image-ref : rabbitmq:management
206+ scan-type : ' fs'
207+ scan-ref : .
136208 format : ' json'
137209 output : ' trivy-results.json'
210+ scanners : ' misconfig'
138211 - name : Import results to ScanDog
139212 uses : scandogio/scandog-import@v1.0
140213 with :
141214 ci_run_id : ${{ github.run_id }}
142215 report_file : trivy-results.json
143216 workflow_id : " 77870259287eac45b40e65decf2207c3"
144- scan_type : Container Scanner
217+ scan_type : IaC Scanner
145218 scanner : Trivy
146219 backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
147220 backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
148- # Jobs from template: CDXGen
149- scandog_cdxgen_scan :
150- runs-on : ubuntu-latest
151- steps :
152- - uses : actions/checkout@v4
153- - name : Install cdxgen
154- run : npm install -g @cyclonedx/cdxgen
155- - name : Generate SBOM
156- run : cdxgen --input . --output sbom.json
157- - name : Import results to ScanDog
158- uses : scandogio/scandog-import@v1.0
159- with :
160- ci_run_id : ${{ github.run_id }}
161- report_file : sbom.json
162- workflow_id : " 77870259287eac45b40e65decf2207c3"
163- scan_type : SBOM
164- scanner : cdxgen
165- backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
166- backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
167- # Jobs from template: Gitleaks
168- scandog_gitleaks_scan :
221+ # Jobs from template: Trufflehog
222+ scandog_trufflehog_scan :
169223 runs-on : ubuntu-latest
170224 steps :
171225 - uses : actions/checkout@v4
172- with :
173- fetch-depth : 0
174- - name : Install & Run Gitleaks
226+ - name : Install & Run Trufflehog
175227 run : |
176- git clone https://github.com/gitleaks/gitleaks.git
177- cd gitleaks
178- make build
179- cd $GITHUB_WORKSPACE
180- gitleaks dir . -f json -r gitleaks.json
228+ curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
229+ trufflehog filesystem --json . > trufflehog.json
181230 - name : Import results to ScanDog
182231 uses : scandogio/scandog-import@v1.0
183232 with :
184233 ci_run_id : ${{ github.run_id }}
185- report_file : gitleaks .json
234+ report_file : trufflehog .json
186235 workflow_id : " 77870259287eac45b40e65decf2207c3"
187236 scan_type : Secret Scanning
188- scanner : gitleaks
189- backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
190- backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
191- # Jobs from template: grype
192- scandog_grype_sca :
193- runs-on : ubuntu-latest
194- steps :
195- - uses : actions/checkout@v4
196- - name : Run Grype
197- uses : anchore/scan-action@v6
198- with :
199- path : .
200- output-format : json
201- output-file : grype-results.json
202- fail-build : false
203- - name : Import results to ScanDog
204- uses : scandogio/scandog-import@v1.0
205- with :
206- ci_run_id : ${{ github.run_id }}
207- report_file : grype-results.json
208- workflow_id : " 77870259287eac45b40e65decf2207c3"
209- scan_type : SCA
210- scanner : grype
211- backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
212- backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
213- # Jobs from template: tfsec
214- scandog_tfsec_scan :
215- runs-on : ubuntu-latest
216- steps :
217- - uses : actions/checkout@v4
218- - name : Run tfsec
219- uses : aquasecurity/tfsec-action@v1.0.0
220- with :
221- format : json
222- out : tfsec-results.json
223- - name : Import results to ScanDog
224- uses : scandogio/scandog-import@v1.0
225- with :
226- ci_run_id : ${{ github.run_id }}
227- report_file : tfsec-results.json
228- workflow_id : " 77870259287eac45b40e65decf2207c3"
229- scan_type : IaC Scanner
230- scanner : tfsec
237+ scanner : trufflehog
231238 backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
232239 backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
233- # Jobs from template: OWASP Depscan + cdxgen
234- scandog_depscan_sca :
240+ # Jobs from template: osv-scanner
241+ scandog_osv_scanner_scan :
235242 runs-on : ubuntu-latest
236243 steps :
237244 - uses : actions/checkout@v4
238- - name : Set up Python
239- uses : actions/setup-python@v4
240- with :
241- python-version : ' 3.x'
242- - name : Install OWASP-depscan
243- run : |
244- pip install owasp-depscan
245- - name : Set up Node.js
246- uses : actions/setup-node@v4
247- with :
248- node-version : 21
249- - name : Install cdxgen
250- run : npm install -g @cyclonedx/cdxgen
251- - name : scan SBOM by OWASP depscan
245+ - name : Install osv-scanner
252246 run : |
253- cd $GITHUB_WORKSPACE
254- export FETCH_LICENSE=true
255- depscan -i . --reports-dir .
247+ sudo apt-get update
248+ sudo apt-get install -y snapd
249+ sudo snap install osv-scanner
250+ - name : Run osv-scanner
251+ run : osv-scanner scan . --json osv-results.json
256252 - name : Import results to ScanDog
257253 uses : scandogio/scandog-import@v1.0
258254 with :
259255 ci_run_id : ${{ github.run_id }}
260- report_file : sbom-universal.vdr .json
256+ report_file : osv-results .json
261257 workflow_id : " 77870259287eac45b40e65decf2207c3"
262258 scan_type : SCA
263- scanner : depscan
259+ scanner : osv-scanner
264260 backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
265261 backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
266- # Jobs from template: Semgrep
267- scandog_semgrep_scan :
262+ # Jobs from template: opengrep
263+ scandog_opengrep_scan :
268264 runs-on : ubuntu-latest
269- container :
270- image : semgrep/semgrep
271265 steps :
272266 - name : Checkout code
273267 uses : actions/checkout@v4
274- - name : semgrep scan
275- run : semgrep scan --config auto --json > semgrep.json
268+ - name : Install Opengrep
269+ run : |
270+ apt-get update && apt-get install -y curl jq
271+ latest_version=$(curl --silent "https://api.github.com/repos/opengrep/opengrep/releases/latest" | jq -r .tag_name)
272+ curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${latest_version}/opengrep_manylinux_x86"
273+ chmod +x opengrep
274+ mv opengrep /usr/local/bin/opengrep
275+ - name : Run Opengrep
276+ run : opengrep scan --config auto --json-output=opengrep.json .
276277 - name : Import results to ScanDog
277278 uses : scandogio/scandog-import@v1.0
278279 with :
279280 ci_run_id : ${{ github.run_id }}
280- report_file : semgrep .json
281+ report_file : opengrep .json
281282 workflow_id : " 77870259287eac45b40e65decf2207c3"
282283 scan_type : SAST
283- scanner : Semgrep
284+ scanner : opengrep
284285 backend_api_token : ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
285286 backend_url : ${{ secrets.SCANDOG_BACKEND_URL }}
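Review bot: Switching the trigger from `push` to `pull_request` (new lines 6–9 in the first hunk) changes what every "Import results to ScanDog" step sees: for pull requests opened from a fork, GitHub does not expose repository secrets, so `${{ secrets.SCANDOG_BACKEND_API_TOKEN }}` and `${{ secrets.SCANDOG_BACKEND_URL }}` expand to empty strings in all twelve jobs and the import either fails or posts unauthenticated — worth either keeping `push` on `main` as a trigger or documenting that forked PRs are not expected. The workflow also still declares no top-level `permissions:`, so the default `GITHUB_TOKEN` grants are inherited by every job although none of them needs more than checkout; adding `permissions:` / `  contents: read` after the `name:` line scopes that down. Separately, the carried-over install steps (`aquasecurity/trivy-action@master`, the `curl … | sh` Trufflehog installer from `main`, the Gitleaks `git clone` + `make build` of the default branch, and the unchecksummed Opengrep "latest" download) are all unpinned, so a tag or digest pin would make the pipeline reproducible and reviewable.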