Update code-scans.yaml #17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
| name: SDLE Scans | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| PR_number: | |
| description: 'Pull request number' | |
| required: true | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| types: [opened, synchronize, reopened, ready_for_review] | |
| concurrency: | |
| group: sdle-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| # ----------------------------- | |
| # 1) Trivy Scan | |
| # ----------------------------- | |
| trivy_scan: | |
| name: Trivy Vulnerability Scan | |
| runs-on: ubuntu-latest | |
| env: | |
| TRIVY_REPORT_FORMAT: table | |
| TRIVY_SCAN_TYPE: fs | |
| TRIVY_SCAN_PATH: . | |
| TRIVY_EXIT_CODE: '1' | |
| TRIVY_VULN_TYPE: os,library | |
| TRIVY_SEVERITY: CRITICAL,HIGH | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Create report directory | |
| run: mkdir -p trivy-reports | |
| - name: Run Trivy FS Scan | |
| uses: aquasecurity/trivy-action@0.35.0 | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| scanners: 'vuln,misconfig,secret,license' | |
| ignore-unfixed: true | |
| format: 'table' | |
| exit-code: '1' | |
| output: 'trivy-reports/trivy_scan_report.txt' | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Upload Trivy Report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: trivy-report | |
| path: trivy-reports/trivy_scan_report.txt | |
| - name: Show Trivy Report in Logs | |
| if: failure() | |
| run: | | |
| echo "========= TRIVY FINDINGS =========" | |
| cat trivy-reports/trivy_scan_report.txt | |
| echo "=================================" | |
| # ----------------------------- | |
| # 2) Bandit Scan | |
| # ----------------------------- | |
| bandit_scan: | |
| name: Bandit security scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: 'recursive' | |
| fetch-depth: 0 | |
| - uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.x" | |
| - name: Install Bandit | |
| run: pip install bandit | |
| - name: Create Bandit configuration | |
| shell: bash | |
| run: | | |
| cat > .bandit << 'EOF' | |
| [bandit] | |
| exclude_dirs = tests,test,venv,.venv,node_modules | |
| skips = B101 | |
| EOF | |
| - name: Run Bandit scan | |
| run: | | |
| bandit -r . -ll -iii -f screen | |
| bandit -r . -ll -iii -f html -o bandit-report.html | |
| - name: Upload Bandit Report | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: bandit-report | |
| path: bandit-report.html | |
| retention-days: 30 | |
| # ----------------------------- | |
| # 3) CodeQL Analysis | |
| # ----------------------------- | |
| codeql_scan: | |
| name: CodeQL Analysis | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| contents: read | |
| actions: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [ 'python', 'javascript' ] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@v3 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:${{matrix.language}}" |
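Review bot: The "Upload Trivy Report" step has no `if:` condition, so with `exit-code: '1'` the scan step fails whenever CRITICAL/HIGH findings exist and the artifact upload is skipped in exactly the case it is needed; add `if: always()` to that step and likewise to "Upload Bandit Report". The Bandit job has the same gap one level deeper: the `-f screen` invocation exits non-zero on findings before the `-f html -o bandit-report.html` line runs, so swap the two `bandit` lines so the report is written first (the screen run still sets the step's exit status). Only `codeql_scan` scopes its token, so `trivy_scan` and `bandit_scan` run with the repository's default GITHUB_TOKEN permissions; add a workflow-level `permissions:` block with `contents: read` and let the CodeQL job's own block keep `security-events: write`. For a security-scanning workflow the actions are pinned loosely (`actions/checkout@v4`, `aquasecurity/trivy-action@0.35.0`, `github/codeql-action/*@v3`) and `pip install bandit` floats, so pin each action to a full commit SHA and pin the Bandit version. GitHub's banner on this page reports hidden or bidirectional Unicode in the file while nothing unusual is visible in the rendered text, so inspect the raw bytes (e.g. a hex dump or yamllint) before merging.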