MediScriptAI/.github/workflows/code-scans.yaml at main · cld2labs/MediScriptAI · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
name: SDLE Scans

on:
  workflow_dispatch:
    inputs:
      PR_number:
        description: 'Pull request number'
        required: true
  push:
    branches: [ main ]
  pull_request:
    types: [opened, synchronize, reopened, ready_for_review]

concurrency:
  group: sdle-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:

# -----------------------------
# 1) Trivy Scan (fixed)
# -----------------------------
  trivy_scan:
    name: Trivy Vulnerability Scan
    runs-on: ubuntu-latest
    env:
      TRIVY_REPORT_FORMAT: table
      TRIVY_SCAN_TYPE: fs
      TRIVY_SCAN_PATH: .
      TRIVY_EXIT_CODE: '1'
      TRIVY_VULN_TYPE: os,library
      TRIVY_SEVERITY: CRITICAL,HIGH
    steps:
      - uses: actions/checkout@v4

      - name: Create report directory
        run: mkdir -p trivy-reports

      - name: Run Trivy FS Scan
        uses: aquasecurity/trivy-action@0.35.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          scanners: 'vuln,misconfig,secret,license'
          ignore-unfixed: true
          format: 'table'
          exit-code: '1'
          output: 'trivy-reports/trivy_scan_report.txt'
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy Report
        uses: actions/upload-artifact@v4
        with:
          name: trivy-report
          path: trivy-reports/trivy_scan_report.txt
      - name: Show Trivy Report in Logs
        if: failure()
        run: |
          echo "========= TRIVY FINDINGS ========="
          cat trivy-reports/trivy_scan_report.txt
          echo "================================="

# -----------------------------
# 2) Bandit Scan
# -----------------------------
  bandit_scan:
    name: Bandit security scan
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v4
      with:
        submodules: 'recursive'
        fetch-depth: 0
    - uses: actions/setup-python@v5
      with:
        python-version: "3.x"
    - name: Install Bandit
      run: pip install bandit
    - name: Create Bandit configuration
      run: |
        cat > .bandit << 'EOF'
        [bandit]
        exclude_dirs = tests,test,venv,.venv,node_modules
        skips = B101
        EOF
      shell: bash
    - name: Run Bandit scan
      run: |
        bandit -r . -ll -iii -f screen
        bandit -r . -ll -iii -f html -o bandit-report.html
    - name: Upload Bandit Report
      uses: actions/upload-artifact@v4
      with:
        name: bandit-report
        path: bandit-report.html
        retention-days: 30

# -----------------------------
# 3) CodeQL Analysis
# -----------------------------
  codeql_scan:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      contents: read
      actions: read
    strategy:
      fail-fast: false
      matrix:
        language: [ 'python', 'javascript' ]
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"