305 changes: 243 additions & 62 deletions .github/workflows/security.yml
@@ -1,101 +1,282 @@
name: Security Scan

on:
push
pull_request:
types: [opened, synchronize, reopened]
push:
branches: [main]

env:
# Configurações globais
FAIL_ON_SEVERITY: "CRITICAL,HIGH"
SARIF_RESULTS_DIR: "security-results"

jobs:
run_sast:
# Job de preparação - cria diretório para resultados
setup:
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep

outputs:
sarif-dir: ${{ env.SARIF_RESULTS_DIR }}
steps:
- name: clone application source code
uses: actions/checkout@v3
- name: Create results directory
run: mkdir -p ${{ env.SARIF_RESULTS_DIR }}

- name: run semgrep
run: |
semgrep \
--sarif --output semgrep.sarif \
--metrics=off \
--config="p/default"
# SAST - Static Application Security Testing
sast:
runs-on: ubuntu-latest
needs: setup
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: save report as pipeline artifact
uses: actions/upload-artifact@v3
- name: Run Semgrep
uses: returntocorp/semgrep-action@v1
with:
name: semgrep.sarif
path: semgrep.sarif
config: >-
p/security-audit
p/secrets
p/owasp-top-ten
generateSarif: "1"

- name: Download report
uses: actions/download-artifact@v2
with:
name: semgrep.sarif
- name: Upload SAST results
uses: actions/upload-artifact@v4
if: always()
with:
name: sast-results
path: semgrep.sarif
retention-days: 30

- name: Upload to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: semgrep.sarif
category: sast

run_sca:
# SCA - Software Composition Analysis (Multi-language)
sca:
runs-on: ubuntu-latest
needs: setup
strategy:
matrix:
scanner: [trivy, dependency-check]
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Build project with Maven
run: mvn clean install
- name: Depcheck
- name: Checkout code
uses: actions/checkout@v4

# Scanner Trivy - Melhor para Python, Node.js, Go, etc.
- name: Run Trivy SCA scan
if: matrix.scanner == 'trivy'
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-sca.sarif'
severity: 'CRITICAL,HIGH,MEDIUM'
ignore-unfixed: false

# Scanner Dependency Check - Melhor para Java, .NET
- name: Run Dependency Check
if: matrix.scanner == 'dependency-check'
uses: dependency-check/Dependency-Check_Action@main
id: Depcheck
with:
project: 'case-devsecops'
project: 'devsecops-project'
path: '.'
format: 'JSON'
out: 'depcheck'
format: 'SARIF'
out: 'dependency-check.sarif'
args: >
--failOnCVSS 7
--enableRetired
- name: Upload Test results
uses: actions/upload-artifact@master
with:
name: Depcheck report
path: ${{github.workspace}}/depcheck
--enableExperimental

run_dast:
runs-on: ubuntu-latest

steps:
- name: Config docker
uses: docker/setup-buildx-action@v1
- name: Upload SCA results
uses: actions/upload-artifact@v4
if: always()
with:
name: sca-results-${{ matrix.scanner }}
path: "*.sarif"
retention-days: 30

- name: Run api server
run: docker run -d --publish 5000:5000 frolvlad/flask-restplus-server-example

- name: Run owasp zap (dast)
uses: zaproxy/action-full-scan@v0.8.0
- name: Upload to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
target: 'http://127.0.0.1:5000'
sarif_file: "*.sarif"
category: sca-${{ matrix.scanner }}

run_secrets_scan:
# Secrets Scanning
secrets:
runs-on: ubuntu-latest
needs: setup
steps:
- uses: actions/checkout@v3
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2

- name: Run Gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_ENABLE_COMMENTS: false

- name: Run TruffleHog
uses: trufflesecurity/trufflehog@main
with:
path: ./
base: main
head: HEAD
extra_args: --debug --only-verified

run_iac_scan:
runs-on: ubuntu-20.04
# IaC - Infrastructure as Code Security
iac:
runs-on: ubuntu-latest
needs: setup
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4

- name: Run Trivy vulnerability scanner in IaC mode
- name: Run Trivy IaC scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
scan-type: 'config'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
output: 'trivy-iac.sarif'
severity: 'CRITICAL,HIGH'

- name: Upload artifact
uses: actions/upload-artifact@v2
- name: Run Checkov
uses: bridgecrewio/checkov-action@master
with:
directory: .
framework: dockerfile,kubernetes,terraform
output_format: sarif
output_file_path: checkov.sarif

- name: Upload IaC results
uses: actions/upload-artifact@v4
if: always()
with:
name: iac-results
path: "*.sarif"
retention-days: 30

- name: Upload to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: "*.sarif"
category: iac

# DAST - Dynamic Application Security Testing
dast:
runs-on: ubuntu-latest
needs: setup
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Setup Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build and start application
run: |
docker build -t app-under-test .
docker run -d --name test-app -p 5000:5000 app-under-test
sleep 30 # Wait for app to start

- name: Run OWASP ZAP Full Scan
uses: zaproxy/action-full-scan@v0.10.0
with:
target: 'http://localhost:5000'
rules_file_name: '.zap/rules.tsv'
cmd_options: '-a -j -m 5 -T 60'

- name: Upload DAST results
uses: actions/upload-artifact@v4
if: always()
with:
name: dast-results
path: report_html.html
retention-days: 30

# Consolidação de resultados para IA
consolidate-results:
runs-on: ubuntu-latest
needs: [sast, sca, secrets, iac]
if: always()
steps:
- name: Download all artifacts
uses: actions/download-artifact@v4
with:
path: all-results/

- name: Consolidate SARIF files
run: |
mkdir -p consolidated-sarif
find all-results/ -name "*.sarif" -exec cp {} consolidated-sarif/ \;
ls -la consolidated-sarif/

- name: Upload consolidated results
uses: actions/upload-artifact@v4
with:
name: consolidated-security-results
path: consolidated-sarif/
retention-days: 30

- name: Create summary comment (prepare for AI integration)
if: github.event_name == 'pull_request'
run: |
echo "# 🔒 Security Scan Results" > security-summary.md
echo "" >> security-summary.md
echo "| Scanner | Status | Files Scanned |" >> security-summary.md
echo "|---------|---------|---------------|" >> security-summary.md

# Count SARIF files to show scan status
SAST_FILES=$(find consolidated-sarif/ -name "*semgrep*" | wc -l)
SCA_FILES=$(find consolidated-sarif/ -name "*trivy*" -o -name "*dependency*" | wc -l)
IAC_FILES=$(find consolidated-sarif/ -name "*iac*" -o -name "*checkov*" | wc -l)

echo "| SAST (Semgrep) | ✅ | $SAST_FILES |" >> security-summary.md
echo "| SCA (Trivy/DepCheck) | ✅ | $SCA_FILES |" >> security-summary.md
echo "| IaC (Trivy/Checkov) | ✅ | $IAC_FILES |" >> security-summary.md
echo "| Secrets (Gitleaks) | ✅ | N/A |" >> security-summary.md
echo "" >> security-summary.md
echo "**Next Step**: AI agent will analyze findings and suggest fixes 🤖" >> security-summary.md

- name: Upload summary
uses: actions/upload-artifact@v4
if: github.event_name == 'pull_request'
with:
name: security-summary
path: security-summary.md
retention-days: 7

# Preparação para trigger de IA (placeholder)
trigger-ai-analysis:
runs-on: ubuntu-latest
needs: consolidate-results
if: always() && github.event_name == 'pull_request'
steps:
- name: Trigger AI analysis workflow
run: |
echo "🤖 Triggering AI analysis for PR ${{ github.event.number }}"
echo "This step will trigger the AI agent workflow in the future"
echo "AI will analyze consolidated SARIF files and create fix suggestions"

# Placeholder para repository dispatch que vai trigger a IA
- name: Repository Dispatch to AI Workflow
uses: peter-evans/repository-dispatch@v3
with:
name: trivy-report
path: 'trivy-results.sarif'
token: ${{ secrets.GITHUB_TOKEN }}
event-type: security-scan-completed
client-payload: |
{
"pr_number": "${{ github.event.number }}",
"sha": "${{ github.sha }}",
"artifacts": ["consolidated-security-results", "security-summary"]
}
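Review bot: The workflow declares no `permissions:` block, yet the `Upload to GitHub Security tab` steps in the sast, sca and iac jobs call `github/codeql-action/upload-sarif@v3`, which needs `security-events: write`; on `pull_request` runs from forks the default GITHUB_TOKEN is read-only, so those steps fail instead of publishing, and on same-repo runs every job inherits whatever the repository default grants. Add a top-level block `permissions:` / `contents: read` / `security-events: write` so each job runs with the least token scope the steps actually need. Separately, several third-party scanners are pinned to moving branches — `aquasecurity/trivy-action@master`, `dependency-check/Dependency-Check_Action@main`, `bridgecrewio/checkov-action@master`, `trufflesecurity/trufflehog@main` — which lets an upstream push change what executes in this pipeline without any commit here; pin them to a release tag or commit SHA like the `actions/*` steps already are. Also `FAIL_ON_SEVERITY` is declared in `env` but never read, and the two Trivy steps set no `exit-code`, so a CRITICAL finding from Trivy does not fail the run — presumably unintended given the variable's name.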
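--- a/dependency-check-suppressions.xml
+++ b/dependency-check-suppressions.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+<!--
+Arquivo de supressão para OWASP Dependency Check
+Use este arquivo para suprimir falsos positivos conhecidos
+Adicione entradas <suppress> conforme necessário
+-->
+</suppressions>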
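Review bot: Nothing in the workflow passes this file to Dependency-Check: the `Run Dependency Check` step's `args` carry only `--failOnCVSS 7`, `--enableRetired` and `--enableExperimental`, so entries added here will have no effect until `--suppression dependency-check-suppressions.xml` is appended to that `args` block. Since a suppression silences a vulnerability finding, it would also help to state in this header comment that each `<suppress>` entry should carry a `<notes>` justification and, where the schema allows it, an `until` expiry so suppressions are revisited rather than accumulating silently.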