Security Scan #171

Workflow file for this run

.github/workflows/security.yml at e306be3

	name: Security Scan

	on:
	push:
	branches: [main]
	pull_request:
	schedule:
	- cron: '0 0 * * *' # Daily

	permissions: {}

	jobs:
	trivy:
	runs-on: ubuntu-latest
	strategy:
	matrix:
	variant: [ci, ci-full]
	include:
	- variant: ci
	name: minimal
	- variant: ci-full
	name: full
	name: trivy (${{ matrix.name }})
	permissions:
	contents: read
	security-events: write
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

	- name: Build image for scanning
	uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6
	with:
	targets: ${{ matrix.variant }}
	load: true

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
	with:
	image-ref: phpbu:${{ matrix.variant }}
	format: 'sarif'
	output: 'trivy-results.sarif'
	severity: 'CRITICAL,HIGH'
	exit-code: '1'

	- name: Upload Trivy scan results
	uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
	if: always()
	with:
	sarif_file: 'trivy-results.sarif'
	category: 'trivy-${{ matrix.name }}'

	gitleaks:
	runs-on: ubuntu-latest
	# Skip for dependabot PRs - org secrets not available to external PRs
	if: github.actor != 'dependabot[bot]'
	permissions:
	contents: read
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	fetch-depth: 0

	- name: Run Gitleaks
	uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security Scan #171

Workflow file

Security Scan #171

Uh oh!

Workflow file for this run