Add Security Scanning Workflow #1
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scans | |
| on: | |
| pull_request: | |
| concurrency: | |
| group: security-scans-${{ github.head_ref }} # head branch name | |
| cancel-in-progress: true | |
| jobs: | |
| trivy: | |
| name: Detecting hardcoded secrets | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
| with: | |
| # Fetch all history for all tags and branches | |
| fetch-depth: '0' | |
| - name: Run Trivy vulnerability scanner | |
| id: trivy | |
| uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca | |
| continue-on-error: true | |
| with: | |
| format: 'table' | |
| scan-type: 'fs' | |
| exit-code: '1' | |
| scanners: 'secret' | |
| - name: Alert on secret finding | |
| if: steps.trivy.outcome == 'failure' | |
| uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 | |
| with: | |
| payload: | | |
| { | |
| "text": "*A secret was detected in a GitHub commit in the repo ${{ github.repository }}.*\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}", | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "*A secret was detected in a GitHub commit in the repo ${{ github.repository }}.*\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}" | |
| } | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CODESECURITY_WEBHOOK_URL }} | |
| SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
| - name: Fail build if a secret is found | |
| if: steps.trivy.outcome == 'failure' | |
| run: | | |
| echo "==========================================================" | |
| echo "| This build has failed because Trivy detected a secret. |" | |
| echo "==========================================================" | |
| echo "1. Check the step 'Run Trivy vulnerability scanner' for output to help you find the secret." | |
| echo "2. If the finding is a false positive, add it as an entry to trivy-secret.yaml in the root of the repo to suppress the finding." | |
| echo "3. If the finding is valid, the security team can help advise your next steps." | |
| exit 1 | |