Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Security Scanning Workflow #90

Merged
merged 2 commits into from
Oct 29, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions .github/workflows/security-scans.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
name: Security Scans

on:
pull_request:

concurrency:
group: security-scans-${{ github.head_ref }} # head branch name
cancel-in-progress: true

jobs:
trivy:
name: Detecting hardcoded secrets
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
with:
# Fetch all history for all tags and branches
fetch-depth: '0'
- name: Run Trivy vulnerability scanner
id: trivy
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
continue-on-error: true
with:
format: 'table'
scan-type: 'fs'
exit-code: '1'
scanners: 'secret'
- name: Alert on secret finding
if: steps.trivy.outcome == 'failure'
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
with:
payload: |
{
"text": "*A secret was detected in a GitHub commit in the repo ${{ github.repository }}.*\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*A secret was detected in a GitHub commit in the repo ${{ github.repository }}.*\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CODESECURITY_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
- name: Fail build if a secret is found
if: steps.trivy.outcome == 'failure'
run: |
echo "=========================================================="
echo "| This build has failed because Trivy detected a secret. |"
echo "=========================================================="
echo "1. Check the step 'Run Trivy vulnerability scanner' for output to help you find the secret."
echo "2. If the finding is a false positive, add it as an entry to trivy-secret.yaml in the root of the repo to suppress the finding."
echo "3. If the finding is valid, the security team can help advise your next steps."
exit 1