adding security tool stack, pre-commit steps, and gitignore additions
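--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,78 @@
+name: Security
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+      - develop
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      ###########################################################
+      # GITLEAKS
+      ###########################################################
+
+      - name: Gitleaks
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:/repo \
+            ghcr.io/gitleaks/gitleaks:latest \
+            detect \
+            --source /repo
+
+      ###########################################################
+      # SEMGREP
+      ###########################################################
+
+      - name: Semgrep
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:/src \
+            semgrep/semgrep \
+            semgrep scan \
+            --config auto \
+            /src
+
+      ###########################################################
+      # TRIVY FS
+      ###########################################################
+
+      - name: Trivy Filesystem
+        run: |
+          docker run --rm \
+            -v ${{ github.workspace }}:/workspace \
+            aquasec/trivy:latest \
+            fs \
+            --scanners vuln,secret,misconfig \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            /workspace
+
+      ###########################################################
+      # DOCKER IMAGE BUILD
+      ###########################################################
+
+      - name: Build Image
+        run: |
+          docker build -t app:${{ github.sha }} .
+
+      ###########################################################
+      # TRIVY IMAGE
+      ###########################################################
+
+      - name: Trivy Image Scan
+        run: |
+          docker run --rm \
+            -v /var/run/docker.sock:/var/run/docker.sock \
+            aquasec/trivy:latest \
+            image \
+            --severity HIGH,CRITICAL \
+            --exit-code 1 \
+            app:${{ github.sha }}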
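Review bot: The Semgrep step never fails the job, because `semgrep scan` exits 0 on findings unless `--error` is passed, so unlike the two Trivy steps (which set `--exit-code 1`) it is a report rather than a gate; add `--error` to that command. The Gitleaks step has two related gaps: `actions/checkout@v4` defaults to a depth-1 clone, which leaves `detect` only the tip commit's history to inspect, so the checkout step should set `with: fetch-depth: 0`, and without `--redact` any match is printed in clear in the job log, where it is readable by anyone with log access. Every scanner image (`ghcr.io/gitleaks/gitleaks:latest`, untagged `semgrep/semgrep`, `aquasec/trivy:latest`) and `actions/checkout@v4` is pulled by mutable tag; pin them by digest/commit SHA, which matters most for the Trivy Image Scan step, since mounting `/var/run/docker.sock` hands whatever image currently resolves as `latest` control of the runner's Docker daemon (`docker save app:${{ github.sha }} -o image.tar` followed by `trivy image --input image.tar` avoids the socket mount entirely). The workflow also declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope; `permissions: contents: read` at the top level is sufficient for these steps.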