Add note about advanced security #51

Workflow file for this run

	name: Security Scan

	on:
	pull_request:
	push:
	branches:
	- main
	# disabled to avoid noise, uncomment to run a weekly check on your repository
	#schedule:
	# - cron: '11 11 * * 1'

	defaults:
	# would be nice if we could set this here:
	#runs-on: ubuntu-latest
	run:
	shell: bash

	# Restrict permissions to a conservative set
	permissions:
	# Check out repos
	contents: read
	# Post SARIF reports
	security-events: write
	# Required for running codeql-action/upload-sarif on private repos
	actions: read

	jobs:
	gosec:
	runs-on: ubuntu-latest
	steps:
	- name: checkout repo
	uses: actions/checkout@v3
	with:
	sparse-checkout: go/
	- name: run gosec
	uses: securego/gosec@master
	with:
	args: -fmt sarif -out gosec.sarif -stdout -verbose=text ./...
	- name: upload results
	uses: github/codeql-action/upload-sarif@v2
	# run this even when the gosec task fails (otherwise we wouldn't get a result)
	if: success() \|\| failure()
	# but ignore errors in case GH security upload isn't available
	continue-on-error: true
	with:
	sarif_file: gosec.sarif
	govulncheck:
	runs-on: ubuntu-latest
	steps:
	- name: checkout repo
	uses: actions/checkout@v3
	with:
	sparse-checkout: go/
	- name: run govulncheck
	uses: golang/govulncheck-action@v1
	with:
	go-version-input: 1.19.0
	go-package: ./...
	# this action doesn't produce a SARIF report yet, so there's nothing to upload.
	# See: https://github.com/golang/go/issues/61347
	tfsec:
	runs-on: ubuntu-latest
	steps:
	- name: checkout repo
	uses: actions/checkout@v3
	with:
	sparse-checkout: terraform/
	- name: run tfsec
	uses: aquasecurity/[email protected]
	with:
	working_directory: terraform/
	format: lovely,sarif
	additional_args: --out results
	- name: upload results
	uses: github/codeql-action/upload-sarif@v2
	if: success() \|\| failure()
	continue-on-error: true
	with:
	sarif_file: results.sarif.json
	bandit:
	runs-on: ubuntu-latest
	steps:
	- name: checkout repo
	uses: actions/checkout@v3
	with:
	sparse-checkout: python/
	- uses: actions/setup-python@v4
	with:
	python-version: '3.11'
	# We're not using the official action because Bandit doesn't include the SARIF formatter by default.
	- name: install bandit
	# we could bind a specific Bandit and SARIF formatter version here
	run: \|
	pip install bandit bandit_sarif_formatter
	# Need to run Bandit twice because of https://github.com/PyCQA/bandit/issues/1047
	- name: generate sarif report
	# ignore errors here (--exit-zero) so we can keep going (and fail with a full report)
	run: \|
	bandit --recursive --format sarif --output results.sarif --exit-zero python/
	- name: run bandit
	run: \|
	bandit --recursive --format screen python/
	- name: upload results
	uses: github/codeql-action/upload-sarif@v2
	if: success() \|\| failure()
	continue-on-error: true
	with:
	sarif_file: results.sarif
	chekov-terraform:
	runs-on: ubuntu-latest
	steps:
	- name: checkout repo
	uses: actions/checkout@v3
	with:
	sparse-checkout: terraform/
	- name: run chekov
	uses: bridgecrewio/checkov-action@v12
	with:
	directory: terraform/
	output_format: cli,sarif
	output_file_path: console,results.sarif
	- name: upload results
	uses: github/codeql-action/upload-sarif@v2
	if: success() \|\| failure()
	continue-on-error: true
	with:
	sarif_file: results.sarif
	chekov-bicep:
	runs-on: ubuntu-latest
	steps:
	- name: checkout repo
	uses: actions/checkout@v3
	with:
	sparse-checkout: bicep/
	- name: run chekov
	uses: bridgecrewio/checkov-action@v12
	with:
	directory: bicep/
	output_format: cli,sarif
	output_file_path: console,results.sarif
	- name: upload results
	uses: github/codeql-action/upload-sarif@v2
	if: success() \|\| failure()
	continue-on-error: true
	with:
	sarif_file: results.sarif
	# We could also use a matrix action to run the same job multiple times for different languages
	# See: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategy
	codeql-go:
	runs-on: ubuntu-latest
	steps:
	- name: checkout repo
	uses: actions/checkout@v3
	with:
	sparse-checkout: go/
	- name: codeql init
	uses: github/codeql-action/init@v2
	with:
	languages: go
	- name: codeql autobuild
	uses: github/codeql-action/autobuild@v2
	- name: codeql analysis
	id: analysis
	uses: github/codeql-action/analyze@v2
	with:
	category: "/language:go"
	- name: print results
	run: \|
	cat "${{ steps.analysis.outputs.sarif-output }}/go.sarif"
	echo "${{ steps.analysis.outputs.sarif-id }}"
	codeql-python:
	runs-on: ubuntu-latest
	steps:
	- name: checkout repo
	uses: actions/checkout@v3
	with:
	sparse-checkout: python/
	- name: codeql init
	uses: github/codeql-action/init@v2
	with:
	languages: python
	- name: codeql autobuild
	uses: github/codeql-action/autobuild@v2
	- name: codeql analysis
	id: analysis
	uses: github/codeql-action/analyze@v2
	with:
	category: "/language:python"
	- name: print results
	run: \|
	cat "${{ steps.analysis.outputs.sarif-output }}/python.sarif"
	echo "${{ steps.analysis.outputs.sarif-id }}"
	pip-audit:
	runs-on: ubuntu-latest
	steps:
	- name: checkout repo
	uses: actions/checkout@v3
	with:
	sparse-checkout: python/
	- uses: pypa/[email protected]
	with:
	inputs: requirements.txt
	# SARIF reports aren't supported by pip-audit yet:
	# https://github.com/pypa/pip-audit/issues/206

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add note about advanced security #51

Workflow file

Add note about advanced security #51

Jobs

Run details

Workflow file for this run