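---
# Reusable security-scanning workflow. Callers invoke it with `uses:` under
# `workflow_call` and can opt out of each scanner with the `skip-*` inputs.
name: "Centralized Code Scanning"

on:
  workflow_call:
    inputs:
      # used by CodeQL to define which languages to scan; must be a JSON array
      # encoded as a string, because it is expanded with fromJSON() into the
      # CodeQL job matrix
      languages:
        required: true
        type: string
      # Used by CodeQL for unique build commands; when non-empty it replaces
      # Autobuild and is executed verbatim by the "Custom Build Command" step
      build-command:
        required: false
        type: string
        default: ''
      skip-codeql:
        required: false
        type: boolean
        default: false
      skip-tfsec:
        required: false
        type: boolean
        default: false
      skip-anchore:
        required: false
        type: boolean
        default: false
      skip-dependency-review:
        required: false
        type: boolean
        default: false

# Workflow-wide default token scope; every job below declares the narrower
# set it actually needs.
permissions: read-all

jobs:
  anchore:
    if: ${{ inputs.skip-anchore == false }}
    name: Anchore
    permissions:
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read  # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    steps:
      - name: Check out the code
        # TODO(review): floating major tag; pin to a full-length commit SHA
        # (as the anchore/tfsec steps already do) so a retagged release
        # cannot silently change the code that runs here
        uses: actions/checkout@v3
      - name: Build the Docker image
        # assumes the calling repository has a Dockerfile at its root — the
        # job fails otherwise; callers without one should set skip-anchore
        run: docker build . --file Dockerfile --tag localbuild/testimage:latest
      - name: Run the Anchore Grype scan action
        uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
        id: scan
        with:
          image: "localbuild/testimage:latest"
          # findings are surfaced via the uploaded SARIF instead of failing the job
          fail-build: false
          severity-cutoff: critical
      - name: Upload vulnerability report
        # TODO(review): floating major tag; pin to a full-length commit SHA
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

  dependency-review:
    # only meaningful on pull requests, where a base/head diff exists
    if: ${{ (inputs.skip-dependency-review == false) && (github.event_name == 'pull_request') }}
    name: Dependency Review
    # explicit least-privilege scope, consistent with the other jobs;
    # checkout and dependency-review-action both need only read access
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: 'Checkout Repository'
        # TODO(review): floating major tag; pin to a full-length commit SHA
        uses: actions/checkout@v3
      - name: 'Dependency Review'
        # TODO(review): floating major tag; pin to a full-length commit SHA
        uses: actions/dependency-review-action@v2
        with:
          deny-licenses: GPL-3.0

  # Automatically run TFSec
  tfsec:
    if: ${{ inputs.skip-tfsec == false }}
    name: tfsec
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Clone repo
        # TODO(review): floating major tag; pin to a full-length commit SHA
        uses: actions/checkout@v3
      - name: Run tfsec
        uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
        with:
          sarif_file: tfsec.sarif
      - name: Upload SARIF file
        # TODO(review): floating major tag; pin to a full-length commit SHA
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: tfsec.sarif

  # Run CodeQL Scan
  codeql:
    if: ${{ inputs.skip-codeql == false }}
    name: CodeQL
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      # keep scanning the remaining languages if one matrix leg fails
      fail-fast: false
      matrix:
        language: ${{ fromJSON(inputs.languages) }}
    steps:
      - name: Checkout repository
        # TODO(review): floating major tag; pin to a full-length commit SHA
        uses: actions/checkout@v3
      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
      # Autobuild attempts to build the application for CodeQL
      - name: Autobuild
        if: ${{ inputs.build-command == '' }}
        uses: github/codeql-action/autobuild@v2
      # If the Autobuild command fails, pass a build command to the workflow using 'build-command' input
      - name: Custom Build Command
        if: ${{ inputs.build-command != '' }}
        # the input is spliced into this script as-is and executed, so the
        # caller must only pass values it controls (never raw event data)
        run: |
          echo "Run, Build Application using script"
          ${{ inputs.build-command }}
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v2
        with:
          category: "/language:${{matrix.language}}"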