Skip to content

Commit df1a6a1

Browse files
Ubuntu ServerUbuntu Server
authored andcommitted
Add scan security
1 parent 6715269 commit df1a6a1

1 file changed

Lines changed: 172 additions & 0 deletions

File tree

.github/workflows/security.yml

Lines changed: 172 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,172 @@
1+
# =============================================================================
2+
# Security Scanning with Rediver Agent
3+
# =============================================================================
4+
# Parallel security scanning for vAPI (Vulnerable PHP API)
5+
#
6+
# Jobs run in parallel:
7+
# - SAST: Semgrep (PHP code analysis)
8+
# - Secrets: Gitleaks (credential detection)
9+
# - SCA: Trivy (dependency vulnerabilities)
10+
# - Container: Trivy image scan (main branch only)
11+
# =============================================================================
12+
13+
name: Security
14+
15+
on:
16+
push:
17+
branches: [main, master]
18+
pull_request:
19+
branches: [main, master]
20+
schedule:
21+
# Run every Monday at 00:00 UTC
22+
- cron: "0 0 * * 1"
23+
24+
permissions:
25+
contents: read
26+
security-events: write
27+
actions: read
28+
pull-requests: write
29+
30+
jobs:
31+
# ============================================
32+
# SAST - Semgrep (PHP Code Analysis)
33+
# ============================================
34+
sast:
35+
name: SAST (Semgrep)
36+
runs-on: ubuntu-latest
37+
steps:
38+
- name: Checkout repository
39+
uses: actions/checkout@v4
40+
with:
41+
fetch-depth: 0
42+
43+
- name: Run Semgrep
44+
uses: docker://rediverio/agent:semgrep
45+
env:
46+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
47+
API_URL: ${{ secrets.REDIVER_API_URL }}
48+
API_KEY: ${{ secrets.REDIVER_API_KEY }}
49+
AGENT_ID: ${{ secrets.REDIVER_AGENT_ID }}
50+
with:
51+
args: >-
52+
-tool semgrep
53+
-target .
54+
-push
55+
-comments
56+
-sarif semgrep-results.sarif
57+
-verbose
58+
59+
- name: Upload SARIF to GitHub Security tab
60+
if: always() && hashFiles('semgrep-results.sarif') != ''
61+
uses: github/codeql-action/upload-sarif@v3
62+
with:
63+
sarif_file: semgrep-results.sarif
64+
category: sast
65+
66+
# ============================================
67+
# Secrets - Gitleaks (Credential Detection)
68+
# ============================================
69+
secrets:
70+
name: Secrets (Gitleaks)
71+
runs-on: ubuntu-latest
72+
steps:
73+
- name: Checkout repository
74+
uses: actions/checkout@v4
75+
with:
76+
fetch-depth: 0
77+
78+
- name: Run Gitleaks
79+
uses: docker://rediverio/agent:gitleaks
80+
env:
81+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
82+
API_URL: ${{ secrets.REDIVER_API_URL }}
83+
API_KEY: ${{ secrets.REDIVER_API_KEY }}
84+
AGENT_ID: ${{ secrets.REDIVER_AGENT_ID }}
85+
with:
86+
args: >-
87+
-tool gitleaks
88+
-target .
89+
-push
90+
-comments
91+
-sarif gitleaks-results.sarif
92+
-verbose
93+
94+
- name: Upload SARIF to GitHub Security tab
95+
if: always() && hashFiles('gitleaks-results.sarif') != ''
96+
uses: github/codeql-action/upload-sarif@v3
97+
with:
98+
sarif_file: gitleaks-results.sarif
99+
category: secrets
100+
101+
# ============================================
102+
# SCA - Trivy (Dependency Vulnerabilities)
103+
# ============================================
104+
sca:
105+
name: SCA (Trivy)
106+
runs-on: ubuntu-latest
107+
steps:
108+
- name: Checkout repository
109+
uses: actions/checkout@v4
110+
111+
- name: Run Trivy
112+
uses: docker://rediverio/agent:trivy
113+
env:
114+
API_URL: ${{ secrets.REDIVER_API_URL }}
115+
API_KEY: ${{ secrets.REDIVER_API_KEY }}
116+
AGENT_ID: ${{ secrets.REDIVER_AGENT_ID }}
117+
with:
118+
args: >-
119+
-tool trivy-fs
120+
-target .
121+
-push
122+
-sarif trivy-results.sarif
123+
124+
- name: Upload SARIF to GitHub Security tab
125+
if: always() && hashFiles('trivy-results.sarif') != ''
126+
uses: github/codeql-action/upload-sarif@v3
127+
with:
128+
sarif_file: trivy-results.sarif
129+
category: sca
130+
131+
# ============================================
132+
# Docker Image Scan (on main branch)
133+
# ============================================
134+
docker-scan:
135+
name: Container Scan
136+
runs-on: ubuntu-latest
137+
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
138+
steps:
139+
- name: Checkout repository
140+
uses: actions/checkout@v4
141+
142+
- name: Set up Docker Buildx
143+
uses: docker/setup-buildx-action@v3
144+
145+
- name: Build Docker image
146+
uses: docker/build-push-action@v6
147+
with:
148+
context: .
149+
push: false
150+
load: true
151+
tags: vapi:scan
152+
153+
- name: Run Trivy image scan
154+
uses: docker://rediverio/agent:trivy
155+
env:
156+
API_URL: ${{ secrets.REDIVER_API_URL }}
157+
API_KEY: ${{ secrets.REDIVER_API_KEY }}
158+
AGENT_ID: ${{ secrets.REDIVER_AGENT_ID }}
159+
with:
160+
args: >-
161+
-tool trivy-image
162+
-target vapi:scan
163+
-push
164+
-sarif trivy-docker-results.sarif
165+
-verbose
166+
167+
- name: Upload SARIF to GitHub Security tab
168+
if: always() && hashFiles('trivy-docker-results.sarif') != ''
169+
uses: github/codeql-action/upload-sarif@v3
170+
with:
171+
sarif_file: trivy-docker-results.sarif
172+
category: container

0 commit comments

Comments
 (0)