Skip to content
security-checks

ci(deps): bump the all group across 1 directory with 21 updates #5988

Sign in to view logs

ci(deps): bump the all group across 1 directory with 21 updates

ci(deps): bump the all group across 1 directory with 21 updates #5988

Workflow file for this run

.github/workflows/sec-checks.yaml at a71e16f
name: security-checks
on:
push:
branches:
- main
pull_request:
jobs:
trivy-file-system:
name: Trivy fs scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v 0.33.1
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'table'
output: './results.txt'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
skip-dirs: '.github'
exit-code: '1'
# trivy-config: trivy.yaml
- name: Inspect action report
if: always()
run: cat ./results.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: trivy-fs-scan-results
path: ./results.txt
trivy-docker-image:
name: Trivy docker image scan
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
kics-docker: [ "Dockerfile" ]
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Build
id: docker_build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
load: true
context: ./
file: ./${{ matrix.kics-docker }}
builder: ${{ steps.buildx.outputs.name }}
push: false
tags: kics:sec-trivy-tests-${{ github.sha }}
build-args: |
VERSION=development
COMMIT=${{ github.sha }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 #v 0.33.1
with:
image-ref: kics:sec-trivy-tests-${{ github.sha }}
ignore-unfixed: true
vuln-type: 'os,library'
format: 'table'
output: './results.txt'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
ignore-policy: './trivy-ignore.rego'
# trivy-config: trivy.image.yaml
exit-code: '1'
- name: Inspect action report
if: always()
run: cat ./results.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: trivy-docker-image-scan-results
path: ./results.txt
grype-file-system:
name: Grype fs scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Run Grype vulnerability scanner in repo mode
id: grype-fs-scan
uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # 7.3.1
with:
path: "."
only-fixed: true
output-format: table
severity-cutoff: low
fail-build: true
grype-docker-image:
name: Grype docker image scan
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
kics-docker: [ "Dockerfile" ]
steps:
- name: Check out code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Build
id: docker_build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
load: true
context: ./
file: ./${{ matrix.kics-docker }}
builder: ${{ steps.buildx.outputs.name }}
push: false
tags: kics:sec-tests-${{ github.sha }}
build-args: |
VERSION=development
COMMIT=${{ github.sha }}
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Scan image
id: grype-image-scan
uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # 7.3.1
with:
image: kics:sec-tests-${{ github.sha }}
only-fixed: true
severity-cutoff: low
output-format: table
fail-build: true
govulncheck-file-system:
runs-on: ubuntu-latest
name: govulncheck fs scan
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@v6
with:
go-version: 'stable'
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck scanner in fs mode
run: |
govulncheck -show verbose -C . ./... > ./results.txt || true
bash ./.github/scripts/sec-checks/govulncheck-ignore-unfixed.sh
- name: Inspect action report
if: always()
run: cat ./results.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: govulncheck-fs-scan-results
path: ./results.txt
govulncheck-binary:
runs-on: ubuntu-latest
name: govulncheck binary scan
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-go@v6
with:
go-version: 'stable'
- name: Build kics
run: go build -ldflags "-s -w" -a -installsuffix cgo -o ./bin/kics ./cmd/console/main.go
- name: Install govulncheck
run: go install golang.org/x/vuln/cmd/govulncheck@latest
- name: Run govulncheck scanner in binary mode
run: |
govulncheck -show verbose -mode=binary ./bin/kics > ./results.txt || true
bash ./.github/scripts/sec-checks/govulncheck-ignore-unfixed.sh
- name: Inspect action report
if: always()
run: cat ./results.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: govulncheck-binary-scan-results
path: ./results.txt
- name: Inspect final dependencies from binary
if: github.event_name == 'pull_request'
run: |
strings ./bin/kics | grep -P "dep\t" | sort -u > binary_dependencies.txt
cat binary_dependencies.txt
- name: Upload artifact
if: always()
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
with:
name: binary-dependencies
path: ./binary_dependencies.txt