-
Notifications
You must be signed in to change notification settings - Fork 0
217 lines (182 loc) · 5.76 KB
/
codeql.yml
File metadata and controls
217 lines (182 loc) · 5.76 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
name: "Advanced CodeQL + AI Security Analysis"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: '17 17 * * 5'
jobs:
codeql-analysis:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
packages: read
strategy:
fail-fast: false
matrix:
include:
- language: python
build-mode: none
- language: javascript-typescript
build-mode: none
- language: cpp
build-mode: manual
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 2
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}
build-mode: ${{ matrix.build-mode }}
queries: security-extended,security-and-quality
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
with:
category: "language:${{ matrix.language }}"
ai-security-scan:
name: AI-Powered Security Scan
runs-on: ubuntu-latest
needs: codeql-analysis
permissions:
security-events: write
contents: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Python
uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Install dependencies
env:
GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
pip install httpx_ntlm beautifulsoup4
echo "GEMINI_API_KEY=$GEMINI_API_KEY" >> $GITHUB_ENV
if [ -n "${{ secrets.OPENAI_API_KEY }}" ]; then
echo "OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}" >> $GITHUB_ENV
else
echo "Warning: OPENAI_API_KEY secret is not set." >&2
fi
- name: Run AI-powered security scan
run: |
bughunter-cli ai scan-repo . \
--gemini \
--chatgpt \
--output ai-report.json
# Generate human-readable report
bughunter-cli ai generate-report ai-report.json --format markdown > ai-security-report.md
- name: Upload AI security report
uses: actions/upload-artifact@v4
with:
name: ai-security-report
path: ai-security-report.md
- name: Upload SARIF for GitHub Security
run: |
# Convert AI findings to SARIF format
bughunter-cli utils ai-to-sarif ai-report.json -o ai-scan.sarif
if: always()
- name: Upload SARIF results
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ai-scan.sarif
if: always()
ai-vulnerability-analysis:
name: AI Vulnerability Analysis
runs-on: ubuntu-latest
needs: [codeql-analysis, ai-security-scan]
steps:
- name: Download CodeQL results
uses: actions/download-artifact@v3
with:
name: codeql-sarif
path: codeql-results
- name: Download AI results
uses: actions/download-artifact@v3
with:
name: ai-security-report
path: ai-results
- name: Combine and analyze results
run: |
pip install jq
# Combine CodeQL and AI results
jq -s '.[0].runs + .[1].runs' \
codeql-results/codeql.sarif \
ai-results/ai-scan.sarif > combined.sarif
# AI-powered triage and prioritization
bughunter-cli ai triage combined.sarif \
--gemini \
--output prioritized-findings.json
# Generate executive report
bughunter-cli ai generate-report prioritized-findings.json \
--format markdown > executive-report.md
- name: Upload Executive Report
uses: actions/upload-artifact@v4
with:
name: security-executive-report
path: executive-report.md
- name: Create Security Summary
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const report = fs.readFileSync('executive-report.md', 'utf8');
await github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## AI Security Analysis Summary\n\n${report}`
});
if: github.event_name == 'pull_request'
container-scan:
name: Container Security Scan
runs-on: ubuntu-latest
needs: codeql-analysis
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Build Docker image
run: docker build -t app-image .
- name: Scan container with AI
run: |
docker save app-image -o app.tar
bughunter-cli ai scan-container app.tar \
--gemini \
--output container-scan.json
bughunter-cli ai generate-report container-scan.json \
--format markdown > container-report.md
- name: Upload Container Report
uses: actions/upload-artifact@v4
with:
name: container-security-report
path: container-report.md
dependency-scan:
name: Dependency Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: '3.10'
- name: Install dependencies
run: pip install safety
- name: Scan Python dependencies
run: safety check --json > dependency-scan.json
- name: Upload results
uses: actions/upload-artifact@v4
with:
name: dependency-scan-results
path: dependency-scan.json