
release: v0.13.1 — embedded Core backend, durability status, CI fixes #232



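name: Security Scanning
on:
  push:
    branches: [main]
  schedule:
    # Run weekly on Monday at 00:00 UTC
    - cron: "0 0 * * 1"
  workflow_dispatch:
concurrency:
  group: security-${{ github.ref }}
  cancel-in-progress: true
# Least privilege by default: only the jobs that upload SARIF declare
# `security-events: write` (and `actions: read`) at job level, instead of every
# job inheriting them from here.
permissions:
  contents: read
jobs:
  # ============================================================================
  # Dependency Audit - Check for known vulnerabilities
  # ============================================================================
  dependency-audit:
    name: Dependency Audit
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: rust
            working-directory: apps/core
          - name: go
            working-directory: apps/control-plane
          - name: elixir
            working-directory: apps/query-service
    steps:
      - uses: actions/checkout@v6
      # Rust dependencies
      - name: Set up Rust
        if: matrix.name == 'rust'
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-audit
        if: matrix.name == 'rust'
        uses: taiki-e/install-action@v2
        with:
          tool: cargo-audit
      - name: Rust dependency audit
        if: matrix.name == 'rust'
        working-directory: ${{ matrix.working-directory }}
        run: cargo audit
      # Go dependencies
      - name: Set up Go
        if: matrix.name == 'go'
        uses: actions/setup-go@v6
        with:
          go-version: "1.26.0"
          cache-dependency-path: apps/control-plane/go.sum
      - name: Go vulnerability check
        if: matrix.name == 'go'
        working-directory: ${{ matrix.working-directory }}
        # NOTE(review): `go mod tidy` rewrites go.mod/go.sum before the scan, so
        # a stale committed go.sum is not detected here — confirm that is
        # intended. `@latest` resolves at run time; pinning a govulncheck
        # version makes the scan reproducible.
        run: |
          go mod tidy
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...
      # Elixir dependencies
      - name: Set up Elixir
        if: matrix.name == 'elixir'
        uses: erlef/setup-beam@v1
        with:
          elixir-version: "1.17"
          otp-version: "27"
      - name: Elixir dependency audit
        if: matrix.name == 'elixir'
        working-directory: ${{ matrix.working-directory }}
        run: |
          mix deps.get
          mix deps.audit
  # ============================================================================
  # CodeQL Analysis - SAST for multiple languages
  # ============================================================================
  codeql:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      actions: read
    strategy:
      fail-fast: false
      matrix:
        language: [go]
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          queries: security-and-quality
      # Go is built manually (after init) so the tracer sees the real build.
      - name: Set up Go
        if: matrix.language == 'go'
        uses: actions/setup-go@v6
        with:
          go-version: "1.26.0"
          cache-dependency-path: apps/control-plane/go.sum
      - name: Build Go
        if: matrix.language == 'go'
        working-directory: apps/control-plane
        run: go build -v ./...
      # Only reached once another language is added to the matrix.
      - name: Autobuild
        if: matrix.language != 'go'
        uses: github/codeql-action/autobuild@v4
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
  # ============================================================================
  # Container Image Scanning with Trivy
  # ============================================================================
  container-scan:
    name: Container Scan ${{ matrix.service.name }}
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    permissions:
      contents: read
      security-events: write
      actions: read
    strategy:
      fail-fast: false
      matrix:
        service:
          - name: core
            context: .
            dockerfile: apps/core/Dockerfile
          - name: control-plane
            context: apps/control-plane
            dockerfile: apps/control-plane/Dockerfile
          - name: query-service
            context: apps/query-service
            dockerfile: apps/query-service/Dockerfile
    steps:
      - uses: actions/checkout@v6
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build image for scanning
        uses: docker/build-push-action@v6
        with:
          context: ${{ matrix.service.context }}
          file: ${{ matrix.service.dockerfile }}
          push: false
          load: true
          tags: scan-${{ matrix.service.name }}:latest
          cache-from: type=gha
      # Pinned to a release tag rather than the mutable `master` branch so a
      # change in the action cannot silently alter what runs with
      # `security-events: write`. Bump deliberately.
      # With no `exit-code` set the scan reports to the Security tab but does
      # not fail the job; set `exit-code: "1"` to gate on CRITICAL/HIGH.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: scan-${{ matrix.service.name }}:latest
          format: sarif
          output: trivy-results-${{ matrix.service.name }}.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true
      - name: Upload Trivy scan results to GitHub Security
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: trivy-results-${{ matrix.service.name }}.sarif
          category: container-${{ matrix.service.name }}
  # ============================================================================
  # License Compliance
  # ============================================================================
  license-check:
    name: License Compliance
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.26.0"
          cache-dependency-path: apps/control-plane/go.sum
      - name: Install go-licenses
        # NOTE(review): `@latest` resolves at run time; pin for reproducibility.
        run: go install github.com/google/go-licenses@latest
      # The license checks are advisory: `continue-on-error` keeps the job
      # green as before, but a failing check is now shown as a failed step with
      # an annotation instead of being hidden behind `|| true`.
      - name: Check Go licenses
        working-directory: apps/control-plane
        continue-on-error: true
        run: |
          go-licenses check ./... --disallowed_types=restricted,reciprocal
      - name: Set up Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-deny
        uses: taiki-e/install-action@v2
        with:
          tool: cargo-deny
      - name: Check Rust licenses
        working-directory: apps/core
        continue-on-error: true
        run: cargo deny check licenses
  # ============================================================================
  # Summary
  # ============================================================================
  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    needs:
      - dependency-audit
      - codeql
      - container-scan
      - license-check
    if: always()
    steps:
      # Writes a per-job result table to the run summary. Results are the
      # documented job outcomes: success, failure, cancelled, skipped.
      - name: Generate summary
        run: |
          status() {
            case "$1" in
              success) echo "✅ Passed" ;;
              failure) echo "❌ Failed" ;;
              cancelled) echo "⚠️ Cancelled" ;;
              skipped) echo "⏭️ Skipped" ;;
              *) echo "⚠️ Unknown" ;;
            esac
          }
          {
            echo "## 🔒 Security Scan Summary"
            echo ""
            echo "| Check | Status |"
            echo "|-------|--------|"
            echo "| Dependency Audit | $(status "${{ needs.dependency-audit.result }}") |"
            echo "| CodeQL Analysis | $(status "${{ needs.codeql.result }}") |"
            echo "| Container Scan | $(status "${{ needs.container-scan.result }}") |"
            echo "| License Check | $(status "${{ needs.license-check.result }}") |"
          } >> "$GITHUB_STEP_SUMMARY"
      # Because the job runs with `if: always()`, it would otherwise succeed
      # even when a scan failed and could not be used as a required status
      # check. Only a real `failure` trips the gate; skipped jobs (container
      # scan off `main`) and cancellations do not.
      - name: Fail if any security check failed
        if: contains(needs.*.result, 'failure')
        run: |
          echo "::error::One or more security checks failed; see the summary above."
          exit 1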