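# Reusable workflow (`workflow_call`): secret / vulnerability scanning for a
# module. The actual scanning is delegated to the
# `bauer-group/automation-templates` composite action below; this file only
# maps caller inputs and secrets onto that action, re-exports its outputs and
# writes a job summary.
name: 📦 Module | Security Scanning

on:
  workflow_call:
    inputs:
      scan-engine:
        description: 'Security scan engine (gitleaks, gitguardian, both)'
        required: false
        type: string
        default: 'both'
      scan-type:
        description: 'Type of security scan (secrets, vulnerabilities, all)'
        required: false
        type: string
        default: 'all'
      fail-on-findings:
        description: 'Fail the workflow if security issues are found'
        required: false
        type: boolean
        default: true
      minimum-severity:
        description: 'Minimum severity level for GitGuardian (low, medium, high, critical)'
        required: false
        type: string
        default: 'medium'
      exclude-paths:
        description: 'Paths to exclude from scanning (comma-separated)'
        required: false
        type: string
        default: '.git,node_modules,vendor'
      runs-on:
        description: 'Runner to use. Use string for GitHub-hosted (e.g., "ubuntu-latest") or JSON array for self-hosted (e.g., ["self-hosted", "linux"])'
        required: false
        type: string
        default: 'ubuntu-latest'
    secrets:
      # Both secrets are optional here; the composite action decides what a
      # missing key means for the selected engine.
      GITGUARDIAN_API_KEY:
        description: 'GitGuardian API key (required for GitGuardian scanning)'
        required: false
      GITLEAKS_LICENSE:
        description: 'Gitleaks Pro license key'
        required: false
    outputs:
      secrets-found:
        description: 'Whether secrets were found'
        value: ${{ jobs.security-scan.outputs.secrets-found }}
      vulnerabilities-found:
        description: 'Whether vulnerabilities were found'
        value: ${{ jobs.security-scan.outputs.vulnerabilities-found }}
      security-score:
        description: 'Overall security score (0-100)'
        value: ${{ jobs.security-scan.outputs.security-score }}
      scan-results:
        description: 'Summary of scan results'
        value: ${{ jobs.security-scan.outputs.scan-results }}

# Least privilege for a read-only scan: `contents: read` is all checkout needs.
# `security-events: write` is presumably used by the action to upload results
# to code scanning — confirm against the action; drop it if it is not.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  security-scan:
    name: 🔐 Security Analysis
    # A value starting with "[" is a JSON array of self-hosted labels;
    # anything else is used verbatim as a GitHub-hosted runner name.
    runs-on: ${{ startsWith(inputs.runs-on, '[') && fromJSON(inputs.runs-on) || inputs.runs-on }}
    outputs:
      # "Secrets found" when either engine reported something. The explicit
      # empty-string guard keeps an unset GitGuardian output (engine not
      # selected, or no API key) from being counted as a finding by `!= '0'`.
      # NOTE(review): verify the value shape of `gitguardian-secrets-found`
      # (count vs. boolean) against the action's outputs.
      secrets-found: ${{ steps.security.outputs.gitleaks-secrets-found == 'true' || (steps.security.outputs.gitguardian-secrets-found != '' && steps.security.outputs.gitguardian-secrets-found != '0') }}
      vulnerabilities-found: ${{ steps.security.outputs.vulnerabilities-found }}
      security-score: ${{ steps.security.outputs.security-score }}
      scan-results: ${{ steps.security.outputs.scan-results }}

    steps:
      - name: 🚀 Checkout Repository
        uses: actions/checkout@v6
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # Full history, so that git-history secret scanning is not limited
          # to the single checked-out commit.
          fetch-depth: 0

      - name: 🛡️ Run Security Scan
        id: security
        # NOTE(review): `@main` is a mutable ref. Every push to that branch
        # changes the code that receives GITGUARDIAN_API_KEY, GITLEAKS_LICENSE
        # and GITHUB_TOKEN below. Pin to a full commit SHA (`@<sha>`) once a
        # reviewed revision is chosen, and bump it deliberately.
        uses: bauer-group/automation-templates/.github/actions/security-scan@main
        with:
          scan-engine: ${{ inputs.scan-engine }}
          scan-type: ${{ inputs.scan-type }}
          fail-on-findings: ${{ inputs.fail-on-findings }}
          minimum-severity: ${{ inputs.minimum-severity }}
          exclude-paths: ${{ inputs.exclude-paths }}
          gitguardian-api-key: ${{ secrets.GITGUARDIAN_API_KEY }}
          gitleaks-license: ${{ secrets.GITLEAKS_LICENSE }}
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: 📊 Security Report Summary
        # Runs even when the scan step failed so the summary explains why.
        if: always()
        # Every dynamic value is handed to the script through `env:` and read
        # as a shell variable. Expanding `${{ }}` directly inside `run:` would
        # splice caller-supplied inputs and action outputs (which may echo
        # content from the scanned repository) into the script as code.
        env:
          SCAN_ENGINE: ${{ inputs.scan-engine }}
          SCAN_TYPE: ${{ inputs.scan-type }}
          SCORE: ${{ steps.security.outputs.security-score }}
          GITLEAKS_SECRETS: ${{ steps.security.outputs.gitleaks-secrets-found }}
          GITGUARDIAN_SECRETS: ${{ steps.security.outputs.gitguardian-secrets-found }}
          VULNS_FOUND: ${{ steps.security.outputs.vulnerabilities-found }}
          SCAN_RESULTS: ${{ steps.security.outputs.scan-results }}
        run: |
          # When the scan step did not run to completion its outputs are
          # empty. Report that as "n/a" instead of defaulting to a clean
          # result (score 100 / no secrets), which would read as a pass.
          if [ -z "$SCORE" ]; then
            SCORE_CELL="n/a"
          else
            SCORE_CELL="${SCORE}/100"
          fi

          # Same rule as the job-level `secrets-found` output, evaluated in
          # shell so that "no output at all" can be distinguished from "false".
          if [ -z "$GITLEAKS_SECRETS" ] && [ -z "$GITGUARDIAN_SECRETS" ]; then
            SECRETS_CELL="n/a"
          elif [ "$GITLEAKS_SECRETS" = "true" ] || { [ -n "$GITGUARDIAN_SECRETS" ] && [ "$GITGUARDIAN_SECRETS" != "0" ]; }; then
            SECRETS_CELL="true"
          else
            SECRETS_CELL="false"
          fi

          {
            echo "### 🛡️ Security Scan Results"
            echo ""
            echo "| Metric | Value |"
            echo "|--------|-------|"
            echo "| **Engine Used** | ${SCAN_ENGINE} |"
            echo "| **Scan Type** | ${SCAN_TYPE} |"
            echo "| **Security Score** | ${SCORE_CELL} |"
            echo "| **Secrets Found** | ${SECRETS_CELL} |"
            echo "| **Vulnerabilities (Trivy)** | ${VULNS_FOUND:-n/a} |"
            echo "| **Status** | ${SCAN_RESULTS:-not reported} |"
            echo ""
          } >> "$GITHUB_STEP_SUMMARY"

          # The score is documented as an integer 0-100. Anything else (empty,
          # non-numeric) must not be fed to `-ge`, which would error out and
          # silently fall through to the last branch.
          case "$SCORE" in
            ''|*[!0-9]*)
              echo "❌ **No security score was reported — the scan did not complete.**" >> "$GITHUB_STEP_SUMMARY"
              ;;
            *)
              if [ "$SCORE" -ge 95 ]; then
                echo "✅ **Excellent security posture!**" >> "$GITHUB_STEP_SUMMARY"
              elif [ "$SCORE" -ge 80 ]; then
                echo "⚠️ **Good security with room for improvement.**" >> "$GITHUB_STEP_SUMMARY"
              else
                echo "❌ **Security issues require attention.**" >> "$GITHUB_STEP_SUMMARY"
              fi
              ;;
          esac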