Add automated security scanning workflows #10
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: security | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| schedule: | |
| # Run every day at 10:00 UTC (6:00 AM ET / 3:00 AM PT) | |
| - cron: "0 10 * * *" | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| # Cancel in-progress runs for pull requests when developers push | |
| # additional changes | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: ${{ github.event_name == 'pull_request' }} | |
| jobs: | |
| codeql: | |
| name: CodeQL Analysis | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 | |
| - name: Setup Go | |
| uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8 | |
| with: | |
| languages: go | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8 | |
| with: | |
| category: "/language:go" | |
| trivy: | |
| name: Trivy Docker Image Scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0 | |
| - name: Setup Go | |
| uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0 | |
| with: | |
| go-version-file: "go.mod" | |
| - name: Build binary for linux/amd64 | |
| run: make build/linux/amd64 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 | |
| - name: Build Docker image | |
| id: build | |
| run: | | |
| docker buildx bake \ | |
| -f ./docker-bake.hcl \ | |
| --set "*.platform=linux/amd64" \ | |
| --set "*.tags=code-marketplace:scan" \ | |
| --load | |
| echo "image=code-marketplace:scan" >> "$GITHUB_OUTPUT" | |
| - name: Run Trivy vulnerability scanner (table output for logs) | |
| uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 | |
| with: | |
| image-ref: ${{ steps.build.outputs.image }} | |
| format: "table" | |
| severity: "LOW,MEDIUM,HIGH,CRITICAL" | |
| - name: Run Trivy vulnerability scanner (SARIF output for GitHub) | |
| uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 | |
| with: | |
| image-ref: ${{ steps.build.outputs.image }} | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| severity: "LOW,MEDIUM,HIGH,CRITICAL" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@755f44910c12a3d7ca0d8c6e42c048b3362f7cec # v3.30.8 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| category: "Trivy" | |
| - name: Upload Trivy scan results as artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: trivy-results | |
| path: trivy-results.sarif | |
| retention-days: 7 |