terraform-provider-turingpi/.github/workflows/security.yml at main · freed-dev-llc/terraform-provider-turingpi · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
name: Security

on:
  push:
    branches: ["main"]
  pull_request:
    branches: ["main"]
  schedule:
    # Run weekly on Monday at 00:00 UTC
    - cron: '0 0 * * 1'

permissions:
  contents: read
  security-events: write

jobs:
  # Verify commit signatures on PRs
  verify-signatures:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4
        with:
          fetch-depth: 0

      - name: Verify commit signatures
        run: |
          echo "Checking commit signatures for PR commits..."
          # Get the merge base and check all commits since then
          BASE_SHA="${{ github.event.pull_request.base.sha }}"
          HEAD_SHA="${{ github.event.pull_request.head.sha }}"

          UNSIGNED_COMMITS=""
          while IFS= read -r commit; do
            if ! git verify-commit "$commit" 2>/dev/null; then
              UNSIGNED_COMMITS="$UNSIGNED_COMMITS $commit"
            fi
          done < <(git rev-list "$BASE_SHA".."$HEAD_SHA")

          if [ -n "$UNSIGNED_COMMITS" ]; then
            echo "::warning::The following commits are not signed:$UNSIGNED_COMMITS"
            echo "Consider signing your commits with GPG. See: https://docs.github.com/en/authentication/managing-commit-signature-verification"
          else
            echo "All commits are signed!"
          fi

  # Run gosec security scanner
  gosec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4

      - name: Run Gosec Security Scanner
        uses: securego/gosec@398ad549bbf1a51dc978fd966169f660c59774de # v2.23.0
        with:
          args: '-no-fail -fmt sarif -out results.sarif ./...'

      - name: Upload SARIF file
        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
        with:
          sarif_file: results.sarif
        if: always()

  # Dependency review for PRs
  dependency-review:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4

      - name: Dependency Review
        uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2

  # Trivy vulnerability scanning
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v4

      - name: Run Trivy vulnerability scanner (filesystem)
        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-fs-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'

      - name: Upload Trivy filesystem scan results
        uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
        with:
          sarif_file: 'trivy-fs-results.sarif'
          category: 'trivy-filesystem'
        if: always()

      - name: Run Trivy license scanner
        uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          scanners: 'license'
          format: 'table'
          severity: 'CRITICAL,HIGH'
        continue-on-error: true