|
1 | | -### Required actions to scan GitHub action workflows for security issues. |
2 | | -name: 'Scan GitHub Action workflows files for security issues' |
| 1 | +name: 'GitHub Admin: Actions Workflow Security Scan' |
| 2 | + |
3 | 3 | on: |
4 | | - pull_request: {} |
5 | | -permissions: |
6 | | - contents: 'read' |
7 | | - security-events: 'write' |
8 | | - actions: 'read' |
| 4 | + pull_request: |
| 5 | + paths: |
| 6 | + - '.github/workflows/**/*.yml' |
| 7 | + - '.github/workflows/**/*.yaml' |
| 8 | + - '.github/actions/**/*.yml' |
| 9 | + - '.github/actions/**/*.yaml' |
| 10 | + |
9 | 11 | jobs: |
10 | | - semgrep: |
11 | | - name: 'semgrep-oss/scan' |
| 12 | + scan-pr: |
| 13 | + permissions: |
| 14 | + contents: 'read' |
| 15 | + if: "github.event_name == 'pull_request'" |
12 | 16 | runs-on: 'ubuntu-latest' |
13 | | - container: |
14 | | - image: 'index.docker.io/semgrep/semgrep@sha256:85782eaf09692e6dfb684cd3bad87ef315775814b01f76b4d15582e4ca7c1c89' # ratchet:semgrep/semgrep |
15 | | - # Skip any PR created by dependabot to avoid permission issues: |
16 | | - if: (github.actor != 'dependabot[bot]') |
17 | 17 | steps: |
18 | | - - name: 'Checkout Code' |
19 | | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 |
20 | | - - name: 'Checkout Workflow Config' |
21 | | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # ratchet:actions/checkout@v4 |
22 | | - env: |
23 | | - GH_REPO_OWNER: ${{ github.repository_owner }} |
24 | | - with: |
25 | | - repository: 'google/github-team' |
26 | | - path: action_scanning |
27 | | - - name: 'Run Actions semgrep scan' |
28 | | - run: 'semgrep scan --sarif --config action_scanning/semgrep-rules --config "p/github-actions" |
29 | | - --sarif-output semgrep-results-actions.sarif || true' |
30 | | - - name: 'Save Actions SARIF results as artifact' |
31 | | - uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4 |
32 | | - with: |
33 | | - name: 'semgrep-scan-results-actions' |
34 | | - path: 'semgrep-results-actions.sarif' |
35 | | - - name: 'Upload Actions SARIF result to the GitHub Security Dashboard' |
36 | | - uses: 'github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841' # ratchet:github/codeql-action/upload-sarif@v3 |
37 | | - with: |
38 | | - sarif_file: 'semgrep-results-actions.sarif' |
39 | | - if: always() |
| 18 | + - name: 'Checkout PR Code' |
| 19 | + uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 |
| 20 | + |
| 21 | + - name: 'Check for Workflow Files' |
| 22 | + id: 'check_files' |
| 23 | + run: | |
| 24 | + FOUND_FILES=$(find . -type f -regextype posix-extended -regex '\./\.github/(workflows|actions)/.*\.ya?ml' | head -n 1) |
| 25 | + if [ -n "$FOUND_FILES" ]; then |
| 26 | + echo "workflow_files_found=true" >> "$GITHUB_OUTPUT" |
| 27 | + else |
| 28 | + echo "workflow_files_found=false" >> "$GITHUB_OUTPUT" |
| 29 | + fi |
| 30 | + - name: 'Initialize CodeQL' |
| 31 | + if: "steps.check_files.outputs.workflow_files_found == 'true'" |
| 32 | + uses: 'google/codeql-action/init@014f16e7ab1402f30e7c3329d33797e7948572db' # ratchet:google/codeql-action/init@v4 |
| 33 | + with: |
| 34 | + languages: 'actions' |
| 35 | + queries: 'security-extended' |
| 36 | + - name: 'Perform CodeQL Analysis' |
| 37 | + if: "steps.check_files.outputs.workflow_files_found == 'true'" |
| 38 | + id: 'codeql_analysis' |
| 39 | + uses: 'google/codeql-action/analyze@014f16e7ab1402f30e7c3329d33797e7948572db' # ratchet:google/codeql-action/analyze@v4 |
| 40 | + with: |
| 41 | + upload: 'never' |
| 42 | + |
| 43 | + - name: 'Check for Vulnerabilities and Set Status' |
| 44 | + id: 'vuln_check' |
| 45 | + if: "steps.check_files.outputs.workflow_files_found == 'true'" |
| 46 | + run: | |
| 47 | + SARIF_FILE="${{ steps.codeql_analysis.outputs.sarif-output }}/actions.sarif" |
| 48 | + if [ ! -f "$SARIF_FILE" ]; then |
| 49 | + echo "SARIF file not found at $SARIF_FILE" |
| 50 | + exit 1 |
| 51 | + fi |
| 52 | + RESULT_COUNT=$(jq '.runs[0].results | length' "$SARIF_FILE") |
| 53 | + if [ "$RESULT_COUNT" -gt 0 ]; then |
| 54 | + echo "::error::CodeQL found $RESULT_COUNT potential vulnerabilities." |
| 55 | + echo "---" |
| 56 | + jq -r '.runs[0].results[] | ("Rule ID: " + .ruleId + "\nMessage: " + .message.text + "\nFile: " + .locations[0].physicalLocation.artifactLocation.uri + "\nLine: " + (.locations[0].physicalLocation.region.startLine | tostring) + "\n---")' "$SARIF_FILE" |
| 57 | + exit 1 |
| 58 | + else |
| 59 | + echo "No vulnerabilities found. Check passed." |
| 60 | + fi |
| 61 | +
|
| 62 | + - name: 'Upload SARIF file on failure' |
| 63 | + if: "failure() && steps.vuln_check.conclusion == 'failure'" |
| 64 | + uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4 |
| 65 | + with: |
| 66 | + name: 'sarif-report' |
| 67 | + path: '${{ steps.codeql_analysis.outputs.sarif-output }}/actions.sarif' |
| 68 | + retention-days: 1 |
| 69 | + overwrite: 'true' |
0 commit comments