-
Notifications
You must be signed in to change notification settings - Fork 0
112 lines (96 loc) · 3.53 KB
/
security.yml
File metadata and controls
112 lines (96 loc) · 3.53 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
# yaml-language-server: $schema=https://www.schemastore.org/github-workflow.json
name: Security
on:
pull_request:
branches: [main]
# Cancel in-progress runs when new commits are pushed
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
pull-requests: write
jobs:
# Detect if security-relevant files changed
detect-changes:
name: Detect Changes
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
cargo: ${{ steps.filter.outputs.cargo }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Check for dependency changes
uses: step-security/paths-filter@6eee183b0d2fd101d3f8ee2935c127bca14c5625 # v3.0.5
id: filter
with:
filters: |
cargo:
- 'Cargo.toml'
- 'Cargo.lock'
- '.github/workflows/security.yml'
dependency-review:
name: Dependency Review
needs: [detect-changes]
runs-on: ubuntu-latest
# Only run if Cargo files changed AND not triggered by dependabot
if: needs.detect-changes.outputs.cargo == 'true' && github.actor != 'dependabot[bot]'
permissions:
contents: read
pull-requests: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Dependency Review
uses: actions/dependency-review-action@05fe4576374b728f0c523d6a13d64c25081e0803 # v4.8.3
with:
fail-on-severity: high
comment-summary-in-pr: always
# Security scan summary - aggregates all security job results
# This job ALWAYS runs to satisfy required status checks
security-summary:
name: Security Summary
needs: [detect-changes, dependency-review]
runs-on: ubuntu-latest
if: always()
permissions:
contents: read
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Check security scan results
env:
CARGO_CHANGES: ${{ needs.detect-changes.outputs.cargo }}
DEPENDENCY_REVIEW_RESULT: ${{ needs.dependency-review.result }}
run: |
echo "## Security Scan Results"
echo ""
# If no security-relevant files changed, report success immediately
if [[ "$CARGO_CHANGES" != "true" ]]; then
echo "No Cargo dependency changes detected - security scan not required."
echo ""
echo "✅ Security checks passed (no relevant changes)"
exit 0
fi
echo "| Scanner | Status |"
echo "|---------|--------|"
echo "| Dependency Review | $DEPENDENCY_REVIEW_RESULT |"
echo ""
# Fail if any security job failed
if [[ "$DEPENDENCY_REVIEW_RESULT" != "success" && "$DEPENDENCY_REVIEW_RESULT" != "skipped" ]]; then
echo "❌ Security checks failed"
exit 1
fi
echo "✅ All security checks passed!"