borg/.github/workflows/vibeship-security.yml at 963caa95ade4e9f306e70bb7f47f82100e6d1718 · robertpelloni/borg · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
name: Vibeship Security Scan

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  workflow_dispatch:
    inputs:
      full_scan:
        description: 'Run full deep scan'
        required: false
        default: 'false'
        type: boolean

concurrency:
  group: security-${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  vibeship-scan:
    name: Vibeship Security Scanner
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install Scanner Dependencies
        run: |
          pip install semgrep trivy-python gitleaks

      - name: Install Semgrep
        run: |
          pip install semgrep

      - name: Install Trivy
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'json'
          output: 'trivy-results.json'
          severity: 'CRITICAL,HIGH,MEDIUM'

      - name: Run Vibeship Scanner
        working-directory: tools/security/vibeship-scanner
        run: |
          python scanner/scan.py --repo "${{ github.workspace }}" --output ../../../scan-results.json
        continue-on-error: true

      - name: Run Semgrep with Vibeship Rules
        uses: returntocorp/semgrep-action@v1
        with:
          config: tools/security/vibeship-scanner/scanner/rules
        continue-on-error: true

      - name: Upload Scan Results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-scan-results
          path: |
            scan-results.json
            trivy-results.json
          retention-days: 30

      - name: Parse and Comment Results
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');

            let scanResults = { findings: [] };
            try {
              scanResults = JSON.parse(fs.readFileSync('scan-results.json', 'utf8'));
            } catch (e) {
              console.log('No scan results found');
            }

            const critical = scanResults.findings?.filter(f => f.severity === 'critical') || [];
            const high = scanResults.findings?.filter(f => f.severity === 'high') || [];

            if (critical.length > 0 || high.length > 0) {
              const body = `## 🔒 Vibeship Security Scan Results

              | Severity | Count |
              |----------|-------|
              | 🔴 Critical | ${critical.length} |
              | 🟠 High | ${high.length} |

              ${critical.length > 0 ? `### Critical Issues\n${critical.slice(0, 5).map(f => `- **${f.rule_id}**: ${f.message} (${f.file}:${f.line})`).join('\n')}` : ''}

              ${high.length > 0 ? `### High Issues\n${high.slice(0, 5).map(f => `- **${f.rule_id}**: ${f.message} (${f.file}:${f.line})`).join('\n')}` : ''}

              📊 Full results available in workflow artifacts.
              `;

              github.rest.issues.createComment({
                issue_number: context.issue.number,
                owner: context.repo.owner,
                repo: context.repo.repo,
                body: body
              });
            }

  dependency-scan:
    name: Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: pnpm/action-setup@v4
        with:
          version: 9

      - uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'pnpm'

      - run: pnpm install --frozen-lockfile

      - name: PNPM Audit
        run: pnpm audit --json > pnpm-audit.json || true

      - name: Upload Audit Results
        uses: actions/upload-artifact@v4
        with:
          name: dependency-audit
          path: pnpm-audit.json
          retention-days: 30

  secret-scan:
    name: Secret Detection
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Gitleaks Scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        continue-on-error: true

      - name: TruffleHog Scan
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
          head: HEAD
        continue-on-error: true