ci: add-scans (#208)

yxtay · web-flow · commit 6b19b7579e32 · 2025-04-21T11:01:16.000+08:00
diff --git a/.github/workflows/scans.yml b/.github/workflows/scans.yml
@@ -31,6 +31,58 @@ jobs:
         with:
           sarif_file: devskim-results.sarif
 
+  dustilock:
+    permissions:
+      contents: read
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - uses: checkmarx/dustilock@9a0cc4fe3da93f7efb38679896c074dc94d60ac6 # v1
+
+  gitleaks:
+    permissions:
+      contents: write
+      pull-requests: write
+      security-events: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          fetch-depth: (${{ github.event.pull_request.commits || 2 }} + 1)
+
+      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - if: ${{ success() || failure() }}
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3
+        with:
+          sarif_file: results.sarif
+
+  grype:
+    permissions:
+      contents: read
+      security-events: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - id: grype
+        uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6
+        with:
+          path: .
+          severity-cutoff: high
+          only-fixed: true
+
+      - if: ${{ success() || failure() }}
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3
+        with:
+          sarif_file: ${{ steps.grype.outputs.sarif }}
+
   megalinter:
     permissions:
       contents: write
@@ -104,7 +156,7 @@ jobs:
       security-events: write
 
     if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }}
-    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f # v1
+    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f # v2
 
   osv-scan-push:
     permissions:
@@ -113,29 +165,72 @@ jobs:
       security-events: write
 
     if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
-    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f # v1
+    uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6fc714450122bda9d00e4ad5d639ad6a39eedb1f # v2
+
+  syft:
+    permissions:
+      actions: read
+      contents: write
+      security-events: write
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0
+        with:
+          output-file: "${{ github.event.repository.name }}-sbom.spdx.json"
+          dependency-snapshot: true
+
+      - id: grype
+        uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6
+        with:
+          sbom: "${{ github.event.repository.name }}-sbom.spdx.json"
+          severity-cutoff: high
+          only-fixed: true
+
+      - if: ${{ success() || failure() }}
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3
+        with:
+          sarif_file: ${{ steps.grype.outputs.sarif }}
 
   trivy:
     permissions:
-      contents: read
+      contents: write
       security-events: write
 
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
-      - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30.0
+      - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30
+        with:
+          scan-type: fs
+          format: github
+          output: dependency-results.sbom.json
+          github-pat: ${{ github.token }}
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: trivy-sbom-report
+          path: "${{ github.workspace }}/dependency-results.sbom.json"
+
+      - uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # 0.30
         with:
           scan-type: fs
           exit-code: 1
           ignore-unfixed: true
           severity: HIGH,CRITICAL
           format: sarif
           output: trivy-results.sarif
+          skip-setup-trivy: true
 
-      - uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3
+      - if: ${{ success() || failure() }}
+        uses: github/codeql-action/upload-sarif@45775bd8235c68ba998cffa5171334d58593da47 # v3
         with:
-          sarif_file: "trivy-results.sarif"
+          sarif_file: trivy-results.sarif
 
   trufflehog:
     permissions:
@@ -145,7 +240,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
-          fetch-depth: 3
+          fetch-depth: (${{ github.event.pull_request.commits || 2 }} + 1)
 
       - uses: trufflesecurity/trufflehog@ad258d848807ac956c978b391895800cb4237c1a # v3
         with:
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -60,6 +60,11 @@ repos:
     hooks:
       - id: gitleaks
 
+  - repo: https://github.com/trufflesecurity/trufflehog
+    rev: v3.88.24
+    hooks:
+      - id: trufflehog
+
   - repo: https://github.com/rhysd/actionlint
     rev: v1.7.7
     hooks:
@@ -121,4 +126,4 @@ repos:
 
 ci:
   autoupdate_commit_msg: "ci: pre-commit autoupdate"
-  skip: [hadolint-docker, shellcheck]
+  skip: [trufflehog, hadolint-docker, shellcheck]
