Add pip-audit support #43
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Security Scan | |
on: | |
pull_request: | |
push: | |
branches: | |
- main | |
schedule: | |
- cron: '11 11 * * 1' | |
defaults: | |
# would be nice if we could set this here: | |
#runs-on: ubuntu-latest | |
run: | |
shell: bash | |
# Restrict permissions to a conservative set | |
permissions: | |
# Check out repos | |
contents: read | |
# Post SARIF reports | |
security-events: write | |
# Required for running codeql-action/upload-sarif on private repos | |
actions: read | |
jobs: | |
gosec: | |
runs-on: ubuntu-latest | |
steps: | |
- name: checkout repo | |
uses: actions/checkout@v3 | |
with: | |
sparse-checkout: go/ | |
- name: run gosec | |
uses: securego/gosec@master | |
with: | |
args: -fmt sarif -out gosec.sarif -stdout -verbose=text ./... | |
- name: upload results | |
uses: github/codeql-action/upload-sarif@v2 | |
# run this even when the gosec task fails (otherwise we wouldn't get a result) | |
if: success() || failure() | |
# but ignore errors in case GH security upload isn't available | |
continue-on-error: true | |
with: | |
sarif_file: gosec.sarif | |
govulncheck: | |
runs-on: ubuntu-latest | |
steps: | |
- name: checkout repo | |
uses: actions/checkout@v3 | |
with: | |
sparse-checkout: go/ | |
- name: run govulncheck | |
uses: golang/govulncheck-action@v1 | |
with: | |
go-version-input: 1.19.0 | |
go-package: ./... | |
# this action doesn't produce a SARIF report yet, so there's nothing to upload. | |
# See: https://github.com/golang/go/issues/61347 | |
tfsec: | |
runs-on: ubuntu-latest | |
steps: | |
- name: checkout repo | |
uses: actions/checkout@v3 | |
with: | |
sparse-checkout: terraform/ | |
- name: run tfsec | |
uses: aquasecurity/tfsec-action@v1.0.0 | |
with: | |
working_directory: terraform/ | |
format: lovely,sarif | |
additional_args: --out results | |
- name: upload results | |
uses: github/codeql-action/upload-sarif@v2 | |
if: success() || failure() | |
continue-on-error: true | |
with: | |
sarif_file: results.sarif.json | |
bandit: | |
runs-on: ubuntu-latest | |
steps: | |
- name: checkout repo | |
uses: actions/checkout@v3 | |
with: | |
sparse-checkout: python/ | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.11' | |
# We're not using the official action because Bandit doesn't include the SARIF formatter by default. | |
- name: install bandit | |
# we could bind a specific Bandit and SARIF formatter version here | |
run: | | |
pip install bandit bandit_sarif_formatter | |
# Need to run Bandit twice because of https://github.com/PyCQA/bandit/issues/1047 | |
- name: generate sarif report | |
# ignore errors here (--exit-zero) so we can keep going (and fail with a full report) | |
run: | | |
bandit --recursive --format sarif --output results.sarif --exit-zero python/ | |
- name: run bandit | |
run: | | |
bandit --recursive --format screen python/ | |
- name: upload results | |
uses: github/codeql-action/upload-sarif@v2 | |
if: success() || failure() | |
continue-on-error: true | |
with: | |
sarif_file: results.sarif | |
chekov-terraform: | |
runs-on: ubuntu-latest | |
steps: | |
- name: checkout repo | |
uses: actions/checkout@v3 | |
with: | |
sparse-checkout: terraform/ | |
- name: run chekov | |
uses: bridgecrewio/checkov-action@v12 | |
with: | |
directory: terraform/ | |
output_format: cli,sarif | |
output_file_path: console,results.sarif | |
- name: upload results | |
uses: github/codeql-action/upload-sarif@v2 | |
if: success() || failure() | |
continue-on-error: true | |
with: | |
sarif_file: results.sarif | |
chekov-bicep: | |
runs-on: ubuntu-latest | |
steps: | |
- name: checkout repo | |
uses: actions/checkout@v3 | |
with: | |
sparse-checkout: bicep/ | |
- name: run chekov | |
uses: bridgecrewio/checkov-action@v12 | |
with: | |
directory: bicep/ | |
output_format: cli,sarif | |
output_file_path: console,results.sarif | |
- name: upload results | |
uses: github/codeql-action/upload-sarif@v2 | |
if: success() || failure() | |
continue-on-error: true | |
with: | |
sarif_file: results.sarif | |
# We could also use a matrix action to run the same job multiple times for different languages | |
# See: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstrategy | |
codeql-go: | |
runs-on: ubuntu-latest | |
steps: | |
- name: checkout repo | |
uses: actions/checkout@v3 | |
with: | |
sparse-checkout: go/ | |
- name: codeql init | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: go | |
- name: codeql autobuild | |
uses: github/codeql-action/autobuild@v2 | |
- name: codeql analysis | |
id: analysis | |
uses: github/codeql-action/analyze@v2 | |
with: | |
category: "/language:go" | |
- name: print results | |
run: | | |
cat "${{ steps.analysis.outputs.sarif-output }}/go.sarif" | |
echo "${{ steps.analysis.outputs.sarif-id }}" | |
codeql-python: | |
runs-on: ubuntu-latest | |
steps: | |
- name: checkout repo | |
uses: actions/checkout@v3 | |
with: | |
sparse-checkout: python/ | |
- name: codeql init | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: python | |
- name: codeql autobuild | |
uses: github/codeql-action/autobuild@v2 | |
- name: codeql analysis | |
id: analysis | |
uses: github/codeql-action/analyze@v2 | |
with: | |
category: "/language:python" | |
- name: print results | |
run: | | |
cat "${{ steps.analysis.outputs.sarif-output }}/python.sarif" | |
echo "${{ steps.analysis.outputs.sarif-id }}" | |
pip-audit: | |
runs-on: ubuntu-latest | |
steps: | |
- name: checkout repo | |
uses: actions/checkout@v3 | |
with: | |
sparse-checkout: python/ | |
- uses: pypa/gh-action-pip-audit@v1.0.0 | |
with: | |
inputs: requirements.txt | |
# SARIF reports aren't supported by pip-audit yet: | |
# https://github.com/pypa/pip-audit/issues/206 |