Merge pull request #491 from controlplaneio/dependabot/github_actions… #1757
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Security Analysis | |
on: | |
push: | |
branches: [master] | |
pull_request: | |
branches: [master] | |
schedule: | |
- cron: "0 6 * * *" | |
jobs: | |
codeql: | |
name: CodeQL | |
# "Initialize CodeQL" fails on forks and the results would not submit either | |
if: github.repository_owner == 'controlplaneio' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v2 | |
with: | |
languages: go | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v2 | |
trivy: | |
name: Trivy | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Build an image from Dockerfile | |
run: | | |
docker build . -t kubesec:${{ github.sha }} | |
- name: Run Trivy | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: kubesec:${{ github.sha }} | |
format: template | |
template: "@/contrib/sarif.tpl" | |
output: trivy-results.sarif | |
- name: Upload Trivy results to the Security tab | |
# can't submit scan results on forks | |
if: github.repository_owner == 'controlplaneio' | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: trivy-results.sarif | |
trufflehog: | |
name: TruffleHog | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Run Trufflehog | |
uses: trufflesecurity/[email protected] | |
with: | |
path: ./ | |
base: ${{ github.event.repository.default_branch }} | |
head: HEAD | |
extra_args: --debug --only-verified |