Security Analysis #2099

Workflow file for this run

.github/workflows/security_analysis.yml at c71250f

	---
	name: Security Analysis

	on:
	push:
	branches: [master]
	pull_request:
	branches: [master]
	schedule:
	- cron: "0 6 * * *"

	jobs:
	codeql:
	name: CodeQL
	# "Initialize CodeQL" fails on forks and the results would not submit either
	if: github.repository_owner == 'controlplaneio'
	runs-on: ubuntu-latest
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	# provide a more modern go until resolved in codeql action
	# https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087
	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v3
	with:
	languages: go

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v3

	trivy:
	name: Trivy
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- name: Build an image from Dockerfile
	run: \|
	docker build . -t kubesec:${{ github.sha }}

	- name: Run Trivy
	uses: aquasecurity/[email protected]
	with:
	image-ref: kubesec:${{ github.sha }}
	format: template
	template: "@/contrib/sarif.tpl"
	output: trivy-results.sarif

	- name: Upload Trivy results to the Security tab
	# can't submit scan results on forks
	if: github.repository_owner == 'controlplaneio'
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: trivy-results.sarif

	trufflehog:
	name: TruffleHog
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Run Trufflehog
	uses: trufflesecurity/[email protected]
	with:
	path: ./
	base: ${{ github.event.repository.default_branch }}
	head: HEAD
	extra_args: --debug --only-verified

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security Analysis #2099

Workflow file

Security Analysis #2099

Jobs

Run details

Workflow file for this run