Security Analysis #2112
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Security Analysis | |
on: | |
push: | |
branches: [master] | |
pull_request: | |
branches: [master] | |
schedule: | |
- cron: "0 6 * * *" | |
jobs: | |
codeql: | |
name: CodeQL | |
# "Initialize CodeQL" fails on forks and the results would not submit either | |
if: github.repository_owner == 'controlplaneio' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
# provide a more modern go until resolved in codeql action | |
# https://github.com/github/codeql-action/issues/1842#issuecomment-1704398087 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version-file: go.mod | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@v3 | |
with: | |
languages: go | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@v3 | |
trivy: | |
name: Trivy | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Build an image from Dockerfile | |
run: | | |
docker build . -t kubesec:${{ github.sha }} | |
- name: Run Trivy | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: kubesec:${{ github.sha }} | |
format: template | |
template: "@/contrib/sarif.tpl" | |
output: trivy-results.sarif | |
- name: Upload Trivy results to the Security tab | |
# can't submit scan results on forks | |
if: github.repository_owner == 'controlplaneio' | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: trivy-results.sarif | |
trufflehog: | |
name: TruffleHog | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Run Trufflehog | |
uses: trufflesecurity/[email protected] | |
with: | |
path: ./ | |
base: ${{ github.event.repository.default_branch }} | |
head: HEAD | |
extra_args: --debug --only-verified |