-
Notifications
You must be signed in to change notification settings - Fork 0
103 lines (84 loc) · 2.87 KB
/
scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
name: Run security scans
on:
workflow_dispatch:
pull_request:
push:
branches:
- main
jobs:
sast-scanner:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
security-events: write
steps:
- name: checkout
uses: actions/checkout@v4
- name: configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_SCAN_ROLE }}
role-session-name: github-actions
aws-region: eu-west-1
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
with:
registries: ${{ secrets.TOOLS_REGISTRY }}
- name: setup docker buildx
uses: docker/setup-buildx-action@v3
- name: Build sast scanner
uses: docker/build-push-action@v6
with:
context: ./docker/sast-scanner-meta
file: ./docker/sast-scanner-meta/Dockerfile
push: false
cache-from: type=gha
cache-to: type=gha,mode=max
tags: ${{ env.REPOSITORY }}/sast-scanner-meta:latest
load: true
env:
DOCKER_BUILD_RECORD_UPLOAD: false
REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }}
- name: Run sast scanner
run: |
docker run --rm -v "${{ github.workspace }}:/src" -e LEVEL=HIGH -e TARGET=APP -e FORMAT=sarif $REPOSITORY/sast-scanner-meta:latest
env:
REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }}
- name: upload results to advanced security
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep-app-report.sarif
category: semgrep
dependency-check:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
security-events: write
steps:
- name: checkout
uses: actions/checkout@v4
- name: configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.AWS_SCAN_ROLE }}
role-session-name: github-actions
aws-region: eu-west-1
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
with:
registries: ${{ secrets.TOOLS_REGISTRY }}
- name: Run dependency check
run: |
docker run --rm -v "${{ github.workspace }}:${{ github.workspace }}" -e SCAN_DIR=${{ github.workspace }} -e FORMAT=SARIF -e OUTDIR=${{ github.workspace }} $REGISTRY/$REPOSITORY/dependency-check:v1.0.0
env:
REGISTRY: ${{ steps.login-ecr.outputs.registry }}
REPOSITORY: ${{ secrets.TOOLS_REPOSITORY }}
- name: upload results to advanced security
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: dependency-check-report.sarif
category: dependency-check