-
Notifications
You must be signed in to change notification settings - Fork 6
64 lines (61 loc) · 1.62 KB
/
secure.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
name: Secure
on: push
jobs:
# Sample GitHub Actions:
# https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
#
# CLI Reference:
# https://semgrep.dev/docs/cli-reference
semgrep:
runs-on: ubuntu-latest
container:
image: semgrep/semgrep
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- run: semgrep scan --sarif --output=semgrep.sarif --error --severity=warning
env:
SEMGREP_RULES: >-
p/bandit
p/command-injection
p/comment
p/cwe-top-25
p/default
p/gitlab
p/gitlab-bandit
p/gitleaks
p/insecure-transport
p/owasp-top-ten
p/python
p/r2c-best-practices
p/r2c-bug-scan
p/r2c-security-audit
p/secrets
p/security-audit
p/xss
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: semgrep.sarif
if: always()
# Samples GitHub Actions:
# https://github.com/aquasecurity/trivy-action
trivy:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'sarif'
output: 'trivy.sarif'
exit-code: '1'
severity: 'MEDIUM,CRITICAL,HIGH'
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy.sarif
if: always()