From 121df559650afb1412d0e193ad4a973572fa57fb Mon Sep 17 00:00:00 2001
From: Vitaliy Saveliev
Date: Mon, 24 Jun 2024 22:42:00 +0300
Subject: [PATCH] Add security scanners to Github Actions

---
 .github/workflows/secure.yml | 61 ++++++++++++++++++++
 .github/workflows/{checks.yml => verify.yml} | 13 +++--
 2 files changed, 69 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/secure.yml
 rename .github/workflows/{checks.yml => verify.yml} (71%)

diff --git a/.github/workflows/secure.yml b/.github/workflows/secure.yml
new file mode 100644
index 0000000..92fd4f7
--- /dev/null
+++ b/.github/workflows/secure.yml
@@ -0,0 +1,61 @@
+name: Secure
+
+on: push
+
+jobs:
+ # Sample GitHub Actions:
+ # https://semgrep.dev/docs/semgrep-ci/sample-ci-configs#sample-github-actions-configuration-file
+ semgrep:
+ runs-on: ubuntu-latest
+ container:
+ image: semgrep/semgrep
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v4
+ - run: semgrep scan --sarif --output=semgrep.sarif --error
+ env:
+ SEMGREP_RULES: >-
+ p/bandit
+ p/command-injection
+ p/comment
+ p/cwe-top-25
+ p/default
+ p/gitlab
+ p/gitlab-bandit
+ p/gitleaks
+ p/insecure-transport
+ p/owasp-top-ten
+ p/python
+ p/r2c-best-practices
+ p/r2c-bug-scan
+ p/r2c-security-audit
+ p/secrets
+ p/security-audit
+ p/xss
+ - uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: semgrep.sarif
+ if: always()
+
+ # Samples GitHub Actions:
+ # https://github.com/aquasecurity/trivy-action
+ trivy:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: aquasecurity/trivy-action
+ with:
+ scan-type: 'fs'
+ format: 'sarif'
+ output: 'trivy.sarif'
+ exit-code: '1'
+ severity: 'CRITICAL,HIGH'
+ - uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: trivy.sarif
+ if: always()
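Review bot: The trivy job's `- uses: aquasecurity/trivy-action` carries no `@ref`, and GitHub's workflow syntax requires `{owner}/{repo}@{ref}` for a public action, so as written the job should be rejected when the workflow is parsed. Beyond making it load, a third-party action running in a job that holds `security-events: write` should be pinned to a full commit SHA rather than a floating tag, e.g. `- uses: aquasecurity/trivy-action@<full-commit-sha>  # <release tag, placeholder>`. The same applies to the semgrep job's `image: semgrep/semgrep`, which resolves to a mutable `:latest`; pin it as `image: semgrep/semgrep:<version or digest, placeholder>` so a scanner update cannot silently change what runs against the repository. With both pinned, the two `upload-sarif` steps guarded by `if: always()` still publish results when `--error` / `exit-code: '1'` fail the scan step, which is the intended behaviour.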
diff --git a/.github/workflows/checks.yml b/.github/workflows/verify.yml
similarity index 71%
rename from .github/workflows/checks.yml
rename to .github/workflows/verify.yml
index 2aadcef..0911dcc 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/verify.yml
@@ -1,20 +1,23 @@
-name: Checks
+name: Verify
+
 on: push
+
 jobs:
 flake8:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
 with:
 python-version: '3.8'
 - run: pip install -r requirements.txt -r test-requirements.txt
 - run: flake8 .
+
 pytest:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-python@v4
+ - uses: actions/checkout@v4
+ - uses: actions/setup-python@v5
 with:
 python-version: '3.8'
 - run: pip install -r requirements.txt -r test-requirements.txt