diff --git a/.github/workflows/codeql-scan.yml b/.github/workflows/codeql-scan.yml new file mode 100644 index 0000000..9e95c16 --- /dev/null +++ b/.github/workflows/codeql-scan.yml @@ -0,0 +1,50 @@ +# GitHub SAST (static application security testing) tool that scans code for security bugs and unsafe coding practices + +name: "CodeQL Scan" + +# Events that triggers CodeQL to run +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +# Option to configure as a scheduled action to monitor for drift in code +# schedule: +# - cron: '0 6 * * 1' + +jobs: + analyze: + name: CodeQL Analysis + runs-on: ubuntu-latest + # Skip any PR created by dependabot to avoid permission issues (if used) + if: (github.actor != 'dependabot[bot]') + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + # Add more languages if relevnt to the project + language: [ 'javascript' ] + # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + # Initialises the CodeQL tools for scanning (sorry Americans) + - name: Initialise CodeQL + uses: github/codeql-action/init@v1 + with: + languages: ${{ matrix.language }} + # If you wish to specify custom queries, you can do so here or in a config file. + # By default, queries listed here will override any specified in a config file. + # Prefix the list here with "+" to use these queries and those in the config file. + # queries: ./path/to/local/query, your-org/your-repo/queries@main + + # Run the analysis and upload results to the security tab + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v1 diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml new file mode 100644 index 0000000..223a48f --- /dev/null +++ b/.github/workflows/trivy-scan.yml @@ -0,0 +1,51 @@ +# Trivy configured to scan for vulnerable dependencies in the project software composition + +name: Trivy Scan + +# Events that triggers Trivy to run +on: + push: + branches: [ master ] + pull_request: + branches: [ master ] + +jobs: + build: + name: Trivy Vulnerability Scanner + runs-on: ubuntu-latest + # Skip any PR created by dependabot to avoid permission issues (if used) + if: (github.actor != 'dependabot[bot]') + steps: + # Checking out the repo to scan + - name: Checkout code + uses: actions/checkout@v2 + + # Run Trivy to fail the job on critical vulnerabiliies with fix available + - name: Run Trivy for critical vulnerabilities + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' # Filesystem mode + ignore-unfixed: true # Ignore vulnerabilities with no available fix + format: 'table' # Table output mode as next step will report in security tab + severity: 'CRITICAL' # Error only on critical vulnerabilities + exit-code: '1' # Fail the job if a critical vulnerability with fix available is found + + # Run Trivy reporting all vulnerabilities to the security tab + - name: Run Trivy for reporting all vulnerabilities + uses: aquasecurity/trivy-action@master + if: always() # Run this step even if job fails due to critical vuln + with: + scan-type: 'fs' # Filesystem mode + ignore-unfixed: true # Ignore vulnerabilities with no available fix + format: 'template' # Template output mode + template: '@/contrib/sarif.tpl' # SARIF template to be compatible with GitHub security tab + output: 'trivy-results.sarif' # Output file name + severity: 'CRITICAL,HIGH,MEDIUM' # Report on critical/high/medium vulnerabiliies + exit-code: '0' # No failing as for reporting purposes + + # Generate the output as SARIF and upload to the security tab + - name: Upload Trivy results + uses: github/codeql-action/upload-sarif@v1 + if: always() # Upload even if the job has failed due to a vulnerability + with: + sarif_file: 'trivy-results.sarif'