Enhanced developer experience #4

Workflow file for this run

.github/workflows/security-scan.yml at 99a54cf

	name: Security Scan

	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	schedule:
	# Run security scan weekly
	- cron: '0 2 * * 1'

	jobs:
	basic-checks:
	runs-on: ubuntu-latest
	name: Basic Checks (dev.sh)
	steps:
	- uses: actions/checkout@v4

	- name: Install dependencies
	run: \|
	# Install shellcheck
	sudo apt-get update
	sudo apt-get install -y shellcheck

	# Install yamllint
	pip install yamllint

	- name: Run all checks
	run: ./dev.sh check-all

	advanced-security:
	runs-on: ubuntu-latest
	name: Advanced Security Scans
	permissions:
	actions: read
	contents: read
	security-events: write
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Run TruffleHog OSS
	uses: trufflesecurity/trufflehog@main
	with:
	path: ./
	base: main
	head: HEAD
	extra_args: --debug --only-verified

	- name: Run Hadolint
	uses: hadolint/hadolint-action@v3.1.0
	with:
	dockerfile: "*/Dockerfile"
	failure-threshold: warning
	format: sarif
	output-file: hadolint-results.sarif

	- name: Upload Hadolint results
	uses: github/codeql-action/upload-sarif@v2
	if: always()
	with:
	sarif_file: hadolint-results.sarif

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v2
	with:
	languages: javascript, python, go
	queries: security-and-quality

	- name: Autobuild
	uses: github/codeql-action/autobuild@v2

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v2
	with:
	category: "/language:javascript,python,go"

	security-summary:
	runs-on: ubuntu-latest
	needs: [basic-checks, advanced-security]
	if: always()
	name: Security Summary

	steps:
	- name: Security Scan Summary
	run: \|
	echo "## Security Scan Results" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY

	# Check job results
	basic_result="${{ needs.basic-checks.result }}"
	advanced_result="${{ needs.advanced-security.result }}"

	echo "\| Security Check \| Status \|" >> $GITHUB_STEP_SUMMARY
	echo "\|----------------\|--------\|" >> $GITHUB_STEP_SUMMARY
	echo "\| Basic Checks (dev.sh) \| $basic_result \|" >> $GITHUB_STEP_SUMMARY
	echo "\| Advanced Security \| $advanced_result \|" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY

	# Overall status
	if [[ "$basic_result $advanced_result" == "failure" ]]; then
	echo "🔴 Security issues detected! Please review the scan results." >> $GITHUB_STEP_SUMMARY
	else
	echo "🟢 All security scans passed successfully." >> $GITHUB_STEP_SUMMARY
	fi

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Enhanced developer experience #4

Workflow file

Enhanced developer experience #4

Uh oh!

Workflow file for this run