-
Notifications
You must be signed in to change notification settings - Fork 124
47 lines (43 loc) · 1.6 KB
/
security-shared.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# !!! Important !!!
# This a reusable workflow and is used in the PR and push to main branch flow separately
# to be able to protect it behind a manual approval in the PR flow
name: security-shared
on:
workflow_call:
permissions:
contents: read
jobs:
gosec:
runs-on: [self-hosted, public, linux, x64]
env:
GO111MODULE: on
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Run Gosec Security Scanner
uses: securego/gosec@55d79496019a560e16e73e1948dee20a1fad631a # v2
with:
args: './...'
trufflehog-secrets:
runs-on: [self-hosted, public, linux, x64]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: detect secrets
uses: edplato/trufflehog-actions-scan@0af17d9dd1410283f740eb76b0b8f6b696cadefc # v0.9
with:
scanArguments: "--regex --entropy=False --exclude_paths .github/exclude-patterns.txt --max_depth=1"
checkov-secrets:
runs-on: [self-hosted, public, linux, x64]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Scan for secrets
uses: bridgecrewio/checkov-action@master # use latest and greatest
with:
api-key: ${{ secrets.PRISMA_KEY_API2 }}
prisma-api-url: ${{ secrets.PRISMA_API_URL_2 }}
config_file: .github/checkov.yaml