-
Notifications
You must be signed in to change notification settings - Fork 118
123 lines (113 loc) · 3.78 KB
/
Copy pathsecurity.yml
File metadata and controls
123 lines (113 loc) · 3.78 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
name: Security
on:
push:
branches: [main, master]
pull_request:
branches: [main, master]
schedule:
- cron: '0 6 * * 1' # Weekly on Monday at 06:00 UTC
jobs:
# ─── Dependency audits ────────────────────────────────────────────────────────
audit-backend:
name: Cargo Audit (Backend)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
with:
workspaces: backend
- name: Install cargo-audit
run: cargo install cargo-audit --locked
- name: Audit
working-directory: ./backend
run: cargo audit
audit-contracts:
name: Cargo Audit (Contracts)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
- uses: Swatinem/rust-cache@v2
with:
workspaces: contracts
- name: Install cargo-audit
run: cargo install cargo-audit --locked
- name: Audit
working-directory: ./contracts
run: cargo audit
audit-frontend:
name: NPM Audit (Frontend)
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./mobileapp
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 18
cache: npm
cache-dependency-path: mobileapp/package-lock.json
- run: npm ci
- name: Audit
run: npm audit --audit-level=high
# ─── SAST – Semgrep ──────────────────────────────────────────────────────────
semgrep:
name: SAST (Semgrep)
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- uses: returntocorp/semgrep-action@v1
with:
config: >-
p/rust
p/typescript
p/secrets
p/owasp-top-ten
env:
SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
# ─── Container scanning (runs after Docker build workflow) ───────────────────
trivy:
name: Trivy Container Scan
runs-on: ubuntu-latest
# Only scan on push to main so we have an image to scan
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- name: Build image for scanning
run: docker build -t zaps-backend:scan ./backend
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: zaps-backend:scan
format: sarif
output: trivy-results.sarif
severity: CRITICAL,HIGH
exit-code: '1'
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: trivy-results.sarif
# ─── Secret scanning ─────────────────────────────────────────────────────────
gitleaks:
name: Secret Scan (Gitleaks)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run Gitleaks
run: |
docker run --rm \
-v "$PWD:/repo" \
zricethezav/gitleaks:latest detect \
--source=/repo \
--config=/repo/gitleaks.toml \
--redact \
--verbose