Skip to content
.github/workflows/security.yml

chore(deps)(deps): bump the observability group across 1 directory wi… #59

Sign in to view logs

chore(deps)(deps): bump the observability group across 1 directory wi…

chore(deps)(deps): bump the observability group across 1 directory wi… #59

Workflow file for this run

.github/workflows/security.yml at 82c1d36
name: Security Audit

Check failure on line 1 in .github/workflows/security.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/security.yml

Invalid workflow file 

reusable workflows should be referenced at the top-level `jobs.*.uses' key, not within steps
on:
schedule:
# Run daily at 2 AM UTC
- cron: '0 2 * * *'
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
workflow_dispatch:
env:
CARGO_TERM_COLOR: always
jobs:
# Cargo audit for security vulnerabilities
cargo-audit:
name: Cargo Audit
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- name: Cache cargo-audit
uses: actions/cache@v4
with:
path: ~/.cargo/bin/cargo-audit
key: ${{ runner.os }}-cargo-audit
restore-keys: |
${{ runner.os }}-cargo-audit
- name: Install cargo-audit
run: cargo install cargo-audit --locked || true
- name: Run cargo audit
run: cargo audit --deny warnings
# Dependency review for pull requests
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Dependency Review
uses: actions/dependency-review-action@v3
with:
fail-on-severity: moderate
deny-licenses: GPL-2.0, GPL-3.0, AGPL-3.0
# SAST scanning with Semgrep
semgrep:
name: Semgrep SAST
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep
if: github.event_name != 'schedule'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Semgrep
run: semgrep scan --config=auto --error
# CodeQL analysis
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ 'rust' ]
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
queries: security-extended,security-and-quality
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- name: Build project
run: cargo build --release --all-features
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{matrix.language}}"
# Secret scanning with Gitleaks
gitleaks:
name: Gitleaks Secret Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run Gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
# Trivy vulnerability scanner
trivy:
name: Trivy Vulnerability Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'
# Docker image scanning
docker-scan:
name: Docker Image Security Scan
runs-on: ubuntu-latest
if: github.event_name != 'schedule'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker image
uses: docker/build-push-action@v5
with:
context: .
push: false
tags: llm-latency-lens:test
load: true
- name: Run Trivy vulnerability scanner on Docker image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'llm-latency-lens:test'
format: 'sarif'
output: 'trivy-docker-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy Docker results
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-docker-results.sarif'
- name: Run Snyk to check Docker image for vulnerabilities
continue-on-error: true
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: llm-latency-lens:test
args: --severity-threshold=high
# Supply chain security with SLSA
slsa-provenance:
name: SLSA Provenance
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
permissions:
id-token: write
contents: read
actions: read
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Generate SLSA provenance
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
with:
base64-subjects: ""
upload-assets: true
# SBOM generation
sbom:
name: Generate SBOM
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Rust toolchain
uses: dtolnay/rust-toolchain@stable
- name: Install cargo-sbom
run: cargo install cargo-sbom --locked || true
- name: Generate SBOM
run: cargo sbom --output-format json > sbom.json
- name: Upload SBOM
uses: actions/upload-artifact@v4
with:
name: sbom
path: sbom.json
- name: Scan SBOM with Grype
uses: anchore/scan-action@v3
with:
sbom: sbom.json
fail-build: true
severity-cutoff: high
# Security summary
security-summary:
name: Security Summary
needs: [cargo-audit, semgrep, codeql, gitleaks, trivy, docker-scan, sbom]
runs-on: ubuntu-latest
if: always()
steps:
- name: Check security status
if: contains(needs.*.result, 'failure')
run: |
echo "::error::One or more security checks failed"
exit 1
- name: Security checks passed
run: echo "All security checks passed successfully!"