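name: Security Checks

on:
  push:
    branches:
      - main
      - develop
  pull_request:
    branches:
      - main
      - develop
  schedule:
    # Run security checks daily at 2 AM UTC
    - cron: '0 2 * * *'

# Least-privilege GITHUB_TOKEN for the whole workflow. Without an explicit
# block the token falls back to the repository default, which may be
# read/write on every scope. `security-events: write` is the one extra
# scope needed here, by the SARIF upload to code scanning.
permissions:
  contents: read
  security-events: write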
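jobs:
  dependency-check:
    name: Dependency Check
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.9'

      - name: Install scanners
        run: |
          python -m pip install --upgrade pip
          pip install safety bandit

      # NOTE(review): the audited set is a hand-written package list, not the
      # project's dependency manifest, so it can silently drift from what is
      # actually deployed. Point this at the requirements/lock file once its
      # path is confirmed.
      - name: Check for vulnerable dependencies
        run: |
          pip install flask requests opentelemetry-api opentelemetry-sdk
          safety check
        # Non-blocking by policy, but the step now shows red on findings
        # instead of being hidden by `|| true`.
        continue-on-error: true

      - name: Run Bandit security linter
        # Bandit exits non-zero when it finds issues; the report is still
        # written, and the upload below runs because the job continues.
        run: bandit -r app/ -f json -o bandit-report.json
        continue-on-error: true

      - name: Upload Bandit report
        uses: actions/upload-artifact@v4
        with:
          name: bandit-report
          path: bandit-report.json
          if-no-files-found: warn

  container-scan:
    name: Container Image Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # required by codeql-action/upload-sarif
    strategy:
      # Scan the other image even if one build breaks.
      fail-fast: false
      matrix:
        service: [backend, frontend]
    steps:
      - uses: actions/checkout@v4

      - name: Build container image for scanning
        id: build
        run: docker build -t "${{ matrix.service }}:${{ github.sha }}" "app/${{ matrix.service }}/"
        continue-on-error: true

      - name: Run Trivy vulnerability scanner
        # Only scan when the image actually exists; scanning after a failed
        # build just produced a confusing Trivy error.
        if: steps.build.outcome == 'success'
        # Pinned to a release instead of the mutable `master` ref (a full
        # commit SHA would be stricter still).
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: '${{ matrix.service }}:${{ github.sha }}'
          format: 'sarif'
          output: 'trivy-${{ matrix.service }}-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy results
        if: steps.build.outcome == 'success'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-${{ matrix.service }}-results.sarif'
          # Each matrix leg needs its own category; uploads sharing a category
          # for the same commit replace one another, so one image's results
          # were overwriting the other's.
          category: 'trivy-${{ matrix.service }}'

  kubernetes-security:
    name: Kubernetes Manifest Security Check
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4

      - name: Set up Kubesec
        # `-f` makes curl fail on an HTTP error instead of piping an error page
        # into tar; the runner's default `pipefail` then surfaces the failure.
        # TODO(review): verify the archive against the published release
        # checksum before extracting; it is currently trusted on TLS alone.
        run: |
          curl -fsSL https://github.com/controlplaneio/kubesec/releases/download/v2.14.0/kubesec_linux_amd64.tar.gz | tar xz
          chmod +x ./kubesec

      - name: Scan Kubernetes manifests
        run: |
          # `**` only recurses with globstar; without it the pattern matched a
          # single directory level. nullglob drops patterns with no matches.
          shopt -s globstar nullglob
          status=0
          for file in app/**/*.yaml observability/**/*.yaml gitops/**/*.yaml; do
            if [ -f "$file" ]; then
              echo "Scanning $file..."
              ./kubesec scan "$file" || status=1
            fi
          done
          # Scan every file, then report a failure if any scan did.
          exit "$status"
        continue-on-error: true

  secret-scan:
    name: Secret Detection
    runs-on: ubuntu-latest
    permissions:
      contents: read
    env:
      # A step's own `env` is not visible to that step's `if`, so the original
      # guard always read an empty value and skipped GitGuardian. Evaluate the
      # secret here, where the `secrets` context is permitted, and expose only
      # a boolean flag rather than the key itself.
      GITGUARDIAN_ENABLED: ${{ secrets.GITGUARDIAN_API_KEY != '' }}
    steps:
      - uses: actions/checkout@v4
        with:
          # ggshield scans the pushed/PR commit range and needs history.
          fetch-depth: 0

      - name: Run TruffleHog secret scan
        # The PyPI `truffleHog` package is the legacy v2 CLI, which has no
        # `filesystem` subcommand: the original invocation failed on argument
        # parsing and `|| true` hid it, leaving an empty results file. Use the
        # maintained v3 image instead. Note that `filesystem` scans the checked
        # out tree only; use the `git` source if history must be covered.
        # TODO(review): pin the image to a digest rather than `latest`.
        run: |
          docker run --rm -v "$PWD:/repo" trufflesecurity/trufflehog:latest \
            filesystem /repo --json > trufflehog-results.json
        continue-on-error: true

      - name: Upload TruffleHog results
        uses: actions/upload-artifact@v4
        with:
          name: trufflehog-results
          path: trufflehog-results.json
          if-no-files-found: warn

      - name: GitGuardian scan (optional, requires API key)
        # Skipped automatically on forked PRs, where secrets are unavailable.
        if: env.GITGUARDIAN_ENABLED == 'true'
        # Pinned to the v1 release line instead of the mutable `master` ref.
        uses: gitguardian/ggshield-action@v1
        env:
          GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
          GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
          GITHUB_PULL_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
        with:
          args: --verbose
        continue-on-error: true

  summary:
    name: Security Summary
    runs-on: ubuntu-latest
    needs: [dependency-check, container-scan, kubernetes-security, secret-scan]
    if: always()
    # This job only prints; it needs no token scopes at all.
    permissions: {}
    steps:
      - name: Report results
        # Write to the job summary so the table is visible on the run page,
        # not only in the step log. `needs.*.result` values are fixed
        # status words, so interpolating them into the script is safe.
        run: |
          {
            echo "## Security Checks Summary"
            echo ""
            echo "| Check | Result |"
            echo "| --- | --- |"
            echo "| Dependency Check | ${{ needs.dependency-check.result }} |"
            echo "| Container Scan | ${{ needs.container-scan.result }} |"
            echo "| Kubernetes Security | ${{ needs.kubernetes-security.result }} |"
            echo "| Secret Scan | ${{ needs.secret-scan.result }} |"
            echo ""
            echo "All security checks completed. Check artifacts and the Security tab for detailed reports."
          } | tee -a "$GITHUB_STEP_SUMMARY"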