GitHub repo security scan
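---
# Name of the GitHub Actions workflow.
name: Enhanced Security and Stability Scan

# Controls when the workflow will run.
on:  # yamllint disable-line rule:truthy
  # Push events, but only for the main branch.
  push:
    branches: [main]
  # Pull request events targeted at the main branch.
  pull_request:
    branches: [main]
  # Manual runs from the Actions tab.
  workflow_dispatch:

# Default permissions for the GITHUB_TOKEN across the whole workflow.
# Each job widens this only where it genuinely needs to (least privilege).
permissions:
  contents: read

# For a given branch only the latest commit's run survives; earlier
# in-flight runs for the same branch are cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  # Runs the scanners and uploads their SARIF output. This job never holds
  # `contents: write`, so none of the third-party scanner actions it executes
  # can push to the repository with the job token.
  security_scan:
    name: Security Scan
    runs-on: ubuntu-latest
    # Upper bound so a hung scanner cannot run indefinitely.
    timeout-minutes: 15
    permissions:
      contents: read
      security-events: write  # Upload SARIF files to the Security tab.
      # NOTE(review): upload-sarif may additionally need `actions: read` on
      # private repositories - confirm against the CodeQL action docs.
    outputs:
      # "true" when a scanner step exited non-zero (with the scanners
      # configured below that means it reported findings).
      scanner_failed: ${{ steps.semgrep.outcome == 'failure' || steps.trivy.outcome == 'failure' }}
    steps:
      # Step 1: check out the repository. Credentials are not persisted in the
      # git config because later third-party steps never need to push.
      - name: Checkout repository
        # TODO(review): pin to a full commit SHA (actions/checkout@<FULL_SHA>  # vX.Y.Z);
        # a moving tag can be repointed by the action's maintainers.
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Step 2: Semgrep SAST scan. Findings make the step exit non-zero; keep
      # going so the other scanner and the SARIF uploads still run.
      - name: Run Semgrep SAST Scan
        id: semgrep
        # TODO(review): @v1 is a mutable tag, not a commit SHA - pin it.
        uses: returntocorp/semgrep-action@v1
        continue-on-error: true
        with:
          # Writes semgrep.sarif for the Security tab integration.
          generateSarif: "true"

      # Step 3: Trivy IaC and dependency scan of the checked-out filesystem.
      - name: Run Trivy IaC and Dependency Scan
        id: trivy
        # NOTE(review): the action reference was lost when this page was
        # rendered; restore the original version and pin it to a full SHA.
        uses: aquasecurity/trivy-action@<PINNED_VERSION_OR_SHA>
        continue-on-error: true
        with:
          scan-type: 'fs'
          format: 'sarif'
          output: 'trivy-results.sarif'
          ignore-unfixed: true
          severity: 'HIGH,CRITICAL'
          # Exit non-zero on HIGH/CRITICAL findings so check_status can
          # report them; continue-on-error above keeps the job alive.
          exit-code: '1'

      # Step 4: upload the Semgrep SARIF. A scanner that found something exits
      # non-zero, so the upload must not be gated on the step *succeeding*; it
      # runs whenever the file exists and the run was not cancelled.
      - name: Upload Semgrep SARIF
        if: ${{ !cancelled() && hashFiles('semgrep.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif

      # Step 5: upload the Trivy SARIF, same rule as above.
      - name: Upload Trivy SARIF
        if: ${{ !cancelled() && hashFiles('trivy-results.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

      # Step 6: convert the Semgrep SARIF to a Markdown summary. Skipped when
      # Semgrep produced no SARIF instead of failing on the missing input.
      - name: Convert SARIF to Markdown
        if: ${{ !cancelled() && hashFiles('semgrep.sarif') != '' }}
        # NOTE(review): action name and version were lost when this page was
        # rendered; restore them from the original workflow and pin to a SHA.
        uses: Antvirf/<SARIF_TO_MARKDOWN_ACTION>@<PINNED_VERSION_OR_SHA>
        with:
          sarif-file: semgrep.sarif
          output-file: security-summary.md

      # Step 7: archive every report. The Markdown summary is included so the
      # publish job can commit it without re-running the scanners.
      - name: Upload SARIF Reports as Artifact
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: sarif-reports
          path: |
            semgrep.sarif
            trivy-results.sarif
            security-summary.md
          # A missing file is expected when a scanner did not run to completion.
          if-no-files-found: warn
          retention-days: 7

  # Commits the Markdown summary back to the repository. Kept as a separate job
  # so `contents: write` is granted only here, where no third-party scanner
  # code runs, and only for pushes to main: a pull_request checkout is a
  # detached merge commit and a fork PR's token is read-only, so the push
  # could never succeed there.
  publish_report:
    name: Publish Security Summary
    runs-on: ubuntu-latest
    needs: security_scan
    if: github.event_name == 'push'
    timeout-minutes: 5
    permissions:
      contents: write  # To commit the markdown report.
    steps:
      - name: Checkout repository
        # TODO(review): pin to a full commit SHA.
        uses: actions/checkout@v4

      - name: Download scan reports
        uses: actions/download-artifact@v4
        with:
          name: sarif-reports
          path: reports

      # NOTE(review): the summary lists the scanner's findings with their
      # locations; on a public repository committing it publishes them before
      # they are fixed - confirm that is intended.
      - name: Commit Markdown Report
        if: ${{ hashFiles('reports/security-summary.md') != '' }}
        run: |
          cp reports/security-summary.md security-summary.md
          git config user.name 'github-actions[bot]'
          git config user.email 'github-actions[bot]@users.noreply.github.com'
          git add security-summary.md
          # Commits and pushes only if there are changes.
          if git commit -m "docs: add security scan summary"; then
            git push
          else
            echo "No changes to commit"
          fi

  # Final status check: fails when the scan job broke *or* a scanner reported
  # findings. The scanners use continue-on-error, so the job result alone is
  # "success" even with findings; the scanner_failed output covers that case.
  check_status:
    name: Check Scan Status
    runs-on: ubuntu-latest
    needs: security_scan
    # Runs after security_scan regardless of its outcome, unless the run
    # itself was cancelled.
    if: ${{ !cancelled() }}
    steps:
      - name: Report final status
        # Passed through env rather than interpolated into the script so the
        # shell never sees expression text directly.
        env:
          SCAN_RESULT: ${{ needs.security_scan.result }}
          SCANNER_FAILED: ${{ needs.security_scan.outputs.scanner_failed }}
        run: |
          if [ "$SCAN_RESULT" = "success" ] && [ "$SCANNER_FAILED" != "true" ]; then
            echo "✅ Security scan completed successfully."
            exit 0
          else
            echo "❌ Security scan failed or found critical issues. Please check the logs and artifacts."
            exit 1
          fi

  # Stability testing using chaos engineering against a live cluster.
  stability-test:
    name: Stability Test (Chaos)
    runs-on: ubuntu-latest
    # Manual dispatch only: this deletes pods in the cluster reached through
    # the KUBE_CONFIG_DATA secret. NOTE(review): consider binding this job to a
    # protected `environment:` with required reviewers so a dispatch alone
    # cannot start the experiment.
    if: github.event_name == 'workflow_dispatch'
    timeout-minutes: 20
    steps:
      - name: Run LitmusChaos Pod Delete Experiment
        # NOTE(review): action name and version were lost when this page was
        # rendered; restore them from the original workflow and pin to a SHA.
        uses: litmuschaos/<CHAOS_ACTION>@<PINNED_VERSION_OR_SHA>
        env:
          KUBE_CONFIG_DATA: ${{ secrets.KUBE_CONFIG_DATA }}
          APP_NS: ${{ secrets.APP_NS }}
          APP_LABEL: ${{ secrets.APP_LABEL }}
          EXPERIMENT_NAME: pod-delete
          TOTAL_CHAOS_DURATION: "30"  # in seconds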