actions/security-scan

ivuorinen/actions/security-scan

Security Scan

Description

Comprehensive security scanning for GitHub Actions including actionlint, Gitleaks (optional), and Trivy vulnerability scanning. Requires 'security-events: write' and 'contents: read' permissions in the workflow.

Inputs

name	description	required	default
gitleaks-license	Gitleaks license key (required for Gitleaks scanning)	false	""
gitleaks-config	Path to Gitleaks config file	false	.gitleaks.toml
trivy-severity	Severity levels to scan for (comma-separated)	false	CRITICAL,HIGH
trivy-scanners	Types of scanners to run (comma-separated)	false	vuln,config,secret
trivy-timeout	Timeout for Trivy scan	false	10m
actionlint-enabled	Enable actionlint scanning	false	true
token	GitHub token for authentication	false	""

Outputs

name	description
has_trivy_results	Whether Trivy scan produced valid results
has_gitleaks_results	Whether Gitleaks scan produced valid results
total_issues	Total number of security issues found
critical_issues	Number of critical security issues found

Runs

This action is a composite action.

Usage

- uses: ivuorinen/actions/security-scan@main
  with:
    gitleaks-license:
    # Gitleaks license key (required for Gitleaks scanning)
    #
    # Required: false
    # Default: ""

    gitleaks-config:
    # Path to Gitleaks config file
    #
    # Required: false
    # Default: .gitleaks.toml

    trivy-severity:
    # Severity levels to scan for (comma-separated)
    #
    # Required: false
    # Default: CRITICAL,HIGH

    trivy-scanners:
    # Types of scanners to run (comma-separated)
    #
    # Required: false
    # Default: vuln,config,secret

    trivy-timeout:
    # Timeout for Trivy scan
    #
    # Required: false
    # Default: 10m

    actionlint-enabled:
    # Enable actionlint scanning
    #
    # Required: false
    # Default: true

    token:
    # GitHub token for authentication
    #
    # Required: false
    # Default: ""