ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-01-26 11:34:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
5e7b2fbc11af0bceb759fa41520788da5e4b6ef5
actions/security-scan/README.md
Ismo Vuorinen 9aa16a8164 feat: use our own actions in our workflows (#377) 
* feat: use our own actions in our workflows

* fix: add missing inputs to validate-inputs, refactor node

* chore: cr comment fixes

* fix: update-validators formatting

* chore: update validators, add tests, conventions

* feat: validate severity with severity_enum

* feat: add 10 generic validators to improve input validation coverage

Add comprehensive validation system improvements across multiple phases:

Phase 2A - Quick Wins:
- Add multi_value_enum validator for 2-10 value enumerations
- Add exit_code_list validator for Unix/Linux exit codes (0-255)
- Refactor coverage_driver to use multi_value_enum

Phase 2B - High-Value Validators:
- Add key_value_list validator with shell injection prevention
- Add path_list validator with path traversal and glob support

Quick Wins - Additional Enums:
- Add network_mode validator for Docker network modes
- Add language_enum validator for language detection
- Add framework_mode validator for PHP framework modes
- Update boolean pattern to include 'push'

Phase 2C - Specialized Validators:
- Add json_format validator for JSON syntax validation
- Add cache_config validator for Docker BuildKit cache configs

Improvements:
- All validators include comprehensive security checks
- Pattern-based validation with clear error messages
- 23 new test methods with edge case coverage
- Update special case mappings for 20+ inputs
- Fix build-args mapping test expectation

Coverage impact: 22 actions now at 100% validation (88% → 92%)
Test suite: 762 → 785 tests (+23 tests, all passing)

* chore: regenerate rules.yml with improved validator coverage

Regenerate validation rules for all actions with new validators:

- compress-images: 86% → 100% (+1 input: ignore-paths)
- docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args)
- docker-publish: 73% → 100% (+1 input: build-args)
- language-version-detect: 67% → 100% (+1 input: language)
- php-tests: 89% (fixed framework→framework_mode mapping)
- prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins)
- security-scan: 86% (maintained coverage)

Overall: 23 of 25 actions now at 100% validation coverage (92%)

* fix: address PR #377 review comments

- Add | None type annotations to 6 optional parameters (PEP 604)
- Standardize injection pattern: remove @# from comma_separated_list validator
  (@ and # are not shell injection vectors, allows npm scoped packages)
- Remove dead code: unused value expression in key_value_list validator
- Update tests to reflect injection pattern changes
2025-11-25 23:51:03 +02:00

2.8 KiB
Raw Blame History

ivuorinen/actions/security-scan

Security Scan

Description

Comprehensive security scanning for GitHub Actions including actionlint, Gitleaks (optional), and Trivy vulnerability scanning. Requires 'security-events: write' and 'contents: read' permissions in the workflow.

Inputs

name description required default
gitleaks-license

Gitleaks license key (required for Gitleaks scanning)

 false ""
gitleaks-config

Path to Gitleaks config file

 false .gitleaks.toml
trivy-severity

Severity levels to scan for (comma-separated)

 false CRITICAL,HIGH
trivy-scanners

Types of scanners to run (comma-separated)

 false vuln,config,secret
trivy-timeout

Timeout for Trivy scan

 false 10m
actionlint-enabled

Enable actionlint scanning

 false true
token

GitHub token for authentication

 false ""

Outputs

name description
has_trivy_results

Whether Trivy scan produced valid results
has_gitleaks_results

Whether Gitleaks scan produced valid results
total_issues

Total number of security issues found
critical_issues

Number of critical security issues found

Runs

This action is a composite action.

Usage

- uses: ivuorinen/actions/security-scan@main
  with:
    gitleaks-license:
    # Gitleaks license key (required for Gitleaks scanning)
    #
    # Required: false
    # Default: ""

    gitleaks-config:
    # Path to Gitleaks config file
    #
    # Required: false
    # Default: .gitleaks.toml

    trivy-severity:
    # Severity levels to scan for (comma-separated)
    #
    # Required: false
    # Default: CRITICAL,HIGH

    trivy-scanners:
    # Types of scanners to run (comma-separated)
    #
    # Required: false
    # Default: vuln,config,secret

    trivy-timeout:
    # Timeout for Trivy scan
    #
    # Required: false
    # Default: 10m

    actionlint-enabled:
    # Enable actionlint scanning
    #
    # Required: false
    # Default: true

    token:
    # GitHub token for authentication
    #
    # Required: false
    # Default: ""