ivuorinen/actions
1
0
Fork 0
mirror of https://github.com/ivuorinen/actions.git synced 2026-01-26 11:34:00 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e02ca4d84365e63506a93ab2c15275790372a4e9
actions/security-scan/action.yml
Ismo Vuorinen 9aa16a8164 feat: use our own actions in our workflows (#377) 
* feat: use our own actions in our workflows

* fix: add missing inputs to validate-inputs, refactor node

* chore: cr comment fixes

* fix: update-validators formatting

* chore: update validators, add tests, conventions

* feat: validate severity with severity_enum

* feat: add 10 generic validators to improve input validation coverage

Add comprehensive validation system improvements across multiple phases:

Phase 2A - Quick Wins:
- Add multi_value_enum validator for 2-10 value enumerations
- Add exit_code_list validator for Unix/Linux exit codes (0-255)
- Refactor coverage_driver to use multi_value_enum

Phase 2B - High-Value Validators:
- Add key_value_list validator with shell injection prevention
- Add path_list validator with path traversal and glob support

Quick Wins - Additional Enums:
- Add network_mode validator for Docker network modes
- Add language_enum validator for language detection
- Add framework_mode validator for PHP framework modes
- Update boolean pattern to include 'push'

Phase 2C - Specialized Validators:
- Add json_format validator for JSON syntax validation
- Add cache_config validator for Docker BuildKit cache configs

Improvements:
- All validators include comprehensive security checks
- Pattern-based validation with clear error messages
- 23 new test methods with edge case coverage
- Update special case mappings for 20+ inputs
- Fix build-args mapping test expectation

Coverage impact: 22 actions now at 100% validation (88% → 92%)
Test suite: 762 → 785 tests (+23 tests, all passing)

* chore: regenerate rules.yml with improved validator coverage

Regenerate validation rules for all actions with new validators:

- compress-images: 86% → 100% (+1 input: ignore-paths)
- docker-build: 63% → 100% (+4 inputs: cache configs, platform-build-args)
- docker-publish: 73% → 100% (+1 input: build-args)
- language-version-detect: 67% → 100% (+1 input: language)
- php-tests: 89% (fixed framework→framework_mode mapping)
- prettier-lint: 86% → 100% (+2 inputs: file-pattern, plugins)
- security-scan: 86% (maintained coverage)

Overall: 23 of 25 actions now at 100% validation coverage (92%)

* fix: address PR #377 review comments

- Add | None type annotations to 6 optional parameters (PEP 604)
- Standardize injection pattern: remove @# from comma_separated_list validator
  (@ and # are not shell injection vectors, allows npm scoped packages)
- Remove dead code: unused value expression in key_value_list validator
- Update tests to reflect injection pattern changes
2025-11-25 23:51:03 +02:00

283 lines
9.7 KiB
YAML
Raw Blame History

# yaml-language-server: $schema=https://json.schemastore.org/github-action.json
#
# REQUIRED PERMISSIONS (set these in your workflow file):
# permissions:
# security-events: write # Required for SARIF uploads
# contents: read # Required for repository access
#
---
name: Security Scan
description: |
Comprehensive security scanning for GitHub Actions including actionlint,
Gitleaks (optional), and Trivy vulnerability scanning. Requires
'security-events: write' and 'contents: read' permissions in the workflow.
author: Ismo Vuorinen
branding:
icon: shield
color: red
inputs:
gitleaks-license:
description: 'Gitleaks license key (required for Gitleaks scanning)'
required: false
default: ''
gitleaks-config:
description: 'Path to Gitleaks config file'
required: false
default: '.gitleaks.toml'
trivy-severity:
description: 'Severity levels to scan for (comma-separated)'
required: false
default: 'CRITICAL,HIGH'
trivy-scanners:
description: 'Types of scanners to run (comma-separated)'
required: false
default: 'vuln,config,secret'
trivy-timeout:
description: 'Timeout for Trivy scan'
required: false
default: '10m'
actionlint-enabled:
description: 'Enable actionlint scanning'
required: false
default: 'true'
token:
description: 'GitHub token for authentication'
required: false
default: ''
outputs:
has_trivy_results:
description: 'Whether Trivy scan produced valid results'
value: ${{ steps.verify-sarif.outputs.has_trivy }}
has_gitleaks_results:
description: 'Whether Gitleaks scan produced valid results'
value: ${{ steps.verify-sarif.outputs.has_gitleaks }}
total_issues:
description: 'Total number of security issues found'
value: ${{ steps.analyze.outputs.total_issues }}
critical_issues:
description: 'Number of critical security issues found'
value: ${{ steps.analyze.outputs.critical_issues }}
runs:
using: composite
steps:
- name: Validate Inputs
id: validate
uses: ivuorinen/actions/validate-inputs@5cc7373a22402ee8985376bc713f00e09b5b2edb
with:
action-type: security-scan
gitleaks-license: ${{ inputs.gitleaks-license }}
gitleaks-config: ${{ inputs.gitleaks-config }}
trivy-severity: ${{ inputs.trivy-severity }}
trivy-scanners: ${{ inputs.trivy-scanners }}
trivy-timeout: ${{ inputs.trivy-timeout }}
actionlint-enabled: ${{ inputs.actionlint-enabled }}
token: ${{ inputs.token }}
- name: Check Required Configurations
id: check-configs
shell: sh
run: |
set -eu
# Initialize all flags as false
{
printf '%s\n' "run_gitleaks=false"
printf '%s\n' "run_trivy=true"
printf '%s\n' "run_actionlint=${{ inputs.actionlint-enabled }}"
} >> "$GITHUB_OUTPUT"
# Check Gitleaks configuration and license
if [ -f "${{ inputs.gitleaks-config }}" ] && [ -n "${{ inputs.gitleaks-license }}" ]; then
printf 'Gitleaks config and license found\n'
printf '%s\n' "run_gitleaks=true" >> "$GITHUB_OUTPUT"
else
printf '::warning::Gitleaks config or license missing - skipping Gitleaks scan\n'
fi
- name: Run actionlint
if: steps.check-configs.outputs.run_actionlint == 'true'
uses: raven-actions/actionlint@3a24062651993d40fed1019b58ac6fbdfbf276cc # v2.0.1
with:
cache: true
fail-on-error: true
shellcheck: false
- name: Run Gitleaks
if: steps.check-configs.outputs.run_gitleaks == 'true'
uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
env:
GITHUB_TOKEN: ${{ inputs.token || github.token }}
GITLEAKS_LICENSE: ${{ inputs.gitleaks-license }}
with:
config-path: ${{ inputs.gitleaks-config }}
report-format: sarif
report-path: gitleaks-report.sarif
- name: Run Trivy vulnerability scanner
if: steps.check-configs.outputs.run_trivy == 'true'
uses: aquasecurity/trivy-action@a11da62073708815958ea6d84f5650c78a3ef85b # master
with:
scan-type: 'fs'
scanners: ${{ inputs.trivy-scanners }}
format: 'sarif'
output: 'trivy-results.sarif'
severity: ${{ inputs.trivy-severity }}
timeout: ${{ inputs.trivy-timeout }}
- name: Verify SARIF files
id: verify-sarif
shell: sh
run: |
set -eu
# Initialize outputs
{
printf '%s\n' "has_trivy=false"
printf '%s\n' "has_gitleaks=false"
} >> "$GITHUB_OUTPUT"
# Check Trivy results
if [ -f "trivy-results.sarif" ]; then
if jq -e . <"trivy-results.sarif" >/dev/null 2>&1; then
printf '%s\n' "has_trivy=true" >> "$GITHUB_OUTPUT"
else
printf '::warning::Trivy SARIF file exists but is not valid JSON\n'
fi
fi
# Check Gitleaks results if it ran
if [ "${{ steps.check-configs.outputs.run_gitleaks }}" = "true" ]; then
if [ -f "gitleaks-report.sarif" ]; then
if jq -e . <"gitleaks-report.sarif" >/dev/null 2>&1; then
printf '%s\n' "has_gitleaks=true" >> "$GITHUB_OUTPUT"
else
printf '::warning::Gitleaks SARIF file exists but is not valid JSON\n'
fi
fi
fi
- name: Upload Trivy results
if: steps.verify-sarif.outputs.has_trivy == 'true'
uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
with:
sarif_file: 'trivy-results.sarif'
category: 'trivy'
- name: Upload Gitleaks results
if: steps.verify-sarif.outputs.has_gitleaks == 'true'
uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
with:
sarif_file: 'gitleaks-report.sarif'
category: 'gitleaks'
- name: Archive security reports
if: always()
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
with:
name: security-reports-${{ github.run_id }}
path: |
${{ steps.verify-sarif.outputs.has_trivy == 'true' && 'trivy-results.sarif' || '' }}
${{ steps.verify-sarif.outputs.has_gitleaks == 'true' && 'gitleaks-report.sarif' || '' }}
retention-days: 30
- name: Analyze Results
id: analyze
if: always()
shell: node {0}
run: |
const fs = require('fs');
try {
let totalIssues = 0;
let criticalIssues = 0;
const analyzeSarif = (file, tool) => {
if (!fs.existsSync(file)) {
console.log(`No results file found for ${tool}`);
return null;
}
try {
const sarif = JSON.parse(fs.readFileSync(file, 'utf8'));
return sarif.runs.reduce((acc, run) => {
if (!run.results) return acc;
const critical = run.results.filter(r =>
r.level === 'error' ||
r.level === 'critical' ||
(r.ruleId || '').toLowerCase().includes('critical')
).length;
return {
total: acc.total + run.results.length,
critical: acc.critical + critical
};
}, { total: 0, critical: 0 });
} catch (error) {
console.log(`Error analyzing ${tool} results: ${error.message}`);
return null;
}
};
// Only analyze results from tools that ran successfully
const results = {
trivy: '${{ steps.verify-sarif.outputs.has_trivy }}' === 'true' ?
analyzeSarif('trivy-results.sarif', 'trivy') : null,
gitleaks: '${{ steps.verify-sarif.outputs.has_gitleaks }}' === 'true' ?
analyzeSarif('gitleaks-report.sarif', 'gitleaks') : null
};
// Aggregate results
Object.entries(results).forEach(([tool, result]) => {
if (result) {
totalIssues += result.total;
criticalIssues += result.critical;
console.log(`${tool}: ${result.total} total, ${result.critical} critical issues`);
}
});
// Create summary
const summary = `## Security Scan Summary
- Total Issues Found: ${totalIssues}
- Critical Issues: ${criticalIssues}
### Tool Breakdown
${Object.entries(results)
.filter(([_, r]) => r)
.map(([tool, r]) =>
`- ${tool}: ${r.total} total, ${r.critical} critical`
).join('\n')}
### Tools Run Status
- Actionlint: ${{ steps.check-configs.outputs.run_actionlint }}
- Trivy: ${{ steps.verify-sarif.outputs.has_trivy }}
- Gitleaks: ${{ steps.check-configs.outputs.run_gitleaks }}
`;
// Set outputs using GITHUB_OUTPUT
const outputFile = process.env.GITHUB_OUTPUT;
if (outputFile) {
fs.appendFileSync(outputFile, `total_issues=${totalIssues}\n`);
fs.appendFileSync(outputFile, `critical_issues=${criticalIssues}\n`);
}
// Add job summary using GITHUB_STEP_SUMMARY
const summaryFile = process.env.GITHUB_STEP_SUMMARY;
if (summaryFile) {
fs.appendFileSync(summaryFile, summary + '\n');
}
// Fail if critical issues found
if (criticalIssues > 0) {
console.error(`Found ${criticalIssues} critical security issues`);
process.exit(1);
}
} catch (error) {
console.error(`Analysis failed: ${error.message}`);
process.exit(1);
}
Reference in New Issue View Git Blame Copy Permalink