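---
# Security scanning workflow: Trivy SBOM (uploaded to Dependency-Track),
# Semgrep, zizmor and OpenSSF Scorecard, each with results pushed to
# DefectDojo. Runs on pushes to main and is also callable as a reusable
# workflow (`workflow_call`), in which case the caller must pass both secrets.
name: Security

# yamllint disable-line rule:truthy
on:
  workflow_call:
    inputs: {}
    secrets:
      DEPENDENCY_TRACK_AUTOMATION_API_KEY:
        required: true
      DEFECTDOJO_API_TOKEN:
        required: true
      # GH_TOKEN:
      #   required: true
  push:
    branches:
      - main

# Least privilege: the default token is read-only for every job. The
# Scorecard and zizmor actions receive it through their `gh_token` input.
permissions:
  contents: read

# NOTE(review): the KittyCAD/gha-workflows actions below are referenced by the
# mutable `@security` branch; pinning each `uses:` to a full commit SHA
# (`@<COMMIT_SHA>  # security`) would make the supply chain tamper-evident.
jobs:
  sbom-trivy:
    runs-on: ubuntu-latest
    container:
      image: aquasec/trivy:0.67.2  # pinned scanner version
    steps:
      - run: trivy --version
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false
      - run: trivy fs --format cyclonedx --output /tmp/trivy-cyclonedx.json .
      - run: apk --no-cache add curl
      # Upload the CycloneDX SBOM to Dependency-Track. `--fail` turns an HTTP
      # error into a failed step instead of a silent success, and the API key
      # reaches the script through `env` rather than being templated into it.
      - run: |
          curl --fail -X "POST" "https://dependency-track-sbom.corp.zoo.dev/api/v1/bom" \
            -H 'Content-Type: multipart/form-data' \
            -H "X-Api-Key: $DT_API_KEY" \
            -F "autoCreate=true" \
            -F "projectName=$PROJECT_NAME" \
            -F "projectVersion=$PROJECT_VERSION" \
            -F "isLatest=true" \
            -F "bom=@/tmp/trivy-cyclonedx.json"
        env:
          DT_API_KEY: ${{ secrets.DEPENDENCY_TRACK_AUTOMATION_API_KEY }}
          PROJECT_NAME: ${{ github.repository }}
          PROJECT_VERSION: ${{ github.ref_name }}

  semgrep:
    runs-on: ubuntu-latest
    container:
      # NOTE(review): floating tag — pin to a release tag like the trivy image
      # so scan results are reproducible.
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: KittyCAD/gha-workflows/.github/actions/semgrep-action@security
        id: semgrep
        with:
          show_results_in_pr: false
          results_format: json
      - uses: KittyCAD/gha-workflows/.github/actions/upload-defectdojo@security
        with:
          dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
          report_path: ${{ steps.semgrep.outputs.results_file_path }}
          scan_type: Semgrep JSON Report
          engagement: Semgrep

  zizmor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: KittyCAD/gha-workflows/.github/actions/zizmor-action@security
        id: zizmor
        with:
          results_format: sarif
          gh_token: ${{ secrets.GITHUB_TOKEN }}
      - uses: KittyCAD/gha-workflows/.github/actions/upload-defectdojo@security
        with:
          dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
          report_path: ${{ steps.zizmor.outputs.results_file_path }}
          scan_type: SARIF
          engagement: Zizmor

  scorecard:
    # if: ${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
    runs-on: ubuntu-latest
    steps:
      # Default checkout (shallow, credentials persisted). No `with:` block:
      # a `with:` whose keys are all commented out parses as null.
      # NOTE(review): presumably the `git pull` step below depends on the
      # persisted token; confirm before adding `persist-credentials: false`.
      - uses: actions/checkout@v4
        # fetch-depth: 0
        # persist-credentials: false
      - uses: KittyCAD/gha-workflows/.github/actions/scorecard-action@security
        id: scorecard
        with:
          gh_token: ${{ secrets.GITHUB_TOKEN }}
      - run: git checkout main && git pull origin main
      - uses: KittyCAD/gha-workflows/.github/actions/upload-defectdojo@security
        with:
          dd_token: ${{ secrets.DEFECTDOJO_API_TOKEN }}
          report_path: ${{ steps.scorecard.outputs.results_file_path }}
          scan_type: SARIF
          engagement: Scorecard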