Add security workflow

Lenard Gutierrez · Lenard Gutierrez · commit db768d1dfac7 · 2025-05-06T20:36:24.000-04:00
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -0,0 +1,62 @@
+name: Security Compliance
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  check-quality:
+    runs-on: ubuntu-latest
+    name: Datadog Static Analyzer
+    env:
+      DD_API_KEY: ${{ secrets.DD_API_KEY }}
+      DD_APP_KEY: ${{ secrets.DD_APP_KEY }}
+      DD_SERVICE: go-corellium-api-client
+      DD_ENV: ci
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Check code meets quality standards
+        id: datadog-static-analysis
+        run: |
+          sudo apt update
+          sudo apt install nodejs
+          # Download Datadog static analyzer v0.6.4:
+          # https://github.com/DataDog/datadog-static-analyzer/releases
+          DATADOG_STATIC_ANALYZER_URL=https://github.com/DataDog/datadog-static-analyzer/releases/download/0.6.4/datadog-static-analyzer-x86_64-unknown-linux-gnu.zip
+          curl -L $DATADOG_STATIC_ANALYZER_URL > /tmp/ddog-static-analyzer.zip
+          unzip /tmp/ddog-static-analyzer.zip -d /tmp
+          sudo mv /tmp/datadog-static-analyzer /usr/local/datadog-static-analyzer
+          # Run Static Analysis
+          /usr/local/datadog-static-analyzer -i . -o report.sarif -f sarif
+          # Upload results
+          npx @datadog/datadog-ci sarif upload report.sarif
+  software-composition-analysis:
+    runs-on: ubuntu-latest
+    name: Datadog SBOM Generation and Upload
+    env:
+      DD_API_KEY: ${{ secrets.DD_API_KEY }}
+      DD_APP_KEY: ${{ secrets.DD_APP_KEY }}
+      DD_SERVICE: go-corellium-api-client
+      DD_ENV: ci
+    steps:
+    - name: Checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - name: Check imported libraries are secure and compliant
+      id: datadog-software-composition-analysis
+      run: |
+        sudo apt update
+        sudo apt install nodejs
+        # Download the Datadog OSV Scanner v0.14.0:
+        # https://github.com/DataDog/osv-scanner/releases
+        DATADOG_OSV_SCANNER_URL=https://github.com/DataDog/osv-scanner/releases/download/v0.14.0/osv-scanner_linux_amd64.zip
+        # Install OSV Scanner
+        sudo mkdir /osv-scanner
+        sudo curl -L -o /osv-scanner/osv-scanner.zip $DATADOG_OSV_SCANNER_URL
+        sudo unzip /osv-scanner/osv-scanner.zip -d /osv-scanner
+        sudo chmod 755 /osv-scanner/osv-scanner
+        # Run OSV Scanner and scan your dependencies
+        /osv-scanner/osv-scanner --skip-git -r --experimental-only-packages --format=cyclonedx-1-5 --paths-relative-to-scan-dir  --output=sbom.json .
+        # Upload results to Datadog
+        npx @datadog/datadog-ci sbom upload sbom.json
