diff --git a/.github/workflows/gitleaks.yml b/.github/workflows/gitleaks.yml
new file mode 100644
index 0000000..32eb3fc
--- /dev/null
+++ b/.github/workflows/gitleaks.yml
@@ -0,0 +1,39 @@
+name: Gitleaks Scan
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  gitleaks:
+    name: Gitleaks OSS Scan
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Download Gitleaks 8.27.0
+        run: |
+          curl -sSL -o gitleaks.tar.gz https://github.com/gitleaks/gitleaks/releases/download/v8.27.0/gitleaks_8.27.0_linux_x64.tar.gz
+          echo "ba75459d765ebc9e940c0123a2d41a29e87be674b5ecaaacd5f82f26009255d5 gitleaks.tar.gz" | sha256sum -c -
+
+      - name: Extract and install Gitleaks
+        run: |
+          tar -xzf gitleaks.tar.gz
+          sudo mv gitleaks /usr/local/bin/
+          gitleaks version
+
+      - name: Run Gitleaks
+        run: |
+          gitleaks detect --source . \
+            --report-path=gitleaks-report.sarif \
+            --redact \
+            --exit-code 1
+
+      - name: Upload SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: gitleaks-report.sarif
\ No newline at end of file
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..07a846b
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,33 @@
+name: Trivy Scan
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  trivy-scan:
+    name: Trivy - Docker Image & Code Scan
+    runs-on: ubuntu-24.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker (optional, ensures clean setup)
+        run: docker system prune -af
+
+      - name: Build Docker image locally
+        run: docker build -t gistsapp/api:${{ github.sha }} .
+
+      - name: Run Trivy image scan
+        id: trivy_image
+        continue-on-error: true
+        uses: aquasecurity/trivy-action@0.31.0
+        with:
+          image-ref: 'gistsapp/api:${{ github.sha }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
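Review bot: The `Run Gitleaks` step passes `--report-path=gitleaks-report.sarif` without a `--report-format`, and gitleaks' default report format is JSON, so the file handed to `upload-sarif` in the final step is not SARIF and the upload is likely to be rejected; add `--report-format sarif \` to the `gitleaks detect` invocation. The workflow also declares no `permissions:` block, while `github/codeql-action/upload-sarif` needs `security-events: write`, so a top-level `permissions:` with `contents: read` and `security-events: write` is required wherever the repository's default token is read-only (and on pull requests from forks the token stays read-only regardless, so the upload step should be expected to fail there). `actions/checkout@v4` fetches only the merge commit by default, which means earlier commits in the PR that added and then removed a secret are not examined; `fetch-depth: 0`, or a depth covering the PR's commits, is the usual setting for a history scan. The downloaded binary is checksum-pinned, but both actions are referenced by mutable major tags; pinning them to full commit SHAs would make the supply-chain posture consistent.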
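Review bot: `continue-on-error: true` on the `Run Trivy image scan` step neutralises the `exit-code: '1'` below it, so a CRITICAL or HIGH finding marks the step failed but leaves the job — and therefore the PR check — green, and no later step reads `steps.trivy_image.outcome` to restore the gate; either drop `continue-on-error: true` or add a final step guarded by `if: steps.trivy_image.outcome == 'failure'` that exits non-zero. With `format: 'table'` the findings exist only in the job log, unlike the sibling gitleaks workflow in this commit which uploads a SARIF report; `format: 'sarif'` plus an `output:` file and an `upload-sarif` step would surface results in the Security tab. The job title says "Docker Image & Code Scan" but only the image is scanned; either add a filesystem scan step (`scan-type: 'fs'`) or rename the job. `docker system prune -af` on an ephemeral hosted runner only removes pre-cached images and slows the build; it can be dropped. `aquasecurity/trivy-action@0.31.0` and `actions/checkout@v4` are tag references; pinning to commit SHAs is the stronger supply-chain choice.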