Update security.yml #17
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| on: | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| jobs: | |
| # 1) Build Job | |
| build: | |
| name: Build | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Build an image from Dockerfile | |
| run: | | |
| docker build -t juice-shop:${{ github.sha }} . | |
| # 2) SAST (Semgrep) Job | |
| # Bu job'ın çalışması için önce "build" job'ının tamamlanması gerekiyor. | |
| Sast-scan: | |
| name: SAST (Semgrep) | |
| needs: build | |
| runs-on: ubuntu-20.04 | |
| container: returntocorp/semgrep | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Semgrep Scan | |
| run: semgrep ci --config=auto --sarif --output=semgrep.sarif || true | |
| - name: Upload SARIF File | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'semgrep.sarif' | |
| # 3) ZAP Scan Job | |
| # Bu job'ın çalışması için önce "Sast-scan" job'ının tamamlanması gerekiyor. | |
| zap_scan: | |
| name: ZAP Full Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: ZAP Scan | |
| uses: zaproxy/[email protected] | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| docker_name: 'ghcr.io/zaproxy/zaproxy:stable' | |
| target: 'https://demo.owasp-juice.shop/#/' | |
| rules_file_name: '.zap/rules.tsv' | |
| cmd_options: '-a' | |
| sarif: 'true' # SARIF üretimini açıyoruz | |
| sarif_file_name: 'zap.sarif' # Üretilecek SARIF dosyasının adı | |
| - name: Upload Zap scan SARIF report | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'zap.sarif' | |
| # 4) Gitleaks-scan Job | |
| # Bu job'ın çalışması için önce "zap_scan" job'ının tamamlanması gerekiyor. | |
| Gitleaks-scan: | |
| name: Gitleaks | |
| needs: zap_scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: SecretScan | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITLEAKS_ENABLE_UPLOAD_ARTIFACT: true | |
| GITLEAKS_ENABLE_SUMMARY: true | |
| continue-on-error: true | |
| - name: Upload | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'results.sarif' | |
| # 5) Syft SBOM Scan | |
| # Bu job'ın çalışması için önce "Gitleaks-scan" job'ının tamamlanması gerekiyor. | |
| syft-scan: | |
| name: Syft SBOM Scan | |
| needs: Gitleaks-scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Generate SBOM | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| image: "juice-shop:${{ github.sha }}" | |
| output-file: "sbom.spdx.json" | |
| format: "spdx-json" | |
| - name: Upload SBOM Artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: sbom-artifact | |
| path: sbom.spdx.json |