Update README.md #24
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: security-pipeline | |
| on: | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| jobs: | |
| # 1) Build Job | |
| build: | |
| name: Build | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Build an image from Dockerfile | |
| run: | | |
| docker build -t juice-shop:${{ github.sha }} . | |
| # 2) SAST (Semgrep) Job | |
| Sast-scan: | |
| name: SAST (Semgrep) | |
| needs: build | |
| runs-on: ubuntu-20.04 | |
| container: returntocorp/semgrep | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Semgrep Scan | |
| run: semgrep ci --config=auto --sarif --output=semgrep.sarif || true | |
| - name: Upload SARIF File | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'semgrep.sarif' | |
| # 3) Gitleaks-scan Job | |
| Gitleaks-scan: | |
| name: Gitleaks | |
| needs: Sast-scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: SecretScan | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITLEAKS_ENABLE_UPLOAD_ARTIFACT: true | |
| GITLEAKS_ENABLE_SUMMARY: true | |
| continue-on-error: true | |
| - name: Upload | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'results.sarif' | |
| # 4) Syft SBOM Scan | |
| syft-scan: | |
| name: Syft SBOM Scan | |
| needs: Gitleaks-scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Generate SBOM | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| image: "juice-shop:${{ github.sha }}" | |
| output-file: "sbom.spdx.json" | |
| format: "spdx-json" | |
| - name: Upload SBOM Artifact | |
| uses: anchore/sbom-action/publish-sbom@v0 | |
| with: | |
| sbom-artifact-match: "sbom.spdx.json" | |
| # 5) Deploy Job (Dummy) | |
| deploy: | |
| name: Deploy | |
| needs: syft-scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Dummy Deploy Step | |
| run: echo "Deploying app... (This is a dummy step)" | |
| # 6) ZAP Scan Job | |
| zap_scan: | |
| name: ZAP Full Scan | |
| needs: deploy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: ZAP Scan | |
| uses: zaproxy/[email protected] | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| docker_name: 'ghcr.io/zaproxy/zaproxy:stable' | |
| target: 'https://demo.owasp-juice.shop/#/' | |
| rules_file_name: '.zap/rules.tsv' | |
| cmd_options: '-a' |