Update security.yml #30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: security-pipeline | |
| on: | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| jobs: | |
| build-and-syft: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Build Docker image | |
| run: | | |
| docker build -t juice-shop:${{ github.sha }} . | |
| - name: Syft SBOM Scan | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| image: "juice-shop:${{ github.sha }}" | |
| output-file: "sbom.spdx.json" | |
| format: "spdx-json" | |
| Sast-scan: | |
| name: SAST (Semgrep) | |
| needs: build-and-syft | |
| runs-on: ubuntu-20.04 | |
| container: returntocorp/semgrep | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Semgrep Scan | |
| run: semgrep ci --config=auto --sarif --output=semgrep.sarif || true | |
| - name: Upload SARIF File (Semgrep) | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'semgrep.sarif' | |
| - name: Upload Semgrep Artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: semgrep-sarif | |
| path: semgrep.sarif | |
| Gitleaks-scan: | |
| name: Gitleaks | |
| needs: Sast-scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: SecretScan (Gitleaks) | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITLEAKS_ENABLE_UPLOAD_ARTIFACT: true | |
| GITLEAKS_ENABLE_SUMMARY: true | |
| continue-on-error: true | |
| - name: Upload SARIF File (Gitleaks) | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'results.sarif' | |
| - name: Rename SARIF File to gitleaks.sarif | |
| run: | | |
| if [ -f results.sarif ]; then | |
| mv results.sarif gitleaks.sarif | |
| else | |
| echo "results.sarif bulunamadı." | |
| fi | |
| - name: Upload Gitleaks Artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: gitleaks-sarif | |
| path: gitleaks.sarif | |
| deploy: | |
| name: Deploy | |
| needs: Gitleaks-scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Dummy Deploy Step | |
| run: echo "Deploying app... (This is a dummy step)" | |
| zap_scan: | |
| name: ZAP Full Scan | |
| needs: deploy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: ZAP Scan | |
| uses: zaproxy/[email protected] | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| docker_name: 'ghcr.io/zaproxy/zaproxy:stable' | |
| target: 'https://demo.owasp-juice.shop/#/' | |
| rules_file_name: '.zap/rules.tsv' | |
| cmd_options: '-a' | |
| import-defectdojo: | |
| name: Import Scans to DefectDojo | |
| needs: [Sast-scan, Gitleaks-scan] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Setup Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.x' | |
| - name: Download Semgrep Artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: semgrep-sarif | |
| path: . | |
| - name: Download Gitleaks Artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: gitleaks-sarif | |
| path: . | |
| - name: Import Semgrep SARIF to DefectDojo | |
| run: python import_scan.py semgrep.sarif | |
| - name: Import Gitleaks SARIF to DefectDojo | |
| run: python import_scan.py gitleaks.sarif |