Update security.yml #33
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: security-pipeline | |
| on: | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| jobs: | |
| build-and-syft: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Build Docker image | |
| run: | | |
| docker build -t juice-shop:${{ github.sha }} . | |
| - name: Syft SBOM Scan | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| image: "juice-shop:${{ github.sha }}" | |
| output-file: "sbom.spdx.json" | |
| format: "spdx-json" | |
| # 2) SAST (Semgrep) Job | |
| Sast-scan: | |
| name: SAST (Semgrep) | |
| needs: build-and-syft | |
| runs-on: ubuntu-20.04 | |
| container: returntocorp/semgrep | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Semgrep Scan | |
| run: semgrep ci --config=auto --sarif --output=semgrep.sarif || true | |
| - name: Upload SARIF File | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'semgrep.sarif' | |
| # 3) Gitleaks-scan Job | |
| Gitleaks-scan: | |
| name: Gitleaks | |
| needs: Sast-scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: SecretScan | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITLEAKS_ENABLE_UPLOAD_ARTIFACT: true | |
| GITLEAKS_ENABLE_SUMMARY: true | |
| continue-on-error: true | |
| - name: Upload | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'results.sarif' | |
| # 5) Deploy Job (Dummy) | |
| deploy: | |
| name: Deploy | |
| needs: Gitleaks-scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Dummy Deploy Step | |
| run: echo "Deploying app... (This is a dummy step)" | |
| # 6) ZAP Scan Job | |
| zap_scan: | |
| name: ZAP Full Scan | |
| needs: deploy | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: ZAP Scan | |
| uses: zaproxy/[email protected] | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| docker_name: 'ghcr.io/zaproxy/zaproxy:stable' | |
| target: 'https://demo.owasp-juice.shop/#/' | |
| rules_file_name: '.zap/rules.tsv' | |
| cmd_options: '-a' | |
| import-defectdojo: | |
| name: Import Scans to DefectDojo | |
| needs: zap_scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Setup Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.x' | |
| - name: Download Semgrep Artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: semgrep-sarif | |
| path: . | |
| - name: Download Gitleaks Artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: gitleaks-sarif | |
| path: . | |
| - name: Import Semgrep SARIF to DefectDojo | |
| env: | |
| DEFECTDOJO_API_TOKEN: ${{ secrets.DEFECTDOJO_API_TOKEN }} | |
| run: python import_scan.py semgrep.sarif | |
| - name: Import GitLeaks SARIF to DefectDojo | |
| env: | |
| DEFECTDOJO_API_TOKEN: ${{ secrets.DEFECTDOJO_API_TOKEN }} | |
| run: python import_scan.py gitleaks-sarif |