Update security.yml

emrecanvurallll · Feb 12, 2025 · 246ee84 · 246ee84
1 parent 7949033
commit 246ee84
Showing 1 changed file with 55 additions and 8 deletions.
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -24,7 +24,6 @@ jobs:
           output-file: "sbom.spdx.json"
           format: "spdx-json"
 
-  # 2) SAST (Semgrep) Job
   Sast-scan:
     name: SAST (Semgrep)
     needs: build-and-syft
@@ -37,13 +36,18 @@ jobs:
       - name: Semgrep Scan
         run: semgrep ci --config=auto --sarif --output=semgrep.sarif || true
 
-      - name: Upload SARIF File
+      - name: Upload SARIF File (Semgrep)
         uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: 'semgrep.sarif'
 
-  # 3) Gitleaks-scan Job
+      - name: Upload Semgrep Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: semgrep-sarif
+          path: semgrep.sarif
+
   Gitleaks-scan:
     name: Gitleaks
     needs: Sast-scan
@@ -52,23 +56,36 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
 
-      - name: SecretScan
+      - name: SecretScan (Gitleaks)
         uses: gitleaks/gitleaks-action@v2
         env:
           GITLEAKS_ENABLE_UPLOAD_ARTIFACT: true
           GITLEAKS_ENABLE_SUMMARY: true
         continue-on-error: true
 
-      - name: Upload
+      - name: Upload SARIF File (Gitleaks)
         uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
           sarif_file: 'results.sarif'
 
-  # 5) Deploy Job (Dummy)
+      - name: Rename SARIF File to gitleaks.sarif
+        run: |
+          if [ -f results.sarif ]; then
+            mv results.sarif gitleaks.sarif
+          else
+            echo "results.sarif bulunamadı."
+          fi
+
+      - name: Upload Gitleaks Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: gitleaks-sarif
+          path: gitleaks.sarif
+
   deploy:
     name: Deploy
-    needs:  Gitleaks-scan
+    needs: Gitleaks-scan
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
@@ -77,7 +94,6 @@ jobs:
       - name: Dummy Deploy Step
         run: echo "Deploying app... (This is a dummy step)"
 
-  # 6) ZAP Scan Job
   zap_scan:
     name: ZAP Full Scan
     needs: deploy
@@ -94,3 +110,34 @@ jobs:
           target: 'https://demo.owasp-juice.shop/#/'
           rules_file_name: '.zap/rules.tsv'
           cmd_options: '-a'
+
+  import-defectdojo:
+    name: Import Scans to DefectDojo
+    needs: [Sast-scan, Gitleaks-scan]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Setup Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Download Semgrep Artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: semgrep-sarif
+          path: .
+
+      - name: Download Gitleaks Artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: gitleaks-sarif
+          path: .
+
+      - name: Import Semgrep SARIF to DefectDojo
+        run: python import_scan.py semgrep.sarif
+
+      - name: Import Gitleaks SARIF to DefectDojo
+        run: python import_scan.py gitleaks.sarif