# Security Checks
#
# Thin caller around the reusable security-scan workflow. This file only
# decides *what* to scan and *how strictly*; the actual tool invocations live
# in ./.github/workflows/_reusable-security-scan.yaml, which receives the
# parameters assembled in the `security` job below.
#
# Triggers
#   schedule           daily at 02:00 UTC. Always the full toolset, the whole
#                      codebase and the LOW threshold; dispatch inputs are not
#                      consulted on this path.
#   workflow_dispatch  the operator picks tools, scope and minimum severity
#                      from the fixed choice lists declared under `inputs`.
#
# Tools the `tools` input can name (comma-separated, no spaces):
#   bandit   Python-specific security linting
#   clamav   malware detection
#   semgrep  static application security testing (SAST)
#   trivy    vulnerability scanning
#
# Token scopes granted to the whole run (the called workflow inherits at most
# these): contents: read, security-events: write.
#
# Manual run example (workflow_dispatch inputs):
#   tools: "bandit,semgrep,trivy"
#   scan-scope: "changed"
#   severity-level: "MEDIUM"
#
# Findings are attached as workflow artifacts and, where GitHub Advanced
# Security is enabled, surfaced in the repository's Security tab.
---
name: Security Checks

# `on` is read as a YAML 1.1 boolean by generic parsers; GitHub's loader
# treats it as the trigger key, so a yamllint `truthy` warning here is benign.
on:
  schedule:
    - cron: '0 2 * * *'  # 02:00 UTC, every day
  workflow_dispatch:
    inputs:
      tools:
        description: 'Security tools to run'
        type: choice
        required: true
        default: 'bandit,semgrep,trivy'
        options:
          - 'bandit,semgrep,trivy'         # default set
          - 'bandit,clamav,semgrep,trivy'  # full set (adds the malware scan)
          - 'bandit,semgrep'               # minimal set
      scan-scope:
        description: 'Scan scope'
        type: choice
        required: true
        default: 'all'
        options:
          - 'all'
          - 'changed'
      severity-level:
        description: 'Minimum severity level'
        type: choice
        required: true
        default: 'LOW'
        options:
          - 'LOW'
          - 'MEDIUM'
          - 'HIGH'

# Least-privilege token for the run. A reusable workflow can only narrow the
# caller's scopes, never widen them, so this is the ceiling for the scan job.
permissions:
  contents: read          # checkout of the code under test
  security-events: write  # needed to publish findings to the Security tab

jobs:
  security:
    uses: ./.github/workflows/_reusable-security-scan.yaml
    with:
      # `cond && a || b` is the expression-syntax ternary. On a `schedule`
      # event the inputs.* context is empty, so the scheduled literals are
      # forwarded; on workflow_dispatch the operator's choice passes through
      # unchanged. Because every input is `type: choice`, the called workflow
      # only ever sees one of the enumerated values above.
      tools: ${{ github.event_name == 'schedule' && 'bandit,clamav,semgrep,trivy' || inputs.tools }}
      scan-scope: ${{ github.event_name == 'schedule' && 'all' || inputs.scan-scope }}
      severity-level: ${{ github.event_name == 'schedule' && 'LOW' || inputs.severity-level }}
      # Deliberately not an input: every run, manual or scheduled, fails on findings.
      fail-on-findings: true