Skip to content
Security Scan

feat: add Azure DevOps sample pipelines #74

Sign in to view logs

feat: add Azure DevOps sample pipelines

feat: add Azure DevOps sample pipelines #74

Workflow file for this run

.github/workflows/security_scan.yml at 3bb3176
name: Security Scan
on:
push:
branches: [ "main" ]
workflow_dispatch:
jobs:
scan:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
continue-on-error: true
with:
scan-type: 'fs'
format: 'sarif'
output: 'trivy-results.sarif'
vuln-type: 'os,library,vuln,secret,config'
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
- name: Run TruffleHog OSS Secret scanner
uses: trufflesecurity/trufflehog@main
continue-on-error: true
with:
path: ./
base: ${{ github.event.repository.default_branch }}
- name: Run tfsec for Terraform files
continue-on-error: true
uses: aquasecurity/tfsec-sarif-action@master
with:
sarif_file: tfsec.sarif
- name: Run Bandit for azure-goat Python function
continue-on-error: true
uses: jpetrucciani/bandit-check@master
with:
path: './azure-goat/modules/module-1/resources/azure_function/data/app'
bandit_flags: '--format sarif --output bandit.sarif'
- name: Upload report from Trivy as Build Artifact
uses: actions/upload-artifact@v3
with:
name: ScanReport
path: 'trivy-results.sarif'
- name: Upload report from tfsec as Build Artifact
uses: actions/upload-artifact@v3
with:
name: ScanReport
path: 'tfsec.sarif'
- name: Upload report from bandit as Build Artifact
uses: actions/upload-artifact@v3
with:
name: ScanReport
path: 'bandit.sarif'
- name: Upload alerts from trivy to Security tab
continue-on-error: true
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Upload alerts from tfsec to Security tab
continue-on-error: true
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'tfsec.sarif'
- name: Upload alerts from bandit to Security tab
continue-on-error: true
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'bandit.sarif'