.github/workflows/security_scan.yml

name: Security Scan

on:
  push:
    branches: [ "main" ]
  workflow_dispatch:

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
    - uses: actions/checkout@v3

    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@master
      continue-on-error: true
      with:
        scan-type: 'fs'
        format: 'sarif'
        output: 'trivy-results.sarif'
        vuln-type: 'os,library,vuln,secret,config'
        severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'

    - name: Run TruffleHog OSS Secret scanner
      uses: trufflesecurity/trufflehog@main
      continue-on-error: true
      with:
        path: ./
        base: ${{ github.event.repository.default_branch }}

    - name: Run tfsec for Terraform files
      continue-on-error: true
      uses: aquasecurity/tfsec-sarif-action@master
      with:
        sarif_file: tfsec.sarif

    - name: Run Bandit for azure-goat Python function
      continue-on-error: true
      uses: jpetrucciani/bandit-check@master
      with:
        path: './azure-goat/modules/module-1/resources/azure_function/data/app'
        bandit_flags: '--format sarif --output bandit.sarif'

    - name: Upload report from Trivy as Build Artifact
      uses: actions/upload-artifact@v3
      with:
        name: ScanReport
        path: 'trivy-results.sarif'

    - name: Upload report from tfsec as Build Artifact
      uses: actions/upload-artifact@v3
      with:
        name: ScanReport
        path: 'tfsec.sarif'

    - name: Upload report from bandit as Build Artifact
      uses: actions/upload-artifact@v3
      with:
        name: ScanReport
        path: 'bandit.sarif'

    - name: Upload alerts from trivy to Security tab
      continue-on-error: true
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: 'trivy-results.sarif'

    - name: Upload alerts from tfsec to Security tab
      continue-on-error: true
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: 'tfsec.sarif'

    - name: Upload alerts from bandit to Security tab
      continue-on-error: true
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: 'bandit.sarif'