localization/.github/workflows/security.yml at ee9c97fa2c222dd5b4496330c174417424f0dc6e · necordjs/localization · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
name: Security Scans
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
  schedule:
    - cron: '39 15 * * 3'

permissions:
  contents: read

jobs:
  check-ghas:
    name: Check GitHub Advanced Security
    runs-on: ubuntu-latest
    outputs:
      ghas_enabled: ${{ steps.detect.outputs.ghas_enabled }}
    steps:
      - name: Check Advanced Security status
        id: detect
        run: |
          echo "Fetching repository security settings..."
          echo "Repository: ${{ github.repository }}"
          echo "Repository visibility: ${{ github.repository_visibility }}"
          if [[ "${{ github.repository_visibility }}" == "public" ]]; then
            echo "Repository is public. Setting ghas_enabled=true"
            echo "ghas_enabled=true" >> $GITHUB_OUTPUT
          else
            ENABLED=$(gh api repos/${{ github.repository }} | jq -r '.security_and_analysis.advanced_security.status // empty')
            echo "Advanced Security status: $ENABLED"
            if [[ "$ENABLED" == "enabled" ]]; then
              echo "ghas_enabled=true" >> $GITHUB_OUTPUT
              echo "Advanced Security is enabled. Setting ghas_enabled=true"
            else
              echo "ghas_enabled=false" >> $GITHUB_OUTPUT
              echo "Advanced Security is disabled. Setting ghas_enabled=false"
            fi
          fi
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  codeql:
    needs: check-ghas
    if: needs.check-ghas.outputs.ghas_enabled == 'true'
    name: CodeQL Analyze
    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
    permissions:
      # required for all workflows
      security-events: write

      # required to fetch internal or private CodeQL packs
      packages: read

      # only required for workflows in private repositories
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        include:
          - language: actions
          - language: javascript-typescript
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          build-mode: ${{ matrix.build-mode }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{matrix.language}}"

  dependency-review:
    needs: check-ghas
    if: needs.check-ghas.outputs.ghas_enabled == 'true' && github.event_name == 'pull_request'
    name: Dependency Review
    permissions:
      contents: read
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Dependency Review
        uses: actions/dependency-review-action@v4
        with:
          comment-summary-in-pr: on-failure
          fail-on-severity: moderate

  trufflehog:
    needs: check-ghas
    if: needs.check-ghas.outputs.ghas_enabled == 'true' || github.actor != 'dependabot[bot]'
    name: TruffleHog Secrets Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Run TruffleHog
        uses: trufflesecurity/trufflehog@main
        with:
          head: ${{ github.event.pull_request.head.sha || github.sha }}
          extra_args: --log-level=2 --results=verified,unknown

  trivy:
    needs: check-ghas
    if: needs.check-ghas.outputs.ghas_enabled == 'true' || github.actor != 'dependabot[bot]'
    name: Trivy Vulnerability Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: ${{ needs.check-ghas.outputs.ghas_enabled == 'true' && 'sarif' || 'table' }}
          output: ${{ needs.check-ghas.outputs.ghas_enabled == 'true' && 'trivy-results.sarif' || '' }}
          ignore-unfixed: true

      - name: Upload Trivy scan results to GitHub Security tab
        if: needs.check-ghas.outputs.ghas_enabled == 'true'
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
          category: 'trivy'

      - name: Run Trivy vulnerability scanner in IaC mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          hide-progress: false
          format: table
          skip-setup-trivy: true