chore: create configurable security scan #308
Conversation
kevinkupski left a comment
Thanks for opening the PR. I did not review the template/Python scripts in detail but would test the workflow(s) when they are ready to check the result.
Btw. do you think we can run this whenever this code changes to have a test for the workflow(s)? Similar to the other workflow/action tests?
| @@ -0,0 +1,27 @@ | |||
| --- | |||
I think we do not need this action since it seems that you are not using poetry or any Python project. I'd just use the official setup-python action (as you already do) and delete this file.
| @@ -0,0 +1,21 @@ | |||
| name: Setup Trivy | |||
Should we use https://github.com/aquasecurity/setup-trivy ? Usually I'm not a fan of third party Github actions but in this case the official action from aquasecurity seems to be okay.
| workflow_call: | ||
| inputs: | ||
| scan-tool: | ||
| description: 'Tool das für den Scan verwendet werden soll, aktuell verfügbar: "checkov", "trivy"' |
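Review bot: the `description` of the `scan-tool` input is German and the input carries no `type` or `required` field; suggest `description: 'Tool to use for the scan; currently available: "checkov", "trivy"'` plus `type: string` and `required: true`, and a first step that fails fast when the value is neither `checkov` nor `trivy`, since every later step is guarded by that value.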
Please translate German to English for this repository.
| on: | ||
| workflow_call: | ||
| inputs: | ||
| scan-tool: |
Do you think we could split this up in a security-scan-trivy and security-scan checkov workflow? Looks like a lot of this is guarded with an if statement for the specific tool.
| - name: convert Checkov report to CTRF format | ||
| if: always() && ${{ inputs.use-test-reporter }} | ||
| run: | | ||
| echo "erstelle datei" > ./security-scanning/checkov.ctrf.json |
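Review bot: the step named "convert Checkov report to CTRF format" does no conversion, it writes the literal text `erstelle datei` into `checkov.ctrf.json`, which is not valid JSON and will be rejected by anything that parses CTRF (an empty file from `touch` has the same problem); either call the real converter here or emit a minimal valid CTRF document. The condition `if: always() && ${{ inputs.use-test-reporter }}` mixes the bare expression form with an inline `${{ }}`; write it as one expression, `if: ${{ always() && inputs.use-test-reporter }}`, and make sure `use-test-reporter` is declared `type: boolean`, because a string input `'false'` is truthy.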
| echo "erstelle datei" > ./security-scanning/checkov.ctrf.json | |
| touch ./security-scanning/checkov.ctrf.json |
| @@ -0,0 +1,308 @@ | |||
| # .github/workflows/security-scan.yaml | |||
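Review bot: the only header in this 308-line workflow is the file path comment; add a short comment block at the top stating which inputs the reusable workflow takes, which tools it runs, and why findings are published as issues instead of SARIF upload to Code Scanning, so the design decision discussed in this review survives in the file itself.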
Could you add documentation / Readme.md about the reasoning behind this (all tools could export SARIF which would be feasible for Code Security, but this is paywalled by Github, so we use a solution which handles it via issues).
| uses: ./.github/actions/setup-trivy | ||
|
|
||
| - name: download vulnerabilities database from aws | ||
| uses: nick-fields/retry@v3 |
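Review bot: `nick-fields/retry@v3` is referenced by a floating major tag; pin third-party actions to a full commit SHA (`uses: nick-fields/retry@<commit-sha> # v3`) so the step cannot change underneath a release. The retry around the database download can also be done in a plain `run:` step with an `until ...; do sleep N; done` loop, which avoids adding another external dependency to a security workflow.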
Is it possible to do this in a native Bash way to not include another 3rd party action?
Why is this necessary btw?

It also looks like there are some syntax errors: https://github.com/zweitag/github-actions/actions/runs/20659089108