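name: Security Scanning

# Least-privilege token for the whole workflow: every job only needs to read
# the repository, and the upload-sarif steps need security-events:write to
# populate the Security tab. Without an explicit grant the uploads can fail
# silently, because every upload step below is continue-on-error.
permissions:
  contents: read
  security-events: write
  actions: read  # upload-sarif documents this as required on private repos

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    # Run security scans weekly on Sundays at midnight (UTC)
    - cron: '0 0 * * 0'

jobs:
  # ==========================================
  # Secret Scanning
  # ==========================================
  secret-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history so the secret scanners can see every commit,
          # not just the checked-out tree.
          fetch-depth: 0

      - name: TruffleHog Secret Scan
        # TODO(supply-chain): `@main` is a mutable branch ref; pin to a
        # release tag or full commit SHA (<PINNED_SHA>) so a compromised
        # upstream cannot change what runs here.
        uses: trufflesecurity/trufflehog@main
        with:
          extra_args: --only-verified

      - name: GitLeaks Secret Scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Non-blocking: findings are reported but do not fail the job.
        continue-on-error: true

  # ==========================================
  # Dependency Vulnerability Scanning
  # ==========================================
  dependency-scan:
    name: Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner (filesystem)
        # TODO(supply-chain): `@master` is a mutable ref; pin to a release
        # tag or full commit SHA (<PINNED_SHA>).
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-fs-results.sarif'
        continue-on-error: true

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-fs-results.sarif'
          # Distinct category per Trivy upload so the filesystem and image
          # scans for the same commit are kept apart instead of replacing
          # one another in the Security tab.
          category: trivy-fs
        continue-on-error: true

  # ==========================================
  # Go Security Scan
  # ==========================================
  go-security:
    name: Go Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.21'

      - name: Run Gosec Security Scanner
        # TODO(supply-chain): `@master` is a mutable ref; pin to a release
        # tag or full commit SHA (<PINNED_SHA>).
        uses: securego/gosec@master
        with:
          # -no-fail: report findings without failing the step.
          args: '-no-fail -fmt sarif -out gosec-results.sarif ./consent-service/...'
        continue-on-error: true

      - name: Upload Gosec results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'gosec-results.sarif'
        continue-on-error: true

      - name: Run govulncheck
        working-directory: ./consent-service
        # `|| true` keeps the job green even when vulnerable calls are found;
        # the output is only visible in the job log.
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./... || true

  # ==========================================
  # Python Security Scan
  # ==========================================
  python-security:
    name: Python Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.11'

      - name: Install safety and bandit
        run: pip install safety bandit

      - name: Run Safety (dependency check)
        working-directory: ./backend
        # Non-blocking; findings appear in the job log only.
        run: safety check -r requirements.txt --full-report || true

      - name: Run Bandit (code security scan)
        working-directory: ./backend
        # --exit-zero: report findings without failing the step.
        run: bandit -r . -f sarif -o bandit-results.sarif --exit-zero

      - name: Upload Bandit results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: './backend/bandit-results.sarif'
        continue-on-error: true

  # ==========================================
  # Node.js Security Scan
  # ==========================================
  node-security:
    name: Node.js Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      - name: Install dependencies
        working-directory: ./website
        run: npm ci

      - name: Run npm audit
        working-directory: ./website
        # Non-blocking; findings appear in the job log only.
        run: npm audit --audit-level=high || true

  # ==========================================
  # Docker Image Scanning
  # ==========================================
  docker-security:
    name: Docker Image Security
    runs-on: ubuntu-latest
    needs: [go-security, python-security, node-security]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Build consent-service image
        run: docker build -t breakpilot/consent-service:scan ./consent-service

      - name: Run Trivy on consent-service
        # TODO(supply-chain): `@master` is a mutable ref; pin to a release
        # tag or full commit SHA (<PINNED_SHA>).
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'breakpilot/consent-service:scan'
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-consent-results.sarif'
        continue-on-error: true

      - name: Build backend image
        run: docker build -t breakpilot/backend:scan ./backend

      - name: Run Trivy on backend
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'breakpilot/backend:scan'
          severity: 'CRITICAL,HIGH'
          format: 'sarif'
          output: 'trivy-backend-results.sarif'
        continue-on-error: true

      # Each image scan is uploaded separately under its own category;
      # previously only the consent-service SARIF reached the Security tab
      # and the backend image findings were discarded.
      - name: Upload Trivy results (consent-service)
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-consent-results.sarif'
          category: trivy-image-consent-service
        continue-on-error: true

      - name: Upload Trivy results (backend)
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-backend-results.sarif'
          category: trivy-image-backend
        continue-on-error: true

  # ==========================================
  # Security Summary
  # ==========================================
  security-summary:
    name: Security Summary
    runs-on: ubuntu-latest
    needs: [secret-scan, dependency-scan, go-security, python-security, node-security, docker-security]
    if: always()
    steps:
      - name: Create security summary
        # Every scanner above is non-blocking (continue-on-error / || true /
        # --exit-zero / -no-fail), so a "success" row means the scanner ran,
        # not that it found nothing; findings live in the Security tab and
        # the job logs. The needs.*.result values are fixed status strings,
        # not user-controlled input.
        run: |
          echo "## Security Scan Results" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "| Scan Type | Status |" >> $GITHUB_STEP_SUMMARY
          echo "|-----------|--------|" >> $GITHUB_STEP_SUMMARY
          echo "| Secret Scanning | ${{ needs.secret-scan.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Dependency Scanning | ${{ needs.dependency-scan.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Go Security | ${{ needs.go-security.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Python Security | ${{ needs.python-security.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Node.js Security | ${{ needs.node-security.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Docker Security | ${{ needs.docker-security.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "### Notes" >> $GITHUB_STEP_SUMMARY
          echo "- Results are uploaded to the GitHub Security tab" >> $GITHUB_STEP_SUMMARY
          echo "- A job status of success means the scanner ran; findings are in the Security tab and job logs" >> $GITHUB_STEP_SUMMARY
          echo "- Weekly scheduled scans run on Sundays" >> $GITHUB_STEP_SUMMARY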