forked from bridgecrewio/checkov
-
Notifications
You must be signed in to change notification settings - Fork 1
45 lines (41 loc) · 1.57 KB
/
security-shared.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# !!! Important !!!
# This a reusable workflow and is used in the PR and push to main branch flow separately
# to be able to protect it behind a manual approval in the PR flow
name: security-shared
on:
workflow_call:
permissions:
contents: read
jobs:
bandit:
runs-on: [self-hosted, public, linux, x64]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: security test
uses: jpetrucciani/bandit-check@74c5ecc4297e374c7e9283bc81f649287bb14f34 # v1
with:
path: 'checkov'
trufflehog-secrets:
runs-on: [self-hosted, public, linux, x64]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: detect secrets
uses: edplato/trufflehog-actions-scan@0af17d9dd1410283f740eb76b0b8f6b696cadefc # v0.9
with:
scanArguments: "--regex --entropy=False --exclude_paths .github/exclude-patterns.txt --max_depth=1"
checkov-secrets:
runs-on: [self-hosted, public, linux, x64]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v3
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Scan for secrets
uses: bridgecrewio/checkov-action@master # use latest and greatest
with:
api-key: ${{ secrets.PRISMA_KEY_API2 }}
prisma-api-url: ${{ secrets.PRISMA_API_URL_2 }}
config_file: .github/checkov.yaml