Reorganize scripts #1

Workflow file for this run

.github/workflows/security-scan.yml at 5fae92c

	name: Security Scan

	on:
	push:
	branches: [ main ]
	pull_request:
	branches: [ main ]
	schedule:
	- cron: '0 0 * * 0' # Weekly on Sundays at midnight
	workflow_dispatch:

	jobs:
	flawfinder:
	name: Flawfinder
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v3

	- name: Install flawfinder
	run: \|
	sudo apt-get update
	sudo apt-get install -y flawfinder

	- name: Run flawfinder
	run: \|
	mkdir -p security-reports
	flawfinder --html --context --minlevel=3 . > security-reports/flawfinder-report.html
	continue-on-error: true

	- name: Generate text report
	run: \|
	flawfinder --csv --minlevel=3 . > security-reports/flawfinder-report.csv
	continue-on-error: true

	- name: Upload flawfinder report
	uses: actions/upload-artifact@v4
	with:
	name: flawfinder-report
	path: security-reports
	if-no-files-found: warn

	codeql:
	name: CodeQL Analysis
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	actions: read
	contents: read
	steps:
	- uses: actions/checkout@v3

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v2
	with:
	languages: cpp
	queries: security-and-quality

	- name: Install dependencies
	run: \|
	sudo apt-get update
	sudo apt-get install -y build-essential cmake libboost-all-dev

	- name: Build
	run: \|
	mkdir -p build
	cd build
	cmake ..
	cmake --build . --config Release

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v2
	with:
	category: "/language:cpp"

	trivy:
	name: Trivy Scan
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v3

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: 'fs'
	ignore-unfixed: true
	format: 'sarif'
	output: 'trivy-results.sarif'
	severity: 'CRITICAL,HIGH'
	continue-on-error: true

	- name: Upload Trivy scan results
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: 'trivy-results.sarif'
	continue-on-error: true

	dependency-check:
	name: OWASP Dependency Check
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v3

	- name: Dependency Check
	uses: dependency-check/Dependency-Check_Action@main
	with:
	project: 'thales'
	path: '.'
	format: 'HTML'
	out: 'reports'
	args: >
	--enableExperimental
	--scan */.cpp
	--scan */.hpp
	--scan */.h
	--scan **/CMakeLists.txt
	continue-on-error: true

	- name: Upload Dependency Check results
	uses: actions/upload-artifact@v4
	with:
	name: dependency-check-report
	path: reports
	if-no-files-found: warn

	summary:
	name: Security Summary
	needs: [flawfinder, codeql, trivy, dependency-check]
	runs-on: ubuntu-latest
	if: always()
	steps:
	- name: Create security summary
	run: \|
	echo "# Security Scan Summary" > security-summary.md
	echo "" >> security-summary.md
	echo "Security scans completed. Check the workflow artifacts for detailed reports." >> security-summary.md
	echo "" >> security-summary.md
	echo "## Scans Performed" >> security-summary.md
	echo "- Flawfinder (C/C++ security scanner)" >> security-summary.md
	echo "- CodeQL Analysis" >> security-summary.md
	echo "- Trivy (Vulnerability Scanner)" >> security-summary.md
	echo "- OWASP Dependency Check" >> security-summary.md

	cat security-summary.md

	- name: Upload security summary
	uses: actions/upload-artifact@v4
	with:
	name: security-summary
	path: security-summary.md
	if-no-files-found: warn

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Reorganize scripts #1

Workflow file

Reorganize scripts #1

Uh oh!

Jobs

Run details

Workflow file for this run