Security Scan #4

Workflow file for this run

.github/workflows/30-security-scan.yaml at bb919e8

	name: Security Scan

	on:
	push:
	branches: main
	pull_request:
	branches: main
	schedule:
	- cron: "0 0 * * 0" # Weekly on Sundays at midnight
	workflow_dispatch:

	jobs:
	flawfinder:
	name: Flawfinder
	runs-on: ubuntu-${{ vars.UBUNTU_VERSION }}
	steps:
	- uses: actions/checkout@v3

	- name: Install flawfinder
	run: \|
	sudo apt update
	sudo apt install -y flawfinder

	- name: Run flawfinder
	run: \|
	mkdir -p security-reports
	flawfinder --html --context --minlevel=3 . > security-reports/flawfinder-report.html
	continue-on-error: true

	- name: Generate text report
	run: \|
	flawfinder --csv --minlevel=3 . > security-reports/flawfinder-report.csv
	continue-on-error: true

	- name: Upload flawfinder report
	uses: actions/upload-artifact@v4
	with:
	name: flawfinder-report
	path: security-reports
	if-no-files-found: warn

	codeql:
	name: CodeQL Analysis
	runs-on: ubuntu-${{ vars.UBUNTU_VERSION }}
	permissions:
	security-events: write
	actions: read
	contents: read
	steps:
	- uses: actions/checkout@v3

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v2
	with:
	languages: cpp
	queries: security-and-quality

	- name: Install dependencies
	run: \|
	sudo apt update
	sudo apt install -y build-essential cmake libboost-all-dev

	- name: Build
	run: \|
	mkdir -p build
	cd build
	cmake ..
	cmake --build . --config Release

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v2
	with:
	category: "/language:cpp"

	trivy:
	name: Trivy Scan
	runs-on: ubuntu-${{ vars.UBUNTU_VERSION }}
	steps:
	- uses: actions/checkout@v3

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: "fs"
	ignore-unfixed: true
	format: "sarif"
	output: "trivy-results.sarif"
	severity: "CRITICAL,HIGH"
	continue-on-error: true

	- name: Upload Trivy scan results
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: "trivy-results.sarif"
	continue-on-error: true

	dependency-check:
	name: OWASP Dependency Check
	runs-on: ubuntu-${{ vars.UBUNTU_VERSION }}
	steps:
	- uses: actions/checkout@v3

	- name: Dependency Check
	uses: dependency-check/Dependency-Check_Action@main
	with:
	project: "thales"
	path: "."
	format: "HTML"
	out: "reports"
	args: >
	--enableExperimental
	--scan */.cpp
	--scan */.hpp
	--scan */.h
	--scan **/CMakeLists.txt
	continue-on-error: true

	- name: Upload Dependency Check results
	uses: actions/upload-artifact@v4
	with:
	name: dependency-check-report
	path: reports
	if-no-files-found: warn

	summary:
	name: Security Summary
	needs: [flawfinder, codeql, trivy, dependency-check]
	runs-on: ubuntu-${{ vars.UBUNTU_VERSION }}
	if: always()
	steps:
	- name: Create security summary
	run: \|
	echo "# Security Scan Summary" > security-summary.md
	echo "" >> security-summary.md
	echo "Security scans completed. Check the workflow artifacts for detailed reports." >> security-summary.md
	echo "" >> security-summary.md
	echo "## Scans Performed" >> security-summary.md
	echo "- Flawfinder (C/C++ security scanner)" >> security-summary.md
	echo "- CodeQL Analysis" >> security-summary.md
	echo "- Trivy (Vulnerability Scanner)" >> security-summary.md
	echo "- OWASP Dependency Check" >> security-summary.md

	cat security-summary.md

	- name: Upload security summary
	uses: actions/upload-artifact@v4
	with:
	name: security-summary
	path: security-summary.md
	if-no-files-found: warn

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Security Scan #4

Workflow file

Security Scan #4

Uh oh!

Jobs

Run details

Workflow file for this run