Merge branch 'main' of https://github.com/wallix/terraform-provider-w… #1
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Scanning | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| schedule: | |
| - cron: '0 6 * * 1' # Weekly on Monday at 6 AM UTC | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| jobs: | |
| # Static security analysis | |
| codeql: | |
| name: CodeQL Analysis | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [ 'go' ] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| queries: security-and-quality | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'go.mod' | |
| cache: true | |
| - name: Build | |
| run: go build -v ./... | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| # Dependency vulnerabilities | |
| dependency-scan: | |
| name: Dependency Vulnerability Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'go.mod' | |
| cache: true | |
| - name: Run govulncheck | |
| uses: golang/govulncheck-action@v1 | |
| with: | |
| go-version-file: go.mod | |
| check-latest: false | |
| - name: Run Nancy (dependency vulnerability scanner) | |
| run: | | |
| go install github.com/sonatypeoss/nancy@latest | |
| go list -json -deps ./... | nancy sleuth | |
| # Secret scanning | |
| secret-scan: | |
| name: Secret Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run TruffleHog | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| base: main | |
| head: HEAD | |
| extra_args: --debug --only-verified | |
| # Container security (if using Docker) | |
| container-scan: | |
| name: Container Security Scan | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v5 | |
| - name: Build test container | |
| run: | | |
| cat > Dockerfile.test << 'EOF' | |
| FROM golang:1.23-alpine AS builder | |
| WORKDIR /app | |
| COPY go.mod go.sum ./ | |
| RUN go mod download | |
| COPY . . | |
| RUN CGO_ENABLED=0 go build -o terraform-provider-wallix-bastion | |
| FROM scratch | |
| COPY --from=builder /app/terraform-provider-wallix-bastion / | |
| ENTRYPOINT ["/terraform-provider-wallix-bastion"] | |
| EOF | |
| docker build -f Dockerfile.test -t wallix-bastion-provider:test . | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'wallix-bastion-provider:test' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' |