From 7e5c1ad2cae74ed71c1ad497fdbc7e3bba9530b8 Mon Sep 17 00:00:00 2001
From: Alex Hayward
Date: Thu, 31 Oct 2024 10:38:51 +0000
Subject: [PATCH 1/2] Add an input parameter to this action to allow for disabling Bandit.

Bandit is a Python scanner and so should be disabled for repos with no Python.
---
 .github/workflows/security.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 5dd9551..fb1d3c2 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -2,6 +2,11 @@ name: Security scan
 on:
   pull_request:
   workflow_call:
+    inputs:
+      ENABLE_BANDIT:
+        description: 'Enable the Bandit scanner - useful for Python only'
+        default: true
+        type: boolean
 jobs:
   build:
     name: Check for vulnerabilities
@@ -12,6 +17,7 @@ jobs:
     - name: Security check - Bandit
       uses: mdegis/bandit-action@v1.0.1
+      if: ${{ inputs.ENABLE_BANDIT }}
       with:
         path: "."
         level: high

From 557757697268099246fb136984dd204b411faf92 Mon Sep 17 00:00:00 2001
From: Alex Hayward
Date: Thu, 31 Oct 2024 11:02:39 +0000
Subject: [PATCH 2/2] Resolve duplicated change

---
 .github/workflows/trivy.yaml | 25 -------------------------
 1 file changed, 25 deletions(-)
 delete mode 100644 .github/workflows/trivy.yaml

diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
deleted file mode 100644
index f49729f..0000000
--- a/.github/workflows/trivy.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: Trivy Security Scan
-on:
-  workflow_call:
-jobs:
-  build:
-    name: Check for vulnerabilities
-    runs-on: ubuntu-20.04
-    steps:
-    - name: Security check - Trivy
-      uses: aquasecurity/trivy-action@0.24.0
-      with:
-        scan-type: "fs"
-        scan-ref: "."
-        severity: "MEDIUM,CRITICAL,HIGH"
-        exit-code: "1"
-        trivy-config: |
-          rules:
-          - id: rule1
-            category: general
-            title: Generic Rule
-            severity: 'MEDIUM,CRITICAL,HIGH'
-            keywords:
-            - secret
-            regex: (?i)(?P(secret))(=|:).{0,5}'\"['\"]
-            secret-group-name: secret
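Review bot: The new `if: ${{ inputs.ENABLE_BANDIT }}` in the second hunk of security.yaml silently skips the Bandit step whenever this workflow runs from its own `pull_request` trigger, because the `inputs` context is only populated for `workflow_call` (and `workflow_dispatch`) events; the `default: true` declared in the first hunk applies only to reusable-workflow callers that omit the input, so on a `pull_request` event the expression evaluates to empty and the condition is false. Guard on the event as well: `if: ${{ github.event_name == 'pull_request' || inputs.ENABLE_BANDIT }}`. As far as I recall, a `!= false` comparison would not help, since GitHub coerces a missing value to 0 before comparing it with a boolean. It would also be worth a comment above `inputs:` such as `# Only honoured when this workflow is called via workflow_call; pull_request runs always scan` so the next reader does not assume the default covers both triggers, and `enable-bandit` (lowercase kebab-case) is the more conventional spelling for workflow_call inputs than `ENABLE_BANDIT`. The second patch is a pure file deletion and raises nothing.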