From ee3d1124d45509663aa46f7eedd8ddac749ba361 Mon Sep 17 00:00:00 2001 From: Pankaj Mouriya Date: Thu, 11 Sep 2025 14:59:37 +0530 Subject: [PATCH 01/13] feat(scan-gh-config): add GH CIS scan action --- .github/workflows/legitify-cis-scan.yml | 34 ++++++++ security-actions/scan-gh-cis/README.md | 100 ++++++++++++++++++++++ security-actions/scan-gh-cis/action.yml | 99 +++++++++++++++++++++ security-actions/scan-gh-cis/package.json | 14 +++ 4 files changed, 247 insertions(+) create mode 100644 .github/workflows/legitify-cis-scan.yml create mode 100644 security-actions/scan-gh-cis/README.md create mode 100644 security-actions/scan-gh-cis/action.yml create mode 100644 security-actions/scan-gh-cis/package.json diff --git a/.github/workflows/legitify-cis-scan.yml b/.github/workflows/legitify-cis-scan.yml new file mode 100644 index 000000000..bf2225f13 --- /dev/null +++ b/.github/workflows/legitify-cis-scan.yml @@ -0,0 +1,34 @@ +name: CIS GH Legitify Compliance Scan + +on: + pull_request: {} + push: + branches: + - master + - main + workflow_dispatch: {} + + +permissions: + contents: read + discussions: read + issues: read + pull-requests: read + security-events: write + +jobs: + cis-compliance-scan: + name: CIS Compliance Scan + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + + - name: Run Legitify CIS Scan + uses: ./security-actions/scan-cis + with: + github_token: ${{ secrets.PAT-UPDATE-TBD }} + fail_on_findings: 'false' + upload_code_scanning: 'true' + repositories: "Kong/insomnia" \ No newline at end of file diff --git a/security-actions/scan-gh-cis/README.md b/security-actions/scan-gh-cis/README.md new file mode 100644 index 000000000..38fa16ef5 --- /dev/null +++ b/security-actions/scan-gh-cis/README.md 
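Review bot: `github_token: ${{ secrets.PAT-UPDATE-TBD }}` in the new workflow cannot resolve — GitHub secret names may only contain alphanumerics and underscores, and inside an expression the hyphens are parsed as operators, so the job fails before the scan runs; use an underscore-named secret, e.g. `github_token: ${{ secrets.SECURITY_BOT_LEGITIFY_TOKEN }}`. The workflow also triggers on `pull_request` while passing a PAT into a local `./security-actions/...` reference; a same-repository PR can change that action before it runs with the token, so a high-privilege token should only be exposed on `schedule`/`workflow_dispatch`. The `discussions`, `issues` and `pull-requests: read` grants are not used by anything visible in the action and can be dropped to keep the `GITHUB_TOKEN` least-privilege. The file also ends without a trailing newline.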
@@ -0,0 +1,100 @@ +# CIS Compliance Scan Action + +A composite GitHub Action for running CIS (Center for Internet Security) compliance scans with automated report generation and artifact upload. + +## Features + +- CIS benchmark compliance scanning +- Formatted results table in job summary +- SARIF report generation and artifact upload +- Configurable failure behavior +- Debug logging support +- Security events integration + +## Usage + +### Basic Usage + +```yaml +- name: Run CIS Compliance Scan + uses: Kong/public-shared-actions/security-actions/scan-cis@COMMIT-SHA + with: + github_token: ${{ secrets.PAT }} + repositories: ${{ github.repository }} +``` + + +## Inputs + +| Input | Description | Required | Default | +|-------|-------------|----------|---------| +| `github_token` | GitHub token with appropriate permissions | ✅ | - | +| `repositories` | Comma-separated list of repositories to scan | ❌ | `''` | +| `fail_on_findings` | Fail job if compliance issues are detected | ❌ | `'false'` | +| `upload_code_scanning` | Upload results to GitHub Code Scanning | ❌ | `'true'` | +| `scorecard` | Enable OpenSSF Scorecard integration | ❌ | `'no'` | +| `artifact_name` | Name for the artifact containing scan results | ❌ | `'legitify-cis-scan-results'` | +| `publish_results_table` | Publish results in formatted table | ❌ | `'true'` | + +## Outputs + +- **SARIF Report**: Generated as `legitify-output.sarif` +- **Job Summary**: Formatted table with scan results +- **Artifacts**: Uploaded scan reports for download +- **Security Events**: Integration with GitHub Security tab + +## Example Workflow + +```yaml +name: CIS Compliance Scan + +on: + pull_request: + push: + branches: [main] + +permissions: + contents: read + security-events: write + +jobs: + cis-scan: + name: CIS Compliance Scan + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@COMMIT-SHA + + - name: Run CIS Scan + uses: Kong/public-shared-actions/security-actions/scan-cis@COMMIT-SHA 
+ with: + github_token: ${{ secrets.PAT }} + repositories: ${{ github.repository }} + fail_on_findings: "false" +``` + +## Permissions Required + +The action requires the following permissions: + +```yaml +permissions: + contents: read + discussions: read + issues: read + pull-requests: read + security-events: write +``` + +## Artifacts + +The action generates and uploads: +- `legitify-output.sarif` - SARIF format security report +- Results are available in the workflow's "Artifacts" section + +## Notes + +- The action uses Legitify for CIS compliance scanning +- SARIF reports are only uploaded when the scan completes successfully +- WIP- Results are displayed in both job summary tables and GitHub Security tab diff --git a/security-actions/scan-gh-cis/action.yml b/security-actions/scan-gh-cis/action.yml new file mode 100644 index 000000000..9f5a88a26 --- /dev/null +++ b/security-actions/scan-gh-cis/action.yml 
@@ -0,0 +1,99 @@ +name: 'Legitify CIS GitHub Scan' +description: 'Run Legitify CIS compliance scan on GitHub repositories' +author: 'Kong' + +inputs: + fail_on_findings: + description: 'Fail job if Legitify detects CIS compliance issues' + required: false + default: 'false' + upload_code_scanning: + description: 'Upload results to GitHub Code Scanning' + required: false + default: 'true' + scorecard: + description: 'Enable OpenSSF Scorecard integration' + required: false + default: 'no' + repositories: + description: 'Comma-separated list of repositories to scan (defaults to current repository)' + required: false + default: '' + artifact_name: + description: 'Name for the artifact containing scan results' + required: false + default: 'legitify-cis-scan-results' + github_token: + description: 'GitHub token with appropriate permissions for Legitify scan' + required: true + + +runs: + using: 'composite' + steps: + - name: Set debug logging for Legitify + shell: bash + run: | + if [[ "$ACTIONS_STEP_DEBUG" == "true" ]]; then + echo "LEGITIFY_DEBUG=true" >> $GITHUB_ENV + echo "::notice::Debug logging enabled for Legitify scan" + else + echo "LEGITIFY_DEBUG=false" >> $GITHUB_ENV + fi + + - name: Run Legitify CIS Scan + id: legitify-scan + uses: Legit-Labs/legitify@002049404ef93b207048323fe996eb2330327031 # v1.0.11 + continue-on-error: true + with: + github_token: ${{ inputs.github_token }} + upload_code_scanning: ${{ inputs.upload_code_scanning }} + scorecard: ${{ inputs.scorecard }} + repositories: ${{ inputs.repositories }} + artifact_name: ${{ inputs.artifact_name }} + + - name: Check Legitify report existence + if: ${{ steps.legitify-scan.conclusion == 'success' }} + id: legitify_report + shell: bash + run: | + echo "::group::Check for Legitify report existence" + + # Debug: List all files in current directory + echo "Files in current directory:" + ls -la + + # Check for the specific SARIF file that Legitify generates + sarif_file="legitify-output.sarif" + if [[ -f 
"${sarif_file}" ]]; then + echo "SARIF report file exists: ${sarif_file}" + echo "files_exists=true" >> $GITHUB_OUTPUT + echo "sarif_file=${sarif_file}" >> $GITHUB_OUTPUT + else + echo "::warning::Legitify SARIF report file not found: ${sarif_file}" + echo "files_exists=false" >> $GITHUB_OUTPUT + fi + echo "::endgroup::" + + # Upload artifacts + - name: Upload Legitify SARIF report + if: ${{ steps.legitify-scan.conclusion == 'success' && steps.legitify_report.outputs.files_exists == 'true' }} + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: ${{ inputs.artifact_name }} + path: ${{ steps.legitify_report.outputs.sarif_file }} + if-no-files-found: warn + + - name: Summary + if: always() + shell: bash + run: | + echo "## Legitify CIS Scan Summary" >> $GITHUB_STEP_SUMMARY + echo "**Repository scanned:** ${{ github.repository }}" >> $GITHUB_STEP_SUMMARY + echo "**Scan status:** ${{ steps.legitify-scan.outcome }}" >> $GITHUB_STEP_SUMMARY + echo "**Artifact name:** ${{ inputs.artifact_name }}" >> $GITHUB_STEP_SUMMARY + if [[ "${{ env.SCAN_FAILED }}" == "true" ]]; then + echo "**Result:** ⚠️ Compliance issues detected" >> $GITHUB_STEP_SUMMARY + else + echo "**Result:** ✅ No compliance issues found" >> $GITHUB_STEP_SUMMARY + fi \ No newline at end of file diff --git a/security-actions/scan-gh-cis/package.json b/security-actions/scan-gh-cis/package.json new file mode 100644 index 000000000..f74ebc4b1 --- /dev/null +++ b/security-actions/scan-gh-cis/package.json @@ -0,0 +1,14 @@ +{ + "name": "scan-gh-cis", + "version": "1.0.0", + "description": "Run CIS compliance scanning with report generation and artifact upload", + "main": "action.yml", + "repository": { + "type": "git", + "url": "https://github.com/Kong/public-shared-actions", + "directory": "security-actions/scan-gh-cis" + }, + "private": false, + "author": "Kong, Inc.", + "license": "UNLICENSED" +} \ No newline at end of file 
From 52338075b9c883d9018115cb11e70b2ef15dd2e5 Mon Sep 17 00:00:00 2001 From: Pankaj Mouriya Date: Thu, 11 Sep 2025 15:02:43 +0530 Subject: [PATCH 02/13] feat(ci): fix typo --- .github/workflows/legitify-cis-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/legitify-cis-scan.yml b/.github/workflows/legitify-cis-scan.yml index bf2225f13..26f0bbe85 100644 --- a/.github/workflows/legitify-cis-scan.yml +++ b/.github/workflows/legitify-cis-scan.yml @@ -26,7 +26,7 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Run Legitify CIS Scan - uses: ./security-actions/scan-cis + uses: ./security-actions/scan-gh-cis with: github_token: ${{ secrets.PAT-UPDATE-TBD }} fail_on_findings: 'false' From 038434857adce78c87b60ed5b8f73f0f3f886bc0 Mon Sep 17 00:00:00 2001 From: Pankaj Date: Wed, 17 Sep 2025 14:24:15 +0530 Subject: [PATCH 03/13] feat(scan-docker-image): add by-cve flag to organise results by CVE (#310) --- .github/workflows/docker-image-scan.yml | 1 + security-actions/scan-docker-image/README.md | 8 +++++++- security-actions/scan-docker-image/action.yml | 7 +++++++ 3 files changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/docker-image-scan.yml b/.github/workflows/docker-image-scan.yml index e8953bcd4..10f39771c 100644 --- a/.github/workflows/docker-image-scan.yml +++ b/.github/workflows/docker-image-scan.yml @@ -66,6 +66,7 @@ jobs: skip_cis_scan: false trivy_db_cache: Kong/trivy-db-mirror@master trivy_db_cache_token: ${{ secrets.SECURITY_BOT_PSA_PAT }} + by_cve: true - name: Scan ARM64 Image digest if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != '' diff --git a/security-actions/scan-docker-image/README.md b/security-actions/scan-docker-image/README.md index 8cd1abb6f..3cbcbd0ed 100644 --- a/security-actions/scan-docker-image/README.md +++ b/security-actions/scan-docker-image/README.md 
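Review bot: `by_cve: true` is added only to the AMD64 scan step in `docker-image-scan.yml`; the hunk's last context line is the start of the ARM64 step, whose `with:` block is outside the hunk and does not appear to receive the same input, so the two architecture reports would be keyed by different identifiers (CVE vs GHSA) and would not line up. Add `by_cve: true` to the ARM64 step as well, or document why they differ. Since composite inputs are strings and the action declares `default: 'false'`, the quoted form `by_cve: 'true'` keeps the value consistent with the declaration.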
@@ -133,6 +133,10 @@ permissions: trivy_db_cache_token: description: 'Token for accessing `trivy_db_cache`.' required: false + by_cve: + description: 'Specify whether to orient results by CVE rather than GHSA' + required: false + default: 'false' ``` #### Output specification @@ -256,8 +260,10 @@ jobs: uses: Kong/public-shared-actions/security-actions/scan-docker-image@main with: # Leverages trivy DB config from upstream mirror by default + # Results are organized by CVE IDs (Common Vulnerabilities and Exposures identifiers) when `by_cve` is set to true asset_prefix: kong-gateway-dev-linux-amd64 image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }} + by_cve: true - name: Scan ARM64 Image digest if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != '' @@ -267,5 +273,5 @@ jobs: asset_prefix: kong-gateway-dev-linux-arm64 image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }} trivy_db_cache: - trivy_db_cache_token: ${{ secrets.PAT }} + trivy_db_cache_token: ${{ secrets.PAT }} ``` \ No newline at end of file diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml index 95f3efe64..eea87c4f1 100644 --- a/security-actions/scan-docker-image/action.yml +++ b/security-actions/scan-docker-image/action.yml @@ -73,6 +73,10 @@ inputs: trivy_db_cache_token: description: 'Token for accessing `trivy_db_cache`.' required: false + by_cve: + description: 'Specify whether to orient results by CVE rather than GHSA' + required: false + default: 'false' outputs: cis-json-report: @@ -244,6 +248,7 @@ runs: fail-build: 'false' add-cpes-if-none: true severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }} + by-cve: ${{ inputs.by_cve }} env: GRYPE_DB_AUTO_UPDATE: false # Use grype db pointed from grype_db step above 
@@ -259,6 +264,7 @@ runs: fail-build: 'false' add-cpes-if-none: true severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }} + by-cve: ${{ inputs.by_cve }} env: GRYPE_DB_AUTO_UPDATE: false # Use grype db pointed from grype_db step above @@ -320,6 +326,7 @@ runs: fail-build: ${{ steps.meta.outputs.global_enforce_build_failure == 'true' && steps.meta.outputs.global_enforce_build_failure || inputs.fail_build }} add-cpes-if-none: true severity-cutoff: ${{ steps.meta.outputs.global_severity_cutoff }} + by-cve: ${{ inputs.by_cve }} env: GRYPE_DB_AUTO_UPDATE: false # Use grype db pointed from grype_db step above From 3f11fd317c9356bff539a098a2c280cbb27e0ffe Mon Sep 17 00:00:00 2001 From: kong-security-bot <117922193+kong-security-bot@users.noreply.github.com> Date: Wed, 17 Sep 2025 08:55:42 +0000 Subject: [PATCH 04/13] chore(release): publish [skip ci] - scan-docker-image@5.1.0 --- security-actions/scan-docker-image/CHANGELOG.md | 11 +++++++++++ security-actions/scan-docker-image/package.json | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/security-actions/scan-docker-image/CHANGELOG.md b/security-actions/scan-docker-image/CHANGELOG.md index ecaeedb1c..7722b027f 100644 --- a/security-actions/scan-docker-image/CHANGELOG.md +++ b/security-actions/scan-docker-image/CHANGELOG.md 
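Review bot: `by-cve: ${{ inputs.by_cve }}` now also feeds the gating scan whose `fail-build` is tied to `global_enforce_build_failure`; if any grype ignore rules or allowlists in consuming repositories are keyed on GHSA identifiers, switching orientation to CVE may stop them matching and turn previously suppressed findings into build failures. This is worth stating in the input description, e.g. `description: 'Orient results by CVE rather than GHSA; review any GHSA-keyed ignore rules before enabling, as matching may change'`. The enclosing step definitions begin before each hunk, so the full `with:` blocks are not visible here.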
@@ -3,6 +3,17 @@ All notable changes to this project will be documented in this file. See [Conventional Commits](https://conventionalcommits.org) for commit guidelines. +# [5.1.0](https://github.com/Kong/public-shared-actions/compare/scan-docker-image@5.0.2...scan-docker-image@5.1.0) (2025-09-17) + + +### ✨ Features + +* **scan-docker-image:** add by-cve flag to organise results by CVE ([#310](https://github.com/Kong/public-shared-actions/issues/310)) ([43a61ce](https://github.com/Kong/public-shared-actions/commit/43a61cef051b763a26057da4085e7f5e6adcad9d)) + + + + + ## [5.0.2](https://github.com/Kong/public-shared-actions/compare/scan-docker-image@5.0.1...scan-docker-image@5.0.2) (2025-09-09) diff --git a/security-actions/scan-docker-image/package.json b/security-actions/scan-docker-image/package.json index 0b0e5c39d..774d70067 100644 --- a/security-actions/scan-docker-image/package.json +++ b/security-actions/scan-docker-image/package.json @@ -1,6 +1,6 @@ { "name": "scan-docker-image", - "version": "5.0.2", + "version": "5.1.0", "description": "The repo generates SBOMs & scans Docker images for CVE, CIS", "main": "index.js", "repository": { From b7d9ac5f72659c19e3ccb7fc9958209a31584ba9 Mon Sep 17 00:00:00 2001 
From: Pankaj Mouriya Date: Wed, 17 Sep 2025 18:17:54 +0530 Subject: [PATCH 05/13] feat(scan-gh-config): add legitify action --- .github/workflows/legitify-cis-scan.yml | 23 ++-- security-actions/cis-scans/README.md | 115 ++++++++++++++++++ security-actions/cis-scans/action.yml | 68 +++++++++++ .../{scan-gh-cis => cis-scans}/package.json | 4 +- security-actions/scan-gh-cis/README.md | 100 --------------- security-actions/scan-gh-cis/action.yml | 99 --------------- 6 files changed, 194 insertions(+), 215 deletions(-) create mode 100644 security-actions/cis-scans/README.md create mode 100644 security-actions/cis-scans/action.yml rename security-actions/{scan-gh-cis => cis-scans}/package.json (81%) delete mode 100644 security-actions/scan-gh-cis/README.md delete mode 100644 security-actions/scan-gh-cis/action.yml diff --git a/.github/workflows/legitify-cis-scan.yml b/.github/workflows/legitify-cis-scan.yml index 26f0bbe85..cd2e0a380 100644 --- a/.github/workflows/legitify-cis-scan.yml +++ b/.github/workflows/legitify-cis-scan.yml 
@@ -2,33 +2,28 @@ name: CIS GH Legitify Compliance Scan on: pull_request: {} - push: - branches: - - master - - main + schedule: + - cron: '0 6 * * 1' workflow_dispatch: {} permissions: contents: read - discussions: read - issues: read - pull-requests: read security-events: write jobs: cis-compliance-scan: - name: CIS Compliance Scan + name: GH CIS Compliance Scan runs-on: ubuntu-latest - + env: + TEST_REPOSITORY: "${{github.repository_owner}}/public-shared-actions" steps: - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Run Legitify CIS Scan - uses: ./security-actions/scan-gh-cis + uses: ./security-actions/cis-scans with: - github_token: ${{ secrets.PAT-UPDATE-TBD }} - fail_on_findings: 'false' - upload_code_scanning: 'true' - repositories: "Kong/insomnia" \ No newline at end of file + github_token: ${{ secrets.SECURITY_BOT_LEGITIFY_TOKEN }} + codeql_upload: 'false' + repositories: ${{env.TEST_REPOSITORY}} diff --git a/security-actions/cis-scans/README.md b/security-actions/cis-scans/README.md new file mode 100644 index 000000000..e02a99354 --- /dev/null +++ b/security-actions/cis-scans/README.md 
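Review bot: `security-events: write` is still granted at workflow level while the step sets `codeql_upload: 'false'`, so the `GITHUB_TOKEN` carries a write scope no step uses; drop it, or grant it only in a variant of the workflow that enables uploads. The hunk also keeps `pull_request: {}` alongside a classic PAT with org-admin scopes (`secrets.SECURITY_BOT_LEGITIFY_TOKEN`) passed into a local `./security-actions/cis-scans` reference; a same-repository PR can modify that action before it runs with the token, so the trigger should be limited to `schedule` and `workflow_dispatch`. `TEST_REPOSITORY` hard-codes `public-shared-actions` under `github.repository_owner`, so a fork under another owner would scan a repository that may not exist — `${{ github.repository }}` is the safer default.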
@@ -0,0 +1,115 @@ +# CIS Compliance Scan Action + +A composite GitHub Action for running CIS (Center for Internet Security) compliance scans using Legitify with automated SARIF report generation and GitHub Code Scanning integration. + +## Features + +- **CIS Compliance Scanning**: Uses Legitify to check GitHub organization and repository configurations against CIS benchmarks +- **Human-readable Results**: Displays formatted results table directly in workflow logs +- **SARIF Integration**: Can automatically upload security findings to GitHub Code Scanning +- **Artifact Management**: Uploads scan reports as workflow artifacts for download +- **Flexible Configuration**: Supports custom repositories, scorecard integration, and upload options + +## Usage + +### Basic Usage + +```yaml +- name: Run CIS Compliance Scan + uses: Kong/public-shared-actions/security-actions/cis-scans@COMMIT-SHA + with: + github_token: ${{ secrets.CLASSIC_PAT }} + repositories: ${{ github.repository }} +``` + +### Scheduled Weekly Scan (Recommended) + +```yaml +name: CIS GH Legitify Compliance Scan + +on: + schedule: + - cron: '0 6 * * 1' # Weekly Monday 6 AM + workflow_dispatch: {} + +permissions: + contents: read + security-events: write + +jobs: + cis-compliance-scan: + name: GH CIS Compliance Scan + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Run Legitify CIS Scan + uses: Kong/public-shared-actions/security-actions/cis-scans@COMMIT-SHA + with: + github_token: ${{ secrets.SECURITY_BOT_LEGITIFY_TOKEN }} + repositories: "${{github.repository_owner}}/httpsnippet" + codeql_upload: 'true' +``` + +## Inputs + +| Input | Description | Required | Default | +|-------|-------------|----------|---------| +| `github_token` | GitHub Classic PAT with appropriate permissions for Legitify scan | ✅ | - | +| `repositories` | Repository to be scanned | ✅ | - | +| `codeql_upload` | Upload results to GitHub Code Scanning | ❌ | `false` | +| `scorecard` | Enable 
OpenSSF Scorecard integration | ❌ | `'no'` | +| `artifact_name` | Name for the artifact containing scan results | ❌ | `'legitify-cis-scan-results'` | + +## Outputs & Reports + +The action generates multiple output formats: + +### 2. GitHub Code Scanning Integration +- SARIF report automatically uploaded to Security tab +- Findings appear alongside other code scanning results +- **Note**: Only works for public repositories and when `codeql_upload` is set to `true` + +### 3. Workflow Artifacts +All scan outputs are uploaded as artifacts: +- `legitify-output.sarif` - SARIF format for security tools + +## Required Permissions + +### Workflow Permissions +```yaml +permissions: + contents: read + security-events: write # For SARIF upload +``` + +### Token Permissions +The GitHub token needs these scopes: +- `admin:org` - Organization management +- `read:enterprise` - Enterprise settings +- `admin:org_hook` - Organization webhooks +- `read:org` - Organization metadata +- `repo` - Repository access +- `read:repo_hook` - Repository webhooks + +## When to Use This Action + +**✅ Recommended for:** +- Weekly scheduled scans in individual repositories +- Security compliance audits +- One-time security assessments + + +## Common Issues + +**Private Repository SARIF Upload:** +Code Scanning uploads are automatically disabled for private repositories as they're not supported by GitHub's free tier. + +## Notes + +- Built on top of [Legitify](https://github.com/Legit-Labs/legitify) by Legit Security +- Results appear in workflow logs immediately after scan completion +- SARIF reports integrate seamlessly with GitHub's Security tab +- Action uses `continue-on-error: true` to ensure artifact upload even if scan finds issues +- Report is available as GitHub Artifact \ No newline at end of file diff --git a/security-actions/cis-scans/action.yml b/security-actions/cis-scans/action.yml new file mode 100644 index 000000000..5884d4f50 --- /dev/null 
+++ b/security-actions/cis-scans/action.yml 
@@ -0,0 +1,68 @@ +name: 'CIS Scan' +description: 'Run CIS compliance scan on Target repositories' +author: 'Kong' + +inputs: + github_token: + description: 'GitHub token with appropriate permissions for Legitify scan' + required: true + repositories: + description: 'Comma-separated list of repositories to scan (e.g., "owner/repo1,owner/repo2")' + required: true + codeql_upload: + description: 'Upload results to GitHub Code Scanning' + required: false + default: false + scorecard: + description: 'Enable OpenSSF Scorecard integration' + required: false + default: 'no' + artifact_name: + description: 'Name for the artifact containing scan results' + required: false + default: 'legitify-cis-scan-results' + + +runs: + using: 'composite' + steps: + - name: Run Legitify GH CIS Scan + id: legitify-scan + uses: Legit-Labs/legitify@038aa49473a6974a3ef79f6c76b949b689d23282 + continue-on-error: true + with: + github_token: ${{ inputs.github_token }} + repositories: ${{ inputs.repositories }} + upload_code_scanning: ${{ inputs.codeql_upload }} + scorecard: ${{ inputs.scorecard }} + + + - name: Check if output files exist + id: legitify-reports + if: ${{ steps.legitify-scan.conclusion == 'success' }} + shell: bash + run: | + if ls legitify-output.* 1> /dev/null 2>&1; then + echo "files_exist=true" >> $GITHUB_OUTPUT + echo "::notice::Legitify output files found" + ls -la legitify-output.* + else + echo "files_exist=false" >> $GITHUB_OUTPUT + echo "::warning::No Legitify output files found" + fi + + - name: Upload outputs as Workflow Artifacts + if: ${{ steps.legitify-scan.conclusion == 'success' && steps.legitify-reports.outputs.files_exist == 'true' }} + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + with: + name: ${{ inputs.artifact_name }} + path: legitify-output.* + if-no-files-found: warn + + - name: Upload SARIF as Code Scanning Results + if: ${{ inputs.codeql_upload == 'true' && steps.legitify-reports.outputs.files_exist == 'true' && 
github.event.repository.visibility == 'public' }} + continue-on-error: true + uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.7 + with: + sarif_file: legitify-output.sarif + category: "legitify-report-${{ github.run_id }}" \ No newline at end of file diff --git a/security-actions/scan-gh-cis/package.json b/security-actions/cis-scans/package.json similarity index 81% rename from security-actions/scan-gh-cis/package.json rename to security-actions/cis-scans/package.json index f74ebc4b1..97d6a833e 100644 --- a/security-actions/scan-gh-cis/package.json +++ b/security-actions/cis-scans/package.json @@ -1,12 +1,12 @@ { - "name": "scan-gh-cis", + "name": "cis-scans", "version": "1.0.0", "description": "Run CIS compliance scanning with report generation and artifact upload", "main": "action.yml", "repository": { "type": "git", "url": "https://github.com/Kong/public-shared-actions", - "directory": "security-actions/scan-gh-cis" + "directory": "security-actions/cis-scans" }, "private": false, "author": "Kong, Inc.", diff --git a/security-actions/scan-gh-cis/README.md b/security-actions/scan-gh-cis/README.md deleted file mode 100644 index 38fa16ef5..000000000 --- a/security-actions/scan-gh-cis/README.md +++ /dev/null 
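Review bot: `if: ${{ steps.legitify-scan.conclusion == 'success' }}` on the report-check and artifact-upload steps is always true because the scan step sets `continue-on-error: true`, which forces `conclusion` to `success` whatever the real result; if the guard is meant to skip uploads after a failed scan, compare `steps.legitify-scan.outcome == 'success'`, and if uploads should always happen (as the README states), remove the guard so the intent is explicit. `category: "legitify-report-${{ github.run_id }}"` creates a new code-scanning category on every run, so alerts from earlier runs are never closed and categories accumulate; use a stable value such as `category: "legitify-cis"` (suffixed with the target repository if several are scanned). `default: false` for `codeql_upload` is an unquoted YAML boolean while the step compares against the string `'true'`; quote it as `default: 'false'` to match `scorecard: 'no'` and avoid parser-dependent coercion. Passing `upload_code_scanning: ${{ inputs.codeql_upload }}` to Legitify while also running `upload-sarif` under the same condition may upload the SARIF twice — presumably one path should be dropped; confirm against the Legitify action's behaviour. The `Legit-Labs/legitify@038aa49…` pin lost the `# vX.Y.Z` tag comment the previous version carried; restore it so the pinned release stays auditable.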
@@ -1,100 +0,0 @@ -# CIS Compliance Scan Action - -A composite GitHub Action for running CIS (Center for Internet Security) compliance scans with automated report generation and artifact upload. - -## Features - -- CIS benchmark compliance scanning -- Formatted results table in job summary -- SARIF report generation and artifact upload -- Configurable failure behavior -- Debug logging support -- Security events integration - -## Usage - -### Basic Usage - -```yaml -- name: Run CIS Compliance Scan - uses: Kong/public-shared-actions/security-actions/scan-cis@COMMIT-SHA - with: - github_token: ${{ secrets.PAT }} - repositories: ${{ github.repository }} -``` - - -## Inputs - -| Input | Description | Required | Default | -|-------|-------------|----------|---------| -| `github_token` | GitHub token with appropriate permissions | ✅ | - | -| `repositories` | Comma-separated list of repositories to scan | ❌ | `''` | -| `fail_on_findings` | Fail job if compliance issues are detected | ❌ | `'false'` | -| `upload_code_scanning` | Upload results to GitHub Code Scanning | ❌ | `'true'` | -| `scorecard` | Enable OpenSSF Scorecard integration | ❌ | `'no'` | -| `artifact_name` | Name for the artifact containing scan results | ❌ | `'legitify-cis-scan-results'` | -| `publish_results_table` | Publish results in formatted table | ❌ | `'true'` | - -## Outputs - -- **SARIF Report**: Generated as `legitify-output.sarif` -- **Job Summary**: Formatted table with scan results -- **Artifacts**: Uploaded scan reports for download -- **Security Events**: Integration with GitHub Security tab - -## Example Workflow - -```yaml -name: CIS Compliance Scan - -on: - pull_request: - push: - branches: [main] - -permissions: - contents: read - security-events: write - -jobs: - cis-scan: - name: CIS Compliance Scan - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@COMMIT-SHA - - - name: Run CIS Scan - uses: Kong/public-shared-actions/security-actions/scan-cis@COMMIT-SHA 
- with: - github_token: ${{ secrets.PAT }} - repositories: ${{ github.repository }} - fail_on_findings: "false" -``` - -## Permissions Required - -The action requires the following permissions: - -```yaml -permissions: - contents: read - discussions: read - issues: read - pull-requests: read - security-events: write -``` - -## Artifacts - -The action generates and uploads: -- `legitify-output.sarif` - SARIF format security report -- Results are available in the workflow's "Artifacts" section - -## Notes - -- The action uses Legitify for CIS compliance scanning -- SARIF reports are only uploaded when the scan completes successfully -- WIP- Results are displayed in both job summary tables and GitHub Security tab diff --git a/security-actions/scan-gh-cis/action.yml b/security-actions/scan-gh-cis/action.yml deleted file mode 100644 index 9f5a88a26..000000000 --- a/security-actions/scan-gh-cis/action.yml +++ /dev/null 
@@ -1,99 +0,0 @@ -name: 'Legitify CIS GitHub Scan' -description: 'Run Legitify CIS compliance scan on GitHub repositories' -author: 'Kong' - -inputs: - fail_on_findings: - description: 'Fail job if Legitify detects CIS compliance issues' - required: false - default: 'false' - upload_code_scanning: - description: 'Upload results to GitHub Code Scanning' - required: false - default: 'true' - scorecard: - description: 'Enable OpenSSF Scorecard integration' - required: false - default: 'no' - repositories: - description: 'Comma-separated list of repositories to scan (defaults to current repository)' - required: false - default: '' - artifact_name: - description: 'Name for the artifact containing scan results' - required: false - default: 'legitify-cis-scan-results' - github_token: - description: 'GitHub token with appropriate permissions for Legitify scan' - required: true - - -runs: - using: 'composite' - steps: - - name: Set debug logging for Legitify - shell: bash - run: | - if [[ "$ACTIONS_STEP_DEBUG" == "true" ]]; then - echo "LEGITIFY_DEBUG=true" >> $GITHUB_ENV - echo "::notice::Debug logging enabled for Legitify scan" - else - echo "LEGITIFY_DEBUG=false" >> $GITHUB_ENV - fi - - - name: Run Legitify CIS Scan - id: legitify-scan - uses: Legit-Labs/legitify@002049404ef93b207048323fe996eb2330327031 # v1.0.11 - continue-on-error: true - with: - github_token: ${{ inputs.github_token }} - upload_code_scanning: ${{ inputs.upload_code_scanning }} - scorecard: ${{ inputs.scorecard }} - repositories: ${{ inputs.repositories }} - artifact_name: ${{ inputs.artifact_name }} - - - name: Check Legitify report existence - if: ${{ steps.legitify-scan.conclusion == 'success' }} - id: legitify_report - shell: bash - run: | - echo "::group::Check for Legitify report existence" - - # Debug: List all files in current directory - echo "Files in current directory:" - ls -la - - # Check for the specific SARIF file that Legitify generates - sarif_file="legitify-output.sarif" - if [[ -f 
"${sarif_file}" ]]; then - echo "SARIF report file exists: ${sarif_file}" - echo "files_exists=true" >> $GITHUB_OUTPUT - echo "sarif_file=${sarif_file}" >> $GITHUB_OUTPUT - else - echo "::warning::Legitify SARIF report file not found: ${sarif_file}" - echo "files_exists=false" >> $GITHUB_OUTPUT - fi - echo "::endgroup::" - - # Upload artifacts - - name: Upload Legitify SARIF report - if: ${{ steps.legitify-scan.conclusion == 'success' && steps.legitify_report.outputs.files_exists == 'true' }} - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - with: - name: ${{ inputs.artifact_name }} - path: ${{ steps.legitify_report.outputs.sarif_file }} - if-no-files-found: warn - - - name: Summary - if: always() - shell: bash - run: | - echo "## Legitify CIS Scan Summary" >> $GITHUB_STEP_SUMMARY - echo "**Repository scanned:** ${{ github.repository }}" >> $GITHUB_STEP_SUMMARY - echo "**Scan status:** ${{ steps.legitify-scan.outcome }}" >> $GITHUB_STEP_SUMMARY - echo "**Artifact name:** ${{ inputs.artifact_name }}" >> $GITHUB_STEP_SUMMARY - if [[ "${{ env.SCAN_FAILED }}" == "true" ]]; then - echo "**Result:** ⚠️ Compliance issues detected" >> $GITHUB_STEP_SUMMARY - else - echo "**Result:** ✅ No compliance issues found" >> $GITHUB_STEP_SUMMARY - fi \ No newline at end of file From 5f5073ef954e46c5ddf29566ccba8dd460b4f071 Mon Sep 17 00:00:00 2001 From: Pankaj Mouriya Date: Fri, 19 Sep 2025 01:41:17 +0530 Subject: [PATCH 06/13] feat(scan-gh-config): remove on PR event trigger from workflow file --- .github/workflows/legitify-cis-scan.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/legitify-cis-scan.yml b/.github/workflows/legitify-cis-scan.yml index cd2e0a380..d9209f86e 100644 --- a/.github/workflows/legitify-cis-scan.yml +++ b/.github/workflows/legitify-cis-scan.yml @@ -1,7 +1,6 @@ name: CIS GH Legitify Compliance Scan on: - pull_request: {} schedule: - cron: '0 6 * * 1' workflow_dispatch: {} 
From c2c4179336682719c268d5c315082f5d7652a81c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 19 Sep 2025 14:44:52 +0530 Subject: [PATCH 07/13] github-actions(deps): bump github/codeql-action in /security-actions/sca (#302) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.7 to 3.30.3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/51f77329afa6477de8c49fc9c7046c15b9a4e79d...192325c86100d080feab897ff886c34abd4c83a3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 3.30.3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Pankaj --- security-actions/sca/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security-actions/sca/action.yml b/security-actions/sca/action.yml index ba170e9e0..8cf8b57a4 100644 --- a/security-actions/sca/action.yml +++ b/security-actions/sca/action.yml @@ -280,7 +280,7 @@ runs: - name: Upload SARIF to GitHub Code Scanning (Public Repos) if: ${{ inputs.codeql_upload == 'true' && steps.grype_analysis_sarif.conclusion == 'success' && github.event.repository.visibility == 'public' }} continue-on-error: true - uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.7 + uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 with: sarif_file: ${{ steps.meta.outputs.grype_sarif_file }} category: sca From b80b4350b6c118711332ccb08d154d40a001ad9b Mon Sep 17 00:00:00 2001 
From: kong-security-bot <117922193+kong-security-bot@users.noreply.github.com> Date: Fri, 19 Sep 2025 09:16:11 +0000 Subject: [PATCH 08/13] chore(release): publish [skip ci] - sca@5.1.2 --- security-actions/sca/CHANGELOG.md | 8 ++++++++ security-actions/sca/package.json | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/security-actions/sca/CHANGELOG.md b/security-actions/sca/CHANGELOG.md index a7865930a..8f1fa2c1e 100644 --- a/security-actions/sca/CHANGELOG.md +++ b/security-actions/sca/CHANGELOG.md @@ -3,6 +3,14 @@ All notable changes to this project will be documented in this file. See [Conventional Commits](https://conventionalcommits.org) for commit guidelines. +## [5.1.2](https://github.com/Kong/public-shared-actions/compare/sca@5.1.1...sca@5.1.2) (2025-09-19) + +**Note:** Version bump only for package sca + + + + + ## [5.1.1](https://github.com/Kong/public-shared-actions/compare/sca@5.1.0...sca@5.1.1) (2025-09-09) diff --git a/security-actions/sca/package.json b/security-actions/sca/package.json index bb6616e97..21e996ecf 100644 --- a/security-actions/sca/package.json +++ b/security-actions/sca/package.json @@ -1,6 +1,6 @@ { "name": "sca", - "version": "5.1.1", + "version": "5.1.2", "description": "a unified action for composition analysis. The action produces an SBOM, CVE reports for a given image / directory / file.", "main": "index.js", "repository": { From a7e0294ce247bdc0adb0ab5f0aa395e298168d51 Mon Sep 17 00:00:00 2001 
From: Pankaj Date: Sun, 21 Sep 2025 17:42:46 +0530 Subject: [PATCH 09/13] chore(deps): combine update dep versions (#312) * github-actions(deps): bump sigstore/cosign-installer Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.9.1 to 3.10.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/398d4b0eeef1380460a10c8013a76f728fb906ac...d7543c93d881b35a8faa02e8e3605f69b7a1ce62) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 3.10.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] * github-actions(deps): bump anchore/sbom-action Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.20.5 to 0.20.6. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](https://github.com/anchore/sbom-action/compare/da167eac915b4e86f08b264dbdbc867b61be6f0c...f8bdd1d8ac5e901a77a92f111440fdb1b593736b) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-version: 0.20.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] * github-actions(deps): bump anchore/scan-action Bumps [anchore/scan-action](https://github.com/anchore/scan-action) from 6.5.1 to 7.0.0. - [Release notes](https://github.com/anchore/scan-action/releases) - [Changelog](https://github.com/anchore/scan-action/blob/main/RELEASE.md) - [Commits](https://github.com/anchore/scan-action/compare/1638637db639e0ade3258b51db49a9a137574c3e...f6601287cdb1efc985d6b765bbf99cb4c0ac29d8) --- updated-dependencies: - dependency-name: anchore/scan-action dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] * github-actions(deps): bump anchore/scan-action in /security-actions/sca Bumps [anchore/scan-action](https://github.com/anchore/scan-action) from 6.5.1 to 7.0.0. - [Release notes](https://github.com/anchore/scan-action/releases) - [Changelog](https://github.com/anchore/scan-action/blob/main/RELEASE.md) - [Commits](https://github.com/anchore/scan-action/compare/1638637db639e0ade3258b51db49a9a137574c3e...f6601287cdb1efc985d6b765bbf99cb4c0ac29d8) --- updated-dependencies: - dependency-name: anchore/scan-action dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] * github-actions(deps): bump anchore/sbom-action in /security-actions/sca Bumps [anchore/sbom-action](https://github.com/anchore/sbom-action) from 0.20.5 to 0.20.6. - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](https://github.com/anchore/sbom-action/compare/da167eac915b4e86f08b264dbdbc867b61be6f0c...f8bdd1d8ac5e901a77a92f111440fdb1b593736b) --- updated-dependencies: - dependency-name: anchore/sbom-action dependency-version: 0.20.6 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --------- Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- security-actions/sca/action.yml | 10 +++++----- security-actions/scan-docker-image/action.yml | 10 +++++----- security-actions/sign-docker-image/action.yml | 2 +- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/security-actions/sca/action.yml b/security-actions/sca/action.yml index 8cf8b57a4..21034dd51 100644 --- a/security-actions/sca/action.yml +++ b/security-actions/sca/action.yml 
@@ -98,7 +98,7 @@ runs: # Must upload artifact for output file parameter to have effect - name: Generate SPDX SBOM Using Syft - uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5 + uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6 id: sbom_spdx with: config: ${{ inputs.config }} @@ -113,7 +113,7 @@ runs: github-token: ${{ inputs.github-token }} - name: Generate CycloneDX SBOM Using Syft - uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5 + uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6 id: sbom_cyclonedx with: config: ${{ inputs.config }} @@ -222,7 +222,7 @@ runs: # Don't fail during report generation - name: Vulnerability analysis of SBOM (SARIF format) - uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 + uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0 id: grype_analysis_sarif if: ${{ steps.sbom_report.outputs.files_exists == 'true' && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} # Run only if DB is available on the runner }} with: @@ -237,7 +237,7 @@ runs: # Don't fail during report generation # JSON format will report any ignored rules - name: Vulnerability analysis of SBOM (JSON format) - uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 + uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0 id: grype_analysis_json if: ${{ steps.sbom_report.outputs.files_exists == 'true' && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} # Run only if DB is available on the runner}} with: 
@@ -308,7 +308,7 @@ runs: # Notify grype quick scan results in table format # Table format will supress any specified ignore rules - name: Inspect Vulnerability analysis (Table format) - uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 + uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0 if: ${{ steps.sbom_report.outputs.files_exists == 'true' && steps.grype_db.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} with: sbom: ${{ steps.meta.outputs.sbom_spdx_file }} diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml index eea87c4f1..f677403f2 100644 --- a/security-actions/scan-docker-image/action.yml +++ b/security-actions/scan-docker-image/action.yml @@ -110,7 +110,7 @@ runs: # Must upload artifact for output file parameter to have effect - name: Generate SPDX SBOM Using Syft - uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5 + uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6 id: sbom_spdx with: config: ${{ inputs.config }} @@ -126,7 +126,7 @@ runs: github-token: ${{ inputs.github-token }} - name: Generate CycloneDX SBOM Using Syft - uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5 + uses: anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b # v0.20.6 id: sbom_cyclonedx with: config: ${{ inputs.config }} @@ -239,7 +239,7 @@ runs: # Grype is invoked first time ever # Don't fail during report generation - name: Vulnerability analysis of SBOM - uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 + uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0 id: grype_analysis_sarif if: ${{ steps.sbom_report.outputs.files_exists == 'true' && steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} with: 
@@ -255,7 +255,7 @@ runs: # Don't fail during report generation # JSON format will report any ignored rules - name: Vulnerability analysis of SBOM - uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 + uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0 id: grype_analysis_json if: ${{ steps.sbom_report.outputs.files_exists == 'true' && steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} with: @@ -318,7 +318,7 @@ runs: # Notify grype quick scan results in table format # Table format will supress any specified ignore rules - name: Inspect Vulnerability analysis of SBOM - uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1 + uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0 if: ${{ steps.sbom_report.outputs.files_exists == 'true' && steps.grype_db_check_updates.outputs.GRYPE_DB_UPDATE_STATUS == 0 }} with: sbom: ${{ steps.meta.outputs.sbom_spdx_file }} diff --git a/security-actions/sign-docker-image/action.yml b/security-actions/sign-docker-image/action.yml index 1e4a9e56e..afd4ffb28 100644 --- a/security-actions/sign-docker-image/action.yml +++ b/security-actions/sign-docker-image/action.yml @@ -59,7 +59,7 @@ runs: run: $GITHUB_ACTION_PATH/scripts/cosign-metadata.sh - name: Install Cosign - uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1 + uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0 - name: Check install! shell: bash From e51167d5e116beceb855d9869f784e81c57dd7d5 Mon Sep 17 00:00:00 2001 
From: kong-security-bot <117922193+kong-security-bot@users.noreply.github.com> Date: Sun, 21 Sep 2025 12:14:28 +0000 Subject: [PATCH 10/13] chore(release): publish [skip ci] - sca@5.1.3 - scan-docker-image@5.1.1 - sign-docker-image@5.0.3 --- security-actions/sca/CHANGELOG.md | 11 +++++++++++ security-actions/sca/package.json | 2 +- security-actions/scan-docker-image/CHANGELOG.md | 11 +++++++++++ security-actions/scan-docker-image/package.json | 2 +- security-actions/sign-docker-image/CHANGELOG.md | 11 +++++++++++ security-actions/sign-docker-image/package.json | 2 +- 6 files changed, 36 insertions(+), 3 deletions(-) diff --git a/security-actions/sca/CHANGELOG.md b/security-actions/sca/CHANGELOG.md index 8f1fa2c1e..67503a81f 100644 --- a/security-actions/sca/CHANGELOG.md +++ b/security-actions/sca/CHANGELOG.md @@ -3,6 +3,17 @@ All notable changes to this project will be documented in this file. See [Conventional Commits](https://conventionalcommits.org) for commit guidelines. +## [5.1.3](https://github.com/Kong/public-shared-actions/compare/sca@5.1.2...sca@5.1.3) (2025-09-21) + + +### ♻️ Chores + +* **deps:** combine update dep versions ([#312](https://github.com/Kong/public-shared-actions/issues/312)) ([be84213](https://github.com/Kong/public-shared-actions/commit/be84213f82c250fcd4b6d89d6a26e08da4b32184)) + + + + + ## [5.1.2](https://github.com/Kong/public-shared-actions/compare/sca@5.1.1...sca@5.1.2) (2025-09-19) **Note:** Version bump only for package sca diff --git a/security-actions/sca/package.json b/security-actions/sca/package.json index 21e996ecf..8cf361dcf 100644 --- a/security-actions/sca/package.json +++ b/security-actions/sca/package.json @@ -1,6 +1,6 @@ { "name": "sca", - "version": "5.1.2", + "version": "5.1.3", "description": "a unified action for composition analysis. The action produces an SBOM, CVE reports for a given image / directory / file.", "main": "index.js", "repository": { 
diff --git a/security-actions/scan-docker-image/CHANGELOG.md b/security-actions/scan-docker-image/CHANGELOG.md index 7722b027f..dd0ebdf56 100644 --- a/security-actions/scan-docker-image/CHANGELOG.md +++ b/security-actions/scan-docker-image/CHANGELOG.md @@ -3,6 +3,17 @@ All notable changes to this project will be documented in this file. See [Conventional Commits](https://conventionalcommits.org) for commit guidelines. +## [5.1.1](https://github.com/Kong/public-shared-actions/compare/scan-docker-image@5.1.0...scan-docker-image@5.1.1) (2025-09-21) + + +### ♻️ Chores + +* **deps:** combine update dep versions ([#312](https://github.com/Kong/public-shared-actions/issues/312)) ([be84213](https://github.com/Kong/public-shared-actions/commit/be84213f82c250fcd4b6d89d6a26e08da4b32184)) + + + + + # [5.1.0](https://github.com/Kong/public-shared-actions/compare/scan-docker-image@5.0.2...scan-docker-image@5.1.0) (2025-09-17) diff --git a/security-actions/scan-docker-image/package.json b/security-actions/scan-docker-image/package.json index 774d70067..72f383c52 100644 --- a/security-actions/scan-docker-image/package.json +++ b/security-actions/scan-docker-image/package.json @@ -1,6 +1,6 @@ { "name": "scan-docker-image", - "version": "5.1.0", + "version": "5.1.1", "description": "The repo generates SBOMs & scans Docker images for CVE, CIS", "main": "index.js", "repository": { diff --git a/security-actions/sign-docker-image/CHANGELOG.md b/security-actions/sign-docker-image/CHANGELOG.md index 588f98845..1ab4509c3 100644 --- a/security-actions/sign-docker-image/CHANGELOG.md +++ b/security-actions/sign-docker-image/CHANGELOG.md 
@@ -3,6 +3,17 @@ All notable changes to this project will be documented in this file. See [Conventional Commits](https://conventionalcommits.org) for commit guidelines. +## [5.0.3](https://github.com/Kong/public-shared-actions/compare/sign-docker-image@5.0.2...sign-docker-image@5.0.3) (2025-09-21) + + +### ♻️ Chores + +* **deps:** combine update dep versions ([#312](https://github.com/Kong/public-shared-actions/issues/312)) ([be84213](https://github.com/Kong/public-shared-actions/commit/be84213f82c250fcd4b6d89d6a26e08da4b32184)) + + + + + ## [5.0.2](https://github.com/Kong/public-shared-actions/compare/sign-docker-image@5.0.1...sign-docker-image@5.0.2) (2025-09-09) diff --git a/security-actions/sign-docker-image/package.json b/security-actions/sign-docker-image/package.json index e2697755a..e13ba6490 100644 --- a/security-actions/sign-docker-image/package.json +++ b/security-actions/sign-docker-image/package.json @@ -1,6 +1,6 @@ { "name": "sign-docker-image", - "version": "5.0.2", + "version": "5.0.3", "description": "A unified action for container image signing. The action leverages keyless signing to produce an Signature and uploads to Docker Image layer and Public Rekor for transaprency", "main": "index.js", "repository": { From a5d1541669862b2d12b121ac4122c296eb18544b Mon Sep 17 00:00:00 2001 From: Pankaj Mouriya Date: Mon, 22 Sep 2025 18:43:25 +0530 Subject: [PATCH 11/13] chore(scan-gh-config): rename action name --- security-actions/{cis-scans => scan-gh-config}/README.md | 4 ++-- security-actions/{cis-scans => scan-gh-config}/action.yml | 4 ++-- security-actions/{cis-scans => scan-gh-config}/package.json | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) rename security-actions/{cis-scans => scan-gh-config}/README.md (95%) rename security-actions/{cis-scans => scan-gh-config}/action.yml (94%) rename security-actions/{cis-scans => scan-gh-config}/package.json (53%) 
diff --git a/security-actions/cis-scans/README.md b/security-actions/scan-gh-config/README.md similarity index 95% rename from security-actions/cis-scans/README.md rename to security-actions/scan-gh-config/README.md index e02a99354..22ec01ac2 100644 --- a/security-actions/cis-scans/README.md +++ b/security-actions/scan-gh-config/README.md @@ -16,7 +16,7 @@ A composite GitHub Action for running CIS (Center for Internet Security) complia ```yaml - name: Run CIS Compliance Scan - uses: Kong/public-shared-actions/security-actions/cis-scans@COMMIT-SHA + uses: Kong/public-shared-actions/security-actions/scan-gh-config@COMMIT-SHA with: github_token: ${{ secrets.CLASSIC_PAT }} repositories: ${{ github.repository }} @@ -45,7 +45,7 @@ jobs: uses: actions/checkout@v4 - name: Run Legitify CIS Scan - uses: Kong/public-shared-actions/security-actions/cis-scans@COMMIT-SHA + uses: Kong/public-shared-actions/security-actions/scan-gh-config@COMMIT-SHA with: github_token: ${{ secrets.SECURITY_BOT_LEGITIFY_TOKEN }} repositories: "${{github.repository_owner}}/httpsnippet" diff --git a/security-actions/cis-scans/action.yml b/security-actions/scan-gh-config/action.yml similarity index 94% rename from security-actions/cis-scans/action.yml rename to security-actions/scan-gh-config/action.yml index 5884d4f50..6f7a67427 100644 --- a/security-actions/cis-scans/action.yml +++ b/security-actions/scan-gh-config/action.yml @@ -1,5 +1,5 @@ -name: 'CIS Scan' -description: 'Run CIS compliance scan on Target repositories' +name: GitHub Config Scan +description: 'Scan GitHub repository and organization configurations for security compliance and best practices' author: 'Kong' inputs: diff --git a/security-actions/cis-scans/package.json b/security-actions/scan-gh-config/package.json similarity index 53% rename from security-actions/cis-scans/package.json rename to security-actions/scan-gh-config/package.json index 97d6a833e..6950c0031 100644 --- a/security-actions/cis-scans/package.json 
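Review bot: The new `name: GitHub Config Scan` is an unquoted plain scalar while the rewritten `description:` and the surviving `author: 'Kong'` keep single quotes, so the action header now mixes two quoting styles; `name: 'GitHub Config Scan'` keeps it consistent. The README hunk in the same commit changes only the `uses:` path and still presents the action as a Legitify CIS scan in its step names and prose, which no longer matches the broader description given here; aligning that wording, or stating in the description that the checks are still CIS-benchmark based, would keep the two in step. The `inputs:` block that follows continues outside the hunk.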
+++ b/security-actions/scan-gh-config/package.json @@ -1,12 +1,12 @@ { - "name": "cis-scans", + "name": "scan-gh-config", "version": "1.0.0", - "description": "Run CIS compliance scanning with report generation and artifact upload", + "description": "Scan GitHub repository and organization configurations for security compliance and best practices", "main": "action.yml", "repository": { "type": "git", "url": "https://github.com/Kong/public-shared-actions", - "directory": "security-actions/cis-scans" + "directory": "security-actions/scan-gh-config" }, "private": false, "author": "Kong, Inc.", From 1d7d2aa76eb05e45f40ff99c4c359d25d414af64 Mon Sep 17 00:00:00 2001 From: Pankaj Mouriya Date: Mon, 22 Sep 2025 18:54:49 +0530 Subject: [PATCH 12/13] chore(ci): rename workflow and action used within workflow --- .../workflows/{legitify-cis-scan.yml => scan-github-config.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename .github/workflows/{legitify-cis-scan.yml => scan-github-config.yml} (93%) diff --git a/.github/workflows/legitify-cis-scan.yml b/.github/workflows/scan-github-config.yml similarity index 93% rename from .github/workflows/legitify-cis-scan.yml rename to .github/workflows/scan-github-config.yml index d9209f86e..8880dc6ae 100644 --- a/.github/workflows/legitify-cis-scan.yml +++ b/.github/workflows/scan-github-config.yml @@ -21,7 +21,7 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Run Legitify CIS Scan - uses: ./security-actions/cis-scans + uses: ./security-actions/scan-gh-config with: github_token: ${{ secrets.SECURITY_BOT_LEGITIFY_TOKEN }} codeql_upload: 'false' From 55dc9072972fd1771d2674c06a2c5eda5b343c44 Mon Sep 17 00:00:00 2001 From: Pankaj Mouriya Date: Mon, 22 Sep 2025 18:56:17 +0530 Subject: [PATCH 13/13] chore(ci): rename workflow and action used within workflow --- .github/workflows/scan-github-config.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
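Review bot: The step name `Run Legitify CIS Scan` is kept while the action path changes to `./security-actions/scan-gh-config`, so the job log still describes a CIS scan for an action now documented as a general configuration scan; `- name: Run GitHub Config Scan` would match the rename. The token passed through `github_token` comes from a repository secret, and the README example in the previous commit reads it from a secret named `CLASSIC_PAT`, which suggests a classic token whose scopes cannot be limited to specific repositories; a comment next to `github_token:` naming the minimum scopes the scan needs would help whoever rotates that secret keep it narrow. The `with:` block continues outside the hunk.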
diff --git a/.github/workflows/scan-github-config.yml b/.github/workflows/scan-github-config.yml
index 8880dc6ae..b1df4a91b 100644
--- a/.github/workflows/scan-github-config.yml
+++ b/.github/workflows/scan-github-config.yml
@@ -1,4 +1,4 @@
-name: CIS GH Legitify Compliance Scan
+name: GitHub Configuration Scan
 
 on:
 schedule: