Kong · pankajmouriyakong · Sep 11, 2025 · Sep 11, 2025 · Sep 17, 2025 · Sep 17, 2025
@@ -0,0 +1,28 @@
+name: GitHub Configuration Scan
+
+on:
+  schedule:
+    - cron: '0 6 * * 1' 
+  workflow_dispatch: {}
+
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  cis-compliance-scan:
+    name: GH CIS Compliance Scan
+    runs-on: ubuntu-latest
+    env:
+      TEST_REPOSITORY: "${{github.repository_owner}}/public-shared-actions"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Run Legitify CIS Scan
+        uses: ./security-actions/scan-gh-config
+        with:
+          github_token: ${{ secrets.SECURITY_BOT_LEGITIFY_TOKEN }}
+          codeql_upload: 'false'  
+          repositories: ${{env.TEST_REPOSITORY}}
@@ -0,0 +1,115 @@
+# CIS Compliance Scan Action
+
+A composite GitHub Action for running CIS (Center for Internet Security) compliance scans using Legitify with automated SARIF report generation and GitHub Code Scanning integration.
+
+## Features
+
+- **CIS Compliance Scanning**: Uses Legitify to check GitHub organization and repository configurations against CIS benchmarks
+- **Human-readable Results**: Displays formatted results table directly in workflow logs
+- **SARIF Integration**: Can automatically upload security findings to GitHub Code Scanning
+- **Artifact Management**: Uploads scan reports as workflow artifacts for download
+- **Flexible Configuration**: Supports custom repositories, scorecard integration, and upload options
+
+## Usage
+
+### Basic Usage
+
+```yaml
+- name: Run CIS Compliance Scan
+  uses: Kong/public-shared-actions/security-actions/scan-gh-config@COMMIT-SHA
+  with:
+    github_token: ${{ secrets.CLASSIC_PAT }}
+    repositories: ${{ github.repository }}
+```
+
+### Scheduled Weekly Scan (Recommended)
+
+```yaml
+name: CIS GH Legitify Compliance Scan
+
+on:
+  schedule:
+    - cron: '0 6 * * 1'  # Weekly Monday 6 AM
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  cis-compliance-scan:
+    name: GH CIS Compliance Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Legitify CIS Scan
+        uses: Kong/public-shared-actions/security-actions/scan-gh-config@COMMIT-SHA
+        with:
+          github_token: ${{ secrets.SECURITY_BOT_LEGITIFY_TOKEN }}
+          repositories: "${{github.repository_owner}}/httpsnippet"
+          codeql_upload: 'true'
+```
+
+## Inputs
+
+| Input | Description | Required | Default |
+|-------|-------------|----------|---------|
+| `github_token` | GitHub Classic PAT with appropriate permissions for Legitify scan | ✅ | - |
+| `repositories` | Repository to be scanned | ✅ | - |
+| `codeql_upload` | Upload results to GitHub Code Scanning | ❌ | `false` |
+| `scorecard` | Enable OpenSSF Scorecard integration | ❌ | `'no'` |
+| `artifact_name` | Name for the artifact containing scan results | ❌ | `'legitify-cis-scan-results'` |
+
+## Outputs & Reports
+
+The action generates multiple output formats:
+
+### 2. GitHub Code Scanning Integration
+- SARIF report automatically uploaded to Security tab
+- Findings appear alongside other code scanning results
+- **Note**: Only works for public repositories and when `codeql_upload` is set to `true`
+
+### 3. Workflow Artifacts
+All scan outputs are uploaded as artifacts:
+- `legitify-output.sarif` - SARIF format for security tools
+
+## Required Permissions
+
+### Workflow Permissions
+```yaml
+permissions:
+  contents: read
+  security-events: write  # For SARIF upload
+```
+
+### Token Permissions
+The GitHub token needs these scopes:
+- `admin:org` - Organization management
+- `read:enterprise` - Enterprise settings
+- `admin:org_hook` - Organization webhooks
+- `read:org` - Organization metadata
+- `repo` - Repository access
+- `read:repo_hook` - Repository webhooks
+
+## When to Use This Action
+
+**✅ Recommended for:**
+- Weekly scheduled scans in individual repositories
+- Security compliance audits
+- One-time security assessments
+
+
+## Common Issues
+
+**Private Repository SARIF Upload:**
+Code Scanning uploads are automatically disabled for private repositories as they're not supported by GitHub's free tier.
+
+## Notes
+
+- Built on top of [Legitify](https://github.com/Legit-Labs/legitify) by Legit Security
+- Results appear in workflow logs immediately after scan completion
+- SARIF reports integrate seamlessly with GitHub's Security tab
+- Action uses `continue-on-error: true` to ensure artifact upload even if scan finds issues
+- Report is available as GitHub Artifact
@@ -0,0 +1,68 @@
+name: GitHub Config Scan
+description: 'Scan GitHub repository and organization configurations for security compliance and best practices'
+author: 'Kong'
+
+inputs:
+  github_token:
+    description: 'GitHub token with appropriate permissions for Legitify scan'
+    required: true
+  repositories:
+    description: 'Comma-separated list of repositories to scan (e.g., "owner/repo1,owner/repo2")'
+    required: true
+  codeql_upload:
+    description: 'Upload results to GitHub Code Scanning'
+    required: false
+    default: false
+  scorecard:
+    description: 'Enable OpenSSF Scorecard integration'
+    required: false
+    default: 'no'
+  artifact_name:
+    description: 'Name for the artifact containing scan results'
+    required: false
+    default: 'legitify-cis-scan-results'
+
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Run Legitify GH CIS Scan
+      id: legitify-scan
+      uses: Legit-Labs/legitify@038aa49473a6974a3ef79f6c76b949b689d23282
+      continue-on-error: true
+      with:
+        github_token: ${{ inputs.github_token }}
+        repositories: ${{ inputs.repositories }}
+        upload_code_scanning: ${{ inputs.codeql_upload }}
+        scorecard: ${{ inputs.scorecard }}
+
+
+    - name: Check if output files exist
+      id: legitify-reports
+      if: ${{ steps.legitify-scan.conclusion == 'success' }}
+      shell: bash
+      run: |
+        if ls legitify-output.* 1> /dev/null 2>&1; then
+          echo "files_exist=true" >> $GITHUB_OUTPUT
+          echo "::notice::Legitify output files found"
+          ls -la legitify-output.*
+        else
+          echo "files_exist=false" >> $GITHUB_OUTPUT
+          echo "::warning::No Legitify output files found"
+        fi
+
+    - name: Upload outputs as Workflow Artifacts
+      if: ${{ steps.legitify-scan.conclusion == 'success' && steps.legitify-reports.outputs.files_exist == 'true' }}
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      with:
+        name: ${{ inputs.artifact_name }}
+        path: legitify-output.*
+        if-no-files-found: warn
+
+    - name: Upload SARIF as Code Scanning Results
+      if: ${{ inputs.codeql_upload == 'true' && steps.legitify-reports.outputs.files_exist == 'true' && github.event.repository.visibility == 'public' }}
+      continue-on-error: true
+      uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3.29.7
+      with:
+        sarif_file: legitify-output.sarif
+        category: "legitify-report-${{ github.run_id }}"
@@ -0,0 +1,14 @@
+{
+  "name": "scan-gh-config",
+  "version": "1.0.0",
+  "description": "Scan GitHub repository and organization configurations for security compliance and best practices",
+  "main": "action.yml",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Kong/public-shared-actions",
+    "directory": "security-actions/scan-gh-config"
+  },
+  "private": false,
+  "author": "Kong, Inc.",
+  "license": "UNLICENSED"
+}