Update Go version to 1.24.0 #60
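---
name: Security Scanning

# Triggers: pushes to main, pull requests into main, a nightly run (so newly
# published advisories are caught even when nothing was merged) and manual
# dispatch.
on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'
  workflow_dispatch: # Allow manual trigger

# Least-privilege default for every job. Jobs that upload SARIF
# (security-events: write) or post PR comments (pull-requests: write) request
# that scope themselves instead of every job inheriting it.
permissions:
  contents: read

# Policy used throughout: findings fail the job on push/schedule/manual runs
# but are advisory (exit-code 0 / continue-on-error) on pull requests, so the
# results still land in the Security tab without blocking review.
# Caveats for pull_request runs from forks: repository secrets (SNYK_TOKEN,
# GITLEAKS_LICENSE) are not available and the token is read-only, so the
# upload-sarif steps fail there.
#
# NOTE(security): several actions below are referenced by a mutable ref
# (`@master`, `@latest`, an untagged image). Each run therefore executes
# whatever upstream currently publishes. Pin them to a release tag or, better,
# a full commit SHA; the refs are left unchanged here because choosing the
# exact pin is a project decision.

jobs:
  trivy-container-scan:
    name: Trivy Container Image Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # upload-sarif
    strategy:
      fail-fast: false  # keep scanning the other images if one of them fails
      matrix:
        component: [api, ui, controller]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # All three components live in <component>/ with their own Dockerfile,
      # so one build line replaces the if/elif chain. The matrix value is
      # passed via env rather than interpolated into the shell script.
      - name: Build container image for scanning
        env:
          COMPONENT: ${{ matrix.component }}
        run: |
          set -euo pipefail
          docker build -t "streamspace-${COMPONENT}:scan" "./${COMPONENT}"

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master  # mutable ref, see NOTE(security) above
        with:
          image-ref: 'streamspace-${{ matrix.component }}:scan'
          format: 'sarif'
          output: 'trivy-${{ matrix.component }}-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'
          # Block on push/schedule/manual runs; advisory on pull requests.
          exit-code: ${{ github.event_name == 'pull_request' && '0' || '1' }}

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()  # publish findings even when the scan step failed the job
        with:
          sarif_file: 'trivy-${{ matrix.component }}-results.sarif'
          category: 'trivy-${{ matrix.component }}'

      # Trivy has no "html" output format; an HTML report is produced with the
      # template format and the html template shipped in the Trivy image.
      # exit-code is pinned to 0 so report generation never re-fails the job.
      - name: Generate Trivy HTML report
        if: always()
        uses: aquasecurity/trivy-action@master  # mutable ref, see NOTE(security) above
        with:
          image-ref: 'streamspace-${{ matrix.component }}:scan'
          format: 'template'
          template: '@/contrib/html.tpl'
          output: 'trivy-${{ matrix.component }}-report.html'
          severity: 'CRITICAL,HIGH,MEDIUM'
          exit-code: '0'

      - name: Upload Trivy HTML report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: trivy-${{ matrix.component }}-report
          path: trivy-${{ matrix.component }}-report.html
          retention-days: 30

  go-dependency-scan:
    name: Go Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        component: [api, controller]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.24'  # quoted: an unquoted 1.24 would be parsed as a float
          # The module lives in a sub-directory; without this the built-in
          # cache step looks for go.sum at the repository root.
          cache-dependency-path: ${{ matrix.component }}/go.sum

      # Scan exactly what is committed. `go mod tidy` is deliberately not run
      # first: it rewrites go.mod/go.sum, so the scan would cover a different
      # dependency set than the one in the repository. A go.mod that needs
      # tidying now surfaces as a failure here instead of being silently fixed.
      - name: Download dependencies
        working-directory: ${{ matrix.component }}
        run: |
          set -euo pipefail
          go mod download
          go mod verify

      - name: Run govulncheck
        working-directory: ${{ matrix.component }}
        run: |
          set -euo pipefail
          # @latest is a mutable ref; pin to a tagged x/vuln release for reproducible runs.
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...

      # pipefail matters here: without it the step's status is Nancy's alone
      # and a failing `go list` would be ignored.
      - name: Run Nancy (Sonatype) dependency check
        working-directory: ${{ matrix.component }}
        run: |
          set -euo pipefail
          # :latest is a mutable tag; pin to a released Nancy version.
          go list -json -deps ./... | docker run --rm -i sonatypecommunity/nancy:latest sleuth

  npm-dependency-scan:
    name: npm Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          # NOTE(review): Node 18 reached end-of-life in April 2025; move to a
          # supported LTS line when the UI build allows it.
          node-version: '18'
          cache: 'npm'
          cache-dependency-path: ui/package-lock.json

      - name: Install dependencies
        working-directory: ui
        run: npm ci  # lockfile-exact install; fails if package-lock.json is out of sync

      - name: Run npm audit
        working-directory: ui
        continue-on-error: ${{ github.event_name == 'pull_request' }}
        run: npm audit --audit-level=moderate

      # Advisory only: continue-on-error is unconditional, and SNYK_TOKEN is
      # empty on fork PRs, so this step can never block a merge.
      - name: Run Snyk security scan
        uses: snyk/actions/node@master  # mutable ref, see NOTE(security) above
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --file=ui/package.json

  secret-scan:
    name: Secret Scanning with Gitleaks
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # gitleaks-action posts a PR comment when it finds a leak; drop this
      # scope if that feature is disabled (GITLEAKS_ENABLE_COMMENTS=false).
      pull-requests: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Full history, so secrets committed and later removed are still found

      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}  # only required for organisation repositories

  sast-scan:
    name: SAST with Semgrep
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # upload-sarif
    container:
      image: returntocorp/semgrep  # untagged (:latest); pin a version for a reproducible rule set
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Without --error, semgrep exits 0 even when it has findings, so this
      # step never blocks; results are reviewed through the Security tab.
      - name: Run Semgrep
        run: |
          semgrep scan --config=auto \
            --sarif \
            --output=semgrep-results.sarif \
            --severity=ERROR \
            --severity=WARNING

      - name: Upload Semgrep results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: semgrep-results.sarif
          category: semgrep

  codeql-analysis:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false  # a failure in one language must not cancel the other
      matrix:
        language: ['go', 'javascript']
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: +security-and-quality  # the leading '+' adds to, rather than replaces, the default suite

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: '/language:${{ matrix.language }}'

  kubernetes-manifest-scan:
    name: Kubernetes Manifest Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # upload-sarif
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # NOTE(review): kubesec scans manifest files; confirm this action
      # accepts a directory as `input`, otherwise iterate over the files in
      # manifests/. continue-on-error is kept alongside exit-code 0 so that a
      # tool crash (not just findings) is also non-blocking on PRs.
      - name: Run Kubesec
        continue-on-error: ${{ github.event_name == 'pull_request' }}
        uses: controlplaneio/kubesec-action@v0.0.2
        with:
          input: manifests/
          format: json
          exit-code: ${{ github.event_name == 'pull_request' && '0' || '1' }}

      - name: Run Checkov on Kubernetes manifests
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: manifests/
          framework: kubernetes
          output_format: sarif
          output_file_path: checkov-k8s-results.sarif
          soft_fail: ${{ github.event_name == 'pull_request' }}  # advisory on PRs, blocking on main

      - name: Upload Checkov results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: checkov-k8s-results.sarif
          category: checkov-kubernetes

  docker-lint:
    name: Dockerfile Linting
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        component: [api, ui, controller]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Hadolint
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: ${{ matrix.component }}/Dockerfile
          failure-threshold: warning  # warnings and above fail the job, on every event type

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'  # the action diffs the PR's manifests against the base branch
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # continue-on-error makes fail-on-severity and deny-licenses advisory;
      # remove it to turn this job into a merge gate.
      - name: Dependency Review
        continue-on-error: true
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
          deny-licenses: GPL-2.0, GPL-3.0

  security-summary:
    name: Security Scan Summary
    runs-on: ubuntu-latest
    needs:
      - trivy-container-scan
      - go-dependency-scan
      - npm-dependency-scan
      - secret-scan
      - sast-scan
      - codeql-analysis
      - kubernetes-manifest-scan
      - docker-lint
    if: always()  # summarise even when an upstream scan failed or was cancelled
    steps:
      # Real job outcomes are read from needs.*.result and passed via env, so
      # the summary no longer prints a green tick for every scanner
      # unconditionally. The step exits non-zero when any scan did not
      # succeed (or was cancelled), so a required status check on this job
      # cannot be green while a scan failed.
      - name: Create security summary
        env:
          RESULT_TRIVY: ${{ needs.trivy-container-scan.result }}
          RESULT_GO: ${{ needs.go-dependency-scan.result }}
          RESULT_NPM: ${{ needs.npm-dependency-scan.result }}
          RESULT_SECRETS: ${{ needs.secret-scan.result }}
          RESULT_SEMGREP: ${{ needs.sast-scan.result }}
          RESULT_CODEQL: ${{ needs.codeql-analysis.result }}
          RESULT_K8S: ${{ needs.kubernetes-manifest-scan.result }}
          RESULT_HADOLINT: ${{ needs.docker-lint.result }}
        run: |
          set -euo pipefail
          failed=0

          # row <label> <job result>: append one table row and remember any
          # outcome other than success/skipped. Called directly (not in a
          # pipeline) so the assignment to `failed` is visible afterwards.
          row() {
            case "$2" in
              success) icon="✅" ;;
              skipped) icon="⏭️" ;;
              *)       icon="❌"; failed=1 ;;
            esac
            echo "| $1 | $icon $2 |" >> "$GITHUB_STEP_SUMMARY"
          }

          {
            echo "## 🔒 Security Scan Results"
            echo ""
            echo "| Scan | Result |"
            echo "| --- | --- |"
          } >> "$GITHUB_STEP_SUMMARY"

          row "Container Image Scanning (Trivy)" "$RESULT_TRIVY"
          row "Go Dependency Scanning (govulncheck, Nancy)" "$RESULT_GO"
          row "npm Dependency Scanning (npm audit, Snyk)" "$RESULT_NPM"
          row "Secret Scanning (Gitleaks)" "$RESULT_SECRETS"
          row "SAST (Semgrep)" "$RESULT_SEMGREP"
          row "SAST (CodeQL)" "$RESULT_CODEQL"
          row "Kubernetes Manifest Scanning (Kubesec, Checkov)" "$RESULT_K8S"
          row "Dockerfile Linting (Hadolint)" "$RESULT_HADOLINT"

          {
            echo ""
            echo "Review the detailed results in the Security tab."
          } >> "$GITHUB_STEP_SUMMARY"

          exit "$failed"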