
docs: rewrite top-level docs to match the post-cleanup reality

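# Security scanning for the api, ui and k8s-controller components: container
# images (Trivy), Go and npm dependencies, committed secrets, SAST, Kubernetes
# manifests and Dockerfiles. SARIF results are uploaded to the Security tab;
# the final job summarises every scan's outcome and gates on it.
name: Security Scanning

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'
  workflow_dispatch:  # Allow manual trigger

# Least privilege for the workflow token: reading the repository and writing
# code-scanning alerts is all the SARIF uploads need. No step comments on or
# edits pull requests, so pull-requests: write is not granted.
permissions:
  contents: read
  security-events: write

jobs:
  trivy-container-scan:
    name: Trivy Container Image Scan
    runs-on: ubuntu-latest
    strategy:
      # One image with findings must not cancel the scans of the others.
      fail-fast: false
      matrix:
        # The image name keeps the "kubernetes-controller" label (it is part of
        # the SARIF category and artifact names) while the build context is the
        # k8s-controller directory that the other jobs use.
        include:
          - component: api
            context: ./api
          - component: ui
            context: ./ui
          - component: kubernetes-controller
            context: ./k8s-controller
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build container image for scanning
        run: docker build -t "streamspace-${{ matrix.component }}:scan" "${{ matrix.context }}"

      # TODO(review): @master is a mutable ref; pin to a release tag or a commit
      # SHA so a compromised or changed upstream cannot alter the scan step.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'streamspace-${{ matrix.component }}:scan'
          format: 'sarif'
          output: 'trivy-${{ matrix.component }}-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'
          # Advisory on pull requests, blocking on pushes to main and scheduled runs.
          exit-code: ${{ github.event_name == 'pull_request' && '0' || '1' }}

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-${{ matrix.component }}-results.sarif'
          category: 'trivy-${{ matrix.component }}'

      - name: Generate Trivy HTML report
        if: always()
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'streamspace-${{ matrix.component }}:scan'
          # Trivy has no native "html" output format; HTML is produced by the
          # template format with the html template bundled in the Trivy image.
          format: 'template'
          template: '@/contrib/html.tpl'
          output: 'trivy-${{ matrix.component }}-report.html'
          severity: 'CRITICAL,HIGH,MEDIUM'

      - name: Upload Trivy HTML report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: trivy-${{ matrix.component }}-report
          path: trivy-${{ matrix.component }}-report.html
          retention-days: 30

  go-dependency-scan:
    name: Go Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        component: [api, k8s-controller]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.25'

      - name: Download dependencies
        # Scan the committed module graph: download and verify against go.sum
        # rather than running "go mod tidy", which rewrites go.mod/go.sum in CI
        # and makes the scan diverge from what is actually committed.
        run: |
          cd ${{ matrix.component }}
          go mod download
          go mod verify

      - name: Run govulncheck
        run: |
          cd ${{ matrix.component }}
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...

      - name: Run Nancy (Sonatype) dependency check
        # bash here (instead of the default "bash -e") enables pipefail, so a
        # failing "go list" cannot be masked by a successful nancy run.
        # TODO(review): pin the nancy image to a tag or digest; :latest is mutable.
        shell: bash
        run: |
          cd ${{ matrix.component }}
          go list -json -deps ./... | docker run --rm -i sonatypecommunity/nancy:latest sleuth

  npm-dependency-scan:
    name: npm Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          # NOTE(review): Node 18 is end-of-life upstream; confirm the UI still
          # targets it before relying on this version for the audit.
          node-version: '18'
          cache: 'npm'
          cache-dependency-path: ui/package-lock.json

      - name: Install dependencies
        run: |
          cd ui
          npm ci

      - name: Run npm audit
        # Advisory on pull requests, blocking on pushes to main and scheduled runs.
        continue-on-error: ${{ github.event_name == 'pull_request' }}
        run: |
          cd ui
          npm audit --audit-level=moderate

      - name: Run Snyk security scan
        # TODO(review): @master is a mutable ref; pin to a commit SHA.
        # continue-on-error is unconditional, so Snyk findings never block and a
        # missing SNYK_TOKEN (e.g. fork pull requests) fails silently.
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high --file=ui/package.json

  secret-scan:
    name: Secret Scanning with Gitleaks
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Full history for comprehensive scanning

      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

  sast-scan:
    name: SAST with Semgrep
    runs-on: ubuntu-latest
    container:
      # TODO(review): no tag means :latest; pin to a version or digest so the
      # ruleset and binary used for SAST are reproducible.
      image: returntocorp/semgrep
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Semgrep
        run: |
          semgrep scan --config=auto \
            --sarif \
            --output=semgrep-results.sarif \
            --severity=ERROR \
            --severity=WARNING

      - name: Upload Semgrep results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: semgrep-results.sarif
          category: semgrep

  codeql-analysis:
    name: CodeQL Analysis
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language: ['go', 'javascript']
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: +security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: '/language:${{ matrix.language }}'

  kubernetes-manifest-scan:
    name: Kubernetes Manifest Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Kubesec
        # Advisory on pull requests, blocking on pushes to main and scheduled runs.
        continue-on-error: ${{ github.event_name == 'pull_request' }}
        uses: controlplaneio/kubesec-action@v0.0.2
        with:
          input: manifests/
          format: json
          exit-code: ${{ github.event_name == 'pull_request' && '0' || '1' }}

      - name: Run Checkov on Kubernetes manifests
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: manifests/
          framework: kubernetes
          output_format: sarif
          output_file_path: checkov-k8s-results.sarif
          soft_fail: ${{ github.event_name == 'pull_request' }}

      - name: Upload Checkov results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: checkov-k8s-results.sarif
          category: checkov-kubernetes

  docker-lint:
    name: Dockerfile Linting
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        component: [api, ui, k8s-controller]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Hadolint
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: ${{ matrix.component }}/Dockerfile
          failure-threshold: warning

  dependency-review:
    name: Dependency Review
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Dependency Review
        # NOTE(review): continue-on-error makes fail-on-severity advisory only;
        # drop it if high-severity dependency changes should block merges.
        continue-on-error: true
        uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
          deny-licenses: GPL-2.0, GPL-3.0

  security-summary:
    name: Security Scan Summary
    runs-on: ubuntu-latest
    # dependency-review is intentionally absent: it only runs on pull requests.
    needs:
      - trivy-container-scan
      - go-dependency-scan
      - npm-dependency-scan
      - secret-scan
      - sast-scan
      - codeql-analysis
      - kubernetes-manifest-scan
      - docker-lint
    # Always produce the summary; the last step then fails this job when any
    # scan failed or was cancelled, so it can serve as a single required check.
    if: always()
    steps:
      - name: Create security summary
        env:
          # The needs context carries each upstream job's actual result.
          NEEDS_JSON: ${{ toJSON(needs) }}
        run: |
          {
            echo "## 🔒 Security Scan Results"
            echo ""
            echo "| Job | Result |"
            echo "| --- | --- |"
            # Report each scan's real outcome instead of an unconditional check mark.
            echo "$NEEDS_JSON" | jq -r 'to_entries[] | "| \(.key) | \(.value.result) |"'
            echo ""
            echo "Review the detailed results in the Security tab."
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Fail when any scan did not succeed
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')
        run: |
          echo "At least one security scan failed or was cancelled; see the job summary."
          exit 1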