
Commit 993559b

Add .github/workflows/scandog-combined-scanner.yml with Scandog security configuration
1 parent 6b98ef6 commit 993559b

1 file changed

Lines changed: 285 additions & 0 deletions


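--- /dev/null
+++ b/.github/workflows/scandog-combined-scanner.yml
@@ -0,0 +1,285 @@
+# Combined configuration from 12 templates
+# Scanners: osv-scanner, opengrep, Trufflehog, Trivy, checkov, Trivy, CDXGen, Gitleaks, grype, tfsec, OWASP Depscan + cdxgen, Semgrep
+# Generated for GITHUB by ScanDog
+name: Combined Security Scanner Pipeline
+on:
+push:
+branches:
+- main
+
+jobs:
+# Jobs from template: osv-scanner
+scandog_osv_scanner_scan:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- name: Install osv-scanner
+run: |
+sudo apt-get update
+sudo apt-get install -y snapd
+sudo snap install osv-scanner
+- name: Run osv-scanner
+run: osv-scanner scan . --json osv-results.json
+- name: Import results to ScanDog
+uses: scandogio/scandog-import@v1.0
+with:
+ci_run_id: ${{ github.run_id }}
+report_file: osv-results.json
+workflow_id: "77870259287eac45b40e65decf2207c3"
+scan_type: SCA
+scanner: osv-scanner
+backend_api_token: ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
+backend_url: ${{ secrets.SCANDOG_BACKEND_URL }}
+# Jobs from template: opengrep
+scandog_opengrep_scan:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+- name: Install Opengrep
+run: |
+apt-get update && apt-get install -y curl jq
+latest_version=$(curl --silent "https://api.github.com/repos/opengrep/opengrep/releases/latest" | jq -r .tag_name)
+curl -L -o opengrep "https://github.com/opengrep/opengrep/releases/download/${latest_version}/opengrep_manylinux_x86"
+chmod +x opengrep
+mv opengrep /usr/local/bin/opengrep
+- name: Run Opengrep
+run: opengrep scan --config auto --json-output=opengrep.json .
+- name: Import results to ScanDog
+uses: scandogio/scandog-import@v1.0
+with:
+ci_run_id: ${{ github.run_id }}
+report_file: opengrep.json
+workflow_id: "77870259287eac45b40e65decf2207c3"
+scan_type: SAST
+scanner: opengrep
+backend_api_token: ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
+backend_url: ${{ secrets.SCANDOG_BACKEND_URL }}
+# Jobs from template: Trufflehog
+scandog_trufflehog_scan:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- name: Install & Run Trufflehog
+run: |
+curl -sSfL https://raw.githubusercontent.com/trufflesecurity/trufflehog/main/scripts/install.sh | sh -s -- -b /usr/local/bin
+trufflehog filesystem --json . > trufflehog.json
+- name: Import results to ScanDog
+uses: scandogio/scandog-import@v1.0
+with:
+ci_run_id: ${{ github.run_id }}
+report_file: trufflehog.json
+workflow_id: "77870259287eac45b40e65decf2207c3"
+scan_type: Secret Scanning
+scanner: trufflehog
+backend_api_token: ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
+backend_url: ${{ secrets.SCANDOG_BACKEND_URL }}
+# Jobs from template: Trivy
+scandog_trivy_scan:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+- name: Trivy vulnerability scanner
+uses: aquasecurity/trivy-action@master
+with:
+scan-type: 'fs'
+scan-ref: .
+format: 'json'
+output: 'trivy-results.json'
+scanners: 'misconfig'
+- name: Import results to ScanDog
+uses: scandogio/scandog-import@v1.0
+with:
+ci_run_id: ${{ github.run_id }}
+report_file: trivy-results.json
+workflow_id: "77870259287eac45b40e65decf2207c3"
+scan_type: IaC Scanner
+scanner: Trivy
+backend_api_token: ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
+backend_url: ${{ secrets.SCANDOG_BACKEND_URL }}
+# Jobs from template: checkov
+scandog_checkov_scan:
+permissions:
+contents: read # for actions/checkout to fetch code
+security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+- name: Checkov GitHub Action
+uses: bridgecrewio/checkov-action@v12
+with:
+soft_fail: true
+output_format: json
+output_file_path: .
+- name: Import results to ScanDog
+uses: scandogio/scandog-import@v1.0
+with:
+ci_run_id: ${{ github.run_id }}
+report_file: results_json.json
+workflow_id: "77870259287eac45b40e65decf2207c3"
+scan_type: IaC Scanner
+scanner: checkov
+backend_api_token: ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
+backend_url: ${{ secrets.SCANDOG_BACKEND_URL }}
+# Jobs from template: Trivy
+scandog_trivy_scan:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+- name: Trivy vulnerability scanner
+uses: aquasecurity/trivy-action@master
+with:
+image-ref: rabbitmq:management
+format: 'json'
+output: 'trivy-results.json'
+- name: Import results to ScanDog
+uses: scandogio/scandog-import@v1.0
+with:
+ci_run_id: ${{ github.run_id }}
+report_file: trivy-results.json
+workflow_id: "77870259287eac45b40e65decf2207c3"
+scan_type: Container Scanner
+scanner: Trivy
+backend_api_token: ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
+backend_url: ${{ secrets.SCANDOG_BACKEND_URL }}
+# Jobs from template: CDXGen
+scandog_cdxgen_scan:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- name: Install cdxgen
+run: npm install -g @cyclonedx/cdxgen
+- name: Generate SBOM
+run: cdxgen --input . --output sbom.json
+- name: Import results to ScanDog
+uses: scandogio/scandog-import@v1.0
+with:
+ci_run_id: ${{ github.run_id }}
+report_file: sbom.json
+workflow_id: "77870259287eac45b40e65decf2207c3"
+scan_type: SBOM
+scanner: cdxgen
+backend_api_token: ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
+backend_url: ${{ secrets.SCANDOG_BACKEND_URL }}
+# Jobs from template: Gitleaks
+scandog_gitleaks_scan:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+- name: Install & Run Gitleaks
+run: |
+git clone https://github.com/gitleaks/gitleaks.git
+cd gitleaks
+make build
+cd $GITHUB_WORKSPACE
+gitleaks dir . -f json -r gitleaks.json
+- name: Import results to ScanDog
+uses: scandogio/scandog-import@v1.0
+with:
+ci_run_id: ${{ github.run_id }}
+report_file: gitleaks.json
+workflow_id: "77870259287eac45b40e65decf2207c3"
+scan_type: Secret Scanning
+scanner: gitleaks
+backend_api_token: ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
+backend_url: ${{ secrets.SCANDOG_BACKEND_URL }}
+# Jobs from template: grype
+scandog_grype_sca:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- name: Run Grype
+uses: anchore/scan-action@v6
+with:
+path: .
+output-format: json
+output-file: grype-results.json
+fail-build: false
+- name: Import results to ScanDog
+uses: scandogio/scandog-import@v1.0
+with:
+ci_run_id: ${{ github.run_id }}
+report_file: grype-results.json
+workflow_id: "77870259287eac45b40e65decf2207c3"
+scan_type: SCA
+scanner: grype
+backend_api_token: ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
+backend_url: ${{ secrets.SCANDOG_BACKEND_URL }}
+# Jobs from template: tfsec
+scandog_tfsec_scan:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- name: Run tfsec
+uses: aquasecurity/tfsec-action@v1.0.0
+with:
+format: json
+out: tfsec-results.json
+- name: Import results to ScanDog
+uses: scandogio/scandog-import@v1.0
+with:
+ci_run_id: ${{ github.run_id }}
+report_file: tfsec-results.json
+workflow_id: "77870259287eac45b40e65decf2207c3"
+scan_type: IaC Scanner
+scanner: tfsec
+backend_api_token: ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
+backend_url: ${{ secrets.SCANDOG_BACKEND_URL }}
+# Jobs from template: OWASP Depscan + cdxgen
+scandog_depscan_sca:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+- name: Set up Python
+uses: actions/setup-python@v4
+with:
+python-version: '3.x'
+- name: Install OWASP-depscan
+run: |
+pip install owasp-depscan
+- name: Set up Node.js
+uses: actions/setup-node@v4
+with:
+node-version: 21
+- name: Install cdxgen
+run: npm install -g @cyclonedx/cdxgen
+- name: scan SBOM by OWASP depscan
+run: |
+cd $GITHUB_WORKSPACE
+export FETCH_LICENSE=true
+depscan -i . --reports-dir .
+- name: Import results to ScanDog
+uses: scandogio/scandog-import@v1.0
+with:
+ci_run_id: ${{ github.run_id }}
+report_file: sbom-universal.vdr.json
+workflow_id: "77870259287eac45b40e65decf2207c3"
+scan_type: SCA
+scanner: depscan
+backend_api_token: ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
+backend_url: ${{ secrets.SCANDOG_BACKEND_URL }}
+# Jobs from template: Semgrep
+scandog_semgrep_scan:
+runs-on: ubuntu-latest
+container:
+image: semgrep/semgrep
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+- name: semgrep scan
+run: semgrep scan --config auto --json > semgrep.json
+- name: Import results to ScanDog
+uses: scandogio/scandog-import@v1.0
+with:
+ci_run_id: ${{ github.run_id }}
+report_file: semgrep.json
+workflow_id: "77870259287eac45b40e65decf2207c3"
+scan_type: SAST
+scanner: Semgrep
+backend_api_token: ${{ secrets.SCANDOG_BACKEND_API_TOKEN }}
+backend_url: ${{ secrets.SCANDOG_BACKEND_URL }}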
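Review bot: The job id `scandog_trivy_scan` is defined twice in this file (line 78 for the filesystem `misconfig` scan and line 127 for the `rabbitmq:management` image scan); GitHub rejects a workflow with a duplicate job key, and a generic YAML loader would silently keep only the second mapping and drop the IaC scan entirely. Rename the second job, e.g. `scandog_trivy_container_scan:`, so both run. The opengrep job's `apt-get update && apt-get install -y curl jq` on line 41 runs without `sudo`, unlike the osv-scanner job, and will most likely fail with a permissions error on the hosted runner. Separately, several supply-chain inputs float rather than being pinned — `aquasecurity/trivy-action@master`, the trufflehog `install.sh | sh` fetched from `main`, a `git clone` of gitleaks at its default branch, the untagged `semgrep/semgrep` container image and the opengrep `releases/latest` lookup — so pinning each to a release tag or commit SHA (and aligning `actions/checkout@v3` on line 109 with the `@v4` used elsewhere) would make the scan results reproducible and narrow what an upstream compromise could inject into this pipeline.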
