Skip to content

essentials-examples\feat(back): #1 example pr #6

essentials-examples\feat(back): #1 example pr

essentials-examples\feat(back): #1 example pr #6

Workflow file for this run

name: Security Scans
on:
pull_request:
types: [opened, synchronize, reopened]
jobs:
sast:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0 # required for differential scanning
- uses: fluidattacks/sast-action@main
id: scan
with:
scan_config_path: .github/.fluidattacks.yaml
scanner_mode: diff
- name: Upload SAST results
if: always()
uses: actions/upload-artifact@v4
with:
name: sast-results
path: fluidattacks-results.sarif
if-no-files-found: warn
sca-scan:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- uses: fluidattacks/sca-action@main
id: scan
with:
scan_config_path: .github/.fluidattacks.yaml
scanner_mode: full
- name: Upload SCA results
if: always()
uses: actions/upload-artifact@v4
with:
name: sca-results
path: fluidattacks-results.sarif
if-no-files-found: warn
dast-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: fluidattacks/dast-action@main
id: scan
with:
scan_config_path: .github/.fluidattacks.yaml
- name: Fail if vulnerabilities found
if: steps.scan.outputs.vulnerabilities_found == 'true'
run: exit 1
secret-scan:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- uses: fluidattacks/ss-action@main
id: scan
with:
scan_config_path: .github/.fluidattacks.yaml
ci-gate:
runs-on: ubuntu-latest
steps:
- uses: fluidattacks/ci-gate-action@main
with:
api_token: ${{ secrets.FA_API_TOKEN }}
strict: false
report_output_path: ci-gate-report.json
- name: Upload CI gate report
if: always()
uses: actions/upload-artifact@v4
with:
name: ci-gate-report
path: ci-gate-report.json
if-no-files-found: warn
compare:
needs: [sast, sca-scan, ci-gate]
if: '!cancelled()'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
continue-on-error: true
with:
name: sast-results
path: artifacts/sast
- uses: actions/download-artifact@v4
continue-on-error: true
with:
name: sca-results
path: artifacts/sca
- uses: actions/download-artifact@v4
continue-on-error: true
with:
name: ci-gate-report
path: artifacts/ci-gate
- name: Compare findings against platform
run: |
sast_result=0
sca_result=0
echo "--- SAST ---"
python3 .github/scripts/compare-findings.py \
--technique SAST \
artifacts/sast/fluidattacks-results.sarif \
artifacts/ci-gate/ci-gate-report.json || sast_result=$?
echo "--- SCA ---"
python3 .github/scripts/compare-findings.py \
--technique SCA \
artifacts/sca/fluidattacks-results.sarif \
artifacts/ci-gate/ci-gate-report.json || sca_result=$?
exit $((sast_result | sca_result))