Upgrade setup-php action from v4 to v3 #4
| name: Advanced Security Scans | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| types: [opened, synchronize, reopened] | |
| env: | |
| PHP_VERSION: '8.0' # Change to 8.2/8.3 if needed | |
| jobs: | |
| prepare: | |
| name: Prepare PHP & Repo | |
| runs-on: ubuntu-latest | |
| outputs: | |
| has-composer: ${{ steps.check.outputs.has_composer }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v3 | |
| with: | |
| php-version: ${{ env.PHP_VERSION }} | |
| extensions: mbstring, intl, pdo, pdo_mysql, ftp | |
| - name: Check for composer.json | |
| id: check | |
| run: | | |
| if [ -f composer.json ]; then | |
| echo "has_composer=true" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_composer=false" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Install composer deps | |
| if: steps.check.outputs.has_composer == 'true' | |
| run: composer install --no-interaction --prefer-dist || true | |
| dependency-audit: | |
| name: Composer Dependency Audit | |
| runs-on: ubuntu-latest | |
| needs: prepare | |
| if: needs.prepare.outputs.has-composer == 'true' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v3 | |
| with: | |
| php-version: ${{ env.PHP_VERSION }} | |
| - name: Composer audit | |
| run: composer audit --format=json > composer-audit.json || true | |
| - name: Upload composer audit report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: composer-audit | |
| path: composer-audit.json | |
| - name: Add Roave security advisory | |
| run: composer require --dev roave/security-advisories:^1 || true | |
| semgrep: | |
| name: Semgrep SAST Scan | |
| runs-on: ubuntu-latest | |
| needs: prepare | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Semgrep | |
| run: | | |
| python3 -m pip install --user semgrep | |
| export PATH="$HOME/.local/bin:$PATH" | |
| semgrep --version | |
| - name: Run Semgrep scan | |
| run: | | |
| export PATH="$HOME/.local/bin:$PATH" | |
| semgrep --config p/php --json --output semgrep-report.json || true | |
| - name: Upload Semgrep report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: semgrep-report | |
| path: semgrep-report.json | |
| sast-php: | |
| name: PHP SAST (PHPStan / Psalm) | |
| runs-on: ubuntu-latest | |
| needs: prepare | |
| if: needs.prepare.outputs.has-composer == 'true' | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup PHP | |
| uses: shivammathur/setup-php@v3 | |
| with: | |
| php-version: ${{ env.PHP_VERSION }} | |
| - name: Run PHPStan if present | |
| run: | | |
| if [ -x vendor/bin/phpstan ]; then | |
| vendor/bin/phpstan analyse -l max src || true | |
| elif command -v phpstan >/dev/null 2>&1; then | |
| phpstan analyse -l max src || true | |
| else | |
| echo "phpstan not found, skipping" | |
| fi | |
| - name: Run Psalm if present | |
| run: | | |
| if [ -x vendor/bin/psalm ]; then | |
| vendor/bin/psalm --show-info=false --taint-analysis --report=psalm-security-report.xml || true | |
| else | |
| echo "psalm not found, skipping" | |
| fi | |
| - name: Upload Psalm report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: psalm-security-report | |
| path: psalm-security-report.xml | |
| secret-scan: | |
| name: Secret Scanning (Gitleaks) | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Gitleaks | |
| uses: zricethezav/gitleaks-action@v2 | |
| with: | |
| args: detect --source . --report-format json --report-path gitleaks-report.json || true | |
| - name: Upload Gitleaks report | |
| if: always() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: gitleaks-report | |
| path: gitleaks-report.json | |
| dast-zap: | |
| name: DAST - OWASP ZAP baseline | |
| runs-on: ubuntu-latest | |
| needs: prepare | |
| steps: | |
| - name: Check STAGING_URL secret | |
| run: | | |
| if [ -z "${{ secrets.STAGING_URL }}" ]; then | |
| echo "STAGING_URL not set, skipping ZAP scan" | |
| exit 0 | |
| fi | |
| - name: Run ZAP baseline scan | |
| uses: zaproxy/action-baseline@v1 | |
| with: | |
| target: ${{ secrets.STAGING_URL }} | |
| rules_file_name: zap-rules.md | |
| format: 'github' | |
| - name: Upload ZAP artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: zap-output | |
| path: . | |
| dependency-review: | |
| name: GitHub Dependency Review | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Dependency Review | |
| uses: github/dependency-review-action@v2 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| summary: | |
| name: Summary | |
| runs-on: ubuntu-latest | |
| needs: [dependency-audit, semgrep, sast-php, secret-scan, dast-zap, dependency-review] | |
| steps: | |
| - name: Print summary | |
| run: | | |
| echo "Advanced Security Scans finished. Check artifacts (composer/semgrep/psalm/gitleaks/ZAP) and PR annotations." |
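Review bot: The STAGING_URL guard in the dast-zap job (the "Check STAGING_URL secret" step) does not skip the scan: `exit 0` only ends that step, so "Run ZAP baseline scan" still executes with an empty `target`, and the secret is interpolated straight into the shell line, which is the pattern script-injection advisories for workflows warn about; pass it through `env:` and gate the later steps on a step output instead. The same inline-`${{ secrets.* }}` pattern appears in the ZAP `target:` input, where it is fine since it is not a shell context. In the secret-scan job, the `|| true` appended to the Gitleaks `args:` is not shell — the action receives `||` and `true` as literal arguments, so the suppression has no effect and may break argument parsing; drop it and use the action's own failure handling. Separately, the PR title says "upgrade" but the `uses: shivammathur/setup-php@v3` lines move from v4 to v3, so please confirm that the v3 tag exists and is the intended ref, and consider pinning all third-party actions to a commit SHA; also note `path: .` in "Upload ZAP artifacts" publishes the entire checkout as an artifact.

```yaml
      - name: Check STAGING_URL secret
        id: staging
        env:
          STAGING_URL: ${{ secrets.STAGING_URL }}
        run: |
          if [ -z "$STAGING_URL" ]; then
            echo "STAGING_URL not set, skipping ZAP scan"
            echo "configured=false" >> "$GITHUB_OUTPUT"
          else
            echo "configured=true" >> "$GITHUB_OUTPUT"
          fi
      - name: Run ZAP baseline scan
        if: steps.staging.outputs.configured == 'true'
        # … unchanged: uses/with (target, rules_file_name, format) …
      - name: Upload ZAP artifacts
        if: steps.staging.outputs.configured == 'true'
        # … unchanged: uses/with (name, path) …
```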