Update PHP version and modify security workflows #5

Workflow file for this run

.github/workflows/advanced-security.yml at fbc81af

	name: Advanced Security Scans
Check failure on line 1 in .github/workflows/advanced-security.yml View workflow run for this annotation GitHub Actions / .github/workflows/advanced-security.yml Invalid workflow file `(Line: 151, Col: 9): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.STAGING_URL != ''`

	on:
	push:
	branches: [ main ]
	pull_request:
	types: [opened, synchronize, reopened]

	env:
	PHP_VERSION: '8.0' # Adjust if you prefer 8.2 or 8.3

	jobs:
	prepare:
	name: Prepare PHP & Repo
	runs-on: ubuntu-latest
	outputs:
	has-composer: ${{ steps.check.outputs.has_composer }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Set up PHP
	uses: shivammathur/setup-php@v2
	with:
	php-version: ${{ env.PHP_VERSION }}
	extensions: mbstring, intl, pdo, pdo_mysql, ftp

	- name: Check for composer.json
	id: check
	run: \|
	if [ -f composer.json ]; then
	echo "has_composer=true" >> $GITHUB_OUTPUT
	else
	echo "has_composer=false" >> $GITHUB_OUTPUT
	fi

	- name: Install composer deps
	if: steps.check.outputs.has_composer == 'true'
	run: composer install --no-interaction --prefer-dist \|\| true

	dependency-audit:
	name: Composer Dependency Audit
	runs-on: ubuntu-latest
	needs: prepare
	if: needs.prepare.outputs.has-composer == 'true'
	steps:
	- uses: actions/checkout@v4

	- name: Setup PHP
	uses: shivammathur/setup-php@v2
	with:
	php-version: ${{ env.PHP_VERSION }}

	- name: Install composer deps
	run: composer install --no-interaction --prefer-dist \|\| true

	- name: Composer audit
	run: composer audit --format=json > composer-audit.json \|\| true

	- name: Upload composer audit report
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: composer-audit
	path: composer-audit.json

	- name: Add Roave security advisory
	run: composer require --dev roave/security-advisories:dev-latest --no-update \|\| true

	semgrep:
	name: Semgrep SAST Scan
	runs-on: ubuntu-latest
	needs: prepare
	steps:
	- uses: actions/checkout@v4

	- name: Run Semgrep scan
	run: \|
	python3 -m pip install --user semgrep
	export PATH="$HOME/.local/bin:$PATH"
	semgrep --version
	semgrep --config p/php --json --output semgrep-report.json \|\| true

	- name: Upload Semgrep report
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: semgrep-report
	path: semgrep-report.json

	sast-php:
	name: PHP SAST (PHPStan / Psalm)
	runs-on: ubuntu-latest
	needs: prepare
	if: needs.prepare.outputs.has-composer == 'true'
	steps:
	- uses: actions/checkout@v4

	- name: Setup PHP
	uses: shivammathur/setup-php@v2
	with:
	php-version: ${{ env.PHP_VERSION }}

	- name: Install composer deps
	run: composer install --no-interaction --prefer-dist \|\| true

	- name: Run PHPStan if present
	run: \|
	if [ -x vendor/bin/phpstan ]; then
	vendor/bin/phpstan analyse -l max src \|\| true
	elif command -v phpstan >/dev/null 2>&1; then
	phpstan analyse -l max src \|\| true
	else
	echo "phpstan not found, skipping"
	fi

	- name: Run Psalm if present
	run: \|
	if [ -x vendor/bin/psalm ]; then
	vendor/bin/psalm --show-info=false --taint-analysis --report=psalm-security-report.xml \|\| true
	else
	echo "psalm not found, skipping"
	fi

	- name: Upload Psalm report
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: psalm-security-report
	path: psalm-security-report.xml

	secret-scan:
	name: Secret Scanning (Gitleaks)
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Run Gitleaks
	uses: gitleaks/gitleaks-action@v2
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	GITLEAKS_ENABLE_SUMMARY: true
	continue-on-error: true

	dast-zap:
	name: DAST - OWASP ZAP baseline
	runs-on: ubuntu-latest
	needs: prepare
	if: ${{ secrets.STAGING_URL != '' }}
	steps:
	- uses: actions/checkout@v4

	- name: Run ZAP baseline scan
	uses: zaproxy/[email protected]
	with:
	target: ${{ secrets.STAGING_URL }}
	rules_file_name: zap-rules.md

	- name: Upload ZAP artifacts
	if: always()
	uses: actions/upload-artifact@v4
	with:
	name: zap-output
	path: zap_scan_report.*

	dependency-review:
	name: GitHub Dependency Review
	runs-on: ubuntu-latest
	if: github.event_name == 'pull_request'
	steps:
	- uses: actions/checkout@v4
	- name: Run Dependency Review
	uses: actions/dependency-review-action@v4
	with:
	token: ${{ secrets.GITHUB_TOKEN }}

	summary:
	name: Summary
	runs-on: ubuntu-latest
	needs: [dependency-audit, semgrep, sast-php, secret-scan]
	if: always()
	steps:
	- name: Print summary
	run: \|
	echo "Advanced Security Scans finished. Check artifacts (composer/semgrep/psalm/gitleaks/ZAP) and PR annotations."

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Update PHP version and modify security workflows #5

Workflow file

Update PHP version and modify security workflows #5

Uh oh!

Jobs

Run details

Workflow file for this run

GitHub Actions / .github/workflows/advanced-security.yml