.github/workflows/security.yml

name: Security

on:
  push:
    branches:
      - main
  pull_request:

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

permissions:
  # Required to stop running workflows
  actions: write

jobs:
  vulns:
    name: Nancy scanner
    continue-on-error: true
    runs-on: ubuntu-latest
    steps:
      -
        name: Cancel previous workflows
        uses: styfle/cancel-workflow-action@0.9.1
        with:
          access_token: ${{ secrets.GITHUB_TOKEN }}
      -
        uses: actions/checkout@v3
      -
        uses: actions/setup-go@v3
        with:
          go-version: 1.19
      -
        name: Run go list
        run: go list -json -m all > go.list
      -
        name: Nancy
        uses: sonatype-nexus-community/nancy-github-action@v1.0.2

  trivy:
    name: Trivy scanner
    continue-on-error: true
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      pull-requests: read

    steps:
      -
        name: Cancel previous workflows
        uses: styfle/cancel-workflow-action@0.9.1
        with:
          access_token: ${{ secrets.GITHUB_TOKEN }}
      -
        uses: actions/checkout@v3
      -
        name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'
      -
        name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

#  snyk:
#    name: Snyk scanner
#    continue-on-error: true
#    if: (github.action != 'dependabot[bot]')
#    runs-on: ubuntu-latest
#    permissions:
#      contents: read
#      security-events: write
#      pull-requests: read
#      actions: write
#
#    steps:
#      -
#        name: Cancel previous workflows
#        uses: styfle/cancel-workflow-action@0.9.1
#        with:
#          access_token: ${{ secrets.GITHUB_TOKEN }}
#      -
#        uses: actions/checkout@v3
#      -
#        name: Run Snyk to check for vulnerabilities
#        uses: snyk/actions/golang@master
#        continue-on-error: true # To make sure that SARIF upload gets called
#        env:
#          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
#        with:
#          args: --sarif-file-output=snyk-results.sarif
#      -
#        name: Upload result to GitHub Code Scanning
#        uses: github/codeql-action/upload-sarif@v2
#        with:
#          sarif_file: snyk-results.sarif

  semgrep:
    name: Static analysis (semgrep)
    continue-on-error: true
    runs-on: ubuntu-latest
    if: (github.action != 'dependabot[bot]')
    permissions:
      contents: read
      security-events: write
      pull-requests: read

    steps:
      -
        name: Cancel previous workflows
        uses: styfle/cancel-workflow-action@0.9.1
        with:
          access_token: ${{ secrets.GITHUB_TOKEN }}
      -
        uses: actions/checkout@v3
      -
        uses: returntocorp/semgrep-action@v1
        with:
          generateSarif: "1"
          config: >-
            p/security-audit
            p/secrets
            p/supply-chain
            p/docker
            p/golang
            p/trailofbits
      -
        name: Upload result to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: semgrep.sarif