Update main.yml #12
| name: MobScan Security Check | |
| on: | |
| push: | |
| branches: [main, master] | |
| pull_request: | |
| env: | |
| # Set scan profile: 'baseline' for standard apps, 'financial' for banking/payment apps | |
| SCAN_PROFILE: baseline | |
| jobs: | |
| security-scan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.9' | |
| - name: Install MobScan | |
| run: | | |
| pip install semgrep | |
| pip install git+https://${{ secrets.GH_PAT }}@github.com/XavLimSG/MobScan.git | |
| - name: List available profiles | |
| run: | | |
| mobscan profiles | |
| - name: Run MobScan with Compliance Mapping | |
| run: | | |
| mobscan scan . \ | |
| --profile ${{ env.SCAN_PROFILE }} \ | |
| --format sarif \ | |
| --output mobscan.sarif \ | |
| --show-compliance | |
| continue-on-error: true | |
| - name: Generate Compliance Report | |
| run: | | |
| mobscan compliance-report . \ | |
| --profile ${{ env.SCAN_PROFILE }} \ | |
| --output compliance-report.txt | |
| continue-on-error: true | |
| - name: Generate JSON Report with Compliance | |
| run: | | |
| mobscan scan . \ | |
| --profile ${{ env.SCAN_PROFILE }} \ | |
| --format json \ | |
| --output mobscan-compliance.json | |
| continue-on-error: true | |
| - name: Upload SARIF to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: mobscan.sarif | |
| - name: Upload Compliance Reports as Artifacts | |
| uses: actions/upload-artifact@v4 | |
| if: always() | |
| with: | |
| name: compliance-reports | |
| path: | | |
| compliance-report.txt | |
| mobscan-compliance.json | |
| mobscan.sarif | |
| retention-days: 90 | |
| - name: Display Compliance Summary | |
| if: always() | |
| run: | | |
| echo "===================================================================" | |
| echo "COMPLIANCE SCAN SUMMARY" | |
| echo "===================================================================" | |
| echo "Profile: ${{ env.SCAN_PROFILE }}" | |
| if [ "${{ env.SCAN_PROFILE }}" == "baseline" ]; then | |
| echo "Standards: CSA SAS 2.0, OWASP MASVS 2.1" | |
| else | |
| echo "Standards: CSA SAS 2.0, OWASP MASVS 2.1, MAS TRM" | |
| fi | |
| echo "" | |
| cat compliance-report.txt || echo "No compliance report generated" | |
| echo "===================================================================" | |
| - name: Fail on security threshold | |
| run: | | |
| # Baseline profile: fail on critical severity only | |
| # Financial profile: fail on medium severity | |
| if [ "${{ env.SCAN_PROFILE }}" == "financial" ]; then | |
| mobscan scan . --profile financial | |
| else | |
| mobscan scan . --profile baseline --fail-on critical | |
| fi |
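Review bot: The comment in the final step (`# Financial profile: fail on medium severity`) does not match the command below it: the financial branch runs `mobscan scan . --profile financial` with no `--fail-on`, so unless the CLI fails by default for that profile the threshold is never enforced and the job can go green with findings. The baseline branch passes `--fail-on critical` explicitly, so the financial branch should likely read `mobscan scan . --profile financial --fail-on medium` (assuming the CLI accepts `medium` for that flag), or else the comment should be corrected to describe what actually happens. Separately, the install step interpolates `secrets.GH_PAT` straight into a `git+https://` URL inside the `run:` script; GitHub masks the value in logs, but declaring it under `env:` and referencing `$GH_PAT` from the shell keeps the secret out of the rendered command string and is the documented pattern for secrets in `run:` steps. Note also that with the `pull_request` trigger, PRs from forks run without repository secrets, so the install step will fail before any scan executes on those runs.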