zerv-flow/.github/workflows/security.yml at main · wislertt/zerv-flow · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
name: security
on:
    push:
    workflow_dispatch:
    schedule:
        - cron: "0 4 * * *" # run once a day at 4 AM

jobs:
    trivy-scan:
        runs-on: ubuntu-latest

        steps:
            - name: checkout-repository
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: run-trivy-dependency-scan
              uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
              with:
                  scan-type: fs
                  format: table
                  exit-code: "1"
                  vuln-type: "os,library"

    gitleaks:
        name: gitleaks
        runs-on: ubuntu-latest

        steps:
            - name: checkout-repository
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
              with:
                  fetch-depth: 0

            - name: run-gitleaks-scan
              uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2.3.9
              env:
                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

    cargo-audit:
        name: cargo-audit
        runs-on: ubuntu-latest
        steps:
            - name: checkout-repository
              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

            - name: setup-mise
              uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4.0.1

            - name: run-cargo-audit
              run: cargo audit