untamed-theory/shared-workflows
Shared Workflows

... for GitHub Actions

This repo contains GitHub Actions reusable workflows that can be called from workflows in other repositories. They can be used to better secure your code and your CI/CD pipeline.

Workflows

CI-Security-Scan

Get Started

To set up the CI security workflow, create a new file at {repo_root}/.github/workflows/ci-security-scan.yml and paste in the following:

name: "CI Security Scan"
on:
    pull_request:
        # a flow sequence is required here; "types: - opened" is not valid YAML for a list
        types: [opened]
        branches:
            - master
            - main
            - develop
jobs:
    run-security-scan:
        name: 'Untamed Theory CI Security Scan'
        uses: untamed-theory/shared-workflows/.github/workflows/ci-security-scan.yml@main

About this workflow

This workflow automatically scans CI configuration files for known injectable syntax and other known security vulnerabilities and misconfigurations. It uses the Checkov scanner under the hood.

It will detect and assess:

  • GitHub Actions workflow files
  • GitLab CI files
  • Bitbucket Pipelines configuration files

Config

| Parameter | Default | Description |
|---|---|---|
| enforce-status-check | false | When true, fails the status check if vulnerabilities are found |
| file-name | 'ci-security-scan-results.sarif' | Name for the zip file of scan artifacts |

SAST-Security-Scan

Get Started

To set up this workflow, create a new file at {repo_root}/.github/workflows/security-scan.yml and paste in the following:

name: "My Security Scan"
on:
    pull_request:
        # a flow sequence is required here; "types: - opened" is not valid YAML for a list
        types: [opened]
        branches:
            - master
            - main
            - develop
jobs:
    run-security-scan:
        name: 'Untamed Theory Security Scan'
        uses: untamed-theory/shared-workflows/.github/workflows/security-scan.yml@main

About this workflow

This is a quick, holistic scan of the source code in your repo using the [ShiftLeft Scanner](https://github.com/ShiftLeftSecurity/sast-scan). It can block Pull Request status checks on vulnerabilities found (Critical and High), or it can run non-blocking scans while still producing an artifact.

It will automatically assess and run the following (where applicable):

  • Static Code Analysis
  • Dependency Vulnerability Scans
  • Credential Detection Scans
  • Infrastructure as Code (IaC) Analysis
  • Dockerfile and Kubernetes Analysis

Parameters & Config

| Parameter | Default | Description |
|---|---|---|
| enforce-status-check | false | When true, fails the status check if vulnerabilities are found |
| file-name | 'security-scan-artifacts' | Name for the zip file of scan artifacts |
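The two Get Started snippets above each call one reusable workflow with its defaults. The following caller workflow is an added example (not code from the untamed-theory/shared-workflows repo) that runs both scans from one file and passes the documented parameters via `with:`; it assumes `enforce-status-check` and `file-name` are `workflow_call` inputs of the reusable workflows, and it goes beyond the snippets above by also re-running the scans on later pushes to the PR and by setting least-privilege permissions on the caller.

```yaml
# Added example, not part of the shared-workflows repo. Assumes the called
# workflows declare `enforce-status-check` and `file-name` as workflow_call
# inputs, as the parameter tables describe.
name: "Security Scans"
on:
    pull_request:
        # `synchronize` re-runs both scans when new commits are pushed to the
        # PR, so a commit added after the PR was opened is still scanned.
        types: [opened, synchronize, reopened]
        branches:
            - master
            - main
            - develop

# Least privilege for the caller: a called reusable workflow can only use
# permissions equal to or narrower than the caller's. If a called workflow
# uploads results to GitHub Code Scanning it additionally needs
# `security-events: write`; widen only what a scan documents as required.
permissions:
    contents: read

jobs:
    ci-config-scan:
        name: 'CI Security Scan (blocking)'
        # `@main` tracks upstream changes automatically. To make the called
        # workflow immutable, reference a full commit SHA instead
        # (placeholder: ...@<commit-sha>).
        uses: untamed-theory/shared-workflows/.github/workflows/ci-security-scan.yml@main
        with:
            enforce-status-check: true          # fail the PR check on findings
            file-name: 'ci-config-findings.sarif'

    sast-scan:
        name: 'SAST Security Scan (report only)'
        uses: untamed-theory/shared-workflows/.github/workflows/security-scan.yml@main
        with:
            enforce-status-check: false         # non-blocking; artifact still produced
            file-name: 'sast-findings'
```

Both jobs run in parallel; only the CI-config job can fail the PR, while the SAST job's findings are reviewed from its uploaded artifact.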

About

Untamed Theory - Shared Workflows for GitHub Actions
