forked from crewAIInc/crewAI
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
5e2889c
commit 035d2e3
Showing
1 changed file
with
39 additions
and
18 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,47 +1,68 @@ | ||
| name: "CodeQL with Extended Checks and YAML Security Analysis" | ||
| name: "CodeQL Security Scan" | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ "main" ] | ||
| pull_request: | ||
| branches: [ "main" ] | ||
|
|
||
| jobs: | ||
| analyze: | ||
| name: Analyze Python Code and YAML Files | ||
| name: Analyze | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
|
|
||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| include: | ||
| - language: python | ||
| build-mode: none | ||
| language: [ 'python', 'javascript' ] # 'javascript' will analyze YAML files | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v3 | ||
|
|
||
| # Initializes the CodeQL tools for scanning. | ||
| - name: Initialize CodeQL | ||
| uses: github/codeql-action/init@v3 | ||
| uses: github/codeql-action/init@v2 | ||
| with: | ||
| languages: ${{ matrix.language }} | ||
| queries: +security-extended,security-and-quality | ||
| queries: +security-and-quality,+security-extended | ||
|
|
||
| - name: Perform CodeQL Analysis on Python Code | ||
| uses: github/codeql-action/analyze@v3 | ||
| - name: Perform CodeQL Analysis | ||
| uses: github/codeql-action/analyze@v2 | ||
| with: | ||
| category: "/language:${{matrix.language}}" | ||
|
|
||
| - name: Initialize CodeQL for YAML | ||
| uses: github/codeql-action/init@v3 | ||
| analyze-actions: | ||
| name: Analyze GitHub Actions | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| actions: read | ||
| contents: read | ||
| security-events: write | ||
|
|
||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Run yaml-lint | ||
| uses: ibiqlik/action-yamllint@v3 | ||
| with: | ||
| file_or_dir: .github/workflows | ||
| config_file: .yamllint.yml | ||
|
|
||
| - name: Run Trivy vulnerability scanner in IaC mode | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| languages: yaml | ||
| scan-type: 'config' | ||
| hide-progress: false | ||
| format: 'sarif' | ||
| output: 'trivy-results.sarif' | ||
| severity: 'CRITICAL,HIGH' | ||
|
|
||
| - name: Perform CodeQL Analysis on YAML Files | ||
| uses: github/codeql-action/analyze@v3 | ||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| if: always() | ||
| with: | ||
| category: "/language:yaml" | ||
| sarif_file: 'trivy-results.sarif' |