Check Security Features #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow is designed to run on demand only. | |
| # See the repos API for more information: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28 | |
| # A repository secret named GH_PAT is required to run this workflow. It must have the "security_events" read permission. | |
| # If any check fails, the workflow will exit with a non-zero status. | |
| name: "Check Security Features" | |
| on: | |
| workflow_dispatch: | |
| jobs: | |
| check: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check Dependabot | |
| id: check_dependabot | |
| run: | | |
| echo "Checking if Dependabot is enabled..." | |
| DEPENDABOT=$(curl -s -H "Authorization: Bearer ${{ secrets.GH_PAT }}" https://api.github.com/repos/${{ github.repository }}/dependabot/alerts) | |
| echo "Dependabot response: $DEPENDABOT" | |
| if [[ -z "$DEPENDABOT" ]] || [[ "$DEPENDABOT" == "null" ]]; then | |
| echo "Dependabot is not enabled" | |
| exit 1 | |
| else | |
| echo "Dependabot is enabled" | |
| fi | |
| - name: Check Secret Scanning | |
| id: check_secret_scanning_features | |
| run: | | |
| echo "Checking if Secret Scanning is enabled..." | |
| REPO_SETTINGS=$(curl -s -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GH_PAT }}" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/${{ github.repository }}) | |
| SECRET_SCANNING=$(echo "$REPO_SETTINGS" | jq -r '.security_and_analysis.secret_scanning.status') | |
| SECRET_SCANNING_PUSH_PROTECTION=$(echo "$REPO_SETTINGS" | jq -r '.security_and_analysis.secret_scanning_push_protection.status') | |
| echo "Secret Scanning status: $SECRET_SCANNING" | |
| echo "Secret Scanning Push Protection status: $SECRET_SCANNING_PUSH_PROTECTION" | |
| if [[ "$SECRET_SCANNING" != "enabled" ]]; then | |
| echo "Secret Scanning is not enabled" | |
| exit 1 | |
| fi | |
| if [[ "$SECRET_SCANNING_PUSH_PROTECTION" != "enabled" ]]; then | |
| echo "Secret Scanning Push Protection is not enabled" | |
| exit 1 | |
| fi | |
| - name: Check Code Scanning Analyses | |
| id: check_code_scanning_analyses | |
| run: | | |
| echo "Checking if Code Scanning Analyses are present..." | |
| CODE_SCANNING_ANALYSES=$(curl -s -L -H "Accept: application/vnd.github.v3+json" -H "Authorization: Bearer ${{ secrets.GH_PAT }}" https://api.github.com/repos/${{ github.repository }}/code-scanning/analyses) | |
| TOOLS=$(echo "$CODE_SCANNING_ANALYSES" | jq -r '[.[] | .tool.name] | unique') | |
| echo "Tools: $TOOLS" | |
| if [[ "$TOOLS" == "[]" ]] || [[ "$TOOLS" == "null" ]]; then | |
| echo "No tools found in Code Scanning Analyses" | |
| exit 1 | |
| else | |
| echo "Tools found in Code Scanning Analyses" | |
| fi | |
| - name: Final Report | |
| run: | | |
| if [[ "${{ steps.check_dependabot.outcome }}" == "failure" ]]; then | |
| echo "Dependabot check failed" | |
| fi | |
| if [[ "${{ steps.check_secret_scanning_features.outcome }}" == "failure" ]]; then | |
| echo "Security features check failed" | |
| fi | |
| if [[ "${{ steps.check_code_scanning_analyses.outcome }}" == "failure" ]]; then | |
| echo "Code Scanning Analyses check failed" | |
| fi | |
| if [[ "${{ steps.check_dependabot.outcome }}" == "success" ]] && [[ "${{ steps.check_secret_scanning_features.outcome }}" == "success" ]] && [[ "${{ steps.check_code_scanning_analyses.outcome }}" == "success" ]]; then | |
| echo "All checks passed. Good job!" | |
| fi | |