Skip to content

Update README.md for CCPA #4

Update README.md for CCPA

Update README.md for CCPA #4

name: git-scan
on:
# Scan changed files in PRs (diff-aware scanning):
pull_request: {}
env:
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
jobs:
scan:
if: github.actor!= 'dependabot-preview[bot]'
name: scan
runs-on:
group: Checks
labels: checks
timeout-minutes: 5
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- run: pwd
- run: ls -la
- name: Run vulnerable code scan
id: grype-scan
run: |
echo "Disabled"
# /usr/local/bin/grype dir:. \
# --only-fixed \
# --by-cve \
# --fail-on critical \
# --add-cpes-if-none
continue-on-error: true
- name: Run semgrep
id: semgrep-scan
run: |
/home/ubuntu/.pyenv/shims/semgrep scan \
-j 2 \
--use-git-ignore \
--exclude="dist*" \
--config auto \
--timeout 10 \
--time
timeout-minutes: 3
continue-on-error: true
- name: Run gitleaks
id: gitleaks-scan
run: |
/usr/local/bin/gitleaks detect \
--redact \
-v \
--log-level=warn \
--max-target-megabytes=10 \
--no-git
continue-on-error: true
- name: Find Comment
uses: peter-evans/find-comment@v2
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: "github-actions[bot]"
body-regex: "Security scan is turned on for this repository.*"
- name: Create comment
uses: peter-evans/create-or-update-comment@v3
if: ${{ steps.grype-scan.outcome == 'failure' || steps.semgrep-scan.outcome == 'failure' || steps.gitleaks-scan.outcome == 'failure' }}
with:
issue-number: ${{ github.event.pull_request.number }}
body: |
Security scan is turned on for this repository.
Please go to [Actions](https://github.com/${{ github.repository_owner }}/${{ github.event.repository.name }}/actions/workflows/required/ParticleMedia/action-workflow/actions/gitleaks/workflow.yaml) check the findings and fix them.
- grype check ${{ steps.grype-scan.outcome }}
- semgrep check ${{ steps.semgrep-scan.outcome }}
- gitleaks check ${{ steps.gitleaks-scan.outcome }}
reactions: eyes