evanharmon1 is running Security Actions #21
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Test | |
| run-name: ${{ github.actor }} is running Security Actions | |
| on: [pull_request] | |
| jobs: | |
| secrets: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - run: echo "Triggered by a ${{ github.event_name }} event." | |
| - uses: actions/checkout@v3 | |
| # E.g., to check for my `~/Local/.secret` file | |
| - name: Custom check for secret files | |
| run: ./check_for_pattern.sh . "*secret*" | |
| - name: Force the installation of the required versions due to pip not being able to uninstall system packages | |
| run: | | |
| sudo pip install --ignore-installed typing_extensions==4.12.2 | |
| sudo pip install --ignore-installed PyYAML | |
| sudo pip install --ignore-installed jsonschema | |
| - name: Install Whispers | |
| run: sudo pip install whispers | |
| # Use whispers to check repo for unecrypted secrets, passwords, etc. | |
| - name: Run whispers | |
| run: whispers --config test/whisperConfig.yml --severity BLOCKER,CRITICAL . > /tmp/scan_output.json | |
| # Upload Artifacts | |
| - name: Upload the scan output | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: scan_results | |
| path: /tmp/scan_output.json | |
| retention-days: 7 | |
| sast-dependencies: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run Snyk to check for vulnerabilities | |
| uses: snyk/actions/node@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| command: test | |
| args: > | |
| --all-projects | |
| --severity-threshold=high | |
| --show-vulnerable-paths=all | |
| sast-code: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run Snyk to check for vulnerabilities | |
| uses: snyk/actions/node@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| command: code test | |
| args: > | |
| --severity-threshold=high | |
| --json-file-output=snyk-code-test.json |