-
Notifications
You must be signed in to change notification settings - Fork 0
367 lines (334 loc) · 13.8 KB
/
security.yml
File metadata and controls
367 lines (334 loc) · 13.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
# Consolidated OSS-CLI security stack — RAN-55.
#
# Mirrors the (B) OSS-CLI stack from the codeiq sibling, language-adapted for
# Vigil's PowerShell + WPF tree:
#
# * Semgrep (SAST) — `p/default` + `p/security-audit` registry packs;
# covers GHA YAML, generic secret-audit, and miscellaneous rules. The
# PowerShell ruleset is small upstream so most signal here will come from
# the workflow / config files in the repo.
# * OSV-Scanner (deps) — Vigil ships no language lockfile, so this scan is
# largely a no-op today. Kept in place so coverage flips on automatically
# if a `*.lock` is ever added (e.g., a Node tooling subpackage).
# * Trivy (filesystem CVEs + IaC misconfig) — language-agnostic; main
# value here is GitHub Actions YAML and any binary asset we ever drop in.
# * Gitleaks (secret scan) — full git history.
# * jscpd (copy-paste detection) — supports PowerShell via tokenization.
# * anchore/sbom-action (SBOM) — Syft → SPDX over the source tree;
# populates the GitHub Dependency Submission API on push to `main`.
#
# Each tool publishes its findings as SARIF to GitHub code scanning where
# supported and uploads the raw report as a workflow artifact regardless,
# so the Security tab plus the artifact tarball are both first-class
# observability surfaces. SARIF upload jobs use `continue-on-error: true`
# during the OSS-CLI bootstrap window because GitHub may already have a
# default-setup CodeQL category bound (same trap that bit codeiq's PR #74).
# Findings still appear in the workflow logs and artifacts; promotion to
# gate-blocking happens once the baseline is clean.
#
# Cron: Mondays 06:00 UTC, same window as `scorecard.yml` so the weekly
# observability sweep runs together. All third-party actions and Docker
# images are pinned by commit SHA / digest-equivalent tag, in line with
# OpenSSF Scorecard `Pinned-Dependencies`.
name: Security supply-chain scan
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: "0 6 * * 1"
workflow_dispatch:
# Restrict default GITHUB_TOKEN to read-only; jobs opt into narrower writes.
permissions: read-all
jobs:
# ------------------------------------------------------------------
# Semgrep — SAST. Runs the official `semgrep` PyPI distribution rather
# than the deprecated `semgrep/semgrep-action` (last release 2023). The
# `p/default` registry pack covers YAML / GHA / generic rules; PowerShell
# coverage is light upstream but the security-audit pack still catches
# secret-shaped strings and dangerous patterns in shell + workflow files.
# ------------------------------------------------------------------
semgrep:
name: Semgrep SAST
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Harden runner egress
# step-security/harden-runner v2.19.0
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
with:
egress-policy: audit
- name: Checkout code
# actions/checkout v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false
- name: Set up Python
# actions/setup-python v5
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
with:
python-version: "3.12"
- name: Install Semgrep
run: python -m pip install --no-cache-dir 'semgrep==1.140.0'
- name: Run Semgrep
# `--error` would fail the job; we report-only at bootstrap and
# gate later. SARIF goes to code scanning, JSON to artifact.
run: |
semgrep scan \
--config=p/default \
--config=p/security-audit \
--sarif --output=semgrep.sarif \
--metrics=off || true
- name: Upload Semgrep SARIF (artifact)
# actions/upload-artifact v7.0.1
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
if: always()
with:
name: semgrep-sarif
path: semgrep.sarif
retention-days: 7
- name: Upload Semgrep SARIF to GitHub code-scanning
# github/codeql-action/upload-sarif v3.35.2
uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a
if: always()
continue-on-error: true
with:
sarif_file: semgrep.sarif
category: semgrep
# ------------------------------------------------------------------
# OSV-Scanner — second-source CVE feed. Installed from the official
# GitHub release as a binary; we do NOT use `google/osv-scanner-action`
# because its `action.yml` is composite-only and missing the top-level
# `runs:` block, which causes the action to fail with "Top level 'runs:'
# section is required" when invoked as a job step. Same fix codeiq landed
# on its own RAN-52 follow-up. Using the preinstalled `gh` CLI avoids
# any external `curl`/`wget` per /home/dev/.claude/CLAUDE.md.
#
# Vigil currently has no language lockfile to scan, so the recursive
# source scan exits with no findings today. Coverage flips on
# automatically the moment a `*.lock` lands in-tree.
# ------------------------------------------------------------------
osv-scanner:
name: OSV-Scanner deps
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
env:
OSV_SCANNER_VERSION: 2.3.5
# `gh release download` needs an auth token; the default GITHUB_TOKEN
# (read-only, contents:read) is sufficient for public-asset downloads.
GH_TOKEN: ${{ github.token }}
steps:
- name: Harden runner egress
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false
- name: Install osv-scanner
# `gh release download --output` is honoured only when downloading a
# single asset via `--archive` or by exact name; with `--pattern` the
# asset is written to the current dir at its source name. Download
# then move to a stable name. The `--version` smoke step makes any
# future regression surface as a clear error rather than `exit 127`.
run: |
gh release download "v${OSV_SCANNER_VERSION}" \
--repo google/osv-scanner \
--pattern 'osv-scanner_linux_amd64' \
--clobber
mv osv-scanner_linux_amd64 osv-scanner
chmod +x osv-scanner
./osv-scanner --version
- name: Run osv-scanner
# Recursive source scan. Vigil has no language lockfile today, so
# this exits cleanly with no findings; coverage activates the
# moment a `*.lock` is added in-tree. Observation-only at the
# OSS-CLI bootstrap window.
run: |
./osv-scanner \
--recursive \
--skip-git \
--format=sarif \
--output=osv.sarif \
./ || true
- name: Upload OSV SARIF (artifact)
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
if: always()
with:
name: osv-sarif
path: osv.sarif
retention-days: 7
- name: Upload OSV SARIF to GitHub code-scanning
uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a
if: always()
continue-on-error: true
with:
sarif_file: osv.sarif
category: osv-scanner
# ------------------------------------------------------------------
# Trivy — filesystem CVE + IaC misconfig scan. We scan `.` rather
# than a container image because Vigil does not ship images.
# ------------------------------------------------------------------
trivy-fs:
name: Trivy filesystem
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Harden runner egress
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false
- name: Run Trivy filesystem scan
# aquasecurity/trivy-action v0.36.0
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25
with:
scan-type: fs
scan-ref: .
format: sarif
output: trivy.sarif
ignore-unfixed: true
severity: CRITICAL,HIGH
exit-code: "0"
env:
# Mirror the public DB; harden-runner audits egress.
TRIVY_DISABLE_VEX_NOTICE: "true"
- name: Upload Trivy SARIF (artifact)
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
if: always()
with:
name: trivy-sarif
path: trivy.sarif
retention-days: 7
- name: Upload Trivy SARIF to GitHub code-scanning
uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a
if: always()
continue-on-error: true
with:
sarif_file: trivy.sarif
category: trivy-fs
# ------------------------------------------------------------------
# Gitleaks — secret scan over full git history. Run via the upstream
# Docker image rather than the GHA wrapper because gitleaks-action
# requires a GITLEAKS_LICENSE for organization-owned repos
# (RandomCodeSpace is an org). Image is pinned by tag; image digest
# pinning is a follow-up once Scorecard `Pinned-Dependencies` flags it.
# ------------------------------------------------------------------
gitleaks:
name: Gitleaks secret scan
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden runner egress
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
# Need full history so gitleaks can scan every commit.
fetch-depth: 0
persist-credentials: false
- name: Run Gitleaks (Docker image)
run: |
docker run --rm \
-v "${{ github.workspace }}":/repo \
-w /repo \
zricethezav/gitleaks:v8.21.2 \
detect \
--source=/repo \
--report-format=sarif \
--report-path=/repo/gitleaks.sarif \
--redact \
--no-banner || EXIT=$?
# Exit 1 = leaks found; 2 = error. Surface the result without
# gating CI yet — promote to gate once we have a clean baseline.
echo "gitleaks-exit=${EXIT:-0}" >> "$GITHUB_OUTPUT"
id: gitleaks-run
- name: Upload Gitleaks SARIF (artifact)
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
if: always()
with:
name: gitleaks-sarif
path: gitleaks.sarif
retention-days: 7
# ------------------------------------------------------------------
# jscpd — copy-paste detection across the PowerShell tree. Reports
# are uploaded as artifacts; jscpd does not emit SARIF natively
# so we surface markdown + json in artifacts only.
# ------------------------------------------------------------------
jscpd:
name: jscpd duplication
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden runner egress
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false
- name: Set up Node
# actions/setup-node v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
with:
node-version: "20"
- name: Run jscpd
run: |
npx --yes jscpd@4.0.5 \
--silent \
--reporters json,markdown \
--output reports/jscpd \
--languages 'powershell,yaml,markdown' \
--ignore '**/.git/**,**/.vigil/**,**/node_modules/**,**/dist/**,**/*.min.*' \
. || true
- name: Upload jscpd report (artifact)
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
if: always()
with:
name: jscpd-report
path: reports/jscpd
retention-days: 7
# ------------------------------------------------------------------
# SBOM — Syft via anchore/sbom-action. Generates SPDX JSON for the
# source tree. `dependency-snapshot: true` pushes to the GitHub
# Dependency Submission API on push to `main` only — keeps PR runs
# quiet and lets the scheduled run on `main` populate the graph.
# ------------------------------------------------------------------
sbom:
name: Generate SBOM (Syft)
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden runner egress
uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
persist-credentials: false
- name: Generate SBOM
# anchore/sbom-action v0.24.0
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610
with:
path: .
format: spdx-json
artifact-name: vigil.spdx.json
dependency-snapshot: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}