63 lines
2.0 KiB
YAML
63 lines
2.0 KiB
YAML
name: PR -> develop
|
|
|
|
on:
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
- develop
|
|
|
|
env:
|
|
GITLEAKS_VERSION: "8.30.1"
|
|
|
|
jobs:
|
|
|
|
# ── 1. Secret scan ────────────────────────────────────────────────────────────
|
|
gitleaks:
|
|
name: Scan for secrets (Gitleaks)
|
|
runs-on: stage-gatehouse-ui
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Install Gitleaks
|
|
run: |
|
|
if command -v gitleaks >/dev/null 2>&1; then
|
|
echo "gitleaks already installed: $(gitleaks version)"
|
|
exit 0
|
|
fi
|
|
curl -sSfL \
|
|
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
|
|
| tar xz gitleaks
|
|
mv gitleaks /usr/local/bin/gitleaks
|
|
|
|
- name: Run secret scan
|
|
# Scan only the commits this PR introduces (base..head), not the whole history.
|
|
run: |
|
|
gitleaks detect --source . \
|
|
--log-opts="${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}" \
|
|
--exit-code 1 --redact --verbose --log-level debug
|
|
|
|
# ── 2. CVE scan ───────────────────────────────────────────────────────────────
|
|
trivy:
|
|
name: Scan for CVEs (Trivy)
|
|
runs-on: stage-gatehouse-ui
|
|
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Install Trivy
|
|
run: |
|
|
command -v trivy >/dev/null 2>&1 || \
|
|
curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
|
|
| sh -s -- -b /usr/local/bin
|
|
|
|
- name: Run filesystem scan
|
|
run: |
|
|
trivy fs \
|
|
--exit-code 1 \
|
|
--severity HIGH,CRITICAL \
|
|
--no-progress \
|
|
.
|