ci: add gitleaks scanning and syft sbom + grype checks

2025-12-17 21:54:17 -06:00 · 2025-12-04 21:00:01 -05:00
parent ca41a11510
commit 715c50ffd3
3 changed files with 67 additions and 0 deletions
--- a/.github/workflows/build-and-publish-auth-portal.yml
+++ b/.github/workflows/build-and-publish-auth-portal.yml
@@ -36,6 +36,13 @@ jobs:
        with:
          fetch-depth: 0

+      - name: Secret scan (Gitleaks)
+        uses: gitleaks/gitleaks-action@44c470ffc35caa8b1eb3e8012ca53c2f9bea4eb5
+        with:
+          args: detect --source . --no-git --redact
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
      - name: Set up Go cache (optional)
        uses: actions/cache@v4
        with:
@@ -132,6 +139,47 @@ jobs:
            ${{ steps.vars.outputs.minor && format('{0}:{1}', env.IMAGE, steps.vars.outputs.minor) || '' }}
            ${{ steps.vars.outputs.major && format('{0}:{1}', env.IMAGE, steps.vars.outputs.major) || '' }}

+      - name: Install Syft
+        if: github.event_name != 'pull_request'
+        shell: bash
+        run: |
+          set -euo pipefail
+          SYFT_VERSION="v0.99.0"
+          curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | \
+            sh -s -- -b /usr/local/bin "$SYFT_VERSION"
+
+      - name: Generate SBOM (Syft)
+        if: github.event_name != 'pull_request'
+        shell: bash
+        run: |
+          set -euo pipefail
+          syft "${IMAGE}:${{ steps.vars.outputs.sha }}" -o cyclonedx-json > auth-portal-sbom.cdx.json
+          ls -lh auth-portal-sbom.cdx.json
+
+      - name: Upload SBOM artifact
+        if: github.event_name != 'pull_request'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+        with:
+          name: auth-portal-sbom-${{ steps.vars.outputs.sha }}
+          path: auth-portal-sbom.cdx.json
+          retention-days: 14
+
+      - name: Install Grype
+        if: github.event_name != 'pull_request'
+        shell: bash
+        run: |
+          set -euo pipefail
+          GRYPE_VERSION="v0.99.1"
+          curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \
+            sh -s -- -b /usr/local/bin "$GRYPE_VERSION"
+
+      - name: Vulnerability scan (Grype)
+        if: github.event_name != 'pull_request'
+        shell: bash
+        run: |
+          set -euo pipefail
+          grype sbom:auth-portal-sbom.cdx.json -o table --fail-on high
+
      - name: Scan image with Trivy
        if: github.event_name != 'pull_request'
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
@@ -149,3 +197,4 @@ jobs:
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
        with:
          generate_release_notes: true
+          files: auth-portal-sbom.cdx.json
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,6 @@
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.9.0
+    hooks:
+      - id: gitleaks
+        args: [--staged, --redact]
--- a/README.md
+++ b/README.md
@@ -686,6 +686,8 @@ DEBUG plex: resources match via machine id

 Automated security checks run on this project:

+- Syft SBOM + Grype: SBOM generated from the built image; Grype scans that SBOM.
+- Gitleaks: secret scanning on every push/PR; local hook below to keep commits clean.
 - GitHub CodeQL: static analysis for code-level vulnerabilities in every PR and on main.
 - Trivy: container and dependency scans to catch OS and library CVEs in our images.
 - Docker Scout: image-level vulnerability insights for each commit/tag, including base image and layer analysis.
@@ -693,6 +695,16 @@ Automated security checks run on this project:

 If you spot an issue or have questions about these scans, please open an issue or reach out.

+### Local secret scanning (pre-commit)
+
+Run Gitleaks locally before pushing:
+
+```bash
+pip install pre-commit
+pre-commit install
+pre-commit run --all-files
+```
+
 ---

 ## Contributing