From 715c50ffd3f5e257cea38fd2849b805258cf8c7a Mon Sep 17 00:00:00 2001
From: Mike Odom <47093906+modom-ofn@users.noreply.github.com>
Date: Thu, 4 Dec 2025 21:00:01 -0500
Subject: [PATCH] ci: add gitleaks scanning and syft sbom + grype checks
---
 .../build-and-publish-auth-portal.yml | 49 +++++++++++++++++++
 .pre-commit-config.yaml | 6 +++
 README.md | 12 +++++
 3 files changed, 67 insertions(+)
 create mode 100644 .pre-commit-config.yaml
diff --git a/.github/workflows/build-and-publish-auth-portal.yml b/.github/workflows/build-and-publish-auth-portal.yml
index dcde742..a9891a0 100644
--- a/.github/workflows/build-and-publish-auth-portal.yml
+++ b/.github/workflows/build-and-publish-auth-portal.yml
@@ -36,6 +36,13 @@ jobs:
 with:
 fetch-depth: 0
+ - name: Secret scan (Gitleaks)
+ uses: gitleaks/gitleaks-action@44c470ffc35caa8b1eb3e8012ca53c2f9bea4eb5
+ with:
+ args: detect --source . --no-git --redact
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 - name: Set up Go cache (optional)
 uses: actions/cache@v4
 with:
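Review bot: The Gitleaks step passes `--no-git`, so it scans only the checked-out working tree even though the checkout just above uses `fetch-depth: 0`; a secret that was committed and later removed stays in history and is never reported by this step. If history scanning is the intent, drop `--no-git` so `detect` walks the git log and the full fetch pays off; if a working-tree-only scan is deliberate, say so in a comment on the step, e.g. `# working tree only; history is not scanned here`. Whether the pinned gitleaks-action revision honours a `with: args` input is not visible here — the v2 line of that action is configured through `GITLEAKS_*` environment variables and ignores unknown inputs — so confirm the flags, in particular `--redact`, actually reach the binary, otherwise findings could be logged unredacted.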
@@ -132,6 +139,47 @@ jobs:
 ${{ steps.vars.outputs.minor && format('{0}:{1}', env.IMAGE, steps.vars.outputs.minor) || '' }}
 ${{ steps.vars.outputs.major && format('{0}:{1}', env.IMAGE, steps.vars.outputs.major) || '' }}
+ - name: Install Syft
+ if: github.event_name != 'pull_request'
+ shell: bash
+ run: |
+ set -euo pipefail
+ SYFT_VERSION="v0.99.0"
+ curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | \
+ sh -s -- -b /usr/local/bin "$SYFT_VERSION"
+
+ - name: Generate SBOM (Syft)
+ if: github.event_name != 'pull_request'
+ shell: bash
+ run: |
+ set -euo pipefail
+ syft "${IMAGE}:${{ steps.vars.outputs.sha }}" -o cyclonedx-json > auth-portal-sbom.cdx.json
+ ls -lh auth-portal-sbom.cdx.json
+
+ - name: Upload SBOM artifact
+ if: github.event_name != 'pull_request'
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ with:
+ name: auth-portal-sbom-${{ steps.vars.outputs.sha }}
+ path: auth-portal-sbom.cdx.json
+ retention-days: 14
+
+ - name: Install Grype
+ if: github.event_name != 'pull_request'
+ shell: bash
+ run: |
+ set -euo pipefail
+ GRYPE_VERSION="v0.99.1"
+ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | \
+ sh -s -- -b /usr/local/bin "$GRYPE_VERSION"
+
+ - name: Vulnerability scan (Grype)
+ if: github.event_name != 'pull_request'
+ shell: bash
+ run: |
+ set -euo pipefail
+ grype sbom:auth-portal-sbom.cdx.json -o table --fail-on high
+
 - name: Scan image with Trivy
 if: github.event_name != 'pull_request'
 uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
@@ -149,3 +197,4 @@ jobs:
 uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b
 with:
 generate_release_notes: true
+ files: auth-portal-sbom.cdx.json
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..60bb61f
--- /dev/null
+++ b/.pre-commit-config.yaml
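Review bot: Both install steps fetch `install.sh` from the `main` branch of the anchore repositories and pipe it straight into `sh`, so only the tool binary is pinned (`SYFT_VERSION`, `GRYPE_VERSION`) while the code that downloads and verifies it is a mutable ref with nothing checking its integrity — at odds with the rest of this workflow, which pins every action to a commit SHA. Pin the script to the same release, e.g. `curl -sSfL "https://raw.githubusercontent.com/anchore/syft/${SYFT_VERSION}/install.sh" | \` (and likewise for grype), or replace the two curl steps with the anchore sbom/scan actions pinned by SHA like the neighbouring `actions/upload-artifact` step. Separately, the Grype gate (`--fail-on high`) runs after the step whose `tags:` expressions appear as context at the top of the hunk; if that step has already pushed the image, a failing scan stops the release but not the publication, so either move the SBOM and scan ahead of the push or note in the step that it gates the GitHub release only. Without `--only-fixed` or a `.grype.yaml` ignore list the gate will also trip on findings with no available fix, which is worth deciding explicitly rather than discovering on the first red build.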
@@ -0,0 +1,6 @@
+repos:
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.9.0
+ hooks:
+ - id: gitleaks
+ args: [--staged, --redact]
diff --git a/README.md b/README.md
index c2f2290..706ced5 100644
--- a/README.md
+++ b/README.md
@@ -686,6 +686,8 @@ DEBUG plex: resources match via machine id
 Automated security checks run on this project:
+- Syft SBOM + Grype: SBOM generated from the built image; Grype scans that SBOM.
+- Gitleaks: secret scanning on every push/PR; local hook below to keep commits clean.
 - GitHub CodeQL: static analysis for code-level vulnerabilities in every PR and on main.
 - Trivy: container and dependency scans to catch OS and library CVEs in our images.
 - Docker Scout: image-level vulnerability insights for each commit/tag, including base image and layer analysis.
@@ -693,6 +695,16 @@ Automated security checks run on this project:
 If you spot an issue or have questions about these scans, please open an issue or reach out.
+### Local secret scanning (pre-commit)
+
+Run Gitleaks locally before pushing:
+
+```bash
+pip install pre-commit
+pre-commit install
+pre-commit run --all-files
+```
+
 ---
 ## Contributing
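Review bot: `rev: v8.9.0` pins the local hook to a gitleaks release several years behind whatever the SHA-pinned CI action runs, so the detection rules differ between the two and a secret can pass the pre-commit hook and still fail the push; bump `rev` to a current tag and keep it refreshed with `pre-commit autoupdate`. The upstream hook definition for this id already appears to pass `--staged` and `--redact` in its own `entry`, in which case the `args` line is redundant — confirm against the hook file at the pinned rev and drop it if so. Worth a comment in the file that this hook is opt-in per developer and the CI Gitleaks step remains the enforcing control, e.g. `# advisory only; CI runs Gitleaks on every push/PR`.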