Skip to content

chore: Add Trivy and Bandit scan workflow #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

chore: Add Trivy and Bandit scan workflow #4

Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
8fca3a5
Add trivy and bandit yaml
AmberJBlue Aug 14, 2025
0ab80c9
Merge pull request #1 from AmberJBlue/add-security-scan
AmberJBlue Aug 14, 2025
ff23941
move to workflows dir
AmberJBlue Aug 14, 2025
926326b
move to workflows dir
AmberJBlue Aug 14, 2025
bfd1bdb
update security-scan.yaml
AmberJBlue Aug 14, 2025
a7cbbc8
Merge pull request #2 from AmberJBlue/add-security-scan
AmberJBlue Aug 14, 2025
fa15326
Pin actions and upload bandit results
AmberJBlue Aug 18, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
82 changes: 82 additions & 0 deletions .github/workflows/security-scan.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,82 @@
name: Security Scan

on:
pull_request:
branches: [main]
push:
branches: [main]
workflow_dispatch:

jobs:
trivy-scan:
name: Trivy
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
checks: write

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Run Trivy vulnerability scan
uses: aquasecurity/trivy-action@77137e9dc3ab1b329b7c8a38c2eb7475850a14e8
with:
scan-type: fs
scan-ref: .
format: sarif
output: trivy-results.sarif
severity: CRITICAL,HIGH,MEDIUM,LOW
exit-code: 0

- name: Check for critical and high vulnerabilities
uses: aquasecurity/trivy-action@77137e9dc3ab1b329b7c8a38c2eb7475850a14e8
with:
scan-type: fs
scan-ref: .
format: table
severity: CRITICAL,HIGH
exit-code: 1

- name: Upload SARIF to Security tab
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif
category: trivy-security-scan

bandit:
name: Bandit
runs-on: ubuntu-latest
permissions:
security-events: write
actions: read
contents: read
checks: write

steps:
- uses: actions/checkout@v4

- name: Run Bandit code scan
uses: PyCQA/bandit-action@67a458d90fa11fb1463e91e7f4c8f068b5863c7f
with:
project_path: .
bandit_args: "-r . -f sarif -o results.sarif"
continue-on-error: true

- name: Upload SARIF results to GitHub Security tab
if: github.ref == 'refs/heads/main'
uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe
with:
sarif_file: results.sarif
category: bandit-security-scan
continue-on-error: true

- name: Upload SARIF as artifact
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: bandit-security-scan