Securing via GitHub Actions

GitHub Actions is a CI platform built into GitHub that lets us run a CI pipeline whenever our code changes.

We will add these GitHub Actions workflows:

  • Secret detection using gitleaks.

  • SAST using Bandit.

  • SCA (software composition analysis) using Safety.

  • IaC scanning using KICS.

Let's begin.
Create the folder .github/workflows in your project's directory.
All the workflow files below go in that folder.

Gitleaks

Create a file called gitleaks.yml and copy this content into it:

name: gitleaks - secret detection
on:
  pull_request:
  push:
    branches:
      - main

jobs:
  scan:
    name: gitleaks
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0   # full clone, so commits before HEAD are scanned too
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Repositories owned by an organization also need a license key:
          # GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

SAST (Static Application Security Testing)

Let's create the workflow sast.yml
and copy this into the file:

name: Test SAST Bandit action PR comment

on:
  pull_request:
  push:
    branches:
      - main

jobs:
  bandit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: jpetrucciani/bandit-check@master  # tracks a branch; pin a release tag or commit SHA so the action cannot change underneath you

SCA - Dependency Check

Let's create the workflow sca.yml
and copy this into the file:

# This is a basic workflow to help you get started with Actions

name: SCA Dependency Check

on:
  pull_request:
  push:
    branches:
      - main

  # Allows you to run this workflow manually from the Actions tab
  # workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  SCA:
    runs-on: ubuntu-latest
    name: Dependency-Checker
    steps:
      - uses: actions/checkout@v3
      - run: |
          pip install safety
      - run: |
          # exits non-zero when a pinned dependency has a known vulnerability, failing the job
          safety check -r requirements.txt

IaC Scanning with KICS

Let's create the workflow iac.yml
and copy this into the file:

name: Test KICS action PR comment

on:
  pull_request:
  push:
    branches:
      - main
    
jobs:
  kics:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - name: run kics Scan
      uses: checkmarx/kics-github-action@v1.6
      with:
        path: serverless.yml   # the IaC file to scan; a directory or a comma-separated list also works
        token: ${{ secrets.GITHUB_TOKEN }}
        output_path: myResults/
        enable_comments: true
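Bringing the four workflows together, as an added example that is not from the original page: one file running them as parallel jobs, with the default GITHUB_TOKEN restricted to read-only and pull-requests: write granted only to the jobs that post PR comments. The permissions keys and KICS's fail_on input are GitHub Actions and kics-github-action features; the job names and the high,medium threshold are my choice, and a write scope on the gitleaks job assumes you keep its PR commenting enabled.

```yaml
# Added example (not from the original page): all four scanners in one workflow, each job holding only the token scope it needs.
name: security-checks
on:
  pull_request:
  push:
    branches:
      - main
permissions:
  contents: read            # default for every job: checkout only
jobs:
  gitleaks:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # gitleaks-action comments on the PR when it finds a secret
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0    # full history, so earlier commits are scanned too
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  bandit:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # needed only for the PR comment the action posts
    steps:
      - uses: actions/checkout@v3
      - uses: jpetrucciani/bandit-check@master  # mutable ref; prefer a tag or SHA
  sca:
    runs-on: ubuntu-latest  # read-only token is enough: nothing is written back
    steps:
      - uses: actions/checkout@v3
      - run: pip install safety
      - run: safety check -r requirements.txt   # non-zero exit fails the job
  kics:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v3
      - uses: checkmarx/kics-github-action@v1.6
        with:
          path: serverless.yml
          token: ${{ secrets.GITHUB_TOKEN }}
          output_path: myResults/
          enable_comments: true
          fail_on: high,medium  # gate on high/medium only; low/info are reported, not blocking
```

If a job fails with a permissions error when it tries to comment, that job's permissions block is the place to look, not the repository-wide setting.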