Security Scanning #294
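---
# Security scanning workflow for the repository's components: secret scanning,
# dependency vulnerability scanning, container image scanning, SAST and license
# compliance for the `manager` (Python) and `proxy` (Go) components, followed by
# a summary job that collects the uploaded artifacts.
name: Security Scanning

# `on` is read as a YAML 1.1 boolean key by generic loaders; GitHub's loader
# handles it as the trigger map.
on:
  push:
    branches: [main, develop]
    paths:
      - 'manager/**'
      - 'proxy/**'
      - 'proxy-egress/**'
      - 'proxy-ingress/**'
      - '.version'
      - '.github/workflows/security.yml'
  pull_request:
    branches: [main]
    paths:
      - 'manager/**'
      - 'proxy/**'
      - 'proxy-egress/**'
      - 'proxy-ingress/**'
      - '.version'
      # Re-run on changes to the workflow itself, matching the push filter.
      - '.github/workflows/security.yml'
  schedule:
    # Run security scans daily at 2 AM UTC
    - cron: '0 2 * * *'
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: read-only by default. The jobs that upload
# SARIF to code scanning (container-scan, sast-scan) opt in to
# `security-events: write` at job level.
permissions:
  contents: read

jobs:
  secret-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Full history so TruffleHog can scan the base..head range rather
          # than only the checked-out tree.
          fetch-depth: 0

      - name: Run TruffleHog
        # NOTE(review): `@main` is a mutable ref; pinning to a release tag or
        # commit SHA keeps the scanner from changing underneath the workflow.
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          # NOTE(review): on pushes to main, scheduled runs and manual
          # dispatch, `main` and `HEAD` resolve to the same commit, so the
          # base..head range is empty — confirm the intended range for those
          # events.
          base: main
          head: HEAD
          extra_args: --debug --only-verified

  dependency-scan:
    name: Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    strategy:
      matrix:
        component: [manager, proxy]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python (for manager)
        if: matrix.component == 'manager'
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Set up Go (for proxy)
        if: matrix.component == 'proxy'
        uses: actions/setup-go@v5
        with:
          go-version: '1.21'

      - name: Scan Python dependencies
        if: matrix.component == 'manager'
        # `|| true` keeps the job green so the reports are always produced and
        # uploaded; findings are advisory (reviewed from the artifact), not
        # blocking.
        run: |
          cd manager
          pip install safety
          safety check -r requirements.txt --json --output safety-report.json || true
          pip install pip-audit
          pip-audit -r requirements.txt --format=json --output=pip-audit-report.json || true

      - name: Scan Go dependencies
        if: matrix.component == 'proxy'
        # NOTE(review): `@latest` resolves to whatever govulncheck release is
        # current at run time; pin a version for reproducible runs.
        run: |
          cd proxy
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck -json ./... > govulncheck-report.json || true

      - name: Upload dependency scan results
        # v3 of the artifact actions is deprecated; v4 requires artifact names
        # to be unique per run, which the matrix suffix guarantees.
        uses: actions/upload-artifact@v4
        with:
          name: dependency-scan-${{ matrix.component }}
          path: ${{ matrix.component }}/*-report.json

  container-scan:
    name: Container Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required by codeql-action/upload-sarif to publish code scanning alerts.
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build images for scanning
        # Assumes a multi-stage Dockerfile at the repository root with
        # `manager` and `proxy` stages — TODO confirm.
        run: |
          docker build -t marchproxy/manager:scan --target manager .
          docker build -t marchproxy/proxy:scan --target proxy .

      - name: Run Trivy container scan - Manager
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: 'marchproxy/manager:scan'
          format: 'sarif'
          output: 'trivy-manager-results.sarif'

      - name: Run Trivy container scan - Proxy
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: 'marchproxy/proxy:scan'
          format: 'sarif'
          output: 'trivy-proxy-results.sarif'

      - name: Upload Trivy scan results - Manager
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-manager-results.sarif'
          # Two SARIF uploads from the same tool and commit need distinct
          # categories; without one the second upload is treated as the same
          # analysis as the first.
          category: trivy-manager

      - name: Upload Trivy scan results - Proxy
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-proxy-results.sarif'
          category: trivy-proxy

  sast-scan:
    name: Static Application Security Testing
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required by codeql-action/upload-sarif to publish code scanning alerts.
      security-events: write
    strategy:
      matrix:
        component: [manager, proxy]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python (for manager)
        if: matrix.component == 'manager'
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Set up Go (for proxy)
        if: matrix.component == 'proxy'
        uses: actions/setup-go@v5
        with:
          go-version: '1.21'

      - name: Run Bandit (Python SAST)
        if: matrix.component == 'manager'
        run: |
          cd manager
          pip install bandit[toml]
          bandit -r . -f json -o bandit-report.json || true

      - name: Run Gosec (Go SAST)
        if: matrix.component == 'proxy'
        # gosec's canonical module path is github.com/securego/gosec; the
        # securecodewarrior path used previously is a fork, and `go install`
        # rejects a module whose go.mod declares a different path.
        run: |
          cd proxy
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          gosec -fmt json -out gosec-report.json ./... || true

      - name: Run Semgrep
        # NOTE(review): this step is not gated on the matrix, so both matrix
        # legs scan the whole checkout; the category below keeps the two
        # uploads from overwriting each other.
        uses: returntocorp/semgrep-action@v1
        with:
          config: >-
            p/security-audit
            p/secrets
            p/owasp-top-ten
          generateSarif: "1"

      - name: Upload Semgrep results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: semgrep.sarif
          category: semgrep-${{ matrix.component }}
        if: always()

      - name: Upload SAST results
        uses: actions/upload-artifact@v4
        with:
          name: sast-scan-${{ matrix.component }}
          path: ${{ matrix.component }}/*-report.json

  license-compliance:
    name: License Compliance Check
    runs-on: ubuntu-latest
    strategy:
      matrix:
        component: [manager, proxy]
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Python (for manager)
        if: matrix.component == 'manager'
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Set up Go (for proxy)
        if: matrix.component == 'proxy'
        uses: actions/setup-go@v5
        with:
          go-version: '1.21'

      - name: Check Python licenses
        if: matrix.component == 'manager'
        # pip-licenses reports the packages installed in the environment, so
        # the project's requirements must be installed first; otherwise only
        # pip-licenses' own dependencies are checked.
        # NOTE(review): `--fail-on` compares against license names as reported
        # by package metadata; confirm the short tokens match the full license
        # strings in use (e.g. a "GNU ... (GPLv3)" classifier).
        run: |
          cd manager
          pip install -r requirements.txt
          pip install pip-licenses
          pip-licenses --format=json --output-file=python-licenses.json
          pip-licenses --fail-on="GPL;LGPL;AGPL" --ignore-packages marchproxy

      - name: Check Go licenses
        if: matrix.component == 'proxy'
        # Assumes proxy/licenses.tpl exists — TODO confirm. The report is
        # best-effort (`|| true`); the `check` line is what fails the job.
        run: |
          cd proxy
          go install github.com/google/go-licenses@latest
          go-licenses report . --template licenses.tpl > go-licenses.json || true
          go-licenses check . --disallowed_types=forbidden,restricted

      - name: Upload license reports
        uses: actions/upload-artifact@v4
        with:
          name: license-report-${{ matrix.component }}
          path: ${{ matrix.component }}/*-licenses.json

  security-report:
    name: Generate Security Report
    runs-on: ubuntu-latest
    needs: [secret-scan, dependency-scan, container-scan, sast-scan, license-compliance]
    # Always produce the summary, even when an upstream scan job failed.
    if: always()
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Download all artifacts
        # With no `name`, every artifact of the run is downloaded into a
        # directory named after the artifact, which the checks below rely on.
        uses: actions/download-artifact@v4

      - name: Generate security summary
        # The summary only records which scans produced artifacts; it does not
        # inspect findings. It is also appended to the run's step summary so
        # it is visible without downloading the artifact.
        run: |
          echo "# Security Scan Summary" > security-summary.md
          echo "Generated on: $(date)" >> security-summary.md
          echo "" >> security-summary.md
          echo "## Dependency Scans" >> security-summary.md
          if [ -d "dependency-scan-manager" ]; then
            echo "- Manager dependency scan completed" >> security-summary.md
          fi
          if [ -d "dependency-scan-proxy" ]; then
            echo "- Proxy dependency scan completed" >> security-summary.md
          fi
          echo "" >> security-summary.md
          echo "## SAST Scans" >> security-summary.md
          if [ -d "sast-scan-manager" ]; then
            echo "- Manager SAST scan completed" >> security-summary.md
          fi
          if [ -d "sast-scan-proxy" ]; then
            echo "- Proxy SAST scan completed" >> security-summary.md
          fi
          echo "" >> security-summary.md
          echo "## License Compliance" >> security-summary.md
          if [ -d "license-report-manager" ]; then
            echo "- Manager license check completed" >> security-summary.md
          fi
          if [ -d "license-report-proxy" ]; then
            echo "- Proxy license check completed" >> security-summary.md
          fi
          cat security-summary.md
          cat security-summary.md >> "$GITHUB_STEP_SUMMARY"

      - name: Upload security summary
        uses: actions/upload-artifact@v4
        with:
          name: security-summary
          path: security-summary.md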