Security Scan #113
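---
# Security scanning workflow: Trivy (service source trees and ECR images),
# CodeQL, and Checkov. Findings are uploaded as SARIF to the repository
# Security tab; the trivy-scan job only fails *after* every report that was
# produced has been uploaded, so findings are never lost by an early exit.
name: Security Scan

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
    paths:
      - 'services/**'
      - 'governance/**'
      - 'infra/**'
      - '.github/workflows/security.yml'
  pull_request:
    branches: [main]
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'

env:
  AWS_REGION: ${{ secrets.AWS_REGION || 'us-east-1' }}
  PROJECT_NAME: ${{ secrets.PROJECT_NAME || 'agent-runtime' }}

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    permissions:
      id-token: write         # OIDC token for configure-aws-credentials
      contents: read
      security-events: write  # required by codeql-action/upload-sarif
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Scan the service trees (always works, no AWS credentials needed).
      # Every scan runs with continue-on-error so that all SARIF files are
      # produced and uploaded before the final gate step fails the job.
      # `exit-code` is an *input* to the action: with '1', findings at the
      # configured severity make the step's `outcome` 'failure', which is what
      # the later steps check.
      - name: Run Trivy vulnerability scanner on Axon Dockerfile
        id: trivy-axon-dockerfile
        # Pinned to a release tag instead of the mutable `master` branch;
        # prefer a full commit SHA, e.g. aquasecurity/trivy-action@<COMMIT_SHA> # 0.28.0
        uses: aquasecurity/trivy-action@0.28.0
        continue-on-error: true
        with:
          scan-type: 'fs'
          scan-ref: './services/axon'
          format: 'sarif'
          output: 'trivy-axon-dockerfile-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Run Trivy vulnerability scanner on Orbit Dockerfile
        id: trivy-orbit-dockerfile
        uses: aquasecurity/trivy-action@0.28.0
        continue-on-error: true
        with:
          scan-type: 'fs'
          scan-ref: './services/orbit'
          format: 'sarif'
          output: 'trivy-orbit-dockerfile-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      # Scan ECR images (only if AWS credentials are available). On pull requests
      # from forks no secrets are injected, so this step fails and the image
      # scans are skipped via the `if` guards below.
      - name: Configure AWS credentials
        id: aws-credentials
        continue-on-error: true
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # NOTE(review): a *deploy* role is broader than the read-only ECR pull
          # this job needs; a dedicated read-only role would follow least privilege.
          role-to-assume: ${{ secrets.AWS_INFRA_DEPLOY_ROLE }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        # The id is required: the image scans read steps.login-ecr.outputs.registry.
        id: login-ecr
        if: steps.aws-credentials.outcome == 'success'
        uses: aws-actions/amazon-ecr-login@v2

      - name: Run Trivy vulnerability scanner on Axon image
        id: trivy-axon-image
        if: steps.aws-credentials.outcome == 'success'
        uses: aquasecurity/trivy-action@0.28.0
        continue-on-error: true
        with:
          scan-type: 'image'
          image-ref: ${{ steps.login-ecr.outputs.registry }}/${{ env.PROJECT_NAME }}/axon:latest
          format: 'sarif'
          output: 'trivy-axon-image-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Run Trivy vulnerability scanner on Orbit image
        id: trivy-orbit-image
        if: steps.aws-credentials.outcome == 'success'
        uses: aquasecurity/trivy-action@0.28.0
        continue-on-error: true
        with:
          scan-type: 'image'
          image-ref: ${{ steps.login-ecr.outputs.registry }}/${{ env.PROJECT_NAME }}/orbit:latest
          format: 'sarif'
          output: 'trivy-orbit-image-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      # Upload each report whenever the scan produced one. Gating on
      # `outcome == 'success'` would upload only *clean* scans, because a scan
      # with findings exits 1 and has outcome 'failure'; checking for the file
      # covers both cases and skips scans that never ran or crashed.
      - name: Upload Trivy Axon Dockerfile scan results to GitHub Security tab
        if: always() && hashFiles('trivy-axon-dockerfile-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-axon-dockerfile-results.sarif'
          category: 'trivy-axon-dockerfile'
          wait-for-processing: true

      - name: Upload Trivy Orbit Dockerfile scan results to GitHub Security tab
        if: always() && hashFiles('trivy-orbit-dockerfile-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-orbit-dockerfile-results.sarif'
          category: 'trivy-orbit-dockerfile'
          wait-for-processing: true

      - name: Upload Trivy Axon image scan results to GitHub Security tab
        if: always() && hashFiles('trivy-axon-image-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-axon-image-results.sarif'
          category: 'trivy-axon-image'
          wait-for-processing: true

      - name: Upload Trivy Orbit image scan results to GitHub Security tab
        if: always() && hashFiles('trivy-orbit-image-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-orbit-image-results.sarif'
          category: 'trivy-orbit-image'
          wait-for-processing: true

      # Final gate. A scan step's outcome is 'failure' when Trivy exited 1
      # (findings at CRITICAL/HIGH) or when the scan itself errored; both must
      # fail the job. Image scans that were skipped have outcome 'skipped' and
      # do not trigger this, so no separate credentials check is needed.
      - name: Fail on critical vulnerabilities
        if: >
          steps.trivy-axon-dockerfile.outcome == 'failure' ||
          steps.trivy-orbit-dockerfile.outcome == 'failure' ||
          steps.trivy-axon-image.outcome == 'failure' ||
          steps.trivy-orbit-image.outcome == 'failure'
        run: |
          echo "Critical or high severity vulnerabilities found"
          exit 1

  codeql-scan:
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Same major version as the upload-sarif steps above, so the whole
      # workflow tracks one codeql-action release line.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v4
        with:
          languages: go,python

      - name: Autobuild
        uses: github/codeql-action/autobuild@v4

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v4

  checkov-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Checkov
        # Pinned to a release tag instead of the mutable `master` branch;
        # prefer a full commit SHA, e.g. bridgecrewio/checkov-action@<COMMIT_SHA> # v12
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: infra/
          framework: terraform
          output_format: cli
          output_file_path: checkov-results.txt
          # Advisory only: findings are reported in the artifact but do not fail the job.
          soft_fail: true

      - name: Upload Checkov results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: checkov-results
          path: checkov-results.txt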