
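name: Security Scan

on:
  push:
    branches: [main, master]
  pull_request:
    branches: [main, master]
  schedule:
    # Run daily at 2 AM UTC
    - cron: '0 2 * * *'
  workflow_dispatch:

# Least-privilege default for the GITHUB_TOKEN handed to every job: without
# this the token falls back to the repository-wide default, which may be
# write-all. Jobs that upload SARIF (codeql-analysis, container-scan) declare
# their own `permissions` block, which replaces this default for that job only.
permissions:
  contents: read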
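jobs:
  dependency-check:
    name: Dependency Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET SDK
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 9.x
      # `dotnet list package` reads the restored package graph, so restore first.
      - name: Restore dependencies
        run: dotnet restore
      # Fails the job when the scan reports a vulnerable package (direct or
      # transitive) or when the scan itself does not complete.
      - name: Check for vulnerable packages
        run: |
          echo "πŸ” Checking for vulnerable packages..."
          # Run the scan once and keep both its output and its exit status
          # explicitly, instead of running it twice and relying on the
          # shell's implicit -e for the second, captured invocation.
          STATUS=0
          OUTPUT=$(dotnet list package --vulnerable --include-transitive 2>&1) || STATUS=$?
          echo "$OUTPUT"
          if [ "$STATUS" -ne 0 ]; then
            echo "❌ Vulnerability scan did not complete (exit $STATUS)"
            exit "$STATUS"
          fi
          # Check if vulnerabilities were found
          if echo "$OUTPUT" | grep -q "has the following vulnerable packages"; then
            echo "❌ Vulnerabilities found!"
            exit 1
          else
            echo "βœ… No vulnerabilities found"
          fi
      # Informational only: outdated packages are listed but never fail the job.
      - name: Check for outdated packages
        run: |
          echo "πŸ“¦ Checking for outdated packages..."
          dotnet list package --outdated
        continue-on-error: true

  sast-scan:
    name: Static Application Security Testing
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET SDK
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 9.x
      # NOTE(review): no later step in this job invokes the `security-scan`
      # tool installed here, and a failed install is hidden by
      # continue-on-error — confirm whether the install is still needed.
      - name: Install security scanner
        run: |
          dotnet tool install --global security-scan
        continue-on-error: true
      # Builds with every .NET analyzer rule enabled. Analyzer findings
      # presumably surface as build warnings, so this step fails only on
      # build errors unless the project promotes warnings to errors —
      # NOTE(review): confirm before treating this job as a gate.
      - name: Run Security Code Scan
        run: |
          echo "πŸ” Running static security analysis..."
          dotnet build /p:AnalysisMode=AllEnabledByDefault

  codeql-analysis:
    name: CodeQL Security Analysis
    runs-on: ubuntu-latest
    # Only what the CodeQL action needs: read the repo and workflow metadata,
    # write SARIF results to the Security tab.
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language:
          - csharp
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      # init runs before the build so the manual build below is observed by
      # CodeQL; analyze runs after it.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - name: Setup .NET SDK
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 9.x
      - name: Build
        run: dotnet build
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  container-scan:
    name: Container Security Scan
    runs-on: ubuntu-latest
    # NOTE(review): `head_commit` is only present in push payloads, so on
    # pull_request runs this condition is false; the job runs on pushes whose
    # message mentions "docker" and on the daily schedule.
    if: contains(github.event.head_commit.message, 'docker') || github.event_name == 'schedule'
    permissions:
      actions: read
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      # Filesystem scan of the checkout (scan-type fs), not of a built image.
      # TODO(review): `@master` is a mutable ref; pin to a release tag or a
      # full commit SHA so the action cannot change underneath this workflow.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
        continue-on-error: true
      # Upload whatever Trivy wrote even if the scan step failed, but skip the
      # upload when no SARIF file exists (the scan step is continue-on-error,
      # so it may have stopped before writing one); uploading a missing file
      # would otherwise fail this step.
      - name: Upload Trivy results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always() && hashFiles('trivy-results.sarif') != ''
        with:
          sarif_file: 'trivy-results.sarif'

  license-check:
    name: License Compliance Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Setup .NET SDK
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: 9.x
      - name: Install license scanner
        run: |
          dotnet tool install --global dotnet-project-licenses
        continue-on-error: true
      # Informational only: `|| true` means neither a license finding nor a
      # missing tool (the install above may have failed silently) fails this
      # job. NOTE(review): confirm that is intended before relying on it as a
      # compliance gate.
      - name: Check licenses
        run: |
          echo "πŸ“œ Checking license compliance..."
          dotnet-project-licenses -i . || true

  security-report:
    name: Generate Security Report
    runs-on: ubuntu-latest
    # Waits for every scan job, including the two conditional/informational
    # ones, so the summary covers all of them; `if: always()` keeps this job
    # running when any of them fails or is skipped.
    needs: [dependency-check, sast-scan, codeql-analysis, container-scan, license-check]
    if: always()
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      # The `needs.<job>.result` values interpolated below are fixed
      # Actions-provided status strings, not user-controlled input.
      - name: Create security summary
        run: |
          summary() { echo "$1" >> "$GITHUB_STEP_SUMMARY"; }
          # $1 = display name, $2 = job result, $3 = icon for a non-success result
          report() {
            if [ "$2" = "success" ]; then
              summary "βœ… **$1:** Passed"
            else
              summary "$3 **$1:** Failed or Skipped"
            fi
          }
          summary "# πŸ”’ Security Scan Summary"
          summary ""
          summary "## Scan Results"
          summary ""
          report "Dependency Check" "${{ needs.dependency-check.result }}" "❌"
          report "SAST Scan" "${{ needs.sast-scan.result }}" "⚠️"
          report "CodeQL Analysis" "${{ needs.codeql-analysis.result }}" "⚠️"
          report "Container Scan" "${{ needs.container-scan.result }}" "⚠️"
          report "License Check" "${{ needs.license-check.result }}" "⚠️"
          summary ""
          summary "---"
          summary "_Security scan completed at $(date -u)_"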