23 changes: 17 additions & 6 deletions .github/dependabot.yml
@@ -1,15 +1,26 @@
version: 2
updates:
# Enable version updates for npm
- package-ecosystem: 'npm'
- package-ecosystem: "npm"
# Look for `package.json` and `lock` files in the `root` directory
directory: '/deployment-status/'
directory: "/deployment-status/"
# Check the npm registry for updates every day (weekdays)
schedule:
interval: 'weekly'
- package-ecosystem: 'npm'
interval: "weekly"
cooldown:
default-days: 7
- package-ecosystem: "npm"
# Look for `package.json` and `lock` files in the `root` directory
directory: '/global-variables/'
directory: "/global-variables/"
# Check the npm registry for updates every day (weekdays)
schedule:
interval: 'weekly'
interval: "weekly"
cooldown:
default-days: 7
# Maintain dependencies for GitHub Actions
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
cooldown:
default-days: 7
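Review bot: the comments in this hunk contradict the settings beneath them: `# Check the npm registry for updates every day (weekdays)` sits directly above `interval: "weekly"`, and `# Look for \`package.json\` and \`lock\` files in the \`root\` directory` sits above `directory: "/deployment-status/"` and `directory: "/global-variables/"`. Suggest rewording them to describe what is actually configured, e.g. `# Check npm weekly; wait 7 days after a release before opening a PR`, so the new `cooldown` intent is documented next to the setting. The new `github-actions` ecosystem entry is what will keep the SHA pins introduced in the workflow files of this change from going stale, so its `interval` and `cooldown` should be kept in step with the two npm entries.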
105 changes: 52 additions & 53 deletions .github/workflows/checkov-scan.yaml
Expand Up @@ -5,65 +5,64 @@ on:
workflow_call:
inputs:
baseline:
description: 'Path to the Checkov baseline file (default: none)'
default: ''
description: "Path to the Checkov baseline file (default: none)"
default: ""
required: false
type: string
path:
description: 'Directory path where the scan should be performed (default: .)'
description: "Directory path where the scan should be performed (default: .)"
required: false
default: '.'
default: "."
type: string
soft-fail-on:
description: 'Lowest severity level to cause a failed scan (default: LOW)'
description: "Lowest severity level to cause a failed scan (default: LOW)"
required: false
default: 'LOW'
default: "LOW"
type: string
use-test-reporter:
description: 'Attach the test results as a report (default: true)'
description: "Attach the test results as a report (default: true)"
required: false
default: true
type: boolean
issue-on-findings:
description: 'One GitHub user to mention when creating an issue for failed scans (e.g., username). If left empty, no issue will be created.'
description: "One GitHub user to mention when creating an issue for failed scans (e.g., username). If left empty, no issue will be created."
required: false
default: ''
default: ""
type: string
security-tools-ref:
description: 'Internal: Git ref for security-scanning scripts checkout (default: main)'
description: "Internal: Git ref for security-scanning scripts checkout (default: main)"
required: false
default: 'main'
default: "main"
type: string

jobs:

checkov_scan:
outputs:
NOTIFICATION: ${{ steps.scan.outcome == 'failure' && 'true' || 'false' }}
runs-on: ubuntu-latest

steps:
- name: checkout repository
uses: actions/checkout@v4
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7

- name: checkout security-scanning scripts
uses: actions/checkout@v4
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
with:
repository: zweitag/github-actions
ref: ${{ inputs.security-tools-ref }}
path: _security-tools
sparse-checkout: security-scanning

- name: create output folder
run: mkdir -p ./scan-results
- uses: actions/setup-python@v5

- uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6
with:
python-version: "3.13"

- name: setup Checkov
run: pip install checkov

- name: run Checkov
id: scan
env:
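Review bot: the hunk pins `actions/checkout` and `actions/setup-python` to full commit SHAs, but two mutable sources remain in the same job: `run: pip install checkov` installs whatever version is current on PyPI at run time, and the second checkout fetches the `security-scanning` scripts from `ref: ${{ inputs.security-tools-ref }}`, whose default is `main`. Suggest `pip install checkov==<pinned-version>` (placeholder; use the version the CTRF template was tested against) and a tag or commit as the default for `security-tools-ref`, so the scanner and its post-processing script are as reproducible as the actions now are. Also confirm that each SHA resolves to the tag named in its trailing comment (`# v7`, `# v6`) before merging; nothing in the diff verifies that mapping.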
Expand All @@ -75,20 +74,20 @@ jobs:
--output json \
$BASELINE \
$SOFTFAIL > ./scan-results/checkov.json

- name: convert Checkov report to CTRF format
if: always() && inputs.use-test-reporter
run: |
python3 _security-tools/security-scanning/checkov2ctrf.py \
./scan-results/checkov.json \
./scan-results/checkov.ctrf.json

- name: Publish Test Report
if: always() && inputs.use-test-reporter
uses: ctrf-io/github-test-reporter@v1
uses: ctrf-io/github-test-reporter@e500b992f936420eb633c91644cf10d4d71df700 # v1
with:
report-path: './scan-results/checkov.ctrf.json'
template-path: '_security-tools/security-scanning/config_scan_template.hbs'
report-path: "./scan-results/checkov.ctrf.json"
template-path: "_security-tools/security-scanning/config_scan_template.hbs"
custom-report: true

create_issue:
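Review bot: the trailing comment on the `ctrf-io/github-test-reporter` pin reads `# v1`, a floating major tag that does not say which release the SHA corresponds to; suggest recording the exact release tag so the pin can be audited and bumped deliberately. Unrelated to the pin but in the same hunk: `if: always() && inputs.use-test-reporter` makes the convert and publish steps run even when the job was cancelled; `!cancelled()` is the usual condition if the intent is only "run even if the scan step failed".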
Expand All @@ -97,34 +96,34 @@ jobs:
if: ${{ inputs.issue-on-findings != '' && needs.checkov_scan.outputs.NOTIFICATION == 'true' }}

steps:
- name: Create issue/Comment on issue
uses: actions/github-script@v7
with:
script: |
const repo = context.repo.repo;
const owner = context.repo.owner;
const issue_title = 'Security scan failed';
const issue_body = '@${{ inputs.issue-on-findings }} One or more security scans failed. Please check the workflow run for more information: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\nPlease check if the vulnerabilities are fixable. If there is a fix: Create a ticket for the fix or resolve it.\n'
const existing_issue = await github.rest.issues.listForRepo({
owner,
repo,
state: 'open',
labels: 'security-scan-failure'
});
if (existing_issue.data.length === 0) {
await github.rest.issues.create({
owner,
repo,
title: issue_title,
body: issue_body,
labels: ['security-scan-failure']
});
} else {
const issue_number = existing_issue.data[0].number;
await github.rest.issues.createComment({
- name: Create issue/Comment on issue
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9
with:
script: |
const repo = context.repo.repo;
const owner = context.repo.owner;
const issue_title = 'Security scan failed';
const issue_body = '@${{ inputs.issue-on-findings }} One or more security scans failed. Please check the workflow run for more information: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}\nPlease check if the vulnerabilities are fixable. If there is a fix: Create a ticket for the fix or resolve it.\n'
const existing_issue = await github.rest.issues.listForRepo({
owner,
repo,
issue_number,
body: issue_body
state: 'open',
labels: 'security-scan-failure'
});
}
if (existing_issue.data.length === 0) {
await github.rest.issues.create({
owner,
repo,
title: issue_title,
body: issue_body,
labels: ['security-scan-failure']
});
} else {
const issue_number = existing_issue.data[0].number;
await github.rest.issues.createComment({
owner,
repo,
issue_number,
body: issue_body
});
}
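Review bot: the `script:` block splices `${{ inputs.issue-on-findings }}` and `${{ github.repository }}` into a JavaScript string literal before the script runs, so a value containing a single quote terminates the literal and the remainder is evaluated as code with the job's token. The inputs come from the calling workflow rather than from an untrusted event, which limits the exposure, but the recommended pattern is still to pass them through `env:` (e.g. `MENTION: ${{ inputs.issue-on-findings }}`) and read `process.env.MENTION` inside the script. The SHA pin on `actions/github-script` is the only functional change in this hunk; the re-indented script body is otherwise identical to the old one.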
4 changes: 2 additions & 2 deletions .github/workflows/deployment-status.yaml
Expand Up @@ -9,7 +9,7 @@ jobs:
build: # make sure build/ci work properly
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- run: npm install
working-directory: deployment-status
- run: npm run all
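Review bot: `- run: npm install` in the unchanged context right below the new pin resolves dependencies afresh rather than from the lockfile; since the dependabot.yml in this same change keeps the `package.json` and lock files under `deployment-status/` current, `npm ci` would make the build use exactly those versions and fail loudly if the lockfile drifts. The jump from `actions/checkout@v2` to the v7 SHA is a five-major-version bump; a run of this workflow on the PR before merging would confirm nothing in the build step depends on v2 behaviour.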
Expand All @@ -22,7 +22,7 @@ jobs:
contents: read
deployments: write
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- uses: ./deployment-status/
with:
environment_url: "https://my.environment.de/${{ github.sha }}"
2 changes: 1 addition & 1 deletion .github/workflows/global-variables.yaml
Expand Up @@ -8,7 +8,7 @@ jobs:

steps:
- name: checkout-repo
uses: actions/checkout@main
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
- name: set-global-vars
uses: ./global-variables
- name: test
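Review bot: this is the one workflow line that previously tracked a branch (`actions/checkout@main`) rather than a tag, so replacing it with a commit SHA is the most consequential pin in the change; the `# v7` comment should be checked against the tag the same way as the other pins, since a stale comment next to a correct hash is the usual way these drift. Nothing else in the hunk changes.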
2 changes: 1 addition & 1 deletion LICENSE
@@ -1,4 +1,4 @@
Copyright 2019 Zweitag GmbH
Copyright 2026 Zweitag GmbH

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
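Review bot: replacing `Copyright 2019 Zweitag GmbH` with `Copyright 2026 Zweitag GmbH` drops the original publication year; the usual form for a work maintained over several years is a range, `Copyright 2019-2026 Zweitag GmbH`, which keeps the start date the 2019 line documented. The same line is edited in Readme.md and should match whatever form is chosen here.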
20 changes: 10 additions & 10 deletions Readme.md
Expand Up @@ -30,20 +30,20 @@ ANOTHER_KEY=VALUE2
#### with default file:

```
- uses: zweitag/github-actions/global-variables@main
- uses: zweitag/github-actions/global-variables@0cff7f8458250a53e62a8188c3858572aadaa0f2 # main
```

#### with custom environment file:

```
- uses: zweitag/github-actions/global-variables@main
- uses: zweitag/github-actions/global-variables@0cff7f8458250a53e62a8188c3858572aadaa0f2 # main
with:
file: 'config/.env.development'
```

## trivy-scan

This reusable workflow is part of the Security-Scanning workflows. This workflow is for Security-Scanning with [Trivy](https://github.com/aquasecurity/trivy) and provides a cost-effective, reusable security scanning pipeline that works in any repository without relying on paid GitHub Code Scanning features.
This reusable workflow is part of the Security-Scanning workflows. This workflow is for Security-Scanning with [Trivy](https://github.com/aquasecurity/trivy) and provides a cost-effective, reusable security scanning pipeline that works in any repository without relying on paid GitHub Code Scanning features.

It runs Trivy scans (filesystem, image, or configuration), converts the results into a standardized CTRF report, renders a human-friendly summary via Handlebars templates in the job output, and optionally creates or comments on a GitHub Issue when findings cause the scan to fail.

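Review bot: the two `uses: zweitag/github-actions/global-variables@0cff7f8458250a53e62a8188c3858572aadaa0f2 # main` lines pin the usage snippets to a commit of this repository, but the `# main` comment only records which branch the hash was taken from, not a version, and README snippets are not maintained by Dependabot (the `github-actions` ecosystem added in this change scans workflow files, not documentation), so they will silently fall behind. Suggest either cutting a release tag and pointing the examples at it, or stating next to the snippet that consumers should pin to a current commit themselves.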
Expand All @@ -62,7 +62,7 @@ filesystem scan:
```yaml
jobs:
scan_filesystem:
uses: zweitag/github-actions/.github/workflows/trivy-scan.yaml@main
uses: zweitag/github-actions/.github/workflows/trivy-scan.yaml@0cff7f8458250a53e62a8188c3858572aadaa0f2 # main
with:
scan-type: "filesystem"
path: "."
Expand All @@ -75,7 +75,7 @@ image scan:
```yaml
jobs:
scan_docker_image:
uses: zweitag/github-actions/.github/workflows/trivy-scan.yaml@main
uses: zweitag/github-actions/.github/workflows/trivy-scan.yaml@0cff7f8458250a53e62a8188c3858572aadaa0f2 # main
with:
scan-type: "image"
path: "."
Expand All @@ -92,7 +92,7 @@ config-scan:
```yaml
jobs:
scan_configuration:
uses: zweitag/github-actions/.github/workflows/trivy-scan.yaml@main
uses: zweitag/github-actions/.github/workflows/trivy-scan.yaml@0cff7f8458250a53e62a8188c3858572aadaa0f2 # main
with:
scan-type: "config"
path: "."
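Review bot: the three trivy-scan snippets (filesystem, image and config) now reference the same commit `0cff7f8458250a53e62a8188c3858572aadaa0f2` with a `# main` comment; a branch name beside a SHA tells a reader nothing about which revision of the reusable workflow they are getting, and these documentation lines will not be bumped automatically. A release tag would make the examples self-describing and give consumers something stable to pin to.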
Expand Down Expand Up @@ -120,7 +120,7 @@ jobs:

## checkov-scan

This reusable workflow is part of the Security-Scanning workflows. This workflow is for Security-Scanning with [Checkov](https://github.com/bridgecrewio/checkov) and provides a cost-effective, reusable security scanning pipeline that works in any repository without relying on paid GitHub Code Scanning features.
This reusable workflow is part of the Security-Scanning workflows. This workflow is for Security-Scanning with [Checkov](https://github.com/bridgecrewio/checkov) and provides a cost-effective, reusable security scanning pipeline that works in any repository without relying on paid GitHub Code Scanning features.

It runs Checkov scans , converts the results into a standardized CTRF report, renders a human-friendly summary via Handlebars templates in the job output, and optionally creates or comments on a GitHub Issue when findings cause the scan to fail.

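Review bot: style point in the unchanged context of this hunk: `It runs Checkov scans , converts the results` has a stray space before the comma. The two identical-looking `This reusable workflow is part of the Security-Scanning workflows.` lines indicate a whitespace-only change to that paragraph; worth confirming it is intentional (e.g. trailing whitespace removed) rather than an editor artefact.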
Expand All @@ -145,7 +145,7 @@ simple scan:
```yaml
jobs:
checkov_scan:
uses: zweitag/github-actions/.github/workflows/security-scan.yaml@main
uses: zweitag/github-actions/.github/workflows/security-scan.yaml@0cff7f8458250a53e62a8188c3858572aadaa0f2 # main
with:
path: "."
use-test-reporter: true
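Review bot: both checkov-scan usage snippets in Readme.md reference `zweitag/github-actions/.github/workflows/security-scan.yaml@0cff7f8458250a53e62a8188c3858572aadaa0f2`, but the workflow file changed in this same commit is `.github/workflows/checkov-scan.yaml`. Unless a `security-scan.yaml` also exists, a consumer copying this example gets a "workflow not found" error; the `uses:` path should name `checkov-scan.yaml` to match the file and the `## checkov-scan` heading above it.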
Expand All @@ -157,7 +157,7 @@ scan with baseline and issue mention:
```yaml
jobs:
checkov_scan:
uses: zweitag/github-actions/.github/workflows/security-scan.yaml@main
uses: zweitag/github-actions/.github/workflows/security-scan.yaml@0cff7f8458250a53e62a8188c3858572aadaa0f2 # main
with:
path: "./infra"
baseline: "./.checkov.baseline"
Expand Down Expand Up @@ -187,7 +187,7 @@ This workflow provides standardized reports (CTRF), visual summaries, and option

# License

Copyright 2019 Zweitag GmbH
Copyright 2026 Zweitag GmbH

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
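Review bot: `Copyright 2026 Zweitag GmbH` here should read the same as the LICENSE file; a range `Copyright 2019-2026 Zweitag GmbH` in both places keeps the original year instead of overwriting it.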