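# CloudGuard Code Security scan workflow.
#
# Runs one job per scanner (Semgrep, Spectral, JFrog Xray, Snyk) on every push.
# Credentials are scoped to the job that uses them rather than exported as
# workflow-wide env, so a third-party action running in one job cannot read
# another scanner's token.
name: CloudGuard Code Security

on: push  # 'on' is a YAML 1.1 boolean key; GitHub's loader reads it as intended

# Least-privilege default for GITHUB_TOKEN. Jobs that upload SARIF to code
# scanning widen this with security-events: write below.
permissions:
  contents: read

jobs:
  semgrep:
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    env:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - run: |
          semgrep ci --code --secrets --supply-chain --no-suppress-errors

  spectral:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: CloudGuard Code Security Scan
        uses: checkpointsw/spectral-github-action@v4
        with:
          spectral-dsn: ${{ secrets.SPECTRAL_DSN }}
          spectral-args: scan --fail-on-error --engines secrets,iac,oss --asset-mapping github.${{ github.repository_owner }}

  jfrog-code:
    runs-on: ubuntu-latest
    env:
      # JFrog platform url (for example: https://acme.jfrog.io)
      JF_URL: ${{ vars.JF_URL }}
      # JFrog Platform access token
      JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: jfrog/setup-jfrog-cli@v4
      - name: JFrog code scan (IaC, secrets, SAST)
        # The default 'run' shell does not enable pipefail, so 'jf audit | tee'
        # would always exit 0 and the scan could never fail the job. An explicit
        # bash shell enables pipefail and preserves jf audit's exit status.
        shell: bash
        run: |
          jf audit --iac --secrets --sast --format json | tee code.json
      - name: Render scan results as an HTML table
        # Still render the report when the scan step exits non-zero on findings.
        if: always()
        uses: Teebra/JSON-to-HTML-table@v2.0.0
        with:
          # Must match the file written by the tee above; the previous
          # placeholder path did not exist in the workspace.
          json-file: code.json

  jfrog-dependency:
    runs-on: ubuntu-latest
    env:
      # JFrog platform url (for example: https://acme.jfrog.io)
      JF_URL: ${{ vars.JF_URL }}
      # JFrog Platform access token
      JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: jfrog/setup-jfrog-cli@v4
      - name: JFrog dependency (SCA) scan
        run: |
          jf audit --sca

  snyk-iac:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Snyk to check for IaC misconfigurations
        id: snyk_iac
        # TODO(review): '@master' is a mutable ref; pin to a release tag or a
        # commit SHA of snyk/actions once one is chosen.
        uses: snyk/actions/node@master
        with:
          # The IaC scanner is 'iac test'; 'code iac test' mixed the SAST and
          # IaC subcommands.
          command: iac test
          args: --sarif-file-output=snyk/iac.sarif
      - if: always()
        run: |
          cat snyk/iac.sarif
      - name: Upload sarif files
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'snyk/'
          # Distinct category per job so the three Snyk uploads for the same
          # commit are kept as separate analyses instead of replacing each other.
          category: snyk-iac

  snyk-code:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Run Snyk to check for code vulnerabilities
        id: snyk_code
        # TODO(review): '@master' is a mutable ref; pin to a release tag or a
        # commit SHA of snyk/actions once one is chosen.
        uses: snyk/actions/node@master
        with:
          command: code test
          args: --sarif-file-output=snyk/code.sarif
      - if: always()
        run: |
          cat snyk/code.sarif
      - name: Upload sarif files
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'snyk/'
          category: snyk-code

  snyk-dependency:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    env:
      SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history, consistent with the other Snyk jobs; the previous
          # bare 'fetch-depth:' was parsed as null.
          fetch-depth: 0
      - name: Run Snyk to check for dependency vulnerabilities
        id: snyk_dependency
        # TODO(review): '@master' is a mutable ref; pin to a release tag or a
        # commit SHA of snyk/actions once one is chosen.
        # NOTE(review): snyk/actions/node targets Node.js projects; this
        # repository is a Maven build, so confirm this image can resolve the
        # pom.xml manifests (a JDK/Maven variant of snyk/actions may be needed).
        uses: snyk/actions/node@master
        with:
          command: test
          args: --sarif-file-output=snyk/dependencies.sarif --all-projects
      - if: always()
        run: |
          cat snyk/dependencies.sarif
      - name: Upload sarif files
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'snyk/'
          category: snyk-dependency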