
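---
# Security Scan: CodeQL (Java) plus a Trivy filesystem scan. Both jobs upload
# SARIF, so findings appear in the repository's code-scanning alerts.
name: Security Scan

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    - cron: '0 0 * * 1'  # Weekly on Monday

# Least-privilege GITHUB_TOKEN: security-events: write is what the two SARIF
# uploads below require; nothing here needs to write repository contents.
permissions:
  contents: read
  security-events: write
  pull-requests: read

jobs:
  codeql-analysis:
    name: CodeQL Security Analysis
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: ['java']
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          submodules: true
          # NOTE(review): a PAT is used so submodules can be fetched; keep it
          # scoped to read-only access. Credentials are left persisted in
          # .git/config (the checkout default) only because the next step
          # fetches from the submodule remotes.
          token: ${{ secrets.GIT_ACTION_TOKEN }}
      - name: Init submodules
        # NOTE(review): --remote moves each submodule to its tracked branch
        # head rather than the commit pinned in this repository, so the code
        # that gets analysed is not reproducible from this commit alone. Drop
        # --remote if the pinned submodule commits are what should be scanned.
        run: git submodule update --remote
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          java-version: "17"
          distribution: "temurin"
          cache: gradle
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: security-extended  # default suite plus lower-precision security queries
      - name: Build project
        # Tests are skipped; CodeQL only needs the compilation to observe.
        run: |
          chmod +x gradlew
          ./gradlew build -x test
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"

  trivy-scan:
    name: Trivy Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # Nothing after checkout talks to GitHub over git, so do not leave
          # the token in .git/config for the rest of the job.
          persist-credentials: false
      - name: Run Trivy vulnerability scanner
        # NOTE(review): @master is a mutable ref; pin to a tagged release or a
        # full commit SHA so the action's code cannot change underneath this
        # workflow.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true  # report only findings that have a fix available
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'
      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always()  # upload whatever was produced even if the scan step failed
        with:
          sarif_file: 'trivy-results.sarif'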