-
Notifications
You must be signed in to change notification settings - Fork 10
62 lines (54 loc) · 1.95 KB
/
security-checks.yml
File metadata and controls
62 lines (54 loc) · 1.95 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
name: "Static analysis checks for security vulnerabilities"
on:
workflow_call:
inputs:
base_branch:
required: true
type: string
jobs:
run-semgrep:
name: "Run Semgrep to find vulnerabilities and security antipatterns"
runs-on: ubuntu-latest
container:
image: returntocorp/semgrep-action
if: |
github.actor != 'dependabot[bot]'
steps:
- name: "Checkout this branch"
uses: actions/checkout@v6
- name: "Checkout base branch"
uses: actions/checkout@v6
with:
ref: ${{ github.event.inputs.base_branch }}
- name: "Determine which Semgrep config(s) to use"
run: |
REPO_NAME=${{ github.event.repository.name }}
if [[ $REPO_NAME =~ "android" ]]; then
SEMGREP_RULES="p/java p/kotlin p/javascript r/bash r/yaml"
elif [[ $REPO_NAME =~ "apple" ]]; then
SEMGREP_RULES="p/ci p/javascript p/ruby r/bash r/yaml"
elif [[ $REPO_NAME =~ "web" || $REPO_NAME =~ "node" ]]; then
SEMGREP_RULES="p/javascript p/typescript"
else
SEMGREP_RULES="auto"
fi
echo "SEMGREP_RULES=$SEMGREP_RULES" >> $GITHUB_ENV
echo "Setting SEMGREP_RULES to \'$SEMGREP_RULES\'"
- name: "Run Semgrep"
run: "semgrep ci"
env:
SEMGREP_RULES: ${{ env.SEMGREP_RULES }}
SEMGREP_BASELINE_REF: ${{ github.event.inputs.base_branch }} # enables diff-aware scans
run-mobsfscan:
name: "Run mobsfscan to find Android/iOS vulnerabilities and misconfigurations"
runs-on: ubuntu-latest
if: |
github.actor != 'dependabot[bot]' &&
( contains(github.event.repository.name, 'android') || contains(github.event.repository.name, 'apple'))
steps:
- name: "Checkout repository"
uses: actions/checkout@v6
- name: "Run mobsfscan"
uses: MobSF/mobsfscan@main
with:
args: '. --sonarqube'