Fix security workflow to generate reports locally instead of uploading to GitHub Security (#1950)
- Changed security-events permission from write to read - Disabled automatic SARIF upload in CodeQL analysis - Removed Trivy SARIF upload step that was causing permission errors - Added artifact uploads for all security scan results (CodeQL, Trivy secrets, SBOM) - Reports are now available for download as workflow artifacts for local review
This commit is contained in:
Stijnus
27
.github/workflows/security.yaml
vendored
27
.github/workflows/security.yaml
vendored
@@ -12,7 +12,7 @@ on:
|
|||||||
permissions:
|
permissions:
|
||||||
actions: read
|
actions: read
|
||||||
contents: read
|
contents: read
|
||||||
security-events: write
|
security-events: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
codeql:
|
codeql:
|
||||||
@@ -42,6 +42,16 @@ jobs:
|
|||||||
uses: github/codeql-action/analyze@v3
|
uses: github/codeql-action/analyze@v3
|
||||||
with:
|
with:
|
||||||
category: "/language:${{matrix.language}}"
|
category: "/language:${{matrix.language}}"
|
||||||
|
upload: false
|
||||||
|
|
||||||
|
- name: Upload CodeQL results as artifact
|
||||||
|
uses: actions/upload-artifact@v4
|
||||||
|
if: always()
|
||||||
|
with:
|
||||||
|
name: codeql-results-${{ matrix.language }}
|
||||||
|
path: |
|
||||||
|
**/results/**/*.sarif
|
||||||
|
**/results/**/*.sarif.json
|
||||||
|
|
||||||
dependency-scan:
|
dependency-scan:
|
||||||
name: Dependency Vulnerability Scan
|
name: Dependency Vulnerability Scan
|
||||||
@@ -75,6 +85,13 @@ jobs:
|
|||||||
format: spdx-json
|
format: spdx-json
|
||||||
artifact-name: sbom.spdx.json
|
artifact-name: sbom.spdx.json
|
||||||
|
|
||||||
|
- name: Upload SBOM as artifact
|
||||||
|
uses: actions/upload-artifact@v4
|
||||||
|
if: always()
|
||||||
|
with:
|
||||||
|
name: sbom-results
|
||||||
|
path: sbom.spdx.json
|
||||||
|
|
||||||
secrets-scan:
|
secrets-scan:
|
||||||
name: Secrets Detection
|
name: Secrets Detection
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
@@ -94,8 +111,10 @@ jobs:
|
|||||||
output: 'trivy-secrets-results.sarif'
|
output: 'trivy-secrets-results.sarif'
|
||||||
scanners: 'secret'
|
scanners: 'secret'
|
||||||
|
|
||||||
- name: Upload Trivy scan results to GitHub Security
|
- name: Upload Trivy secrets results as artifact
|
||||||
uses: github/codeql-action/upload-sarif@v3
|
uses: actions/upload-artifact@v4
|
||||||
if: always()
|
if: always()
|
||||||
with:
|
with:
|
||||||
sarif_file: 'trivy-secrets-results.sarif'
|
name: trivy-secrets-results
|
||||||
|
path: trivy-secrets-results.sarif
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user