github-runner-operator/.github/workflows/security_scan.yaml at 1a5f625bd7e3ac3b8e80a1d38e4ce9606779b486 · canonical/github-runner-operator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
# Copyright 2026 Canonical Ltd.
# See LICENSE file for licensing details.

name: Security Scan

on:
  push:
    branches: [main]
  pull_request:
  workflow_dispatch:

jobs:
  trivy-scan:
    if: ${{ false }}
    name: Run Trivy Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6.0.2

      - name: Ensure .trivyignore exists
        run: |
          if [ ! -f .trivyignore ]; then
            echo "Creating empty .trivyignore"
            touch .trivyignore
          else
            echo ".trivyignore already exists"
          fi

      - name: Run Trivy scan for logs
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          scan-type: "fs"
          scan-ref: "."
          trivy-config: "trivy.yaml"
          trivyignores: ".trivyignore"

      - name: Run Trivy scan for SARIF report
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          scan-type: "fs"
          scan-ref: "."
          trivy-config: "trivy.yaml"
          trivyignores: ".trivyignore"
          format: "sarif"
          output: "trivy-results.sarif"

      - name: Upload SARIF to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4.34.1
        with:
          sarif_file: "trivy-results.sarif"

      - name: Upload diagnostic SARIF artifact
        uses: actions/upload-artifact@v7.0.0
        with:
          name: sarif-report
          path: "trivy-results.sarif"
          retention-days: 7

  generate-sbom:
    if: ${{ false }}
    name: Generate SBOM from Filesystem
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6.0.2

      - name: Ensure .trivyignore exists
        run: |
          if [ ! -f .trivyignore ]; then
            echo "Creating empty .trivyignore"
            touch .trivyignore
          else
            echo ".trivyignore already exists"
          fi

      - name: Run Trivy to generate SBOM
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          scan-type: "fs"
          scan-ref: "."
          trivy-config: "trivy.yaml"
          trivyignores: ".trivyignore"
          format: "spdx-json"
          output: "dependency-results.sbom.json"
          github-pat: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SBOM as an artifact
        uses: actions/upload-artifact@v7.0.0
        with:
          name: sbom
          path: "dependency-results.sbom.json"
          retention-days: 7