.github/workflows/security.yaml

name: Security checks

permissions:
  contents: read
  security-events: write

on: # yamllint disable-line rule:truthy
  pull_request:
    paths-ignore:
      - "doc/**"
      - "*.md"
      - "DCO"
      - "LICENSE"
      - "OWNERS"
      - "PROJECT"
  push:
    branches: [main]
  schedule:
    - cron: '0 0 * * *' # run at midnight daily

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  gosec:
    name: Gosec
    runs-on: ubuntu-22.04

    steps:
      - name: Checkout Git Repository
        uses: actions/checkout@v4

      - name: Run gosec
        uses: securego/gosec@v2.19.0
        with:
          args: '-exclude=G601 -no-fail -fmt sarif -out gosec.sarif ./...'

      - name: Upload scan results
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: gosec.sarif

  trivy:
    name: Trivy
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

  lint-sh:
    name: Lint shell scripts
    runs-on: ubuntu-22.04
    permissions:
      security-events: write

    steps: 
      - name: Checkout Git Repository
        uses: actions/checkout@v4
        with:
          # we need a full history for differential shellcheck
          fetch-depth: 0

      - name: Differential ShellCheck
        id: ShellCheck
        uses: redhat-plumbers-in-action/differential-shellcheck@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}

      - if: ${{ always() }}
        name: Upload ShellCheck defects
        uses: actions/upload-artifact@v4
        with:
          name: Differential ShellCheck SARIF
          path: ${{ steps.ShellCheck.outputs.sarif }}