fix: update trivy-action SHA (Teller's SHA no longer in repo) #3
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | ||
|
Check failure on line 1 in .github/workflows/security.yml
|
||
| # Action SHAs are pinned, not floating tags. To bump: | ||
| # gh api repos/<owner>/<repo>/commits/<tag> --jq .sha | ||
| # (use /commits/<tag>, NOT /git/refs/tags/<tag> — annotated tags would | ||
| # return the tag-object SHA, which Actions can't resolve.) | ||
| on: | ||
| push: | ||
| branches: [develop, main] | ||
| pull_request: | ||
| branches: [develop, main] | ||
| schedule: | ||
| # Weekly Monday 06:00 UTC — re-runs the suite against the latest | ||
| # vulnerability databases even when the repo is quiet. | ||
| - cron: "0 6 * * 1" | ||
| permissions: | ||
| contents: read | ||
| jobs: | ||
| gitleaks: | ||
| name: Secret scan (gitleaks) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| with: | ||
| fetch-depth: 0 # full history so gitleaks can scan every commit | ||
| # Install and run the binary directly — the v2 action attempts to upload | ||
| # a SARIF artifact, which trips the account-wide artifact storage quota | ||
| # on this repo. Running the CLI keeps us to a single blocking step with | ||
| # no artifact output. | ||
| - name: Install gitleaks | ||
| run: | | ||
| VERSION=8.24.3 | ||
| curl -sSL "https://github.com/zricethezav/gitleaks/releases/download/v${VERSION}/gitleaks_${VERSION}_linux_x64.tar.gz" \ | ||
| | tar -xz -C /usr/local/bin gitleaks | ||
| gitleaks version | ||
| - name: Run gitleaks | ||
| run: gitleaks detect --source . --redact --verbose --no-banner --exit-code 1 | ||
| pip-audit: | ||
| name: Python deps (pip-audit) | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8 | ||
| - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 | ||
| with: | ||
| python-version: "3.14" | ||
| - run: uv sync --frozen --extra dev | ||
| - name: Audit production deps | ||
| # --strict fails on ANY surfaced CVE, not just HIGH/CRITICAL. We don't | ||
| # have a volume problem and any CVE in pinned deps is worth a | ||
| # conscious accept-or-upgrade decision. | ||
| # | ||
| # Per-CVE ignores live in .github/security/pip-audit-ignore.txt with | ||
| # a comment per ignore. xargs ferries them onto the command line so | ||
| # the policy stays in version control rather than buried in this YAML. | ||
| run: | | ||
| uv pip install pip-audit | ||
| IGNORES=$(grep -v '^\s*#' .github/security/pip-audit-ignore.txt 2>/dev/null \ | ||
| | grep -v '^\s*$' \ | ||
| | sed 's/^/--ignore-vuln /' \ | ||
| | tr '\n' ' ') | ||
| uv run pip-audit --strict --progress-spinner off \ | ||
| --vulnerability-service osv \ | ||
| $IGNORES | ||
| npm-audit: | ||
| name: Frontend deps (npm audit) | ||
| runs-on: ubuntu-latest | ||
| # Skips cleanly until #21 lands frontend/package.json. | ||
| if: hashFiles('frontend/package-lock.json') != '' | ||
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 | ||
| with: | ||
| node-version: "24" | ||
| cache: npm | ||
| cache-dependency-path: frontend/package-lock.json | ||
| - run: cd frontend && npm ci | ||
| # --audit-level=high — fail only on high/critical; moderate/low noted | ||
| # but not blocking. | ||
| - run: cd frontend && npm audit --audit-level=high | ||
| trivy-image: | ||
| name: Container image scan (trivy) | ||
| runs-on: ubuntu-latest | ||
| # Blocking: any fixable HIGH/CRITICAL CVE in the built image fails the PR. | ||
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| - name: Build image | ||
| run: docker build -t harness-python-react:ci . | ||
| - name: Run Trivy vulnerability scanner | ||
| # Pinned to a SHA — never @master. A moving branch in a | ||
| # supply-chain workflow defeats the point of the scan. | ||
| uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 | ||
| with: | ||
| image-ref: harness-python-react:ci | ||
| format: table | ||
| severity: HIGH,CRITICAL | ||
| exit-code: "1" | ||
| ignore-unfixed: true | ||
| vuln-type: os,library | ||
