@luisffc
Created June 9, 2025 23:59
Security Checks for Docker repositories
# Reusable workflow: Security Checks for Docker repositories
#
# This workflow performs:
# - Docker CIS Benchmark checks (via Powerpipe)
# - Dockerfile linting (Hadolint)
# - File system vulnerability scanning (Trivy)
#
# Expected to be invoked via `workflow_call`.
# The caller workflow should grant:
#   permissions:
#     checks: write          # needed for Powerpipe and Hadolint
#     pull-requests: write   # needed for Hadolint PR comments
#     security-events: write # needed for Trivy SARIF upload

name: Security Checks

on:
  workflow_call:
    inputs:
      run-cis:
        required: false
        type: boolean
        default: true
      run-lint:
        required: false
        type: boolean
        default: true
      run-fs-vulnerability-scan:
        required: false
        type: boolean
        default: true

jobs:
  cis-benchmark:
    name: Docker CIS Benchmark Check
    if: inputs.run-cis == true
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - name: Setup Steampipe
        uses: turbot/steampipe-action-setup@v1
      - name: Setup required Steampipe plugins
        run: |
          steampipe plugin install docker exec
      - name: Install Powerpipe
        uses: turbot/powerpipe-action-setup@v1
      - name: Start steampipe service
        run: |
          steampipe service start
      - name: Run Docker CIS Compliance benchmarks
        uses: turbot/powerpipe-action-check@v1
        with:
          mod-url: https://github.com/turbot/steampipe-mod-docker-compliance
          benchmarks: |
            cis_v160

  lint-dockerfile:
    name: Docker Lint Dockerfile
    if: inputs.run-lint == true
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      # <version> is a placeholder: pin to a release tag or commit SHA.
      - uses: hadolint/hadolint-action@<version>
        # The id is required: the comment step below reads steps.hadolint.outcome.
        id: hadolint
      - name: Update Pull Request
        uses: actions/github-script@v6
        # always() so the lint result is posted even when Hadolint fails the step;
        # the job itself still fails because the Hadolint step failed.
        if: always() && github.event_name == 'pull_request'
        with:
          script: |
            const output = `
            #### Hadolint: \`${{ steps.hadolint.outcome }}\`
            \`\`\`
            ${process.env.HADOLINT_RESULTS}
            \`\`\`
            `;

            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: output
            })

  fs-vulnerability-scan:
    name: Scan for vulnerabilities on files
    # Must match the input name declared under workflow_call.inputs,
    # otherwise the expression is always false and the job never runs.
    if: inputs.run-fs-vulnerability-scan == true
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        # <version> is a placeholder: pin to a release tag or commit SHA.
        uses: aquasecurity/trivy-action@<version>
        with:
          scan-type: 'fs'
          scanners: 'vuln,secret,config'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
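As an added example (not part of the gist), a caller workflow that invokes the reusable workflow above and grants the permissions its header comment lists. The repository path `example-org/workflows`, the file name `security-checks.yml` and the `@main` ref are assumptions; in practice the ref should be a release tag or commit SHA so the security checks themselves cannot be changed underneath the caller.

```yaml
name: CI

on:
  pull_request:
  push:
    branches: [main]

# A reusable workflow runs with the caller's GITHUB_TOKEN, so every
# permission its jobs need has to be granted here, not in the callee.
permissions:
  contents: read          # actions/checkout in each job
  checks: write           # Powerpipe and Hadolint check annotations
  pull-requests: write    # Hadolint PR comment
  security-events: write  # Trivy SARIF upload to the Security tab

jobs:
  security:
    # ASSUMPTION: the gist is committed as
    # .github/workflows/security-checks.yml in example-org/workflows.
    uses: example-org/workflows/.github/workflows/security-checks.yml@main
    with:
      run-cis: true
      run-lint: true
      # Inputs accept expressions: here the filesystem scan is limited to
      # pull requests, while the CIS and lint jobs run on every event.
      run-fs-vulnerability-scan: ${{ github.event_name == 'pull_request' }}
```

Each `run-*` input defaults to `true` in the reusable workflow, so a caller that only wants the defaults can omit the `with:` block entirely; the `permissions:` block is the part that cannot be omitted, because without `security-events: write` the SARIF upload step fails and without `pull-requests: write` the Hadolint comment is rejected.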