Reusable Security Hardening Pipeline

uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7

Triggers

  • Reusable (called by other workflows)

Permissions

Scope Access
contents read
security-events write
actions read
pull-requests write
checks write
id-token write

Inputs

| Input | Description | Required | Default |
| --- | --- | --- | --- |
| scanners | Comma-separated list of scanners to run (codeql, opengrep, bandit, gitleaks, container, infrastructure, trivy-iac, ch... | string, No | all |
| scan_type | (Deprecated) Legacy scan type selector. Prefer the scanners input. | string, No | — |
| python_version | Python version to use | string, No | 3.12 |
| aws_region | AWS region for infrastructure scans | string, No | us-east-1 |
| iac_path | Directory that contains infrastructure-as-code (Terraform) files | string, No | infrastructure |
| post_pr_comment | Whether to post PR comments | boolean, No | True |
| enable_code_security | Whether GitHub Code Security is enabled for this repository (required for CodeQL scanning) | boolean, No | False |
| clamav_scan_path | Path for ClamAV to scan (file, directory, or archive). Defaults to repository root. | string, No | . |
| allow_failure | Whether to allow the workflow to continue when vulnerabilities are found above the severity threshold. When false, sc... | boolean, No | True |
| severity_threshold | Minimum severity level that will cause job failure when allow_failure is false. Options: low, medium, high, critical | string, No | high |

CodeQL Options

| Input | Description | Required | Default |
| --- | --- | --- | --- |
| codeql_languages | Comma-separated list of languages for CodeQL analysis (e.g., "python,javascript"). Leave empty for auto-detection. | string, No | — |
| codeql_config_file | Path to CodeQL config file. Leave empty to auto-detect project config or generate one. | string, No | — |
| codeql_query_suite | CodeQL query suite to use (security-extended, security-and-quality, or default). Ignored if codeql_config_file is set. | string, No | security-extended,security-and-quality |
| codeql_scan_paths | Comma-separated list of paths to scan (empty = scan everything). Ignored if codeql_config_file is set. | string, No | — |
| codeql_ignore_paths | Comma-separated list of paths to ignore. Ignored if codeql_config_file is set. | string, No | `**/node_modules/**,**/venv/**,**/__pycache__/**` |

Bandit Options

| Input | Description | Required | Default |
| --- | --- | --- | --- |
| bandit_config_file | Path to Bandit configuration file (e.g. pyproject.toml, .bandit). Passed as the bandit -c flag. | string, No | — |

Gitleaks Options

| Input | Description | Required | Default |
| --- | --- | --- | --- |
| gitleaks_enable_comments | Enable GitLeaks inline PR comments (requires GITLEAKS_LICENSE) | boolean, No | True |
| gitleaks_notify_user_list | Comma-separated list of GitHub usernames to notify on secret detection (e.g., "@user1,@user2") | string, No | — |
| gitleaks_enable_summary | Enable GitLeaks job summary | boolean, No | True |
| gitleaks_enable_upload_artifact | Enable uploading SARIF artifact when secrets are detected | boolean, No | True |
| gitleaks_config | Path to a gitleaks configuration file (e.g., "path/to/gitleaks.toml") | string, No | — |

ZAP (DAST) Options

| Input | Description | Required | Default |
| --- | --- | --- | --- |
| zap_scan_mode | How to obtain a running target: url (already running), docker-run (run a single container), compose (run docker compose) | string, No | url |
| zap_config_file | Optional config file (YAML or JSON) to define targets, scan type, and options. When provided, it takes precedence ove... | string, No | — |
| zap_target_urls | Comma-separated list of target URLs (required for baseline/full) | string, No | — |
| zap_healthcheck_url | Optional URL to poll until ready (defaults to first target URL) | string, No | — |
| zap_app_image_ref | When scan_mode=docker-run, container image to start | string, No | — |
| zap_app_ports | When scan_mode=docker-run, comma-separated port mappings (e.g., 8080:8080,3000:3000) | string, No | 8080:8080 |
| zap_compose_file | When scan_mode=compose, path to docker compose file | string, No | docker-compose.yml |
| zap_scan_type | Scan type: baseline (passive), full (active), api (OpenAPI/Swagger) | string, No | baseline |
| zap_api_spec | When scan_type=api, URL or file path to OpenAPI/Swagger spec | string, No | — |
| zap_max_duration_minutes | Max minutes per target for ZAP to run | number, No | 10 |

OSV (Dependency) Options

| Input | Description | Required | Default |
| --- | --- | --- | --- |
| osv_scan_path | Path to scan for lockfiles and dependency manifests | string, No | . |
| osv_lockfile | Specific lockfile path to scan (auto-discovers if empty) | string, No | — |
| osv_recursive | Scan subdirectories recursively for lockfiles | boolean, No | True |

Dependency Review Options

| Input | Description | Required | Default |
| --- | --- | --- | --- |
| dependency_review_vulnerability_check | Dependency Review: enable vulnerability checking | boolean, No | True |
| dependency_review_license_check | Dependency Review: enable license compliance checking | boolean, No | False |
| dependency_review_allow_licenses | Dependency Review: comma-separated SPDX license identifiers to allow | string, No | — |
| dependency_review_deny_licenses | Dependency Review: comma-separated SPDX license identifiers to deny | string, No | — |

Secrets

| Secret | Description | Required |
| --- | --- | --- |
| AWS_ACCOUNT_ID | AWS Account ID for infrastructure scans | No |
| GITLEAKS_LICENSE | License key for GitLeaks scans within a GitHub Organization. Obtain from https://gitleaks.io | No |
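The following caller workflow is an added example of how a repository would invoke this reusable workflow; it is not part of the argus project's own documentation. The file path, trigger events and the particular scanner selection are assumptions; the `uses:` reference, input names, defaults and permission scopes come from the tables above.

```yaml
# .github/workflows/security.yml  (file path and triggers are assumptions for this example)
name: Security Hardening

on:
  pull_request:
  push:
    branches: [main]

# A called workflow cannot hold more permissions than the caller grants it,
# so the caller grants exactly the scopes listed in the Permissions table.
permissions:
  contents: read
  security-events: write
  actions: read
  pull-requests: write
  checks: write
  id-token: write

jobs:
  security:
    uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@0.6.7
    with:
      # Restrict the run to a subset of scanners instead of the default "all".
      scanners: "codeql,opengrep,bandit,gitleaks,trivy-iac"
      python_version: "3.12"
      # CodeQL is only useful when GitHub Code Security is enabled for the repo.
      enable_code_security: true
      codeql_languages: "python,javascript"
      # Fail the job on high or critical findings rather than only reporting them.
      allow_failure: false
      severity_threshold: high
      iac_path: infrastructure
      post_pr_comment: true
    secrets:
      # Optional; only needed for GitLeaks PR comments inside an organization.
      GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
```

If `infrastructure` is added to `scanners`, also pass `AWS_ACCOUNT_ID` under `secrets:` and set `aws_region` as needed. Pinning the `@0.6.7` tag (or a commit SHA) rather than a branch keeps the scanner set and action versions from changing underneath the caller.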

Jobs

scan-coordinator — Scan Coordinator

Runs on: ubuntu-latest · Condition: ${{ !cancelled() }}

Steps:

  1. Resolve scanner selection

code-quality-linting — Code Quality & Linting

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_lint == 'true'

scanner-codeql — CodeQL Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_codeql == 'true'

scanner-opengrep — OpenGrep Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_opengrep == 'true'

scanner-bandit — Bandit Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_bandit == 'true'

scanner-gitleaks — Gitleaks Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_gitleaks == 'true'

scanner-clamav — ClamAV Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_clamav == 'true'

scanner-container — Container Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_container == 'true'

scanner-infrastructure — Infrastructure Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_infrastructure == 'true'

scanner-sbom — SBOM Generator

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_sbom == 'true'

scanner-trivy-iac — Trivy IaC Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_trivy_iac == 'true'

scanner-checkov — Checkov Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_checkov == 'true'

scanner-trivy-container — Trivy Container Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_trivy_container == 'true'

scanner-grype — Grype Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_grype == 'true'

scanner-zap — ZAP (DAST) Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_zap == 'true'

scanner-osv — OSV Dependency Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_osv == 'true'

scanner-dependency-review — Dependency Review Scanner

Depends on: scan-coordinator · Condition: needs.scan-coordinator.outputs.run_dependency_review == 'true'

security-summary — Security Hardening Summary

Runs on: ubuntu-latest · Depends on: scan-coordinator, code-quality-linting, scanner-codeql, scanner-opengrep, scanner-bandit, scanner-gitleaks, scanner-clamav, scanner-container, scanner-infrastructure, scanner-sbom, scanner-trivy-iac, scanner-checkov, scanner-trivy-container, scanner-grype, scanner-zap, scanner-osv, scanner-dependency-review · Condition: always()

Steps:

  1. Download CodeQL artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  2. Download OpenGrep artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  3. Download Bandit artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  4. Download GitLeaks artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  5. Download ClamAV artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  6. Download Container artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  7. Download Infrastructure artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  8. Download Trivy IaC artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  9. Download Checkov artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  10. Download Trivy Container artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  11. Download Grype artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  12. Download ZAP artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  13. Download OSV artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  14. Download Dependency Review artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  15. Download Linting artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  16. Download SBOM artifacts — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  17. Download all scanner summaries — actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
  18. Copy scanner summaries to expected locations
  19. Combine scanner summaries into security report
  20. Generate overall summary
  21. Get job ID — huntridge-labs/argus/.github/actions/get-job-id@0.6.7
  22. Upload comprehensive security report — actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
  23. Comment PR with security summary — actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd