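---
name: Security Scanning with Composite Actions

# This example workflow demonstrates how to use the argus composite actions
# for comprehensive security scanning. Copy this to your repository and customize as needed.
#
# Available Composite Actions:
# - scanner-bandit: Python security scanner
# - scanner-codeql: GitHub CodeQL SAST scanner
# - scanner-opengrep: Pattern-based SAST scanner
# - scanner-gitleaks: Secrets detection
# - scanner-zap: DAST/web application security
# - scanner-clamav: Malware scanning
# - scanner-trivy-iac: Infrastructure-as-code scanning
# - scanner-checkov: Infrastructure-as-code scanning (multi-framework)
# - scanner-container: Container image scanning
# - scanner-osv: Dependency vulnerability scanning (any trigger)
# - scanner-dependency-review: PR dependency review & license compliance (PR-only)
# - scanner-supply-chain: GitHub Actions workflow security (zizmor + actionlint)
#
# Each scanner runs independently and generates reports that can be uploaded to GitHub Security.
#
# Notes for adopters:
# - Most scanner jobs below set `continue-on-error: true`. A job with that flag
#   does not fail the workflow run even when its scanner exceeds
#   `fail_on_severity`, and its `needs.<job>.result` is reported as success.
#   Remove the flag from any scanner that should gate merges; the
#   commented-out status check in `security-summary` only works once it is gone.
# - `actions/checkout` is pinned to a full commit SHA with the version in a
#   trailing comment. The argus actions are pinned to the tag `1.1.0`, which
#   a maintainer can move; pin them the same way (commit SHA + `# v1.1.0`
#   comment) once you have verified the commit you want.

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:

# Workflow-wide token permissions. Every job inherits this set unless it
# declares its own `permissions` block (supply-chain-scan does). Trim it to
# what the scanners you keep actually need.
permissions:
  contents: read
  pull-requests: write    # presumably for jobs that set post_pr_comment: true — confirm per scanner
  security-events: write  # presumably for uploading findings to GitHub Security when enable_code_security is true
  actions: read
  checks: write
  id-token: write         # NOTE(review): nothing in this file uses OIDC — confirm a scanner needs it, else drop
  packages: read

env:
  PYTHON_VERSION: '3.12'

jobs:
  # Python Security Scanning
  bandit-scan:
    name: Bandit Python Security
    runs-on: ubuntu-latest
    timeout-minutes: 10
    continue-on-error: true  # scan findings never fail the run; see header notes
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Run Bandit Scanner
        uses: huntridge-labs/argus/.github/actions/scanner-bandit@1.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          post_pr_comment: true
          enable_code_security: false
          fail_on_severity: 'high'
          python_version: ${{ env.PYTHON_VERSION }}

  # Secrets Detection
  gitleaks-scan:
    name: Gitleaks Secrets Detection
    runs-on: ubuntu-latest
    timeout-minutes: 5
    continue-on-error: true  # scan findings never fail the run; see header notes
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0  # Full history for comprehensive secrets scanning
      - name: Run Gitleaks Scanner
        uses: huntridge-labs/argus/.github/actions/scanner-gitleaks@1.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}  # Optional: for org features
        with:
          post_pr_comment: true
          enable_code_security: false
          fail_on_severity: 'none'  # Gitleaks fails on any secret found

  # CodeQL SAST
  codeql-scan:
    name: CodeQL SAST Analysis
    runs-on: ubuntu-latest
    timeout-minutes: 20
    continue-on-error: true  # scan findings never fail the run; see header notes
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Run CodeQL Scanner (Python)
        uses: huntridge-labs/argus/.github/actions/scanner-codeql@1.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          language: 'python'
          setup_python_version: ${{ env.PYTHON_VERSION }}
          enable_code_security: false
          fail_on_severity: 'high'

  # OpenGrep SAST
  opengrep-scan:
    name: OpenGrep SAST Analysis
    runs-on: ubuntu-latest
    timeout-minutes: 15
    continue-on-error: true  # scan findings never fail the run; see header notes
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Run OpenGrep Scanner
        uses: huntridge-labs/argus/.github/actions/scanner-opengrep@1.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          config: 'auto'
          paths: '.'
          enable_code_security: false
          fail_on_severity: 'high'

  # Infrastructure-as-Code Security
  trivy-iac-scan:
    name: Trivy IaC Security
    runs-on: ubuntu-latest
    timeout-minutes: 15
    continue-on-error: true  # scan findings never fail the run; see header notes
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Run Trivy IaC Scanner
        uses: huntridge-labs/argus/.github/actions/scanner-trivy-iac@1.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          iac_path: 'tests/infrastructure'  # Customize to your IaC directory
          enable_code_security: false
          post_pr_comment: true
          fail_on_severity: 'high'

  # Checkov IaC Security
  checkov-scan:
    name: Checkov IaC Security
    runs-on: ubuntu-latest
    timeout-minutes: 15
    continue-on-error: true  # scan findings never fail the run; see header notes
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Run Checkov Scanner
        uses: huntridge-labs/argus/.github/actions/scanner-checkov@1.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          iac_path: 'infrastructure'  # Customize to your IaC directory
          framework: 'terraform'
          enable_code_security: false
          post_pr_comment: true
          fail_on_severity: 'high'

  # Malware Scanning
  clamav-scan:
    name: ClamAV Malware Detection
    runs-on: ubuntu-latest
    timeout-minutes: 20
    continue-on-error: true  # scan findings never fail the run; see header notes
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Run ClamAV Scanner
        uses: huntridge-labs/argus/.github/actions/scanner-clamav@1.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          scan_path: '.'
          post_pr_comment: true
          enable_code_security: false
          fail_on_severity: 'none'

  # DAST / Web Application Security (requires running application)
  zap-scan:
    name: ZAP DAST Security
    runs-on: ubuntu-latest
    timeout-minutes: 30
    continue-on-error: true  # scan findings never fail the run; see header notes
    # Only run if you have a web application to test
    if: false  # Change to true and provide target_url when ready
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      # Add steps here to start your application
      # Example:
      # - name: Start application
      #   run: |
      #     docker-compose up -d
      #     sleep 10
      - name: Run ZAP Scanner
        uses: huntridge-labs/argus/.github/actions/scanner-zap@1.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          target_url: 'http://localhost:8080'  # Customize to your app URL
          scan_name: 'web-app'
          post_pr_comment: true
          enable_code_security: false
          fail_on_severity: 'high'

  # Container Image Scanning (requires built image)
  container-scan:
    name: Container Security Scan
    runs-on: ubuntu-latest
    timeout-minutes: 20
    continue-on-error: true  # scan findings never fail the run; see header notes
    # Only run if you have container images to scan
    if: false  # Change to true when you have images to scan
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      # Add steps here to build your container image
      # Example:
      # - name: Build Docker image
      #   run: docker build -t myapp:test .
      - name: Run Container Scanner
        uses: huntridge-labs/argus/.github/actions/scanner-container@1.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          image_ref: 'myapp:test'  # Customize to your image
          enable_code_security: false
          fail_on_severity: 'high'

  # Dependency Vulnerability Scanning (works on any trigger)
  osv-scan:
    name: OSV Dependency Scan
    runs-on: ubuntu-latest
    timeout-minutes: 15  # bounds the job like the other scanner jobs; adjust as needed
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Run OSV-Scanner
        uses: huntridge-labs/argus/.github/actions/scanner-osv@1.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          scan_path: '.'
          recursive: 'true'
          enable_code_security: false
          fail_on_severity: 'none'  # Customize: 'high', 'critical', etc.

  # Dependency Review (PR-only — skips gracefully on push/schedule)
  dependency-review-scan:
    name: Dependency Review Scan
    runs-on: ubuntu-latest
    timeout-minutes: 15  # bounds the job like the other scanner jobs; adjust as needed
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Run Dependency Review
        uses: huntridge-labs/argus/.github/actions/scanner-dependency-review@1.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          vulnerability_check: 'true'
          license_check: 'false'  # Enable for license compliance
          # deny_licenses: 'GPL-3.0'  # Uncomment to deny specific licenses
          fail_on_severity: 'none'

  # Supply Chain Security - Scan workflow files for security issues
  supply-chain-scan:
    name: Supply Chain Scan
    runs-on: ubuntu-latest
    # Job-level permissions replace the workflow-wide set for this job only.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Run Supply Chain Scanner
        uses: huntridge-labs/argus/.github/actions/scanner-supply-chain@1.1.0
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          scan_path: '.'
          fail_on_severity: 'none'
          enable_code_security: true
          run_actionlint: true

  # Summary Job - Collect all scanner results
  security-summary:
    name: Security Scan Summary
    runs-on: ubuntu-latest
    needs:
      - bandit-scan
      - gitleaks-scan
      - codeql-scan
      - opengrep-scan
      - trivy-iac-scan
      - checkov-scan
      - clamav-scan
      - osv-scan
      - dependency-review-scan
      - supply-chain-scan
    if: always()  # run the summary even when a needed job failed or was skipped
    steps:
      - name: Generate Combined Security Summary
        uses: huntridge-labs/argus/.github/actions/security-summary@1.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          title: '🔒 Security Scan Summary'
          show_metadata: true
          show_stats: true
          post_pr_comment: true
      - name: Check job statuses
        run: |
          echo "Job Status Summary:"
          echo "===================="
          echo "Bandit: ${{ needs.bandit-scan.result }}"
          echo "Gitleaks: ${{ needs.gitleaks-scan.result }}"
          echo "CodeQL: ${{ needs.codeql-scan.result }}"
          echo "OpenGrep: ${{ needs.opengrep-scan.result }}"
          echo "Trivy IaC: ${{ needs.trivy-iac-scan.result }}"
          echo "Checkov: ${{ needs.checkov-scan.result }}"
          echo "ClamAV: ${{ needs.clamav-scan.result }}"
          echo "OSV: ${{ needs.osv-scan.result }}"
          echo "Dependency Review: ${{ needs.dependency-review-scan.result }}"
          echo "Supply Chain: ${{ needs.supply-chain-scan.result }}"
          # Optional: Fail if any critical scanners failed
          # Uncomment the following if you want the summary job to fail.
          # This check only triggers for jobs that do NOT set
          # `continue-on-error: true` — with that flag a failed scan is still
          # reported as "success" here — so remove the flag from the jobs you
          # list below.
          # if [[ "${{ needs.bandit-scan.result }}" == "failure" ]] || \
          #    [[ "${{ needs.gitleaks-scan.result }}" == "failure" ]]; then
          #   echo "❌ One or more critical security scanners failed"
          #   exit 1
          # fi
          echo "✅ Security scan workflow completed"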