Reusable Security Hardening Pipeline
uses: huntridge-labs/argus/.github/workflows/reusable-security-hardening.yml@1.1.0
Triggers
- Reusable (called by other workflows)
Permissions
| Scope | Access |
|---|---|
contents |
read |
security-events |
write |
actions |
read |
pull-requests |
write |
checks |
write |
id-token |
write |
Inputs
| Input | Description | Required | Default |
|---|---|---|---|
scanners |
Comma-separated list of scanners to run (codeql, opengrep, bandit, gitleaks, container, infrastructure, trivy-iac, ch... string | No | all |
scan_type |
(Deprecated) Legacy scan type selector. Prefer the scanners input. string | No | โ |
python_version |
Python version to use string | No | 3.12 |
aws_region |
AWS region for infrastructure scans string | No | us-east-1 |
iac_path |
Directory that contains infrastructure-as-code (Terraform) files string | No | infrastructure |
post_pr_comment |
Whether to post PR comments boolean | No | True |
enable_code_security |
Whether GitHub Code Security is enabled for this repository (required for CodeQL scanning) boolean | No | False |
clamav_scan_path |
Path for ClamAV to scan (file, directory, or archive). Defaults to repository root. string | No | . |
allow_failure |
Whether to allow the workflow to continue when any scanner fails or reports findings above the severity threshold. De... boolean | No | False |
severity_threshold |
Minimum severity level that will cause job failure when allow_failure is false. Options: low, medium, high, critical string | No | high |
supply_chain_scan_path |
Path to scan for GitHub Actions workflows and actions string | No | . |
supply_chain_persona |
Zizmor audit strictness: regular (default), pedantic, or auditor string | No | regular |
supply_chain_zizmor_config |
Path to zizmor configuration file string | No | โ |
CodeQL Options
| Input | Description | Required | Default |
|---|---|---|---|
codeql_languages |
Comma-separated list of languages for CodeQL analysis (e.g., "python,javascript"). Leave empty for auto-detection. string | No | โ |
codeql_config_file |
Path to CodeQL config file. Leave empty to auto-detect project config or generate one. string | No | โ |
codeql_query_suite |
CodeQL query suite to use (security-extended, security-and-quality, or default). Ignored if codeql_config_file is set. string | No | security-extended,security-and-quality |
codeql_scan_paths |
Comma-separated list of paths to scan (empty = scan everything). Ignored if codeql_config_file is set. string | No | โ |
codeql_ignore_paths |
Comma-separated list of paths to ignore. Ignored if codeql_config_file is set. string | No | **/node_modules/**,**/venv/**,**/__pycache__/** |
Bandit Options
| Input | Description | Required | Default |
|---|---|---|---|
bandit_config_file |
Path to Bandit configuration file (e.g. pyproject.toml, .bandit). Passed as bandit -c flag. string | No | โ |
Gitleaks Options
| Input | Description | Required | Default |
|---|---|---|---|
gitleaks_enable_comments |
Enable GitLeaks inline PR comments (requires GITLEAKS_LICENSE) boolean | No | True |
gitleaks_notify_user_list |
Comma-separated list of GitHub usernames to notify on secret detection (e.g., "@user1,@user2") string | No | โ |
gitleaks_enable_summary |
Enable GitLeaks job summary boolean | No | True |
gitleaks_enable_upload_artifact |
Enable uploading SARIF artifact when secrets are detected boolean | No | True |
gitleaks_config |
Path to a gitleaks configuration file (e.g., "path/to/gitleaks.toml") string | No | โ |
ZAP (DAST) Options
| Input | Description | Required | Default |
|---|---|---|---|
zap_scan_mode |
how to obtain a running target: url (already running), docker-run (run a single container), compose (run docker compose) string | No | url |
zap_config_file |
optional config file (YAML or JSON) to define targets, scan type, and options. When provided, it takes precedence ove... string | No | โ |
zap_target_urls |
comma-separated list of target URLs (required for baseline/full) string | No | โ |
zap_healthcheck_url |
optional URL to poll until ready (defaults to first target URL) string | No | โ |
zap_app_image_ref |
when scan_mode=docker-run, container image to start string | No | โ |
zap_app_ports |
when scan_mode=docker-run, comma-separated port mappings (e.g., 8080:8080,3000:3000) string | No | 8080:8080 |
zap_compose_file |
when scan_mode=compose, path to docker compose file string | No | docker-compose.yml |
zap_scan_type |
scan type: baseline (passive), full (active), api (OpenAPI/Swagger) string | No | baseline |
zap_api_spec |
when scan_type=api, URL or file path to OpenAPI/Swagger spec string | No | โ |
zap_max_duration_minutes |
max minutes per target for ZAP to run number | No | 10 |
OSV (Dependency) Options
| Input | Description | Required | Default |
|---|---|---|---|
osv_scan_path |
path to scan for lockfiles and dependency manifests string | No | . |
osv_lockfile |
specific lockfile path to scan (auto-discovers if empty) string | No | โ |
osv_recursive |
scan subdirectories recursively for lockfiles boolean | No | True |
Dependency Review Options
| Input | Description | Required | Default |
|---|---|---|---|
dependency_review_vulnerability_check |
Dependency Review: enable vulnerability checking boolean | No | True |
dependency_review_license_check |
Dependency Review: enable license compliance checking boolean | No | False |
dependency_review_allow_licenses |
Dependency Review: comma-separated SPDX license identifiers to allow string | No | โ |
dependency_review_deny_licenses |
Dependency Review: comma-separated SPDX license identifiers to deny string | No | โ |
Secrets
| Secret | Description | Required |
|---|---|---|
AWS_ACCOUNT_ID |
AWS Account ID for infrastructure scans | No |
GITLEAKS_LICENSE |
License key for GitLeaks scans within a Github Organization. Obtain from https://gitleaks.io | No |
Jobs
scan-coordinator โ Scan Coordinator
Runs on: ubuntu-latest ยท Condition: ${{ !cancelled() }}
Steps:
- Resolve scanner selection
code-quality-linting โ Code Quality & Linting
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_lint == 'true'
scanner-codeql โ CodeQL Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_codeql == 'true'
scanner-opengrep โ OpenGrep Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_opengrep == 'true'
scanner-bandit โ Bandit Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_bandit == 'true'
scanner-gitleaks โ Gitleaks Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_gitleaks == 'true'
scanner-clamav โ ClamAV Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_clamav == 'true'
scanner-container โ Container Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_container == 'true'
scanner-infrastructure โ Infrastructure Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_infrastructure == 'true'
scanner-sbom โ SBOM Generator
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_sbom == 'true'
scanner-trivy-iac โ Trivy IaC Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_trivy_iac == 'true'
scanner-checkov โ Checkov Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_checkov == 'true'
scanner-trivy-container โ Trivy Container Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_trivy_container == 'true'
scanner-grype โ Grype Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_grype == 'true'
scanner-zap โ ZAP (DAST) Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_zap == 'true'
scanner-osv โ OSV Dependency Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_osv == 'true'
scanner-dependency-review โ Dependency Review Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_dependency_review == 'true'
scanner-supply-chain โ Supply Chain Scanner
Depends on: scan-coordinator ยท Condition: needs.scan-coordinator.outputs.run_supply_chain == 'true'
security-summary โ Security Hardening Summary
Runs on: ubuntu-latest ยท Depends on: scan-coordinator, code-quality-linting, scanner-codeql, scanner-opengrep, scanner-bandit, scanner-gitleaks, scanner-clamav, scanner-container, scanner-infrastructure, scanner-sbom, scanner-trivy-iac, scanner-checkov, scanner-trivy-container, scanner-grype, scanner-zap, scanner-osv, scanner-dependency-review, scanner-supply-chain ยท Condition: always()
Steps:
- Checkout argus for composite action โ
actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd - Aggregate scanner results โ
./.argus-actions/.github/actions/security-summary