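---
# Security workflow: Rust advisory audit, OWASP dependency check, CodeQL,
# secret scanning and (on master pushes) SBOM generation.
name: Security

on:
  schedule:
    - cron: '0 8 * * 1'  # Every Monday at 8 AM UTC
  push:
    branches: [master]
  pull_request:
    branches: [master]
  workflow_dispatch:

# Least privilege: the default GITHUB_TOKEN is read-only for every job.
# Only the codeql job uploads code-scanning results, so it alone widens
# its scope below; the other jobs never touch the security-events API.
permissions:
  contents: read

jobs:
  # Rust dependency audit
  cargo-audit:
    name: Cargo Audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Pinned by a moving tag; pinning to a full commit SHA would make the
      # toolchain action immutable.
      - uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-audit
        # --locked builds the tool from its published Cargo.lock instead of
        # re-resolving its dependency tree on every run.
        run: cargo install cargo-audit --locked
      - name: Audit Rust dependencies
        # The ignore list below should be re-checked whenever wasmtime is
        # bumped, since the advisories are only reachable through it.
        run: |
          # All ignored advisories are transitive rustls-webpki 0.102.8 issues
          # pinned by wasmtime-wasi-http 43.0.1 via rustls 0.22.4. Fix requires
          # an upstream wasmtime release bumping rustls.
          # RUSTSEC-2026-0049: rustls-webpki CRL matching bug
          # RUSTSEC-2026-0098: name constraints accepted for URI names
          # RUSTSEC-2026-0099: name constraints accepted for wildcard names
          cargo audit \
            --ignore RUSTSEC-2026-0049 \
            --ignore RUSTSEC-2026-0098 \
            --ignore RUSTSEC-2026-0099

  # Maven dependency vulnerability check
  dependency-check:
    name: OWASP Dependency Check
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          java-version: '21'
          distribution: 'temurin'
      - name: Cache Maven
        uses: actions/cache@v4
        with:
          path: ~/.m2/repository
          key: m2-security-${{ hashFiles('**/pom.xml') }}
          restore-keys: m2-security-
      - name: Run OWASP dependency check
        # NOTE: with continue-on-error the -DfailBuildOnCVSS=7 gate is
        # advisory only — a CVSS >= 7 finding marks the step failed but the
        # job and workflow still succeed. Drop this line to make it blocking.
        continue-on-error: true
        run: |
          ./mvnw org.owasp:dependency-check-maven:check \
            -DfailBuildOnCVSS=7 \
            -P skip-native \
            -B
      - name: Upload report
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: dependency-check-report
          path: '**/target/dependency-check-report.html'
          retention-days: 30

  # CodeQL analysis
  codeql:
    name: CodeQL
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the workflow-level one entirely,
    # so contents: read must be restated here next to the upload scope.
    # Private repositories additionally need actions: read for analyze.
    permissions:
      security-events: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          # NOTE(review): the other jobs use '21' — confirm 23 is intentional
          java-version: '23'
          distribution: 'temurin'
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: java
      - name: Build for CodeQL
        run: |
          COMMON_ARGS="-B -P skip-native -DskipTests -DskipQuality -Dmaven.javadoc.skip=true -Dgpg.skip=true -Dcheckstyle.skip=true -Dspotless.check.skip=true"
          ./mvnw install $COMMON_ARGS -Dmaven.test.skip=true -pl '!:wasmtime4j-tests-stress' -q
          ./mvnw compile $COMMON_ARGS -pl wasmtime4j,wasmtime4j-jni,wasmtime4j-native-loader
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  # Secret scanning
  secret-scan:
    name: Secret Scanning
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the base/head range below resolves
      - name: Run TruffleHog
        # Pinned by tag; a full commit SHA pin would be immutable.
        uses: trufflesecurity/trufflehog@v3.88.0
        with:
          path: ./
          # NOTE(review): outside pull requests this scans only HEAD~1..HEAD,
          # so a multi-commit push or a scheduled run covers just the latest
          # commit — confirm that is the intended scope.
          base: ${{ github.event.pull_request.base.sha || 'HEAD~1' }}
          head: HEAD

  # SBOM generation
  sbom:
    name: SBOM
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref == 'refs/heads/master'
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          java-version: '21'
          distribution: 'temurin'
      - name: Generate SBOM
        run: ./mvnw org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom -B -P skip-native
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: target/bom.xml
          retention-days: 90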