Security Analysis #48

	---
	name: Security Analysis

	on:
	push:
	branches: [master]
	pull_request:
	branches: [master]
	schedule:
	- cron: "0 6 * * *"

	jobs:
	codeql:
	name: CodeQL
	runs-on: ubuntu-latest
	steps:
	- name: Checkout repository
	uses: actions/checkout@v3

	- name: Initialize CodeQL
	uses: github/codeql-action/init@v2
	with:
	languages: go

	- name: Perform CodeQL Analysis
	uses: github/codeql-action/analyze@v2

	trivy:
	name: Trivy
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v3

	- name: Build an image from Dockerfile
	run: \|
	docker build . -t kubesec:${{ github.sha }}

	- name: Run Trivy
	uses: aquasecurity/[email protected]
	with:
	image-ref: kubesec:${{ github.sha }}
	format: template
	template: "@/contrib/sarif.tpl"
	output: trivy-results.sarif

	- name: Upload Trivy results to the Security tab
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: trivy-results.sarif

	trufflehog:
	name: TruffleHog
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v3
	with:
	fetch-depth: 0
	- name: Run Trufflehog
	uses: trufflesecurity/[email protected]
	with:
	path: ./
	base: ${{ github.event.repository.default_branch }}
	head: HEAD
	extra_args: --debug --only-verified

Provide feedback