-
Notifications
You must be signed in to change notification settings - Fork 4
41 lines (37 loc) · 1.81 KB
/
jit-security.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
name: Workflows generated by the MVS plan
on:
workflow_dispatch:
inputs:
client_payload:
description: The Client payload
required: true
jobs:
enrich:
if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'enrich'
runs-on: ubuntu-20.04
steps:
- name: enrichment
uses: jitsecurity-controls/[email protected]
with:
docker_user: jit-bot
docker_password: ${{fromJSON(github.event.inputs.client_payload).payload.container_registry_token}}
security_control: ghcr.io/jitsecurity-controls/control-enrichment-slim:latest
security_control_args: --path \${WORK_DIR:-.}
dispatch_type: workflow
context: ${{toJSON(fromJSON(github.event.inputs.client_payload).context)}}
runner_setup: ${{toJSON(fromJSON(github.event.inputs.client_payload).context.job.runner.setup)}}
secret-detection:
if: fromJSON(github.event.inputs.client_payload).payload.workflow_job_name == 'secret-detection'
runs-on: ubuntu-20.04
steps:
- name: gitleaks
uses: jitsecurity-controls/[email protected]
with:
docker_user: jit-bot
docker_password: ${{fromJSON(github.event.inputs.client_payload).payload.container_registry_token}}
security_control: ghcr.io/jitsecurity-controls/control-gitleaks-alpine:latest
security_control_args: detect --config \$GITLEAKS_CONFIG_FILE_PATH --source \${WORK_DIR:-.} -v --report-format json --report-path \$REPORT_FILE --redact --no-git --exit-code 0
security_control_output_file: /tmp/report.json
dispatch_type: workflow
context: ${{toJSON(fromJSON(github.event.inputs.client_payload).context)}}
runner_setup: ${{toJSON(fromJSON(github.event.inputs.client_payload).context.job.runner.setup)}}