diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b179002..6c7d391 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -123,6 +123,10 @@ jobs: security-scan: name: Security Scan runs-on: ubuntu-latest + continue-on-error: true + permissions: + contents: read + security-events: write steps: - name: Checkout code uses: actions/checkout@v4 @@ -131,16 +135,21 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master + continue-on-error: true with: scan-type: 'fs' scan-ref: '.' format: 'sarif' output: 'trivy-results.sarif' + exit-code: '0' - name: Upload Trivy results to GitHub Security - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 + if: always() && hashFiles('trivy-results.sarif') != '' + continue-on-error: true with: sarif_file: 'trivy-results.sarif' + wait-for-processing: false sbom: name: Generate SBOM @@ -176,7 +185,7 @@ jobs: syft packages dir:. -o cyclonedx-json > sbom.cyclonedx.json - name: Upload SBOM artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: sbom path: | @@ -186,16 +195,19 @@ jobs: - name: Run Grype scan uses: anchore/scan-action@v3 id: grype + continue-on-error: true with: - path: "." + path: '.' fail-build: false severity-cutoff: high - name: Upload Grype results - uses: github/codeql-action/upload-sarif@v2 - if: always() + uses: github/codeql-action/upload-sarif@v3 + if: always() && steps.grype.outputs.sarif != '' + continue-on-error: true with: sarif_file: ${{ steps.grype.outputs.sarif }} + wait-for-processing: false docker-build: name: Build Docker Images @@ -254,4 +266,3 @@ jobs: - name: Sign container image run: | cosign sign --yes ${{ steps.meta.outputs.tags }} - diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml index 808ba4d..b09ff22 100644 --- a/.github/workflows/security-audit.yml +++ b/.github/workflows/security-audit.yml 
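Review bot: The `security-scan` job can no longer fail under any condition once `continue-on-error: true` is set on the job (first hunk) and again on the Trivy and Grype steps together with `exit-code: '0'` on Trivy, so a branch-protection rule that requires this check passes even when the scanner crashes, produces no SARIF, or the upload is rejected. The same pattern is applied to the `security-audit` and `codeql-analysis` jobs in security-audit.yml in this diff. If the intent is that findings stay advisory while tooling failures remain visible, drop the job-level flag and keep `continue-on-error` only on the upload steps, or surface the scanner result explicitly, e.g. `if: always() && steps.trivy.outcome != 'success'` on a follow-up step with `run: echo "::warning::Trivy scan did not complete"` (needs `id: trivy` on the scanner step). The Trivy step still resolves `aquasecurity/trivy-action@master`, a mutable ref; pinning it to a release tag or commit SHA would be consistent with the `@v3`/`@v4` pins introduced elsewhere in these hunks.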
@@ -17,6 +17,10 @@ jobs: security-audit: name: Security Audit runs-on: ubuntu-latest + continue-on-error: true + permissions: + contents: read + security-events: write steps: - name: Checkout code uses: actions/checkout@v4 @@ -43,7 +47,7 @@ jobs: ./scripts/security-audit.sh - name: Upload security audit report - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 if: always() with: name: security-audit-report @@ -54,31 +58,39 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master + continue-on-error: true with: scan-type: 'fs' scan-ref: '.' format: 'sarif' output: 'trivy-results.sarif' severity: 'HIGH,CRITICAL' + exit-code: '0' - name: Upload Trivy results to GitHub Security - uses: github/codeql-action/upload-sarif@v2 - if: always() + uses: github/codeql-action/upload-sarif@v3 + if: always() && hashFiles('trivy-results.sarif') != '' + continue-on-error: true with: sarif_file: 'trivy-results.sarif' + wait-for-processing: false - name: Run Grype scan uses: anchore/scan-action@v3 + id: grype + continue-on-error: true with: - path: "." + path: '.' fail-build: false severity-cutoff: high - name: Upload Grype results - uses: github/codeql-action/upload-sarif@v2 - if: always() + uses: github/codeql-action/upload-sarif@v3 + if: always() && steps.grype.outputs.sarif != '' + continue-on-error: true with: sarif_file: ${{ steps.grype.outputs.sarif }} + wait-for-processing: false - name: Check for security issues run: | @@ -102,6 +114,7 @@ jobs: codeql-analysis: name: CodeQL Analysis runs-on: ubuntu-latest + continue-on-error: true permissions: actions: read contents: read 
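Review bot: The two `Upload ... results` steps in the `@@ -54` hunk now combine `wait-for-processing: false` with `continue-on-error: true`, so a SARIF that Code Scanning rejects after upload (schema error, result limits) or an upload that fails outright is never reported anywhere in the run, and the Security tab silently stops receiving data. Keeping the action's default of waiting for processing on at least these steps, and removing `continue-on-error` from them, makes such breakage visible without affecting how findings are gated. Adding `id: grype` on the scanner is correct and is what makes `steps.grype.outputs.sarif` usable in the guard. The job-level `continue-on-error: true` on `security-audit` (first hunk) additionally hides failures of `./scripts/security-audit.sh` and the `Check for security issues` step, which are only context here; if that is intended it deserves a comment such as `# advisory: findings never block the workflow` above the flag.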
@@ -111,13 +124,15 @@ jobs: uses: actions/checkout@v4 - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 + continue-on-error: true with: languages: javascript,typescript - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 + continue-on-error: true - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 - + uses: github/codeql-action/analyze@v3 + continue-on-error: true
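Review bot: `Perform CodeQL Analysis` now runs even when `Initialize CodeQL` failed, because `continue-on-error: true` was added to the init step; the analyze step then fails for a secondary reason (no database) and, being itself `continue-on-error`, leaves the job green with no analysis. Either drop `continue-on-error` from the init step, or give it `id: init` and gate the later steps with `if: steps.init.outcome == 'success'` so a broken init is the step that shows as failed. The `codeql-analysis` job header and its `permissions` block are in the preceding hunk, which also sets `continue-on-error: true` on the job itself.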