44 push :
55 branches :
66 - main
7- - " feature/**"
87 pull_request :
98
109jobs :
1110
1211 # -----------------------------
13- # 1) Trivy Scan (container & code)
12+ # 1) Trivy Scan
1413 # -----------------------------
1514 trivy_scan :
1615 name : Trivy Vulnerability Scan
1716 runs-on : ubuntu-latest
1817 steps :
19- - name : Checkout repository
20- uses : actions/checkout@v4
18+ - uses : actions/checkout@v4
2119
2220 - name : Install Trivy
2321 run : |
@@ -27,35 +25,36 @@ jobs:
2725 tar zxvf trivy_*.tar.gz
2826 sudo mv trivy /usr/local/bin/
2927
30- - name : Run Trivy File System Scan
31- run : trivy fs --security-checks vuln,config . --exit-code 1 || true
28+ - name : Run Trivy FS Scan
29+ run : trivy fs --security-checks vuln,config . --format json --output trivy-report.json || true
3230
33- - name : Trivy SBOM + Report
34- run : trivy sbom . --output trivy-sbom.json
31+ - name : Upload Trivy Report
32+ uses : actions/upload-artifact@v4
33+ with :
34+ name : trivy-report
35+ path : trivy-report.json
3536
3637 # -----------------------------
37- # 2) Bandit Scan (Python SAST)
38+ # 2) Bandit Scan
3839 # -----------------------------
3940 bandit_scan :
4041 name : Bandit Python Static Scan
4142 runs-on : ubuntu-latest
4243 steps :
43- - name : Checkout repository
44- uses : actions/checkout@v4
44+ - uses : actions/checkout@v4
4545
46- - name : Setup Python
47- uses : actions/setup-python@v4
46+ - uses : actions/setup-python@v5
4847 with :
4948 python-version : " 3.x"
5049
5150 - name : Install Bandit
5251 run : pip install bandit
5352
5453 - name : Run Bandit
55- run : bandit -r . -f html -o bandit-report.html
54+ run : bandit -r . -f html -o bandit-report.html || true
5655
5756 - name : Upload Bandit Report
58- uses : actions/upload-artifact@v3
57+ uses : actions/upload-artifact@v4
5958 with :
6059 name : bandit-report
6160 path : bandit-report.html
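Review bot: The `|| true` appended to the Trivy run (new line 29) and the Bandit run (new line 54) makes both scanners non-gating: a finding, and equally a scanner that crashes before writing its report, still leaves the job green, and since `upload-artifact@v4` only warns when `trivy-report.json` is missing nothing downstream notices either. The same pattern is on the new ClamAV step in the next hunk. Keep the exit status and capture the report regardless of it: `run: trivy fs --security-checks vuln,config --format json --output trivy-report.json --exit-code 1 .` with `if: always()` on the "Upload Trivy Report" step, and the same shape for Bandit (drop `|| true`, add `if: always()` to "Upload Bandit Report"). Separately, `--security-checks` has been superseded by `--scanners` in recent Trivy releases, so it is worth confirming the flag against whatever version the install step downloads (that step begins in the previous hunk).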
@@ -67,53 +66,49 @@ jobs:
6766 name : Coverity Static Analysis
6867 runs-on : ubuntu-latest
6968 steps :
70- - name : Checkout repository
71- uses : actions/checkout@v4
69+ - uses : actions/checkout@v4
7270
73- - name : Install Coverity Toolset
71+ - name : Install Dependencies
7472 run : |
75- # Install or bootstrap Coverity CLI if available
76- # (Replace with your specific Coverity setup instructions)
77- echo "Installing Coverity…"
7873 sudo apt-get update
79- sudo apt-get install -y flex bison build-essential
74+ sudo apt-get install -y build-essential flex bison
8075
76+ # You MUST replace this with real Coverity install
8177 - name : Run Coverity Analysis
8278 run : |
8379 mkdir cov-out
84- # Replace below with your Coverity tour of code commands
85- cov-build --dir cov-out make
80+ echo "Run cov-build here"
81+ # Example:
82+ # cov-build --dir cov-out make
8683
8784 - name : Upload Coverity Output
88- uses : actions/upload-artifact@v3
85+ uses : actions/upload-artifact@v4
8986 with :
9087 name : coverity-output
9188 path : cov-out
9289
9390 # -----------------------------
94- # 4) ClamAV Malware Scan
91+ # 4) ClamAV Scan
9592 # -----------------------------
9693 clamav_scan :
9794 name : ClamAV Malware Scan
9895 runs-on : ubuntu-latest
9996 steps :
100- - name : Checkout repository
101- uses : actions/checkout@v4
97+ - uses : actions/checkout@v4
10298
10399 - name : Install ClamAV
104100 run : |
105101 sudo apt-get update
106- sudo apt-get install -y clamav clamav-daemon
102+ sudo apt-get install -y clamav
107103
108- - name : Update ClamAV DB
104+ - name : Update Virus DB
109105 run : sudo freshclam
110106
111- - name : Run ClamAV Against Repo
112- run : |
113- clamscan -r . > clamav-results.txt || true
107+ - name : Run ClamAV
108+ run : clamscan -r . --infected --no-summary > clamav-report.txt || true
114109
115110 - name : Upload ClamAV Report
116- uses : actions/upload-artifact@v3
111+ uses : actions/upload-artifact@v4
117112 with :
118113 name : clamav-report
119- path : clamav-results .txt
114+ path : clamav-report .txt
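Review bot: The Coverity job now runs `echo "Run cov-build here"` in place of `cov-build` (new line 80), so it passes on every push while uploading an empty `cov-out` directory, and a required check that is green without analysing anything is easy to misread as coverage. Until a real Coverity install is wired in, make the placeholder fail loudly, e.g. `echo "Coverity not configured"; exit 1`, or exclude the job from the workflow's required checks. The `# You MUST replace this with real Coverity install` comment (new line 76) sits above the "Run Coverity Analysis" step but refers to the "Install Dependencies" step, so it belongs directly above that step, or in its `run:` block. On the ClamAV job, the install step now pulls only `clamav` (new line 102); on Ubuntu runners the packaged `clamav-freshclam` service may already hold the database lock and make the manual `sudo freshclam` fail, in which case stopping that service first (`sudo systemctl stop clamav-freshclam`) is the usual fix — worth verifying on a run.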