Add reusable security workflow using ScopeGuardian v0.0.1

.github/security-config.toml

@@ -0,0 +1,15 @@
+title = "ScopeGuardian CI Security Scan"
+
+protected_branches = ["main", "master"]
+path = "."
+
+[kics]
+platform = "Dockerfile"
+
+[grype]
+ignore_states = "not-fixed,unknown,wont-fix"
+transitive_libraries = false
+
+[opengrep]
+exclude = ["*_test.go", "docker-compose.yml"]
+exclude_rule = ["go.lang.security.audit.dangerous-exec-command.dangerous-exec-command"]

.github/workflows/ci.yml

@@ -21,3 +21,11 @@ jobs:
 
       - name: Run unit tests
         run: go test ./...
+
+  security:
+    name: Security
+    needs: test
+    uses: ./.github/workflows/security.yml
+    permissions:
+      contents: read
+      packages: read

.github/workflows/security.yml

@@ -0,0 +1,37 @@
+name: Security
+
+on:
+  workflow_dispatch:
+  workflow_call:
+
+jobs:
+  security:
+    name: ScopeGuardian
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Verify security config exists
+        run: test -f "$GITHUB_WORKSPACE/.github/security-config.toml"
+
+      - name: Run ScopeGuardian
+        run: |
+          docker run --rm \
+            -v "$GITHUB_WORKSPACE:/tmp/data" \
+            -e SCAN_DIR=/tmp/data \
+            ghcr.io/paranoihack/scopeguardian:v0.0.1 \
+            --projectName ScopeGuardian \
+            --branch "${{ github.ref_name }}" \
+            --threshold "critical=1,high=1,medium=1,low=1" \
+            /tmp/data/.github/security-config.toml

Dockerfile

@@ -15,7 +15,7 @@ ARG KICS_VERSION=v2.1.17
 
 WORKDIR /tmp
 
-RUN apk add --no-cache git make
+RUN apk add --no-cache git=2.52.0-r0 make=4.4.1-r3
 
 RUN git clone --depth 1 --branch ${KICS_VERSION} https://github.com/Checkmarx/kics.git
 
@@ -31,7 +31,7 @@ ARG OPENGREP_VERSION=v1.13.1
 
 WORKDIR /tmp
 
-RUN apk add --no-cache git bash curl
+RUN apk add --no-cache git=2.52.0-r0 bash=5.3.3-r1 curl=8.17.0-r1
 
 RUN git clone --depth 1 --branch ${OPENGREP_VERSION} https://github.com/opengrep/opengrep.git
 
@@ -53,7 +53,7 @@ ARG GRYPE_VERSION=v0.104.2
 
 WORKDIR /tmp
 
-RUN apk add --no-cache git
+RUN apk add --no-cache git=2.52.0-r0
 
 RUN git clone --depth 1 --branch ${GRYPE_VERSION} https://github.com/anchore/grype.git
 
@@ -69,7 +69,7 @@ ARG SYFT_VERSION=v1.38.2
 
 WORKDIR /tmp
 
-RUN apk add --no-cache git
+RUN apk add --no-cache git=2.52.0-r0
 
 RUN git clone --depth 1 --branch ${SYFT_VERSION} https://github.com/anchore/syft.git
 
@@ -95,4 +95,10 @@ COPY --from=syft_builder /tmp/syft/bin/syft /opt/syft/bin/syft
 COPY features/scans/syft/config/syft.yaml /opt/syft/config/syft.yaml
 COPY features/scans/grype/config/grype.yaml /opt/grype/config/grype.yaml
 
+RUN addgroup -S scopeguardian && adduser -S -G scopeguardian scopeguardian
+
+USER scopeguardian
+
+HEALTHCHECK NONE
+
 ENTRYPOINT ["/opt/ScopeGuardian/bin/ScopeGuardian"]