

Security scan on every Monday

Security scan on every Monday #68

Workflow file for this run

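name: TerraSecure Security Scan

# Least-privilege default for GITHUB_TOKEN. The one job that has to comment
# on pull requests raises its own scope in its job-level `permissions:`.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main]
  workflow_dispatch:  # Manual trigger
    inputs:
      external_repo:
        description: 'External repo to scan (e.g., JashwanthMU/SIET-results)'
        required: false
      terraform_path:
        description: 'Path to Terraform files'
        required: false
        default: 'infrastructure'

jobs:
  # Job 1: Scan TerraSecure's own examples
  scan-examples:
    name: Scan Example Terraform Files
    runs-on: ubuntu-latest
    steps:
      - name: Checkout TerraSecure
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.9'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt

      - name: Generate Training Data
        run: |
          python scripts/generate_training_data.py

      - name: Train ML Model
        run: |
          python src/ml/train_model.py

      - name: Scan Vulnerable Examples (Expected to Fail)
        # Findings are expected here; `|| true` keeps the JSON result file
        # even when the CLI exits non-zero.
        run: |
          echo "🔍 Scanning vulnerable examples..."
          python src/cli.py examples/vulnerable --format json --output vulnerable-results.json || true
        continue-on-error: true

      - name: Scan Secure Examples (Expected to Pass)
        run: |
          echo "🔍 Scanning secure examples..."
          python src/cli.py examples/secure --format json --output secure-results.json

      - name: Display Results Summary
        if: always()
        run: |
          echo "📊 Vulnerable Examples Results:"
          python -c "import json; data=json.load(open('vulnerable-results.json')); print(f'Critical: {data[\"stats\"][\"CRITICAL\"]}, High: {data[\"stats\"][\"HIGH\"]}, Medium: {data[\"stats\"][\"MEDIUM\"]}')"
          echo "📊 Secure Examples Results:"
          python -c "import json; data=json.load(open('secure-results.json')); print(f'Critical: {data[\"stats\"][\"CRITICAL\"]}, High: {data[\"stats\"][\"HIGH\"]}, Medium: {data[\"stats\"][\"MEDIUM\"]}')"

      - name: Upload Scan Results
        uses: actions/upload-artifact@v4  # ✅ UPDATED TO v4
        if: always()
        with:
          name: example-scan-results
          path: |
            vulnerable-results.json
            secure-results.json

  # Job 2: Scan External Repository (SIET-results)
  scan-external-repo:
    name: Scan External Repository
    runs-on: ubuntu-latest
    # `github.event.inputs` only exists on workflow_dispatch; on other events
    # the first clause is false. The pull_request clause is required for the
    # "Comment on PR" step below to be reachable at all.
    if: github.event.inputs.external_repo != '' || github.event_name == 'push' || github.event_name == 'pull_request'
    permissions:
      contents: read
      pull-requests: write  # needed by the "Comment on PR" step
    env:
      # Dispatch inputs are handed to the shell through the environment rather
      # than interpolated into `run:` scripts, so their contents are never
      # parsed as shell syntax.
      INPUT_EXTERNAL_REPO: ${{ github.event.inputs.external_repo }}
      INPUT_TERRAFORM_PATH: ${{ github.event.inputs.terraform_path }}
    steps:
      - name: Checkout TerraSecure
        uses: actions/checkout@v4
        with:
          path: terrasecure

      - name: Determine External Repo
        id: repo
        run: |
          if [ -n "$INPUT_EXTERNAL_REPO" ]; then
            repo="$INPUT_EXTERNAL_REPO"
            scan_path="${INPUT_TERRAFORM_PATH:-infrastructure}"
          else
            # Default: Scan SIET-results
            repo="JashwanthMU/SIET-results"
            scan_path="infrastructure"
          fi
          # Accept only owner/name repositories and repo-relative scan paths,
          # since both are joined into file paths by the steps below.
          case "$repo" in
            */*) ;;
            *) echo "Invalid repository: $repo" >&2; exit 1 ;;
          esac
          case "$scan_path" in
            /*|..*|*/..*) echo "Invalid scan path: $scan_path" >&2; exit 1 ;;
          esac
          echo "repo=$repo" >> "$GITHUB_OUTPUT"
          echo "path=$scan_path" >> "$GITHUB_OUTPUT"

      - name: Checkout External Repository
        uses: actions/checkout@v4
        with:
          repository: ${{ steps.repo.outputs.repo }}
          path: external-repo
          persist-credentials: false  # the scan only reads this checkout

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.9'

      - name: Install TerraSecure
        run: |
          cd terrasecure
          python -m pip install --upgrade pip
          pip install -r requirements.txt

      - name: Generate Training Data
        run: |
          cd terrasecure
          python scripts/generate_training_data.py

      - name: Train ML Model
        run: |
          cd terrasecure
          python src/ml/train_model.py

      - name: Scan External Repository
        id: scan
        env:
          SCAN_REPO: ${{ steps.repo.outputs.repo }}
          SCAN_PATH: ${{ steps.repo.outputs.path }}
        run: |
          cd terrasecure
          echo "🔍 Scanning $SCAN_REPO/$SCAN_PATH"
          python src/cli.py "../external-repo/$SCAN_PATH" \
            --format json \
            --output external-scan-results.json \
            --fail-on critical || echo "scan_failed=true" >> "$GITHUB_OUTPUT"
        continue-on-error: true

      - name: Display Scan Results
        if: always()
        env:
          SCAN_PATH: ${{ steps.repo.outputs.path }}
        run: |
          cd terrasecure
          echo "📊 External Repository Scan Results:"
          python src/cli.py "../external-repo/$SCAN_PATH"

      - name: Generate Security Report
        if: always()
        env:
          SCAN_REPO: ${{ steps.repo.outputs.repo }}
          SCAN_PATH: ${{ steps.repo.outputs.path }}
          TRIGGERED_BY: ${{ github.actor }}
        run: |
          cd terrasecure
          # Unquoted heredoc so $(date) and the env vars expand; the quoted
          # form previously wrote the literal text "$(date)" into the report.
          cat > security-report.md << EOF
          # 🛡️ TerraSecure Security Scan Report
          **Repository:** $SCAN_REPO
          **Path:** $SCAN_PATH
          **Scan Date:** $(date)
          **Triggered By:** $TRIGGERED_BY
          ## Summary
          EOF
          # Append the summary to the report file (previously it went only to
          # the step log, so the uploaded report contained just the header).
          python >> security-report.md << 'PYTHON'
          import json
          import os

          # The scan step may have failed before writing any results.
          if not os.path.exists('external-scan-results.json'):
              print("- ⚠️ No scan results were produced; see the scan step log.")
              raise SystemExit(0)
          with open('external-scan-results.json') as f:
              data = json.load(f)
          print(f"- **Total Resources Scanned:** {data['total_resources']}")
          print(f"- **Resources Passed:** {data['passed']}")
          print(f"- **Total Issues:** {len(data['issues'])}")
          print(f"- 🔴 **Critical Issues:** {data['stats']['CRITICAL']}")
          print(f"- 🟡 **High Severity:** {data['stats']['HIGH']}")
          print(f"- 🔵 **Medium Severity:** {data['stats']['MEDIUM']}")
          print()
          if data['issues']:
              print("## Top Security Issues\n")
              for i, issue in enumerate(data['issues'][:10], 1):
                  print(f"### {i}. [{issue['severity']}] {issue['message']}")
                  print(f"- **File:** `{issue['file']}`")
                  print(f"- **Resource:** `{issue['resource_type']}.{issue['resource_name']}`")
                  print(f"- **ML Risk Score:** {issue['ml_risk_score']:.0%}")
                  if issue.get('llm_explanation'):
                      print(f"- **AI Analysis:** {issue['llm_explanation'][:200]}...")
                  print()
          PYTHON
          cat security-report.md

      - name: Upload Security Report
        uses: actions/upload-artifact@v4  # ✅ UPDATED TO v4
        if: always()
        with:
          name: security-report
          path: terrasecure/security-report.md

      - name: Upload Detailed Results
        uses: actions/upload-artifact@v4  # ✅ UPDATED TO v4
        if: always()
        with:
          name: external-scan-results
          path: terrasecure/external-scan-results.json

      - name: Comment on PR (if applicable)
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const report = fs.readFileSync('terrasecure/security-report.md', 'utf8');
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: report
            });

      - name: Fail Build on Critical Issues
        # `scan_failed` is only written when the CLI exits non-zero with
        # --fail-on critical; the scan step itself is continue-on-error.
        if: steps.scan.outputs.scan_failed == 'true'
        run: |
          echo "❌ Build failed due to critical security issues!"
          exit 1

  # Job 3: Compare with Checkov
  compare-with-checkov:
    name: Compare TerraSecure vs Checkov
    runs-on: ubuntu-latest
    steps:
      - name: Checkout TerraSecure
        uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.9'

      - name: Install TerraSecure
        run: |
          pip install -r requirements.txt
          python scripts/generate_training_data.py
          python src/ml/train_model.py

      - name: Install Checkov
        # Unpinned: a new checkov release changes the comparison baseline and
        # widens the supply-chain surface; consider pinning a version here.
        run: |
          pip install checkov

      - name: Run TerraSecure
        run: |
          echo "🛡️ Running TerraSecure..."
          python src/cli.py examples/vulnerable --format json --output terrasecure-results.json || true

      - name: Run Checkov
        run: |
          echo "🔍 Running Checkov..."
          checkov -d examples/vulnerable --output json --output-file-path . || true

      - name: Generate Comparison Report
        run: |
          python << 'EOF'
          import json
          import os

          # Load TerraSecure results
          with open('terrasecure-results.json') as f:
              ts_data = json.load(f)

          # Load Checkov results (absent if checkov did not run or wrote nothing)
          checkov_file = 'results_json.json'
          if os.path.exists(checkov_file):
              with open(checkov_file) as f:
                  cv_data = json.load(f)
          else:
              cv_data = {'summary': {'failed': 0}}

          print("=" * 60)
          print("TerraSecure vs Checkov Comparison")
          print("=" * 60)
          print()
          print("TerraSecure Results:")
          print(f" - Total Issues: {len(ts_data['issues'])}")
          print(f" - Critical: {ts_data['stats']['CRITICAL']}")
          print(f" - High: {ts_data['stats']['HIGH']}")
          print(f" - Medium: {ts_data['stats']['MEDIUM']}")
          print(f" - ML-powered: ✅")
          print(f" - LLM Analysis: ✅")
          print()
          cv_failed = cv_data.get('summary', {}).get('failed', 0)
          print("Checkov Results:")
          print(f" - Total Issues: {cv_failed}")
          print(f" - ML-powered: ❌")
          print(f" - LLM Analysis: ❌")
          print()
          print("TerraSecure Advantages:")
          print(" ✅ AI-powered explanations")
          print(" ✅ Business impact analysis")
          print(" ✅ Attack scenario descriptions")
          print(" ✅ ML risk scoring (50 security features)")
          print(" ✅ Context-aware recommendations")
          print()
          EOF

      - name: Upload Comparison Results
        uses: actions/upload-artifact@v4  # ✅ UPDATED TO v4
        if: always()
        with:
          name: comparison-results
          path: |
            terrasecure-results.json
            results_json.json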