GitHub SecOps
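# DevSecOps workflow: secret scanning, SAST, SCA, container scan, DAST,
# host audit and issue tracking, run on every push to main.
#
# Values written as "[your-...]" are placeholders to replace before use.
# In the original they were unquoted, so a YAML parser read each one as a
# one-element flow sequence (`[x]` → list), not as a string; they are quoted
# here. Every credential is read from the repository's encrypted secrets
# via `${{ secrets.<NAME> }}` instead of being written into the file; the
# secret names below are constructed examples and must be created under the
# repository settings with whatever name you choose.
name: DevSecOps Pipeline

on:
  push:
    branches:
      - main

# Least privilege for the job's GITHUB_TOKEN: the steps here only need to
# read the checked-out sources. Widen per job only if an action must write.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      # Third-party actions are referenced by floating tags (@v1). A moved
      # tag silently changes what runs; pinning each `uses:` to a full
      # commit SHA (`owner/repo@<commit-sha>`) makes the pipeline reproducible.
      - name: GitSecret check
        uses: gitsecret/action@v1
        with:
          secret-file: .gitsecret

      - name: SAST for SonarQube
        uses: sonarsource/sonarcloud-github-action@v1
        with:
          sonar-project-key: "[your-sonar-project-key]"
          # Token, never a literal: read from encrypted repository secrets.
          sonar-login: ${{ secrets.SONAR_LOGIN }}

      - name: SCA (Dependency Check)
        uses: owasp/dependency-check-action@v1
        with:
          dependency-check-report: ./dependency-check-report.xml

      - name: Container Audit (Trivy)
        uses: aquasec/trivy-action@v1
        with:
          image: "[your-image-name]"

      - name: DAST (WASP Zap)
        uses: owasp/zap-action@v1
        with:
          # Scheme kept as in the original; the token below travels with
          # every request, so a TLS endpoint is preferable where available.
          zap-url: "http://[your-zap-url]"
          zap-token: ${{ secrets.ZAP_TOKEN }}

      - name: System Security Audit (Lynis)
        uses: github/lyses-action@v1
        with:
          lyses-url: "https://[your-lyses-url]"
          lyses-token: ${{ secrets.LYSES_TOKEN }}

      - name: Bugzilla for tracking
        uses: bz-action/bugzilla-action@v1
        with:
          bugzilla-url: "https://[your-bugzilla-url]"
          # Both the account and its password come from repository secrets
          # so neither is committed to version control.
          bugzilla-user: ${{ secrets.BUGZILLA_USER }}
          bugzilla-password: ${{ secrets.BUGZILLA_PASSWORD }}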