Add GitHub Actions workflow for private security scan #477
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,69 @@ | ||||||||
| name: Private Security Scan | ||||||||
|
|
||||||||
| # Epyon private-repo scanner entrypoint. | ||||||||
| # This workflow delegates execution to the local reusable workflow. | ||||||||
|
|
||||||||
| permissions: | ||||||||
| contents: read | ||||||||
|
|
||||||||
| concurrency: | ||||||||
| group: epyon-scan-${{ github.repository }} | ||||||||
| cancel-in-progress: false | ||||||||
|
|
||||||||
| on: | ||||||||
| schedule: | ||||||||
| # Nightly run at 2 AM UTC | ||||||||
| - cron: "0 2 * * *" | ||||||||
| # checkov:skip=CKV_GHA_7:Workflow inputs control scan parameters not build artifacts | ||||||||
| workflow_dispatch: | ||||||||
| inputs: | ||||||||
| subdirectory: | ||||||||
| description: "Optional: Subdirectory path to scan (e.g., apps/api)" | ||||||||
| required: false | ||||||||
| type: string | ||||||||
| scan_mode: | ||||||||
| description: "Scan mode (quick/full/nightly/baseline)" | ||||||||
| required: false | ||||||||
| default: "full" | ||||||||
| type: choice | ||||||||
| options: | ||||||||
| - quick | ||||||||
| - full | ||||||||
| - nightly | ||||||||
| - baseline | ||||||||
| garak_target_type: | ||||||||
| description: "Garak generator type (e.g. test, openai, huggingface)" | ||||||||
| required: false | ||||||||
| default: "openai" | ||||||||
| type: string | ||||||||
| garak_target_name: | ||||||||
| description: "Garak target model name (e.g. gpt-4o-mini)" | ||||||||
| required: false | ||||||||
| default: "gpt-4o-mini" | ||||||||
| type: string | ||||||||
| garak_probes: | ||||||||
| description: "Garak probe set (comma-separated, e.g. promptinject,dan,encoding)" | ||||||||
| required: false | ||||||||
| default: "promptinject" | ||||||||
| type: string | ||||||||
|
|
||||||||
| env: | ||||||||
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true | ||||||||
|
|
||||||||
| jobs: | ||||||||
| security-scan-main: | ||||||||
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | ||||||||
| permissions: | ||||||||
| contents: read | ||||||||
| actions: read | ||||||||
| pull-requests: write | ||||||||
| security-events: write | ||||||||
| issues: write | ||||||||
| uses: MetroStar/epyon/.github/workflows/epyon-scan.yml@main | ||||||||
|
||||||||
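Review bot: the workflow-level `env:` block (`FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true`) does nothing for `security-scan-main`, because a job that calls a reusable workflow with `uses:` does not propagate the caller's `env` context to the called workflow; either drop it or pass the value through a `with:` input that the reusable workflow declares. The same job grants `pull-requests: write`, `issues: write` and `security-events: write` to a workflow referenced as `MetroStar/epyon/.github/workflows/epyon-scan.yml@main`, a branch ref that can change after this PR merges and that the job-level `permissions:` block (which overrides the top-level `contents: read` for this job) then trusts in full; pin the `uses:` ref to a full commit SHA and keep the permission list to what the scan actually needs. The `if:` on the job is redundant as written, since `schedule` and `workflow_dispatch` are the only triggers declared under `on:`.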
| uses: MetroStar/epyon/.github/workflows/epyon-scan.yml@main | |
| uses: MetroStar/epyon/.github/workflows/epyon-scan.yml@v1 |
Copilot
AI
Mar 31, 2026
secrets: inherit passes all repository/environment secrets to the called workflow in another repo. To reduce blast radius if the upstream workflow is ever compromised (or misbehaves), pass only the specific secrets the scan needs (and keep the reusable workflow ref pinned to an immutable SHA).
| secrets: inherit | |
| secrets: | |
| EPYON_SCAN_TOKEN: ${{ secrets.EPYON_SCAN_TOKEN }} |
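As an added check, not code from this PR or from the Epyon project: a small Python audit that reads a caller workflow and flags the two things the comment above raises, `secrets: inherit` and `uses:` references that are not pinned to a full 40-character commit SHA. It is a line-oriented scanner (no YAML library needed) and also reports unpinned step-level `uses:` lines, which generalizes the point to actions as well as reusable workflows. The sample workflow text, the `example-org/scanner` reference and the `SCAN_TOKEN` secret name are constructed for the example.

```python
import re

# Constructed sample caller workflow (not the PR's file). The first job inherits
# every secret and pins the reusable workflow to a mutable branch; the second
# passes one named secret and pins to a full commit SHA.
SAMPLE_WORKFLOW = """\
name: Private Security Scan
on:
  workflow_dispatch:
jobs:
  scan-loose:
    uses: example-org/scanner/.github/workflows/scan.yml@main
    secrets: inherit
  scan-tight:
    uses: example-org/scanner/.github/workflows/scan.yml@0123456789abcdef0123456789abcdef01234567
    secrets:
      SCAN_TOKEN: ${{ secrets.SCAN_TOKEN }}
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches both job-level "uses:" and step-level "- uses:" lines.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")
# Job names sit at exactly two spaces of indentation under "jobs:".
JOB_RE = re.compile(r"^  ([A-Za-z0-9_-]+):\s*$")


def audit_workflow(text):
    """Return a list of (job, finding) tuples for risky reusable-workflow usage."""
    findings = []
    job = None
    in_jobs = False
    for raw in text.splitlines():
        if raw.startswith("jobs:"):
            in_jobs = True
            continue
        if not in_jobs:
            continue
        m = JOB_RE.match(raw)
        if m:
            job = m.group(1)
            continue
        m = USES_RE.match(raw)
        if m:
            ref = m.group(1)
            # Local references (./path) live in this repo and need no pin.
            if ref.startswith("./"):
                continue
            if "@" not in ref:
                findings.append((job, f"unpinned reference {ref!r} (no @ref at all)"))
            else:
                version = ref.rsplit("@", 1)[1]
                if not SHA_RE.match(version):
                    findings.append((job, f"mutable reference {ref!r}; pin to a 40-character commit SHA"))
            continue
        if INHERIT_RE.match(raw):
            findings.append((job, "secrets: inherit passes every repository and environment secret "
                                  "to the called workflow; pass named secrets instead"))
    return findings


if __name__ == "__main__":
    for job, finding in audit_workflow(SAMPLE_WORKFLOW):
        print(f"[{job}] {finding}")
```

Run it against a real caller workflow by replacing `SAMPLE_WORKFLOW` with the file contents; only `scan-loose` produces findings, which is the shape a pre-merge check on `.github/workflows/*.yml` should enforce.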
The header comment says this delegates to a "local reusable workflow", but the job actually calls a reusable workflow in the external MetroStar/epyon repository. Please update the comment to accurately describe where the workflow is sourced from (or switch to a local reusable workflow if that was the intent).