# GitHub Security Scan Workflow
This workflow runs all phases of security scanning through the unified `hashsecured-scan` action. Each phase is an independent job that targets one stage of your application lifecycle: source code before the build, the container image before deployment, and the live deployment afterwards.
## Pre-phase: Static Application Security Testing (SAST)

Analyzes source code for vulnerabilities, hardcoded secrets, and compliance issues before build/deployment.

```yaml
pre-phase:
  name: Pre Phase - SAST
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3
    - name: Run Pre Phase Security Scan
      uses: clockhash-kiran/scan-actions/hashsecured-scan@main
      with:
        phase: "pre"
        target_url: "gitlab.com/your-org/your-repo-name"
        user_id: "YOUR_USER_ID"
        project_id: "YOUR_PROJECT_ID"
        api_token: ${{ secrets.API_TOKEN }}
        branch: "main"            # Optional
        break: "true"             # Optional
        tools: "semgrep,gitleaks" # Optional
```

## Mid-phase: Container Scan
Scans your container images for vulnerabilities before deployment.
```yaml
mid-phase:
  name: Mid Phase - Container Scan
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3
    - name: Run Mid Phase Security Scan
      uses: clockhash-kiran/scan-actions/hashsecured-scan@main
      with:
        phase: "mid"
        target_url: "nginx:latest"
        user_id: "YOUR_USER_ID"
        project_id: "YOUR_PROJECT_ID"
        api_token: ${{ secrets.API_TOKEN }}
```

## Post-phase: Deployment Scan
Performs security checks against live deployments.
```yaml
post-phase:
  name: Post Phase - Deployment Scan
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v3
    - name: Run Post Phase Security Scan
      uses: clockhash-kiran/scan-actions/hashsecured-scan@main
      with:
        phase: "post"
        target_url: "https://example.com"
        user_id: "YOUR_USER_ID"
        project_id: "YOUR_PROJECT_ID"
        api_token: ${{ secrets.API_TOKEN }}
```

## Optional Parameters
| Parameter | Type | Phase | Description | Default |
|---|---|---|---|---|
| `break` | `true`/`false` | All | Fail the pipeline if HIGH/CRITICAL vulnerabilities are found | `true` |
| `tools` | string (comma-separated) | All | Override the default tools for the phase | Default tools for the phase |
| `branch` | string | Pre-phase | Branch to scan for SAST | `main` |
| `pat` | string | Pre-phase | Personal Access Token for private repositories | None |
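As an added example (not a workflow shipped by the scan-actions project), the three phase jobs above combined into one workflow file and chained with `needs`, so that when the pre-phase fails under `break: "true"` the image scan and the deployment scan are skipped rather than run against code that already failed SAST. The triggers, the `permissions` block, the `needs`/`if` ordering and the `ghcr.io` image name are assumptions; the action inputs are the ones documented on this page.

```yaml
name: hashsecured security scan
on:
  push:
    branches: [main]
  pull_request:
permissions:
  contents: read   # least privilege: the scan jobs only need to read the checkout
jobs:
  pre-phase:
    name: Pre Phase - SAST
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: clockhash-kiran/scan-actions/hashsecured-scan@main
        with:
          phase: "pre"
          target_url: "gitlab.com/your-org/your-repo-name"
          user_id: "YOUR_USER_ID"
          project_id: "YOUR_PROJECT_ID"
          api_token: ${{ secrets.API_TOKEN }}
          branch: ${{ github.ref_name }}   # scan the branch that triggered the run
          break: "true"                    # HIGH/CRITICAL findings fail this job
  mid-phase:
    name: Mid Phase - Container Scan
    runs-on: ubuntu-latest
    needs: pre-phase                       # skipped when SAST breaks the build
    steps:
      - uses: actions/checkout@v3
      - uses: clockhash-kiran/scan-actions/hashsecured-scan@main
        with:
          phase: "mid"
          target_url: "ghcr.io/your-org/your-image:${{ github.sha }}"  # assumed image name
          user_id: "YOUR_USER_ID"
          project_id: "YOUR_PROJECT_ID"
          api_token: ${{ secrets.API_TOKEN }}
  post-phase:
    name: Post Phase - Deployment Scan
    runs-on: ubuntu-latest
    needs: mid-phase
    if: github.ref == 'refs/heads/main'    # only probe the live deployment from main
    steps:
      - uses: actions/checkout@v3
      - uses: clockhash-kiran/scan-actions/hashsecured-scan@main
        with:
          phase: "post"
          target_url: "https://example.com"
          user_id: "YOUR_USER_ID"
          project_id: "YOUR_PROJECT_ID"
          api_token: ${{ secrets.API_TOKEN }}
```

Store `API_TOKEN` as a repository or environment secret; the `secrets` context keeps it out of the workflow file and out of the job logs.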