{"id":30886863,"url":"https://github.com/cloudon-one/git-security-scanner-public","last_synced_at":"2025-09-08T13:52:05.347Z","repository":{"id":311923451,"uuid":"1045616023","full_name":"cloudon-one/git-security-scanner-public","owner":"cloudon-one","description":"Git secrets, vulnurabilities scanner with rich reporting","archived":false,"fork":false,"pushed_at":"2025-08-27T14:47:55.000Z","size":81,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-27T22:21:14.050Z","etag":null,"topics":["ci-cd","code-scanning","devsecops","gitleaks","secret-detection","security-scanner","secutiry","trivy","vulnerability-scanner"],"latest_commit_sha":null,"homepage":"https://cloudon-one.com/secureops.html","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudon-one.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":null,"patreon":"yaarcloudon","open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"lfx_crowdfunding":null,"polar":null,"buy_me_a_coffee":null,"thanks_dev":null,"custom":null}},"created_at":"2025-08-27T13:07:19.000Z","updated_at":"2025-08-27T14:47:59.000Z","dependencies_parsed_at":"2025-08-27T22:21:50.998Z","dependency_job_id":"2bf3de60-2d32-4226-b711-3dc24219adf8","html_url":"https://github.com/cloudon-one/git-security-scanner-public","commit_stats":null,"previous_names":["cloudon-one/git-security-scanner-public"],"tags_count":
2,"template":false,"template_full_name":null,"purl":"pkg:github/cloudon-one/git-security-scanner-public","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fgit-security-scanner-public","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fgit-security-scanner-public/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fgit-security-scanner-public/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fgit-security-scanner-public/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudon-one","download_url":"https://codeload.github.com/cloudon-one/git-security-scanner-public/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudon-one%2Fgit-security-scanner-public/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274196075,"owners_count":25239148,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-08T02:00:09.813Z","response_time":121,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci-cd","code-scanning","devsecops","gitleaks","secret-detection","security-scanner","secutiry","trivy","vulnerability-scanner"],"created_at":"2025-09-08T13:51:49.881Z","updated_at":"2025-09-08T13:52:05.329Z","avatar_url":"https://github.co
m/cloudon-one.png","language":"Python","funding_links":["https://patreon.com/yaarcloudon"],"categories":[],"sub_categories":[],"readme":"# Git Security Scanner - GitHub Action\n\n[![GitHub Marketplace](https://img.shields.io/badge/Marketplace-Git%20Security%20Scanner-blue?logo=github)](https://github.com/marketplace/actions/git-security-scanner)\n[![Release](https://img.shields.io/badge/Release-v1.1.1-green)](https://github.com/cloudon-one/git-security-scanner-public/releases/tag/v.1.1.1)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n[![Docker](https://img.shields.io/badge/Docker-ghcr.io-blue?logo=docker)](https://ghcr.io/cloudon-one/security-scanner)\n\n**Comprehensive security scanning for GitHub repositories** - Detect secrets, vulnerabilities, and misconfigurations in your CI/CD pipeline.\n\n## Features\n\n- **Secret Detection** - Find API keys, passwords, and tokens using Gitleaks\n- **Vulnerability Scanning** - Identify CVEs and security issues with Trivy\n- **Misconfiguration Detection** - Catch IaC security problems\n- **Multiple Report Formats** - JSON, HTML, and SARIF for GitHub Security tab\n- **PR Integration** - Automatic security comments on pull requests\n- **Quality Gates** - Fail builds on critical security issues\n\n## Quick Start\n\nAdd to your workflow (`.github/workflows/security.yml`):\n\n```yaml\nname: Security Scan\non: [push, pull_request]\n\njobs:\n  security:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      security-events: write\n      pull-requests: write\n    steps:\n      - uses: actions/checkout@v4\n      \n      - name: Run Security Scan\n        uses: cloudon-one/git-security-scanner@v1.1.1\n        with:\n          github_token: ${{ secrets.GITHUB_TOKEN }}\n          fail_on_critical: true\n```\n\n## Configuration\n\n### Inputs\n\n| Input | Required | Default | Description |\n|-------|----------|---------|-------------|\n| `github_token` | No 
| `${{ github.token }}` | GitHub token for API access |\n| `fail_on_critical` | No | `true` | Fail build if critical issues found |\n| `scan_type` | No | `all` | Scan type: `all`, `gitleaks`, or `trivy` |\n| `repository_path` | No | `.` | Path to repository to scan |\n| `upload_sarif` | No | `true` | Upload SARIF to GitHub Security tab |\n| `create_pr_comment` | No | `true` | Create PR comments with results |\n| `scanner_version` | No | `latest` | Docker image version to use |\n\n### Outputs\n\n| Output | Description |\n|--------|-------------|\n| `risk_level` | Overall risk: `CRITICAL`, `HIGH`, `MEDIUM`, `LOW` |\n| `critical_count` | Number of critical issues |\n| `high_count` | Number of high severity issues |\n| `medium_count` | Number of medium severity issues |\n| `low_count` | Number of low severity issues |\n| `secrets_found` | Number of secrets detected |\n| `vulnerabilities_found` | Number of vulnerabilities found |\n| `misconfigurations_found` | Number of misconfigurations detected |\n| `report_url` | Link to detailed security report |\n\n## Usage Examples\n\n### Basic Security Check\n\n```yaml\n- uses: cloudon-one/git-security-scanner@v1.1.1\n  with:\n    fail_on_critical: true\n    create_pr_comment: true\n```\n\n### Advanced Configuration\n\n```yaml\n- uses: cloudon-one/git-security-scanner@v1.1.1\n  id: security\n  with:\n    scan_type: all\n    fail_on_critical: false\n    repository_path: ./src\n    \n- name: Process Results\n  run: |\n    echo \"Risk Level: ${{ steps.security.outputs.risk_level }}\"\n    echo \"Secrets: ${{ steps.security.outputs.secrets_found }}\"\n    echo \"Vulnerabilities: ${{ steps.security.outputs.vulnerabilities_found }}\"\n```\n\n### Scheduled Security Audits\n\n```yaml\nname: Weekly Security Audit\non:\n  schedule:\n    - cron: '0 2 * * 1'  # Mondays at 2 AM\n\njobs:\n  audit:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      - uses: cloudon-one/git-security-scanner@v1.1.1\n        with:\n   
       fail_on_critical: false\n```\n\n## Building from Source\n\n### Prerequisites\n- Docker\n- GitHub Token (for GitHub API access)\n\n### Build Docker Image\n\n```bash\ndocker build -t git-security-scanner .\n```\n\n### Run Local Scan\n\n```bash\n# Scan current directory (image name matches the tag used in the build step above)\ndocker run --rm \\\n  -v $(pwd):/scan_target:ro \\\n  -v $(pwd)/reports:/reports \\\n  git-security-scanner all\n\n# Scan specific repository\ndocker run --rm \\\n  -e GITHUB_TOKEN=$GITHUB_TOKEN \\\n  -e GITHUB_OWNER=owner \\\n  -e GITHUB_REPO=repo \\\n  -v $(pwd)/reports:/reports \\\n  git-security-scanner all\n```\n\n## Architecture\n\nThe scanner consists of:\n- `action.yml` - GitHub Action definition\n- `Dockerfile` - Container with security tools\n- `git-audit-script.py` - Main orchestration script\n- `run_scans.sh` - Shell wrapper for execution\n- `gitleaks.toml` - Secret detection configuration\n\n## Security Tools\n\n- **[Gitleaks](https://github.com/gitleaks/gitleaks)** v8.28.0 - Secret detection\n- **[Trivy](https://github.com/aquasecurity/trivy)** v0.65.0 - Vulnerability scanning\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for development guidelines.\n\n## Support\n\n- **Issues**: [Report bugs](https://github.com/cloudon-one/git-security-scanner/issues)\n- **Discussions**: [Ask questions](https://github.com/cloudon-one/git-security-scanner/discussions)\n\n## License\n\nMIT License - see [LICENSE](LICENSE) file.\n\n---\n\nMade by [CloudOn One](https://github.com/cloudon-one)","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudon-one%2Fgit-security-scanner-public","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudon-one%2Fgit-security-scanner-public","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudon-one%2Fgit-security-scanner-public/lists"}