Security Gate

Simple and pratical security gate for Github Security Alerts

This is a project that allows you to use a Security Gate within Github, using Actions and your project's Security Alerts as an information base. Currently alerts from DependaBot, Code Scanning and Secret Scanning are supported.

You can define a vulnerability policy based on impact i.e. the number of vulnerabilities per threat, and automatically block your CI/CD pipeline if these policies are not met. This ensures that your application has greater protection, preventing codes that contain known threats from being deployed in production.

You need to create a token with read access to Security Alerts and configure it within the Secrets resource of your repository, then: In your repository, create a YAML file at: .github/workflows/security-gate.yml with this content:

name: Security Gate - LESIS

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      MAX_CRITICAL: 1
      MAX_HIGH: 2
      MAX_MEDIUM: 3
      MAX_LOW: 4
      GITHUB_TOKEN: ${{ secrets.TOKEN }}
    steps:
    - name: Checkout repository
      uses: actions/checkout@v4

    - name: Pull Docker image from GitHub Container Registry
      run: docker pull ghcr.io/instriq/security-gate/security-gate:latest

    - name: Verify security alerts from dependabot
      run: |
        docker run ghcr.io/instriq/security-gate/security-gate:latest \
        -t $GITHUB_TOKEN \
        -r ${{ github.repository }} \
        --critical $MAX_CRITICAL \
        --high $MAX_HIGH \
        --medium $MAX_MEDIUM \
        --low $MAX_LOW \
        --dependency-alerts \
        --code-alerts \
        --secret-alerts 

# Download
$ git clone https://github.com/instriq/security-gate && cd security-gate
    
# Install libs dependencies
$ sudo cpanm --installdeps .

# Basic usage
$ perl security-gate.pl --help

Security Gate v0.1.0
Core Commands
====================
        Command                Description
        -------                -----------
        -t, --token            GitHub token
        -r, --repo             GitHub repository, organization/repository-name
        -c, --critical         Critical severity limit
        -h, --high             High severity limit
        -m, --medium           Medium severity limit
        -l, --low              Low severity limit
        --dependency-alerts    Check dependency alerts
        --secret-alerts        Check secret scanning alerts
        --code-alerts          Check code scanning alerts

$ docker build -t security-gate .
$ docker run -ti --rm security-gate -t <GITHUB_TOKEN> \
  -r <organization/repository> \
  --critical 1 \
  --high 2 \
  --medium 3 \
  --low 5 \
  --dependency-alerts --code-alerts --secret-alerts 

Your contributions and suggestions are heartily ♥ welcome. See here the contribution guidelines. Please, report bugs via issues page and for security issues, see here the security policy. (✿ ◕‿◕)

This work is licensed under MIT License.