gh-advsec-devsecops/.github/workflows/security-agent-workflow.yml at 108e9e5b8e727c22b9d9a79d4a695281a3ca8136 · devopsabcs-engineering/gh-advsec-devsecops · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
name: Security Agent Workflow

on:
    workflow_dispatch:

jobs:
    security-assessment:
        runs-on: ubuntu-latest
        timeout-minutes: 15
        permissions:
            contents: read
        steps:
            - name: Checkout repository
              uses: actions/checkout@v4

            - name: Setup Node.js
              uses: actions/setup-node@v4
              with:
                  node-version: 22

            - name: Install GitHub Copilot CLI
              run: npm i -g @github/copilot

            - name: Run Security Agent via Copilot CLI
              env:
                  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
                  GITHUB_REPOSITORY: ${{ github.repository }}
              run: |
                  set -euo pipefail
                  AGENT_PROMPT=$(cat .github/agents/security-agent.md)
                  PROMPT="$AGENT_PROMPT"
                  PROMPT+=$'\n\nContext:\n'
                  PROMPT+="- Repository: $GITHUB_REPOSITORY"
                  PROMPT+=$'\n\nTask:\n'
                  PROMPT+=$"\n- Execute the instructions on the full codebase"
                  PROMPT+=$'\n- Generate the security report at /security-reports/security-assessment-report.md summarizing findings, severity, and remediation guidance.'

                  copilot --prompt "$PROMPT" --allow-all-tools --allow-all-paths < /dev/null

            - name: Output security report as summary
              if: always()
              run: |
                  set -euo pipefail
                  REPORT_PATH="security-reports/security-assessment-report.md"

                  if [ ! -f "$REPORT_PATH" ]; then
                    echo "No security report generated; skipping summary."
                    exit 0
                  fi

                  echo "## Security Assessment Report" >> $GITHUB_STEP_SUMMARY
                  cat "$REPORT_PATH" >> $GITHUB_STEP_SUMMARY

            - name: Upload security report artifact
              if: always()
              uses: actions/upload-artifact@v4
              with:
                  name: security-assessment-report-${{ github.run_id }}
                  path: security-reports/security-assessment-report.md
                  retention-days: 30

            - name: Check for critical vulnerabilities
              if: always()
              run: |
                  set -euo pipefail
                  REPORT_PATH="security-reports/security-assessment-report.md"

                  if [ ! -f "$REPORT_PATH" ]; then
                    echo "No security report generated; skipping critical check."
                    exit 0
                  fi

                  if grep -q "THIS ASSESSMENT CONTAINS A CRITICAL VULNERABILITY" "$REPORT_PATH"; then
                    echo "❌ CRITICAL VULNERABILITY DETECTED - Workflow failed"
                    echo "The security assessment found critical vulnerabilities that must be addressed before proceeding."
                    exit 1
                  else
                    echo "✅ No critical vulnerabilities detected"
                  fi