Uploading basic documentation for Using PHP or Laravel in Your Projects #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security Checks | |
| on: | |
| push: | |
| branches: [ main, develop ] | |
| pull_request: | |
| branches: [ main, develop ] | |
| schedule: | |
| # Run security checks weekly on Sundays at 3 AM UTC | |
| - cron: '0 3 * * 0' | |
| jobs: | |
| security-scan: | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.2' | |
| extensions: mbstring, xml, ctype, iconv, intl, pdo, pdo_mysql, dom, filter, hash, json, libxml, openssl, readline, zlib | |
| tools: composer:v2, phpunit | |
| - name: Cache Composer dependencies | |
| uses: actions/cache@v3 | |
| with: | |
| path: vendor | |
| key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-composer- | |
| - name: Install PHP dependencies | |
| run: | | |
| if [ -f composer.json ]; then | |
| composer install --no-progress --prefer-dist --optimize-autoloader | |
| fi | |
| - name: Run PHP Security Checker | |
| uses: symfonycorp/security-checker-action@v5 | |
| if: always() | |
| - name: Run PHPStan Security Analysis | |
| run: | | |
| if [ -f vendor/bin/phpstan ]; then | |
| vendor/bin/phpstan analyse --error-format=github | |
| else | |
| echo "PHPStan not configured - skipping security analysis" | |
| fi | |
| - name: Run Psalm Security Analysis | |
| run: | | |
| if [ -f vendor/bin/psalm ]; then | |
| vendor/bin/psalm --output-format=github | |
| else | |
| echo "Psalm not configured - skipping security analysis" | |
| fi | |
| dependency-scan: | |
| name: Dependency Vulnerability Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| codeql-analysis: | |
| name: CodeQL Analysis | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [ 'javascript', 'php' ] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v2 | |
| with: | |
| languages: ${{ matrix.language }} | |
| queries: security-and-quality | |
| - name: Autobuild | |
| uses: github/codeql-action/autobuild@v2 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v2 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| secrets-scan: | |
| name: Secret Scanning | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run TruffleHog OSS | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| base: main | |
| head: HEAD | |
| extra_args: --debug --only-verified | |
| lint-and-format: | |
| name: Code Quality Checks | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Set up PHP | |
| uses: shivammathur/setup-php@v2 | |
| with: | |
| php-version: '8.2' | |
| extensions: mbstring, xml, ctype, iconv, intl, pdo, pdo_mysql, dom, filter, hash, json, libxml, openssl, readline, zlib | |
| tools: composer:v2, phpunit | |
| - name: Cache Composer dependencies | |
| uses: actions/cache@v3 | |
| with: | |
| path: vendor | |
| key: ${{ runner.os }}-composer-${{ hashFiles('**/composer.lock') }} | |
| restore-keys: | | |
| ${{ runner.os }}-composer- | |
| - name: Install PHP dependencies | |
| run: composer install --no-progress --prefer-dist --optimize-autoloader | |
| - name: Run PHP CS Fixer | |
| run: | | |
| if [ -f vendor/bin/php-cs-fixer ]; then | |
| vendor/bin/php-cs-fixer fix --dry-run --format=github | |
| else | |
| echo "PHP CS Fixer not configured - skipping code style check" | |
| fi | |
| - name: Run PHP Mess Detector | |
| run: | | |
| if [ -f vendor/bin/phpmd ]; then | |
| vendor/bin/phpmd . github phpmd.xml || true | |
| else | |
| echo "PHP Mess Detector not configured - skipping mess detection" | |
| fi | |
| container-security: | |
| name: Container Security Scan | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Build Docker image | |
| run: | | |
| if [ -f Dockerfile ]; then | |
| docker build -t security-test . | |
| else | |
| echo "No Dockerfile found - skipping container scan" | |
| exit 0 | |
| fi | |
| - name: Run Trivy container scan | |
| uses: aquasecurity/trivy-action@master | |
| if: success() | |
| with: | |
| scan-type: 'image' | |
| scan-ref: 'security-test' | |
| format: 'sarif' | |
| output: 'trivy-container-results.sarif' | |
| - name: Upload container scan results | |
| uses: github/codeql-action/upload-sarif@v2 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-container-results.sarif' | |
| summary: | |
| name: Security Summary | |
| runs-on: ubuntu-latest | |
| needs: [security-scan, dependency-scan, codeql-analysis, secrets-scan, lint-and-format] | |
| if: always() | |
| steps: | |
| - name: Generate Security Report | |
| run: | | |
| echo "# Security Scan Summary" >> security-report.md | |
| echo "" >> security-report.md | |
| echo "## Job Results:" >> security-report.md | |
| echo "- Security Scan: ${{ needs.security-scan.result }}" >> security-report.md | |
| echo "- Dependency Scan: ${{ needs.dependency-scan.result }}" >> security-report.md | |
| echo "- CodeQL Analysis: ${{ needs.codeql-analysis.result }}" >> security-report.md | |
| echo "- Secrets Scan: ${{ needs.secrets-scan.result }}" >> security-report.md | |
| echo "- Code Quality: ${{ needs.lint-and-format.result }}" >> security-report.md | |
| echo "" >> security-report.md | |
| echo "Report generated at: $(date)" >> security-report.md | |
| - name: Upload Security Report | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: security-report | |
| path: security-report.md | |
| - name: Comment PR with Security Status | |
| if: github.event_name == 'pull_request' | |
| uses: actions/github-script@v6 | |
| with: | |
| script: | | |
| const status = { | |
| security: '${{ needs.security-scan.result }}', | |
| dependency: '${{ needs.dependency-scan.result }}', | |
| codeql: '${{ needs.codeql-analysis.result }}', | |
| secrets: '${{ needs.secrets-scan.result }}', | |
| quality: '${{ needs.lint-and-format.result }}' | |
| }; | |
| const allPassed = Object.values(status).every(s => s === 'success'); | |
| const body = ` | |
| ## 🔒 Security Scan Results | |
| | Check | Status | | |
| |-------|--------| | |
| | Security Scan | ${status.security === 'success' ? '✅' : '❌'} | | |
| | Dependency Scan | ${status.dependency === 'success' ? '✅' : '❌'} | | |
| | CodeQL Analysis | ${status.codeql === 'success' ? '✅' : '❌'} | | |
| | Secrets Scan | ${status.secrets === 'success' ? '✅' : '❌'} | | |
| | Code Quality | ${status.quality === 'success' ? '✅' : '❌'} | | |
| ${allPassed ? '🎉 All security checks passed!' : '⚠️ Some security checks failed. Please review the details above.'} | |
| *This comment was automatically generated by the security workflow.* | |
| `; | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: body | |
| }); |