Add SAST/SCA scan (#79)

chore: create sast.yml

Signed-off-by: Lukas Jokubauskas <[email protected]>

Author: lukjok

.github/workflows/sast.yml

@@ -0,0 +1,39 @@
+# By default this workflow will be running for PRs and pushes to other branches except main
+on:
+  pull_request_target:
+    types: [labeled]
+  push:
+    branches-ignore: 
+      - 'main'
+jobs:
+  sast:
+    runs-on: sast
+    if: |
+      github.event_name == 'push' ||
+      (
+        github.event_name == 'pull_request_target' &&
+        github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name &&
+        github.event.label.name == 'security scan'
+      )
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+      # Checking out SAST composite action
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+        with: 
+          repository: NordSecurity/sast-configs
+          ref: main
+          ssh-key: ${{ secrets.SAST_ACTION_KEY }}
+          path: .github/workflows/sast
+          # Checking out only SAST action and composite project configuration action
+          sparse-checkout: |
+            base/sast-action
+            actions/storyblok-rich-text-astro-renderer-sast-action
+      - uses: ./.github/workflows/sast/actions/storyblok-rich-text-astro-renderer-sast-action
+        with:
+          SAST_TEAM: ${{ secrets.SAST_TEAM }}
+          SAST_URL: ${{ secrets.SAST_URL }}
+          SAST_USERNAME: ${{ secrets.SAST_USERNAME }}
+          SAST_PASSWORD: ${{ secrets.SAST_PASSWORD }}
+          SAST_CLIENT_SECRET: ${{ secrets.SAST_CLIENT_SECRET }}
+    

.github/workflows/sca.yml

@@ -0,0 +1,62 @@
+# By default this workflow will be running for PRs (rapid scans) and on push to main branch (full scan)
+on:
+  pull_request_target:
+    types: [labeled]
+  pull_request:
+    branches: [main]
+  push:
+    branches: [main]
+jobs:
+  sca-full:
+    runs-on: sca
+    if: github.event_name == 'push'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+      # Checking out SCA composite action
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+        with: 
+          repository: NordSecurity/sca-configs
+          ref: main
+          ssh-key: ${{ secrets.SCA_ACTION_KEY }}
+          path: .github/workflows/sca
+          # Checking out only SCA action and composite project configuration action
+          sparse-checkout: |
+            base/sca-action
+            SCA/nordsecurity-storyblok-rich-text-astro-renderer-sca-action
+      - uses: ./.github/workflows/sca/SCA/nordsecurity-storyblok-rich-text-astro-renderer-sca-action
+        with:
+          SCA_URL: ${{ secrets.SCA_URL }}
+          SCA_API_TOKEN: ${{ secrets.SCA_API_TOKEN }}
+          SCA_FULL_SCAN: true
+  sca-rapid:
+    runs-on: sca
+    if: |
+      (
+        github.event_name == 'pull_request' &&
+        github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
+      ) ||
+      (
+        github.event_name == 'pull_request_target' &&
+        github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name &&
+        github.event.label.name == 'security scan'
+      )
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+      # Checking out SCA composite action
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+        with: 
+          repository: NordSecurity/sca-configs
+          ref: main
+          ssh-key: ${{ secrets.SCA_ACTION_KEY }}
+          path: .github/workflows/sca
+          # Checking out only SCA action and composite project configuration action
+          sparse-checkout: |
+            base/sca-action
+            SCA/nordsecurity-storyblok-rich-text-astro-renderer-sca-action
+      - uses: ./.github/workflows/sca/SCA/nordsecurity-storyblok-rich-text-astro-renderer-sca-action
+        with:
+          SCA_URL: ${{ secrets.SCA_URL }}
+          SCA_API_TOKEN: ${{ secrets.SCA_API_TOKEN }}
+          SCA_FULL_SCAN: false