security-goat-demo.yml
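# Security gate workflow: runs the Security Goat container against this
# repository's Dependabot alerts. Presumably the gate fails the job when an
# open alert exceeds the GOAT_SEVERITY_LIMITS_* thresholds below — confirm
# against the tool's documentation.
name: "[security] Security Goat in pipeline"

# yamllint disable-line rule:truthy -- `on` is the Actions trigger key
on:
  workflow_dispatch: {}
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Least privilege for GITHUB_TOKEN: the job only reads the checkout. The gate
# itself authenticates with the dedicated CI_GITHUB_ACCESS_TOKEN secret, which
# reaches the container through `.env` (see the "Set up env file" step).
permissions:
  contents: read

env:
  # NOTE(review): `latest` is a mutable tag, so the gate runs whatever the
  # registry serves at run time. Pin to an immutable digest
  # (`ghcr.io/andersonbosa/security-goat@sha256:<DIGEST-PLACEHOLDER>`) once
  # one is chosen, and bump it deliberately.
  SECURITY_GOAT_IMAGE: ghcr.io/andersonbosa/security-goat:latest
  # Non-secret repository identity consumed by the container via `.env`.
  GOAT_GITHUB_OWNER: ${{ github.repository_owner }}
  GOAT_GITHUB_REPO: ${{ github.event.repository.name }}
  # Per-severity limits; all zero, so any open alert is presumably over the
  # limit. Quoted because Actions passes env values to the shell as strings.
  GOAT_SEVERITY_LIMITS_CRITICAL: "0"
  GOAT_SEVERITY_LIMITS_HIGH: "0"
  GOAT_SEVERITY_LIMITS_MEDIUM: "0"
  GOAT_SEVERITY_LIMITS_LOW: "0"

jobs:
  through-docker:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `@v4` is a floating tag; pinning to a full commit SHA
      # makes the action immutable. Keep the tag in a trailing comment if pinned.
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Pull Docker image from GitHub Container Registry
        run: docker pull ${{ env.SECURITY_GOAT_IMAGE }}

      - name: Verify Version
        run: docker run ${{ env.SECURITY_GOAT_IMAGE }} version

      # The access token is scoped to this step only: it is needed solely to
      # land in `.env`, and keeping it out of the workflow-level `env` keeps it
      # out of the process environment of the checkout/pull/version steps.
      # `env | grep 'GOAT'` emits KEY=VALUE lines, the format docker's
      # --env-file expects. With the default `bash -e` shell the step fails if
      # no GOAT_* variable is set.
      # NOTE(review): on pull_request events from forks GitHub does not provide
      # secrets, so the token expands empty and the gate likely cannot
      # authenticate — confirm that is the intended behaviour for fork PRs.
      - name: Set up env file
        env:
          GOAT_GITHUB_TOKEN: ${{ secrets.CI_GITHUB_ACCESS_TOKEN }}
        run: |
          env | grep 'GOAT' >.env

      # `--error 20` presumably selects the exit code used when the gate fails —
      # confirm against the tool's CLI help before relying on it in branch
      # protection rules.
      - name: "[Perform Security Gate] Verify security alerts from DependaBot"
        run: |
          docker run --env-file=.env ${{ env.SECURITY_GOAT_IMAGE }} --verbose --error 20

      # `.env` holds the token in plaintext inside the workspace; remove it even
      # when the gate fails so a later step or an uploaded artifact cannot pick
      # it up.
      - name: Remove env file
        if: always()
        run: rm -f .env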