cascadeguard-actions

Reusable composite GitHub Actions for CascadeGuard security workflows.


Security-first: pin every action reference to a full 40-character commit SHA. A tag or branch can be moved after the fact; a commit SHA cannot, and that immutability is what makes a pipeline reproducible and auditable.

Actions

| Action | Description | Docs |
| --- | --- | --- |
| setup-grype | Install Anchore Grype vulnerability scanner at a pinned version | README |
| setup-syft | Install Anchore Syft SBOM generator at a pinned version | README |
| scan-report | Parse Grype/Trivy results into a structured vulnerability report | README |
| scan-issues | Create or update GitHub Issues from scan results | README |

Quick start

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Setup Grype
        uses: cascadeguard/cascadeguard-actions/setup-grype@da2a5b03ad98c2e99f9c2f9a162d1e9685aa7d67
        with:
          version: v0.110.0
 
      - name: Scan image
        run: grype python:3.12-slim --output json > grype-results.json
 
      - name: Generate report
        id: report
        uses: cascadeguard/cascadeguard-actions/scan-report@da2a5b03ad98c2e99f9c2f9a162d1e9685aa7d67
        with:
          grype-results: grype-results.json
          image: python-3.12-slim
          output-dir: reports/
 
      - name: Create CVE issues
        uses: cascadeguard/cascadeguard-actions/scan-issues@da2a5b03ad98c2e99f9c2f9a162d1e9685aa7d67
        with:
          grype-results: grype-results.json
          image: python
          tag: 3.12-slim
          repo: ${{ github.repository }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

See the cascadeguard-open-secure-images repository for real-world usage examples.
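
The scan-report and scan-issues steps above reduce Grype's JSON output to something a gate and an issue tracker can use. The script below is an added illustration of that reduction, not the actions' own code: it counts matches per severity, pulls out the fixable subset with the fixed version, decides whether the build should fail at a chosen severity threshold, and renders a Markdown body of the kind an issue-creating step would post. The field names follow Grype's JSON schema (`matches[].vulnerability.{id,severity,fix}` and `matches[].artifact.{name,version}`); the sample data, CVE IDs and package names are constructed placeholders.

```python
import json
from collections import Counter
from typing import Any, Dict, List

# Grype's severity vocabulary, most severe first.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]


def summarize_grype(results: Dict[str, Any], fail_on: str = "High") -> Dict[str, Any]:
    """Reduce `grype <target> -o json` output to what a CI gate and an issue
    tracker need.  `fail_on` is the least severe level that should fail the
    build (same meaning as grype's own --fail-on flag)."""
    if fail_on not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {fail_on!r}")
    counts: Counter = Counter()
    fixable: List[Dict[str, str]] = []
    seen = set()
    for match in results.get("matches", []):
        vuln = match["vulnerability"]
        artifact = match["artifact"]
        key = (vuln["id"], artifact["name"], artifact["version"])
        if key in seen:
            continue  # same CVE for the same package/version found at several paths: count once
        seen.add(key)
        severity = vuln.get("severity") or "Unknown"
        if severity not in SEVERITY_ORDER:
            severity = "Unknown"
        counts[severity] += 1
        fix = vuln.get("fix") or {}
        if fix.get("state") == "fixed":  # other states: not-fixed, wont-fix, unknown
            fixable.append({
                "id": vuln["id"],
                "severity": severity,
                "package": artifact["name"],
                "installed": artifact["version"],
                "fixed_in": ", ".join(fix.get("versions") or []),
            })
    # Everything at or above the threshold fails the gate.
    gate_levels = SEVERITY_ORDER[: SEVERITY_ORDER.index(fail_on) + 1]
    failing = sum(counts[s] for s in gate_levels)
    return {
        "counts": {s: counts[s] for s in SEVERITY_ORDER if counts[s]},
        "fixable": fixable,
        "fail": failing > 0,
    }


def issue_body(summary: Dict[str, Any], image: str) -> str:
    """Render the summary as the Markdown body an issue-creating step might post."""
    lines = [f"## Vulnerability report for `{image}`", ""]
    lines += [f"- {sev}: {n}" for sev, n in summary["counts"].items()]
    if summary["fixable"]:
        lines += ["", "| CVE | Severity | Package | Installed | Fixed in |",
                  "|---|---|---|---|---|"]
        lines += [f"| {f['id']} | {f['severity']} | {f['package']} | "
                  f"{f['installed']} | {f['fixed_in']} |" for f in summary["fixable"]]
    return "\n".join(lines) + "\n"


# Constructed, Grype-shaped sample output; IDs and package names are placeholders.
SAMPLE_GRYPE = {
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                           "fix": {"versions": [], "state": "wont-fix"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Low",
                           "fix": {"versions": [], "state": "not-fixed"}},
         "artifact": {"name": "otherpkg", "version": "2.0", "type": "deb"}},
        # The first match again, as it would appear if the package were catalogued
        # at a second path: must be counted once.
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                           "fix": {"versions": ["1.2.4"], "state": "fixed"}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
    ]
}


if __name__ == "__main__":
    import sys
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_GRYPE
    summary = summarize_grype(data, fail_on="High")
    print(issue_body(summary, image="python:3.12-slim"))
    sys.exit(1 if summary["fail"] else 0)
```

Run it as `python report.py grype-results.json` after the scan step to see the summary and exit status. Grype can gate on its own with `--fail-on high`; the point of a separate report step is that it also yields the structured fixable list, which is what an issue per CVE needs.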

Versioning

This repository uses SHA pinning for reproducibility.

# Recommended — pinned SHA (use the latest SHA from the Actions tab)
uses: cascadeguard/cascadeguard-actions/setup-grype@da2a5b03ad98c2e99f9c2f9a162d1e9685aa7d67
 
# Or by tag after a tagged release
uses: cascadeguard/cascadeguard-actions/setup-grype@v1

After each tagged release the floating major-version tag (e.g. v1) is moved to the new release, so referencing it opts you in to automatic patch and minor updates. That convenience gives up the guarantee above: a floating tag can be moved to point at different code, so a workflow that uses @v1 is not reproducible from its text alone. Prefer the pinned SHA and let Dependabot propose the bumps.
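
To enforce the pinning rule in CI, here is a small audit script, added as an example and not part of this repository, that flags every `uses:` reference in a workflow whose ref is not a full 40-hex commit SHA. Local actions (`./path`) are skipped because they are versioned with the calling repository, and `docker://` actions are checked for an image digest instead. The sample workflow it scans is constructed for the example: `actions/checkout` is a real action, the `some-org/*` actions and the local path are placeholders.

```python
import re
import sys
from typing import List, Tuple

# A `uses:` line in a workflow or composite action.  Captures the reference
# up to whitespace, a quote or a trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
# A full 40-hex commit SHA; abbreviated SHAs do not count as pinned.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

Finding = Tuple[int, str, str]  # (line number, uses spec, reason)


def audit_uses(workflow_text: str) -> List[Finding]:
    """Return one finding per `uses:` reference that is not immutably pinned."""
    findings: List[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./"):
            continue  # local action: versioned together with the calling repo
        if spec.startswith("docker://"):
            # Container actions are pinned by image digest, not commit SHA.
            if "@sha256:" not in spec:
                findings.append((lineno, spec, "docker image not pinned by digest"))
            continue
        if "@" not in spec:
            findings.append((lineno, spec, "no ref specified"))
            continue
        ref = spec.rsplit("@", 1)[1]
        if not FULL_SHA_RE.fullmatch(ref):
            findings.append((lineno, spec, f"mutable or abbreviated ref {ref!r}"))
    return findings


def has_unpinned(workflow_text: str) -> bool:
    return bool(audit_uses(workflow_text))


# Constructed sample workflow for the example; see the lead-in for which
# names are placeholders.
SAMPLE_WORKFLOW = """\
name: scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: cascadeguard/cascadeguard-actions/setup-grype@da2a5b03ad98c2e99f9c2f9a162d1e9685aa7d67
      - uses: ./.github/actions/local-step
      - uses: some-org/some-action@main
      - uses: some-org/other-action@da2a5b0
      - uses: docker://alpine:3.19
"""


if __name__ == "__main__":
    # Audit the file given on the command line, or the sample when run bare.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    problems = audit_uses(text)
    for lineno, spec, reason in problems:
        print(f"line {lineno}: {spec}: {reason}")
    sys.exit(1 if problems else 0)
```

Run it over `.github/workflows/*.yml` and `action.yml` files in CI next to actionlint. It checks only the form of the ref; it cannot tell you what the commit contains, so keep a `# vX.Y.Z` comment next to each pinned SHA and review the diff when Dependabot proposes a bump.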

Supply Chain Security

This repository practices what it preaches.

Controls in place:

- All action dependencies pinned to full SHA
- Dependabot for weekly SHA/pip updates
- actionlint validates all workflows in CI
- SBOM generated on every release (SPDX + CycloneDX)
- SBOMs signed with Sigstore keyless cosign
- GitHub artifact attestations (SLSA provenance)
- OpenSSF Scorecard analysis (weekly)

SBOM files and cosign bundles are attached to every GitHub Release.

To verify an SBOM signature:

cosign verify-blob \
  --bundle sbom.spdx.json.bundle \
  --certificate-identity-regexp "https://github.com/cascadeguard/cascadeguard-actions/.*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  sbom.spdx.json

Keyless verification proves that the file was signed by a GitHub Actions workflow in this repository: the certificate identity is the workflow URL (https://github.com/<owner>/<repo>/.github/workflows/<file>@<ref>) and the OIDC issuer is GitHub's token service. The regexp above accepts a certificate issued to any workflow in the repository. Once you know which workflow publishes releases, narrow --certificate-identity-regexp (or use --certificate-identity with the exact value) to that workflow file and a tag ref, so a certificate minted by some other workflow that has id-token: write is rejected. Verify the downloaded SBOM before parsing it; the command fails if the bytes differ from what was signed.

Contributing

Issues and PRs welcome. See the open roadmap issues for planned work.

License

MIT
