Enterprise-Grade Reusable GitHub Actions for Security Automation
A comprehensive collection of production-ready, enterprise-grade GitHub Actions that standardise and automate DevSecOps security practices across the software development lifecycle. This suite provides best-in-class security scanning, dependency management, template synchronisation, and compliance reporting capabilities.
Core Capabilities:
- Software Composition Analysis - Multi-tool dependency vulnerability detection
- Secret Scanning - Dual-engine credential exposure prevention
- SAST & Code Analysis - Semantic security vulnerability detection
- Template Synchronisation - Automated Cookiecutter/Cruft updates
- SBOM Generation - Software Bill of Materials for supply chain transparency
- Repository Management - Dormant repository detection and archival workflows
- Commit Validation - Signature verification and conventional commit enforcement
- Compliance Reporting - Security posture assessment and audit trails
- Composite Actions: Reusable composite actions in dedicated directories provide modular functionality
- Explicit Permissions: Workflows must explicitly declare all required permissions, following the least-privilege principle
- Version Pinning: Use `@vx.x.x` for latest updates or `@<commit-sha>` for maximum stability
- Centralized Maintenance: Developed and managed by the Ministry of Justice OCTO Cyber team
- Zero Configuration: Sensible defaults with optional customisation via configuration files
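A small checker for two of the conventions above (SHA pinning of `uses:` references and an explicit `permissions:` block), added here as an example and not part of the devsecops-actions project; it uses line-based matching rather than a full YAML parser and the sample workflow is constructed.

```python
"""Check a workflow for SHA-pinned `uses:` references and an explicit
`permissions:` block. Added example, not project code; line-based parsing
assumes the usual one-step-per-line workflow layout."""
import re

# `- uses: owner/repo[/path]@ref  # optional comment`  ->  (action, ref)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#@]+)@([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# workflow- or job-level `permissions:` both count as an explicit declaration
PERMISSIONS_RE = re.compile(r"^\s*permissions:")

# Constructed sample: the README's own SHA-pinned step, one tag-pinned step,
# and no permissions block at all.
SAMPLE_WORKFLOW = """\
name: security
on: [pull_request]
jobs:
  sca:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ministryofjustice/devsecops-actions/sca@8c77d3a65a46d1d4b5416eafae5b84371ecd797d # v1.5.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
"""


def check_workflow(text: str) -> list[str]:
    """Return findings for a workflow file; an empty list means compliant."""
    findings = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if PERMISSIONS_RE.match(line):
            has_permissions = True
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if action.startswith("docker://"):
            continue  # image digests are a different pinning scheme; out of scope
        if not SHA_RE.match(ref):
            findings.append(f"line {lineno}: {action} uses mutable ref '{ref}'; pin to a commit SHA")
    if not has_permissions:
        findings.append("no 'permissions:' block; declare least-privilege permissions")
    return findings


if __name__ == "__main__":
    for finding in check_workflow(SAMPLE_WORKFLOW):
        print(finding)
```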
Path: ministryofjustice/devsecops-actions/sca
Enterprise-grade composite action for comprehensive software composition analysis, dependency management and security review across the entire software supply chain.
Orchestrates 9 specialised security steps:
- 📦 Repository Checkout - Secure code retrieval
- 📊 Dependency Review - PR vulnerability scanning
- 🔎 OWASP Dependency-Check - CVE detection (CVSS ≥7.0 fails)
- 🔁 Renovate - Automated dependency updates
- 🔑 MOJ Secret Scanner - Custom secret patterns
- 🐷 TruffleHog - Entropy-based secret detection (700+ detectors)
- ⚙️ CodeQL - SAST semantic analysis (includes SLSA/Safe-Chain)
- 🛡️ OpenSSF Scorecard - Security posture (18+ checks)
- 📋 SBOM Generator - CycloneDX-compliant bill of materials
```yaml
- uses: ministryofjustice/devsecops-actions/sca@8c77d3a65a46d1d4b5416eafae5b84371ecd797d # v1.5.0
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
```
- ✅ Zero Configuration - Works out-of-the-box
- ✅ Multi-Language - JavaScript, Python, Java, .NET, Go, Ruby, Swift, Kotlin, C/C++
- ✅ Container Scanning - Docker image SBOM generation
- ✅ GitHub Integration - Results in Security tab
- ✅ Compliance Ready - NTIA SBOM & EO 14028 compliant
Path: ministryofjustice/devsecops-actions/cruft
Automated template synchronisation action that maintains consistency between repositories created from Cookiecutter/Cruft templates and their upstream sources.
Orchestrates 4 specialised components:
- ⚒️ Install - Python environment and Cruft setup
- 🔑 Authenticate - HTTPS token authentication for private templates
- 🔎 Check - Template update detection and availability checking
- ✏️ Create - Pull request creation with template updates
Public Template:
```yaml
- uses: ministryofjustice/devsecops-actions/cruft@8c77d3a65a46d1d4b5416eafae5b84371ecd797d # v1.5.0
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
```
Private Template:
```yaml
- uses: ministryofjustice/devsecops-actions/cruft@8c77d3a65a46d1d4b5416eafae5b84371ecd797d # v1.5.0
  with:
    private: "true"
    github-app-id: ${{ secrets.CRUFT_APP_ID }}
    github-app-private-key: ${{ secrets.CRUFT_APP_PRIVATE_KEY }}
    github-app-owner: "${{ github.repository_owner }}"
    github-app-repositories: "${{ github.event.repository.name }},template-repository"
```
- ✅ Automatic Sync - Detects upstream template changes
- ✅ PR Automation - Creates pull requests automatically
- ✅ Private Support - HTTPS token authentication for private repos
- ✅ GitHub App Integration - Verified commits via GitHub App
- ✅ Smart Naming - Date-based branch naming
Path: ministryofjustice/devsecops-actions/github
Repository health monitoring, lifecycle management, and commit validation actions that automate governance, compliance, and quality workflows.
- 📦 Repository Archive Check - Identifies dormant repositories eligible for archival
- 🔐 Commit Validation - Enforces commit signing and conventional commit messages
Path: ministryofjustice/devsecops-actions/github/repository/archive
Automated repository health monitoring that scans commit history to identify dormant repositories.
Key Features:
- ✅ Configurable Thresholds - Custom inactivity periods
- ✅ Email Notifications - GOV.UK Notify integration
- ✅ Commit Analysis - Deep repository activity scanning
- ✅ Non-Destructive - Analysis only, no auto-archival
- ✅ Audit Trail - Complete logging of checks
Code:
```yaml
- uses: ministryofjustice/devsecops-actions/github/repository/archive@8c77d3a65a46d1d4b5416eafae5b84371ecd797d # v1.5.0
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
    notification-email: "team@example.gov.uk"
    gov-notify-key: ${{ secrets.GOV_NOTIFY_API_KEY }}
    gov-notify-template-id: ${{ secrets.GOV_NOTIFY_TEMPLATE_ID }}
```
📖 Full Archive Check Documentation
Path: ministryofjustice/devsecops-actions/github/commit
Comprehensive commit verification that validates Git commits for security and quality standards.
Key Features:
- ✅ Signature Verification - Ensures commits are cryptographically signed (GPG/SSH)
- ✅ Conventional Commits - Enforces standardised commit message format
- ✅ Zero Configuration - Works out-of-the-box with sensible defaults
- ✅ Customisable - Supports custom commitlint configurations
- ✅ Fast Validation - Lightweight verification process
Code:
```yaml
- uses: ministryofjustice/devsecops-actions/github/commit@8c77d3a65a46d1d4b5416eafae5b84371ecd797d # v1.5.0
```
📖 Full Commit Validation Documentation
| Tool | Version | Purpose |
|---|---|---|
| Node.js | 24.x | Runtime for validation scripts |
| npm | 10.x | Package management |
| Docker | 24.x+ | Container-based security scanning |
| Git | 2.40+ | Version control |
```bash
# Clone the repository
git clone https://github.com/ministryofjustice/devsecops-actions.git
cd devsecops-actions

# Install dependencies
npm install

# Run all validation checks
npm run validate:all

# Run individual validations
npm run lint:ts           # ESLint checks
npm run validate:ts       # TypeScript type checking
npm run validate:yml      # YAML linting
npm run validate:md       # Markdown linting
npm run validate:renovate # Renovate config validation
npm run spellcheck        # Spell checking
```
```bash
# Run comprehensive housekeeping
npm run housekeeping

# Update all dependencies and validate
npm update && npm run validate:all

# Run security audit
npm audit

# Check for outdated packages
npm outdated
```
```bash
# Test individual SCA components
cd sca/<component-name>

# Validate YAML syntax
npm run validate:yml

# Test with act (GitHub Actions local runner)
brew install act
act -W .github/workflows/sca.yml --container-architecture linux/amd64 -s GITHUB_TOKEN=<your-token>
```
We welcome contributions from the community! Whether it's bug fixes, feature additions, documentation improvements, or security enhancements, your input is valuable.
- Fork and Clone: Fork the repository and clone it locally
- Branch: Create a feature branch (`git checkout -b feature/amazing-feature`)
- Pre-commit Hooks: Install MoJ pre-commit hooks for automatic validation
- Conventional Commits: Follow Conventional Commits for automatic changelog generation
  ```bash
  git commit -m "feat: add new secret detection pattern"
  git commit -m "fix: resolve CodeQL configuration issue"
  git commit -m "docs: update SBOM usage examples"
  ```
- Test: Ensure all validation checks pass
  ```bash
  npm run validate:all
  npm run spellcheck
  ```
- Pull Request: Submit a PR with a clear description of changes
- Review: Wait for maintainer review and address feedback
```text
<type>(<scope>): <subject>

<body>

<footer>
```
Types:
- feat: New feature
- fix: Bug fix
- docs: Documentation changes
- refactor: Code refactoring
- perf: Performance improvements
- test: Adding or updating tests
- chore: Maintenance tasks
- ci: CI/CD changes
Examples:
```text
feat(sca): add support for custom SBOM formats
fix(codeql): resolve timeout issue for large repositories
docs(readme): add enterprise configuration examples
chore(deps): update renovate to v43.31.1
```
- Open an Issue: For major changes, open an issue first to discuss
- Get Feedback: Wait for maintainer feedback before significant work
- Implement: Make your changes following our coding standards
- Document: Update documentation for any user-facing changes
- Test: Ensure all checks pass
- Submit: Create a pull request with detailed description
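The two checks the commit action is described as performing (a verified signature and the `<type>(<scope>): <subject>` convention with the type list above), written out as an added example that is not the action's own code; it reads the `%G?` signature status that `git log --format='%H %G? %s'` prints, and the sample log lines are constructed.

```python
"""Validate commits for a verified signature and conventional-commit format.
Added example, not the action's own code; input is the output of
`git log --format='%H %G? %s'` and the sample below is constructed."""
import re

TYPES = {"feat", "fix", "docs", "refactor", "perf", "test", "chore", "ci"}
# lowercase type, optional (scope), a colon and space, then a non-empty subject
SUBJECT_RE = re.compile(r"^(?P<type>[a-z]+)(\([\w./-]+\))?: \S.*$")
# git %G? codes that mean the signature verified: G (good) and U (good, key
# validity unknown). N (unsigned), B (bad), E (cannot be checked) and the
# expired/revoked-key codes all fail.
VERIFIED = {"G", "U"}

# Constructed sample output of `git log --format='%H %G? %s'`
SAMPLE_LOG = """\
1111111111111111111111111111111111111111 G feat(sca): add support for custom SBOM formats
2222222222222222222222222222222222222222 N fix: resolve CodeQL configuration issue
3333333333333333333333333333333333333333 G Update readme
4444444444444444444444444444444444444444 B wip(foo): broken commit
"""


def validate_commit(sha: str, sig: str, subject: str) -> list[str]:
    """Return the problems found for one commit (empty list if it passes)."""
    problems = []
    if sig not in VERIFIED:
        problems.append(f"{sha[:7]}: signature status '{sig}' is not a verified signature")
    m = SUBJECT_RE.match(subject)
    if m is None:
        problems.append(f"{sha[:7]}: subject does not match '<type>(<scope>): <subject>'")
    elif m.group("type") not in TYPES:
        problems.append(f"{sha[:7]}: unknown commit type '{m.group('type')}'")
    return problems


def validate_log(log: str) -> list[str]:
    """Validate every `<sha> <G?> <subject>` line of a git log."""
    problems = []
    for line in log.strip().splitlines():
        sha, sig, subject = line.split(" ", 2)
        problems.extend(validate_commit(sha, sig, subject))
    return problems


if __name__ == "__main__":
    for problem in validate_log(SAMPLE_LOG):
        print(problem)
```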
- All PRs require approval from at least one maintainer
- Automated checks must pass (YAML validation, linting, spell check)
- Security scans must pass without introducing new vulnerabilities
- Documentation must be updated for feature changes
This project is licensed under the MIT License - see the LICENSE file for full details.
- 📖 Documentation: Check this README and inline action documentation
- 🐛 Bug Reports: GitHub Issues
- ✨ Feature Requests: GitHub Issues
- 🔒 Security Issues: See Security for responsible disclosure
When reporting issues, please use the appropriate template:
- 🐛 Bug Report: For reproducible issues with the actions
- 💡 Feature Request: For new capabilities or enhancements
- 📖 Documentation: For documentation improvements or corrections
- 🔒 Security: For security vulnerabilities (use private reporting)
- Critical Security Issues: Within 24 hours
- Bugs: Within 3-5 business days
- Feature Requests: Within 1-2 weeks
- Documentation: Within 1 week
- Maintainer: Ministry of Justice OCTO Cyber team
- Active Development: ✅ Actively maintained
- Support: Community-driven with MoJ maintainer oversight
Made with ❤️ by the Ministry of Justice UK - OCTO Cyber