Security scan actions should be launched after a build job; for the modules scanner this is mandatory (see example here).

To scan the Magento 2 files for common vulnerabilities using mwscan, the job can be set up as follows. Note that the scan step carries `if: always()`: without it, a failed build step would cause GitHub Actions to skip the scanner entirely, so the files of a broken build would never be inspected. Both steps reference the action by tag (`@v3.10`); tags can move, so pin to a full commit SHA if you need the scanner version to stay fixed.
```yaml
name: m2-actions-test
on: [push]
jobs:
  magento2-build:
    runs-on: ubuntu-latest
    container: ubuntu
    name: 'm2 tests & build'
    services:
      mysql:
        image: docker://mysql:8.0
        env:
          MYSQL_ROOT_PASSWORD: magento
          MYSQL_DATABASE: magento
        ports:
          - 3306:3306
        options: --health-cmd="mysqladmin ping" --health-interval=10s --health-timeout=5s --health-retries=3
      elasticsearch:
        image: docker://elasticsearch:7.1.0
        ports:
          - 9200:9200
        options: -e="discovery.type=single-node" --health-cmd="curl http://localhost:9200/_cluster/health" --health-interval=10s --health-timeout=5s --health-retries=10
    steps:
      - uses: actions/checkout@v1
        with:
          submodules: recursive
      - name: 'launch magento2 build'
        if: ${{true}}
        uses: MAD-I-T/magento-actions@v3.10
        env:
          COMPOSER_AUTH: ${{secrets.COMPOSER_AUTH}}
        with:
          process: 'build'
          elasticsearch: 1
      - name: 'launch security scanner files'
        if: always()
        uses: MAD-I-T/magento-actions@v3.10
        env:
          COMPOSER_AUTH: ${{secrets.COMPOSER_AUTH}}
        with:
          process: 'security-scan-files'
          elasticsearch: 1
```