Skip to content
Security Scan

Initial Backend Fixes #844

Sign in to view logs

Initial Backend Fixes

Initial Backend Fixes #844

Workflow file for this run

.github/workflows/security-scan.yml at e168157
name: Security Scan
on:
schedule:
- cron: '0 0 * * *' # Run daily at midnight
push:
branches: [ main ]
pull_request:
branches: [ main ]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_ENV: test
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
jobs:
dependency-scan:
name: Dependency Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18.x'
cache: 'npm'
- name: Install dependencies
run: |
cd src/backend && npm ci
cd ../web && npm ci
- name: Run backend npm audit
run: |
cd src/backend
npm audit --audit-level=high --json > backend-audit.json || true
- name: Run frontend npm audit
run: |
cd src/web
npm audit --audit-level=high --json > frontend-audit.json || true
- name: Run OWASP Dependency Check
uses: dependency-check/Dependency-Check_Action@main
with:
project: 'startup-metrics'
path: 'src'
format: 'HTML'
args: >
--suppression suppression.xml
--failOnCVSS 7
--enableRetired
- name: Upload scan results
uses: actions/upload-artifact@v3
with:
name: dependency-scan-results
path: |
src/backend/backend-audit.json
src/web/frontend-audit.json
reports
retention-days: 90
code-analysis:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: javascript, typescript
queries: security-extended,security-and-quality
config-file: ./.github/codeql/codeql-config.yml
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:javascript"
upload: true
container-scan:
name: Container Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Build backend image
run: |
cd src/backend
docker build -t startup-metrics-backend:${{ github.sha }} .
- name: Build frontend image
run: |
cd src/web
docker build -t startup-metrics-frontend:${{ github.sha }} .
- name: Run Trivy vulnerability scanner - Backend
uses: aquasecurity/[email protected]
with:
image-ref: 'startup-metrics-backend:${{ github.sha }}'
format: 'sarif'
output: 'trivy-backend-results.sarif'
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
- name: Run Trivy vulnerability scanner - Frontend
uses: aquasecurity/[email protected]
with:
image-ref: 'startup-metrics-frontend:${{ github.sha }}'
format: 'sarif'
output: 'trivy-frontend-results.sarif'
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
- name: Upload Trivy scan results
uses: actions/upload-artifact@v3
with:
name: container-scan-results
path: |
trivy-backend-results.sarif
trivy-frontend-results.sarif
retention-days: 90
- name: Post scan results to Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: trivy-results.sarif
notify:
name: Notify Security Issues
needs: [dependency-scan, code-analysis, container-scan]
runs-on: ubuntu-latest
if: failure()
steps:
- name: Send Slack notification
uses: 8398a7/action-slack@v3
with:
status: custom
custom_payload: |
{
"text": "Security scan failed in ${{ github.repository }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Security Scan Failed*\nRepository: ${{ github.repository }}\nBranch: ${{ github.ref }}\nCommit: ${{ github.sha }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }}