Skip to content

Commit

Permalink
Add public-samples/startup-metrics-hizlkn/.github/workflows/security-…
Browse files Browse the repository at this point in the history 
…scan.yml
  • Loading branch information
@njdifiore91
njdifiore91 committed Jan 10, 2025
1 parent 2704325 commit 2769f1a
Showing 1 changed file with 166 additions and 0 deletions.
166 changes: 166 additions & 0 deletions .github/workflows/security-scan.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,166 @@
name: Security Scan

on:
schedule:
- cron: '0 0 * * *' # Run daily at midnight
push:
branches: [ main ]
pull_request:
branches: [ main ]

env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_ENV: test
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

jobs:
dependency-scan:
name: Dependency Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: '18.x'
cache: 'npm'

- name: Install dependencies
run: |
cd src/backend && npm ci
cd ../web && npm ci
- name: Run backend npm audit
run: |
cd src/backend
npm audit --audit-level=high --json > backend-audit.json || true
- name: Run frontend npm audit
run: |
cd src/web
npm audit --audit-level=high --json > frontend-audit.json || true
- name: Run OWASP Dependency Check
uses: dependency-check/Dependency-Check_Action@main
with:
project: 'startup-metrics'
path: 'src'
format: 'HTML'
args: >
--suppression suppression.xml
--failOnCVSS 7
--enableRetired
- name: Upload scan results
uses: actions/upload-artifact@v3
with:
name: dependency-scan-results
path: |
src/backend/backend-audit.json
src/web/frontend-audit.json
reports
retention-days: 90

code-analysis:
name: CodeQL Analysis
runs-on: ubuntu-latest
permissions:
security-events: write

steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: javascript, typescript
queries: security-extended,security-and-quality
config-file: ./.github/codeql/codeql-config.yml

- name: Autobuild
uses: github/codeql-action/autobuild@v2

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:javascript"
upload: true

container-scan:
name: Container Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3

- name: Build backend image
run: |
cd src/backend
docker build -t startup-metrics-backend:${{ github.sha }} .
- name: Build frontend image
run: |
cd src/web
docker build -t startup-metrics-frontend:${{ github.sha }} .
- name: Run Trivy vulnerability scanner - Backend
uses: aquasecurity/[email protected]
with:
image-ref: 'startup-metrics-backend:${{ github.sha }}'
format: 'sarif'
output: 'trivy-backend-results.sarif'
severity: 'HIGH,CRITICAL'
ignore-unfixed: true

- name: Run Trivy vulnerability scanner - Frontend
uses: aquasecurity/[email protected]
with:
image-ref: 'startup-metrics-frontend:${{ github.sha }}'
format: 'sarif'
output: 'trivy-frontend-results.sarif'
severity: 'HIGH,CRITICAL'
ignore-unfixed: true

- name: Upload Trivy scan results
uses: actions/upload-artifact@v3
with:
name: container-scan-results
path: |
trivy-backend-results.sarif
trivy-frontend-results.sarif
retention-days: 90

- name: Post scan results to Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: trivy-results.sarif

notify:
name: Notify Security Issues
needs: [dependency-scan, code-analysis, container-scan]
runs-on: ubuntu-latest
if: failure()
steps:
- name: Send Slack notification
uses: 8398a7/action-slack@v3
with:
status: custom
custom_payload: |
{
"text": "Security scan failed in ${{ github.repository }}",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*Security Scan Failed*\nRepository: ${{ github.repository }}\nBranch: ${{ github.ref }}\nCommit: ${{ github.sha }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }}

0 comments on commit 2769f1a

Please sign in to comment.