Add public-samples/trail-project-1-n75ia4/infrastructure/kubernetes/s… #31
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Security Scan Workflow v1.0.0 | |
| # Comprehensive security scanning for Task Management System | |
| # Includes SAST, dependency scanning, and secret detection | |
| name: Security Scan | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - develop | |
| pull_request: | |
| branches: | |
| - main | |
| - develop | |
| schedule: | |
| - cron: '0 0 * * 0' # Weekly scan on Sundays at midnight | |
| env: | |
| NODE_VERSION: '20.x' | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| SECURITY_ALERTS_EMAIL: ${{ secrets.SECURITY_ALERTS_EMAIL }} | |
| jobs: | |
| dependency-scan: | |
| name: Dependency Vulnerability Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 # v4.1.1 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 # v4.0.0 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: | | |
| cd src/backend && npm ci | |
| cd ../web && npm ci | |
| - name: Run backend dependency audit | |
| run: | | |
| cd src/backend | |
| npm audit --audit-level=high --json > backend-audit.json || true | |
| - name: Run frontend dependency audit | |
| run: | | |
| cd src/web | |
| npm audit --audit-level=high --json > frontend-audit.json || true | |
| - name: Analyze audit results | |
| run: | | |
| if grep -q '"critical":' */audit.json; then | |
| echo "Critical vulnerabilities found!" | |
| exit 1 | |
| fi | |
| - name: Upload audit results | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: dependency-audit-reports | |
| path: | | |
| src/backend/backend-audit.json | |
| src/web/frontend-audit.json | |
| sast-analysis: | |
| name: Static Application Security Testing | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write | |
| actions: read | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v2 # v2.22.5 | |
| with: | |
| languages: javascript, typescript | |
| queries: security-extended | |
| - name: Run CodeQL Analysis | |
| uses: github/codeql-action/analyze@v2 | |
| with: | |
| category: "/language:javascript,typescript" | |
| upload: true | |
| output: sarif-results | |
| - name: Upload SAST results | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: codeql-sarif-results | |
| path: sarif-results | |
| secret-detection: | |
| name: Secret and Sensitive Data Detection | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run secret scanning | |
| uses: gitleaks/gitleaks-action@v2 # v2.3.2 | |
| env: | |
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | |
| GITLEAKS_CONFIG: .gitleaks.toml | |
| with: | |
| config-path: .gitleaks.toml | |
| verbose: true | |
| - name: Check for sensitive data patterns | |
| run: | | |
| ! find . -type f -not -path "./.git/*" -exec grep -l -E "(api[_-]?key|secret|password|token)['\"]?\s*[:=]\s*['\"]\S+['\"]" {} \; | |
| - name: Upload secret scan results | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: secret-scan-results | |
| path: results.sarif | |
| if: always() | |
| security-report: | |
| name: Generate Security Report | |
| needs: [dependency-scan, sast-analysis, secret-detection] | |
| runs-on: ubuntu-latest | |
| if: always() | |
| steps: | |
| - name: Download all scan results | |
| uses: actions/download-artifact@v3 | |
| with: | |
| path: scan-results | |
| - name: Generate consolidated report | |
| run: | | |
| echo "Security Scan Summary - $(date)" > security-report.md | |
| echo "===================================" >> security-report.md | |
| echo "## Dependency Scan Results" >> security-report.md | |
| cat scan-results/dependency-audit-reports/*.json >> security-report.md | |
| echo "## SAST Analysis Results" >> security-report.md | |
| cat scan-results/codeql-sarif-results/*.sarif >> security-report.md | |
| echo "## Secret Detection Results" >> security-report.md | |
| cat scan-results/secret-scan-results/*.sarif >> security-report.md | |
| - name: Upload consolidated report | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: consolidated-security-report | |
| path: security-report.md | |
| - name: Send email notification | |
| if: failure() | |
| uses: dawidd6/action-send-mail@v3 | |
| with: | |
| server_address: smtp.gmail.com | |
| server_port: 465 | |
| username: ${{ secrets.MAIL_USERNAME }} | |
| password: ${{ secrets.MAIL_PASSWORD }} | |
| subject: Security Scan Alert - ${{ github.repository }} | |
| to: ${{ env.SECURITY_ALERTS_EMAIL }} | |
| from: GitHub Actions | |
| body: Security scan has detected potential vulnerabilities. Please check the consolidated report. | |
| attachments: security-report.md |