medo94my/multitenetsaas
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

project initialization
Some checks failed
System Monitoring / Health Checks (push) Has been cancelled
Details
System Monitoring / Performance Monitoring (push) Has been cancelled
Details
System Monitoring / Database Monitoring (push) Has been cancelled
Details
System Monitoring / Cache Monitoring (push) Has been cancelled
Details
System Monitoring / Log Monitoring (push) Has been cancelled
Details
System Monitoring / Resource Monitoring (push) Has been cancelled
Details
System Monitoring / Uptime Monitoring (push) Has been cancelled
Details
System Monitoring / Backup Monitoring (push) Has been cancelled
Details
System Monitoring / Security Monitoring (push) Has been cancelled
Details
System Monitoring / Monitoring Dashboard (push) Has been cancelled
Details
System Monitoring / Alerting (push) Has been cancelled
Details
Security Scanning / Dependency Scanning (push) Has been cancelled
Details
Security Scanning / Code Security Scanning (push) Has been cancelled
Details
Security Scanning / Secrets Scanning (push) Has been cancelled
Details
Security Scanning / Container Security Scanning (push) Has been cancelled
Details
Security Scanning / Compliance Checking (push) Has been cancelled
Details
Security Scanning / Security Dashboard (push) Has been cancelled
Details
Security Scanning / Security Remediation (push) Has been cancelled
Details

Browse Source
This commit is contained in:
AHMET YILMAZ
2025-10-05 02:37:33 +08:00
parent 2cbb6d5fa1
commit b3fff546e9
226 changed files with 97805 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

308
.github/workflows/security.yml vendored Normal file
View File

@@ -0,0 +1,308 @@
name: Security Scanning
on:
push:
branches: [ main, develop ]
pull_request:
branches: [ main, develop ]
schedule:
- cron: '0 2 * * *' # Daily at 2 AM UTC
workflow_dispatch:
jobs:
dependency-scanning:
name: Dependency Scanning
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run pip-audit
run: |
pip install pip-audit
pip-audit -r requirements.txt --format json --output dependency-report.json
pip-audit -r requirements-dev.txt --format json --output dev-dependency-report.json
- name: Run Safety
run: |
pip install safety
safety check -r requirements.txt --json --output safety-report.json
safety check -r requirements-dev.txt --json --output dev-safety-report.json
- name: Run npm audit
run: |
cd frontend
npm install
npm audit --json > npm-audit-report.json
npm audit fix || true
- name: Generate Dependency License Report
run: |
pip install pip-licenses
pip-licenses --format=json --output-path=license-report.json
cd frontend
npx license-report --output=json --only=prod > ../frontend-license-report.json
- name: Upload security reports
uses: actions/upload-artifact@v3
with:
name: security-reports
path: |
dependency-report.json
dev-dependency-report.json
safety-report.json
dev-safety-report.json
npm-audit-report.json
license-report.json
frontend-license-report.json
code-scanning:
name: Code Security Scanning
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: python, javascript
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
secrets-scanning:
name: Secrets Scanning
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Fetch all history for secret scanning
- name: Run Gitleaks
uses: gitleaks/gitleaks-action@v2
with:
config-path: .gitleaks.toml
report-path: gitleaks-report.json
- name: Run TruffleHog
uses: trufflesecurity/trufflehog@v3
with:
path: .
base: main
head: HEAD
extra_args: --json --only-verified
- name: Run detect-secrets
run: |
pip install detect-secrets
detect-secrets scan . > detect-secrets-report.json
- name: Upload secrets reports
uses: actions/upload-artifact@v3
with:
name: secrets-reports
path: |
gitleaks-report.json
trufflehog-report.json
detect-secrets-report.json
container-scanning:
name: Container Security Scanning
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build backend image
run: |
cd backend
docker build -t malaysian-sme-backend:test .
- name: Build frontend image
run: |
cd frontend
docker build -t malaysian-sme-frontend:test .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'malaysian-sme-backend:test'
format: 'json'
output: 'trivy-backend-report.json'
- name: Run Trivy on frontend
uses: aquasecurity/trivy-action@master
with:
image-ref: 'malaysian-sme-frontend:test'
format: 'json'
output: 'trivy-frontend-report.json'
- name: Run Snyk container scan
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: malaysian-sme-backend:test
args: --file=backend/Dockerfile --json-file-output=snyk-backend-report.json
- name: Run Snyk on frontend
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: malaysian-sme-frontend:test
args: --file=frontend/Dockerfile --json-file-output=snyk-frontend-report.json
- name: Upload container security reports
uses: actions/upload-artifact@v3
with:
name: container-security-reports
path: |
trivy-backend-report.json
trivy-frontend-report.json
snyk-backend-report.json
snyk-frontend-report.json
compliance-checking:
name: Compliance Checking
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run Checkov infrastructure scanning
uses: bridgecrewio/checkov-action@master
with:
directory: .
framework: dockerfile
output: cli
soft_fail: true
- name: Run GDPR compliance checks
run: |
pip install gdpr-compliance-checker
gdpr-compliance-check --config .gdpr-config.json --output gdpr-report.json
- name: Run PDPA compliance checks (Malaysia specific)
run: |
python scripts/pdpa-compliance-check.py --output pdpa-report.json
- name: Upload compliance reports
uses: actions/upload-artifact@v3
with:
name: compliance-reports
path: |
gdpr-report.json
pdpa-report.json
security-dashboard:
name: Security Dashboard
runs-on: ubuntu-latest
needs: [dependency-scanning, code-scanning, secrets-scanning, container-scanning, compliance-checking]
if: always()
steps:
- name: Download all reports
uses: actions/download-artifact@v3
- name: Generate security dashboard
run: |
pip install jinja2
python scripts/generate-security-dashboard.py
- name: Upload security dashboard
uses: actions/upload-artifact@v3
with:
name: security-dashboard
path: security-dashboard.html
- name: Comment on PR with security results
if: github.event_name == 'pull_request'
uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const path = require('path');
// Read security reports
const dependencyReport = JSON.parse(fs.readFileSync('security-reports/dependency-report.json', 'utf8'));
const trivyReport = JSON.parse(fs.readFileSync('container-security-reports/trivy-backend-report.json', 'utf8'));
// Generate summary
const dependencyVulnerabilities = dependencyReport.vulnerabilities || [];
const containerVulnerabilities = trivyReport.Results || [];
let comment = `## 🔒 Security Scan Results\n\n`;
comment += `### Dependency Vulnerabilities: ${dependencyVulnerabilities.length}\n`;
comment += `### Container Vulnerabilities: ${containerVulnerabilities.length}\n\n`;
if (dependencyVulnerabilities.length > 0 || containerVulnerabilities.length > 0) {
comment += `⚠️ **Security issues found. Please review the reports.**\n\n`;
comment += `📋 **Detailed Reports:**\n`;
comment += `- [Dependency Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})\n`;
comment += `- [Container Security Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})\n`;
} else {
comment += `✅ **No security issues found!**\n`;
}
// Post comment
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: comment
});
remediation:
name: Security Remediation
runs-on: ubuntu-latest
needs: security-dashboard
if: failure() && github.event_name == 'push'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Create remediation issue
uses: actions/github-script@v6
with:
script: |
github.rest.issues.create({
owner: context.repo.owner,
repo: context.repo.repo,
title: `🔒 Security Issues Detected - ${{ github.sha }}`,
body: `Security scanning detected vulnerabilities in commit ${{ github.sha }}.
**Branch:** ${{ github.ref }}
**Commit:** ${{ github.sha }}
**Author:** ${{ github.actor }}
Please review the security reports and take appropriate action.
📋 **Reports:**
- [Security Dashboard](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
- [Dependency Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
- [Container Security Report](https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }})
🎯 **Action Items:**
1. Review and assess critical vulnerabilities
2. Update affected dependencies
3. Rebuild and redeploy secure containers
4. Verify fixes with security scans
This issue was automatically created by the CI/CD pipeline.`,
labels: ['security', 'bug', 'priority-high']
});