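---
# Security scanning pipeline.
# Five scan jobs run in parallel (dependencies, code, secrets, containers,
# compliance) and each uploads its reports as an artifact. The dashboard job
# aggregates those artifacts and comments on pull requests; on a failed push
# build the remediation job opens a tracking issue.
name: Security Scanning

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    - cron: '0 2 * * *'  # Daily at 2 AM UTC
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: read-only by default; the jobs that need
# more (CodeQL upload, PR comment, issue creation) widen it individually.
permissions:
  contents: read

jobs:
  dependency-scanning:
    name: Dependency Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # The scanners exit non-zero when they find something. Each invocation is
      # allowed to fail so that BOTH report files get written, and the recorded
      # status is re-raised at the end so the job still fails on findings.
      - name: Run pip-audit
        run: |
          pip install pip-audit
          status=0
          pip-audit -r requirements.txt --format json --output dependency-report.json || status=1
          pip-audit -r requirements-dev.txt --format json --output dev-dependency-report.json || status=1
          exit "$status"

      - name: Run Safety
        run: |
          pip install safety
          status=0
          # safety 2.x CLI: --output selects a format name, so a file path there is
          # rejected; --save-json is the option that writes the JSON report to a file.
          safety check -r requirements.txt --save-json safety-report.json || status=1
          safety check -r requirements-dev.txt --save-json dev-safety-report.json || status=1
          exit "$status"

      - name: Run npm audit
        run: |
          cd frontend
          # --ignore-scripts: resolving the tree is enough to audit it; do not run
          # dependency lifecycle scripts on the CI runner just to produce a report.
          npm install --ignore-scripts
          # The report is written before the (non-zero) exit status stops the step.
          # `npm audit fix` was dropped: nothing here commits the lockfile, so its
          # changes were discarded at the end of the job anyway.
          npm audit --json > npm-audit-report.json

      - name: Generate Dependency License Report
        if: always()  # licenses are reported even when a scanner above found issues
        run: |
          pip install pip-licenses
          pip-licenses --format=json --output-path=license-report.json
          cd frontend
          npx license-report --output=json --only=prod > ../frontend-license-report.json

      - name: Upload security reports
        if: always()  # keep whatever reports were written, even on a failed scan
        uses: actions/upload-artifact@v4  # v3 is deprecated
        with:
          name: security-reports
          path: |
            dependency-report.json
            dev-dependency-report.json
            safety-report.json
            dev-safety-report.json
            npm-audit-report.json
            license-report.json
            frontend-license-report.json

  code-scanning:
    name: Code Security Scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read  # CodeQL reads workflow run metadata
      security-events: write  # needed to upload SARIF results to code scanning
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3  # v2 is deprecated
        with:
          languages: python, javascript

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  secrets-scanning:
    name: Secrets Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Fetch all history for secret scanning

      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # required by gitleaks-action v2
        # NOTE(review): gitleaks-action v2 is configured through env vars (e.g.
        # GITLEAKS_CONFIG) and uploads its own SARIF artifact; confirm the two
        # inputs below are honoured, otherwise gitleaks-report.json is never written.
        with:
          config-path: .gitleaks.toml
          report-path: gitleaks-report.json

      # Findings go to the job log (--json formats them there); this action does
      # not write a report file, so none is listed in the upload step below.
      # NOTE(review): on a push to main, base and head resolve to the same commit;
      # confirm the action tolerates an empty range on that event.
      - name: Run TruffleHog
        uses: trufflesecurity/trufflehog@v3
        with:
          path: .
          base: main
          head: HEAD
          extra_args: --json --only-verified

      - name: Run detect-secrets
        run: |
          pip install detect-secrets
          detect-secrets scan . > detect-secrets-report.json

      - name: Upload secrets reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: secrets-reports
          path: |
            gitleaks-report.json
            detect-secrets-report.json

  container-scanning:
    name: Container Security Scanning
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build backend image
        run: |
          cd backend
          docker build -t malaysian-sme-backend:test .

      - name: Build frontend image
        run: |
          cd frontend
          docker build -t malaysian-sme-frontend:test .

      # NOTE(review): `@master` is a mutable ref, so every run pulls whatever the
      # action's default branch currently holds. Pin this and the snyk/checkov
      # steps below to a release tag or commit SHA.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'malaysian-sme-backend:test'
          format: 'json'
          output: 'trivy-backend-report.json'

      - name: Run Trivy on frontend
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'malaysian-sme-frontend:test'
          format: 'json'
          output: 'trivy-frontend-report.json'

      # NOTE(review): repository secrets are not exposed to pull_request runs from
      # forks, so SNYK_TOKEN is empty there and these two steps fail; decide
      # whether fork PRs are in scope for the Snyk scan.
      - name: Run Snyk container scan
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: malaysian-sme-backend:test
          args: --file=backend/Dockerfile --json-file-output=snyk-backend-report.json

      - name: Run Snyk on frontend
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: malaysian-sme-frontend:test
          args: --file=frontend/Dockerfile --json-file-output=snyk-frontend-report.json

      - name: Upload container security reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: container-security-reports
          path: |
            trivy-backend-report.json
            trivy-frontend-report.json
            snyk-backend-report.json
            snyk-frontend-report.json

  compliance-checking:
    name: Compliance Checking
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Checkov infrastructure scanning
        uses: bridgecrewio/checkov-action@master  # see pinning note in container-scanning
        with:
          directory: .
          framework: dockerfile
          output: cli
          soft_fail: true

      - name: Run GDPR compliance checks
        run: |
          pip install gdpr-compliance-checker
          gdpr-compliance-check --config .gdpr-config.json --output gdpr-report.json

      - name: Run PDPA compliance checks (Malaysia specific)
        run: |
          python scripts/pdpa-compliance-check.py --output pdpa-report.json

      - name: Upload compliance reports
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: compliance-reports
          path: |
            gdpr-report.json
            pdpa-report.json

  security-dashboard:
    name: Security Dashboard
    runs-on: ubuntu-latest
    needs:
      - dependency-scanning
      - code-scanning
      - secrets-scanning
      - container-scanning
      - compliance-checking
    if: always()  # aggregate whatever was produced, even when a scan job failed
    permissions:
      contents: read
      issues: write  # PR comments are posted through the issues API
      pull-requests: write
    steps:
      # The dashboard script lives in the repository; without a checkout the
      # `python scripts/...` step below has nothing to run.
      - name: Checkout code
        uses: actions/checkout@v4

      # Without a name, every artifact of this run is downloaded into a directory
      # named after the artifact (security-reports/, container-security-reports/, ...).
      - name: Download all reports
        uses: actions/download-artifact@v4

      - name: Generate security dashboard
        run: |
          pip install jinja2
          python scripts/generate-security-dashboard.py

      - name: Upload security dashboard
        uses: actions/upload-artifact@v4
        with:
          name: security-dashboard
          path: security-dashboard.html

      - name: Comment on PR with security results
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v6
        with:
          script: |
            const fs = require('fs');

            // This job runs with always(), so an upstream job that failed before its
            // upload step leaves a report missing. Record that instead of throwing,
            // and say so in the comment rather than reporting a clean result.
            const missing = [];
            const readJson = (file) => {
              try {
                return JSON.parse(fs.readFileSync(file, 'utf8'));
              } catch (err) {
                core.warning(`Could not read ${file}: ${err.message}`);
                missing.push(file);
                return null;
              }
            };
            const dependencyReport = readJson('security-reports/dependency-report.json');
            const trivyReport = readJson('container-security-reports/trivy-backend-report.json');

            // pip-audit JSON (2.x): {"dependencies": [{"name", "version", "vulns": [...]}, ...]}.
            // Findings are nested per package; the old top-level `vulnerabilities`
            // key does not exist, so the count was always 0. TODO confirm against a report.
            const dependencyVulnerabilities = (dependencyReport?.dependencies ?? [])
              .flatMap((dep) => dep.vulns ?? []);
            // Trivy JSON: {"Results": [{"Target", "Vulnerabilities": [...]}, ...]}.
            // Results.length counts scanned targets, not vulnerabilities.
            const containerVulnerabilities = (trivyReport?.Results ?? [])
              .flatMap((result) => result.Vulnerabilities ?? []);

            // Build the run URL from the script context instead of ${{ }} interpolation,
            // so no workflow-expression value is spliced into JavaScript source.
            const runUrl = `${process.env.GITHUB_SERVER_URL}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;

            let comment = `## 🔒 Security Scan Results\n\n`;
            comment += `### Dependency Vulnerabilities: ${dependencyVulnerabilities.length}\n`;
            comment += `### Container Vulnerabilities: ${containerVulnerabilities.length}\n\n`;
            if (missing.length > 0) {
              comment += `⚠️ **Missing reports (an upstream scan job may have failed):** ${missing.join(', ')}\n\n`;
            }
            if (dependencyVulnerabilities.length > 0 || containerVulnerabilities.length > 0) {
              comment += `⚠️ **Security issues found. Please review the reports.**\n\n`;
              comment += `📋 **Detailed Reports:**\n`;
              comment += `- [Dependency Report](${runUrl})\n`;
              comment += `- [Container Security Report](${runUrl})\n`;
            } else if (missing.length === 0) {
              comment += `✅ **No security issues found!**\n`;
            }

            // Await so a failed API call fails the step instead of being lost as an
            // unhandled promise.
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: comment,
            });

  remediation:
    name: Security Remediation
    runs-on: ubuntu-latest
    needs: security-dashboard
    # failure() is true when any job in the dependency chain failed; restricted to
    # pushes so PR and scheduled runs do not open issues.
    if: failure() && github.event_name == 'push'
    permissions:
      contents: read
      issues: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Create remediation issue
        uses: actions/github-script@v6
        with:
          script: |
            // Values come from the script context rather than ${{ }} interpolation,
            // so no workflow-expression value (ref, actor, ...) is spliced into
            // JavaScript source.
            const runUrl = `${process.env.GITHUB_SERVER_URL}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `🔒 Security Issues Detected - ${context.sha}`,
              body: `Security scanning detected vulnerabilities in commit ${context.sha}.

            **Branch:** ${context.ref}
            **Commit:** ${context.sha}
            **Author:** ${context.actor}

            Please review the security reports and take appropriate action.

            📋 **Reports:**
            - [Security Dashboard](${runUrl})
            - [Dependency Report](${runUrl})
            - [Container Security Report](${runUrl})

            🎯 **Action Items:**
            1. Review and assess critical vulnerabilities
            2. Update affected dependencies
            3. Rebuild and redeploy secure containers
            4. Verify fixes with security scans

            This issue was automatically created by the CI/CD pipeline.`,
              labels: ['security', 'bug', 'priority-high'],
            });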