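---
# Security scanning pipeline: dependency, code, secrets, container and
# compliance scans, followed by a dashboard / PR comment and an auto-filed
# remediation issue on push.
#
# Gating model: the scanners that find something exit non-zero (pip-audit,
# safety, npm audit, Trivy with exit-code 1, Snyk) and so fail their job.
# Later steps in the same job still run (`if: !cancelled()`) so every report
# is produced and uploaded; the remediation job keys off the resulting
# failure via `failure()`.
name: Security Scanning

on:
  push:
    branches: [ main, develop ]
  pull_request:
    branches: [ main, develop ]
  schedule:
    - cron: '0 2 * * *'  # Daily at 2 AM UTC
  workflow_dispatch:

# Least privilege: GITHUB_TOKEN is read-only by default for every job; the
# jobs that need more (CodeQL upload, PR comment, issue creation) opt in.
permissions:
  contents: read

jobs:
  dependency-scanning:
    name: Dependency Scanning
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # TODO(security): pin the scanner versions (pip-audit==X.Y.Z, safety==…)
      # so a run is reproducible and a compromised upstream release cannot
      # silently change what this job reports.
      - name: Run pip-audit
        run: |
          pip install pip-audit
          pip-audit -r requirements.txt --format json --output dependency-report.json
          pip-audit -r requirements-dev.txt --format json --output dev-dependency-report.json

      # Runs even after pip-audit failed on findings, so its report exists.
      - name: Run Safety
        if: ${{ !cancelled() }}
        run: |
          pip install safety
          safety check -r requirements.txt --json --output safety-report.json
          safety check -r requirements-dev.txt --json --output dev-safety-report.json

      # `npm ci` installs exactly what the lockfile pins; `npm install` may
      # rewrite it. The report goes to the repo root so the upload step finds
      # it (it used to be left in frontend/ and never uploaded). `npm audit fix`
      # is gone: a scan job must not mutate the dependency tree it is auditing.
      - name: Run npm audit
        if: ${{ !cancelled() }}
        run: |
          cd frontend
          npm ci
          npm audit --json > ../npm-audit-report.json

      # pip-licenses reports the packages installed in its own environment, so
      # the project requirements are installed into a throwaway venv first;
      # without that the report covered only the scanner tools.
      # NOTE(review): if requirements.txt needs system packages to build, add
      # them here.
      # TODO(security): `npx license-report` downloads and executes an unpinned
      # package at scan time; pin it (license-report@X.Y.Z).
      - name: Generate Dependency License Report
        if: ${{ !cancelled() }}
        run: |
          python3 -m venv .license-venv
          .license-venv/bin/pip install -q -r requirements.txt pip-licenses
          .license-venv/bin/pip-licenses --format=json --output-path=license-report.json
          cd frontend
          npx license-report --output=json --only=prod > ../frontend-license-report.json

      # upload-artifact v3 was retired in January 2025; v4 is required.
      - name: Upload security reports
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: security-reports
          path: |
            dependency-report.json
            dev-dependency-report.json
            safety-report.json
            dev-safety-report.json
            npm-audit-report.json
            license-report.json
            frontend-license-report.json

  code-scanning:
    name: Code Security Scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read           # needed by CodeQL on private repositories
      security-events: write  # upload of SARIF results

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # codeql-action v2 is deprecated; v3 is the supported major.
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: python, javascript

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3

  secrets-scanning:
    name: Secrets Scanning
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # Fetch all history for secret scanning

      # gitleaks-action v2 is configured through environment variables, not
      # `with:` inputs — the previous config-path/report-path inputs were
      # ignored. GITHUB_TOKEN is required to resolve the commit range; the
      # action fails the job on a leak and uploads its own SARIF artifact.
      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITLEAKS_CONFIG: .gitleaks.toml
          # GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}  # required for organisation repos

      # No base/head: with base=main on a push to main the two refs are the
      # same commit and TruffleHog scans nothing. Full history is checked out
      # (fetch-depth: 0), so the whole history is scanned every run and
      # --only-verified keeps it to credentials that actually authenticate.
      # Findings go to the job log and fail the step; no report file is written.
      # TODO(security): confirm the `v3` ref resolves and pin to a full
      # release tag or commit SHA.
      - name: Run TruffleHog
        if: ${{ !cancelled() }}
        uses: trufflesecurity/trufflehog@v3
        with:
          path: .
          extra_args: --json --only-verified

      # detect-secrets writes a baseline and never fails on findings; treat its
      # output as an inventory, not a gate.
      - name: Run detect-secrets
        if: ${{ !cancelled() }}
        run: |
          pip install detect-secrets
          detect-secrets scan . > detect-secrets-report.json

      # Only the file that is actually written; gitleaks-report.json and
      # trufflehog-report.json were never produced by the steps above.
      - name: Upload secrets reports
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: secrets-reports
          path: detect-secrets-report.json

  container-scanning:
    name: Container Security Scanning
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build backend image
        run: |
          cd backend
          docker build -t malaysian-sme-backend:test .

      - name: Build frontend image
        run: |
          cd frontend
          docker build -t malaysian-sme-frontend:test .

      # Pinned to a release instead of the mutable `master` branch: a floating
      # ref lets whoever controls that repository change what runs here, with
      # the repo checkout and GITHUB_TOKEN in reach, at any time.
      # TODO(security): pin to the full commit SHA of the release.
      # exit-code 1 makes CRITICAL/HIGH findings fail the job, as the
      # dependency scanners do, so the remediation job also fires for them.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'malaysian-sme-backend:test'
          format: 'json'
          output: 'trivy-backend-report.json'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Run Trivy on frontend
        if: ${{ !cancelled() }}
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: 'malaysian-sme-frontend:test'
          format: 'json'
          output: 'trivy-frontend-report.json'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      # The `secrets` context cannot be used in `if:`; probe the token here
      # (scoped to this one step) and gate the Snyk steps on the result. The
      # secret is absent on pull requests from forks, where Snyk would
      # otherwise fail with an auth error and mask real findings.
      - name: Check whether a Snyk token is configured
        id: snyk_token
        if: ${{ !cancelled() }}
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          if [ -n "$SNYK_TOKEN" ]; then
            echo "available=true" >> "$GITHUB_OUTPUT"
          else
            echo "available=false" >> "$GITHUB_OUTPUT"
            echo "::notice::SNYK_TOKEN is not set (expected for fork PRs); skipping Snyk scans"
          fi

      - name: Run Snyk container scan
        if: ${{ !cancelled() && steps.snyk_token.outputs.available == 'true' }}
        uses: snyk/actions/docker@0.4.0
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: malaysian-sme-backend:test
          args: --file=backend/Dockerfile --json-file-output=snyk-backend-report.json

      - name: Run Snyk on frontend
        if: ${{ !cancelled() && steps.snyk_token.outputs.available == 'true' }}
        uses: snyk/actions/docker@0.4.0
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: malaysian-sme-frontend:test
          args: --file=frontend/Dockerfile --json-file-output=snyk-frontend-report.json

      - name: Upload container security reports
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: container-security-reports
          path: |
            trivy-backend-report.json
            trivy-frontend-report.json
            snyk-backend-report.json
            snyk-frontend-report.json

  compliance-checking:
    name: Compliance Checking
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      # Pinned major instead of `master` (see container-scanning for why).
      - name: Run Checkov infrastructure scanning
        uses: bridgecrewio/checkov-action@v12
        with:
          directory: .
          framework: dockerfile
          output: cli
          soft_fail: true  # report only; Checkov findings do not gate the build

      # NOTE(review): `gdpr-compliance-checker` could not be verified as a
      # published package from here. An unpinned `pip install` of an
      # unverified name is exactly the shape of a typosquat / dependency-
      # confusion attack — confirm the package and its index, then pin it.
      - name: Run GDPR compliance checks
        run: |
          pip install gdpr-compliance-checker
          gdpr-compliance-check --config .gdpr-config.json --output gdpr-report.json

      - name: Run PDPA compliance checks (Malaysia specific)
        if: ${{ !cancelled() }}
        run: |
          python scripts/pdpa-compliance-check.py --output pdpa-report.json

      - name: Upload compliance reports
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: compliance-reports
          path: |
            gdpr-report.json
            pdpa-report.json

  security-dashboard:
    name: Security Dashboard
    runs-on: ubuntu-latest
    needs: [dependency-scanning, code-scanning, secrets-scanning, container-scanning, compliance-checking]
    # Scan jobs failing on findings is the normal path, so run after failures
    # too — but not when the run was cancelled.
    if: ${{ !cancelled() }}
    permissions:
      contents: read
      pull-requests: write  # PR comment below

    steps:
      # The generator script lives in the repository; without a checkout this
      # job had nothing to run.
      - name: Checkout code
        uses: actions/checkout@v4

      # No `name`: every artifact of this run is downloaded into ./<artifact>/.
      - name: Download all reports
        uses: actions/download-artifact@v4

      - name: Generate security dashboard
        run: |
          pip install jinja2
          python scripts/generate-security-dashboard.py

      - name: Upload security dashboard
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: security-dashboard
          path: security-dashboard.html

      # Skipped for pull requests from forks: their GITHUB_TOKEN is read-only
      # and the comment call would fail with 403.
      - name: Comment on PR with security results
        if: ${{ !cancelled() && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository }}
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');

            // A report is missing when its scan job died before writing it.
            // Say so instead of throwing — or worse, reporting "no issues".
            const readJson = (file) => {
              if (!fs.existsSync(file)) {
                core.warning(`Report not found: ${file}`);
                return null;
              }
              try {
                return JSON.parse(fs.readFileSync(file, 'utf8'));
              } catch (err) {
                core.warning(`Could not parse ${file}: ${err.message}`);
                return null;
              }
            };

            const dependencyReport = readJson('security-reports/dependency-report.json');
            const trivyReport = readJson('container-security-reports/trivy-backend-report.json');

            // pip-audit JSON: {"dependencies": [{"name", "version", "vulns": [...]}], "fixes": [...]}
            // There is no top-level "vulnerabilities" key, so the old count was always 0.
            const dependencyVulnerabilities = (dependencyReport?.dependencies ?? [])
              .reduce((total, dep) => total + (dep.vulns?.length ?? 0), 0);
            // Trivy JSON: {"Results": [{"Target", "Vulnerabilities": [...]}]}
            // Results.length counted scan targets, not vulnerabilities.
            const containerVulnerabilities = (trivyReport?.Results ?? [])
              .reduce((total, result) => total + (result.Vulnerabilities?.length ?? 0), 0);
            const reportsMissing = dependencyReport === null || trivyReport === null;

            const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;

            let comment = `## 🔒 Security Scan Results\n\n`;
            comment += `### Dependency Vulnerabilities: ${dependencyVulnerabilities}\n`;
            comment += `### Container Vulnerabilities (CRITICAL/HIGH): ${containerVulnerabilities}\n\n`;

            if (reportsMissing) {
              comment += `⚠️ **One or more scan reports are missing — a scan job failed before producing output. Check the run.**\n\n`;
            }
            if (dependencyVulnerabilities > 0 || containerVulnerabilities > 0) {
              comment += `⚠️ **Security issues found. Please review the reports.**\n\n`;
            } else if (!reportsMissing) {
              comment += `✅ **No security issues found!**\n\n`;
            }
            comment += `📋 **Detailed Reports:** [workflow run artifacts](${runUrl})\n`;

            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: comment
            });

  remediation:
    name: Security Remediation
    runs-on: ubuntu-latest
    needs: security-dashboard
    # failure() is true when any ancestor job (the scanners) failed, which is
    # how findings surface; issues are only filed for pushes.
    if: ${{ failure() && github.event_name == 'push' }}
    permissions:
      issues: write

    steps:
      # Run metadata is read from the github-script `context` object rather
      # than `${{ }}`-interpolated into the script body. With the current
      # branch filter the interpolated values happened to be safe, but a ref
      # or actor containing a backtick or `${` would otherwise be spliced
      # verbatim into a JavaScript template literal.
      - name: Create remediation issue
        uses: actions/github-script@v7
        with:
          script: |
            const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}`;
            const body = [
              `Security scanning detected vulnerabilities in commit ${context.sha}.`,
              ``,
              `**Branch:** ${context.ref}`,
              `**Commit:** ${context.sha}`,
              `**Author:** ${context.actor}`,
              ``,
              `Please review the security reports and take appropriate action.`,
              ``,
              `📋 **Reports:**`,
              `- [Security Dashboard](${runUrl})`,
              `- [Dependency Report](${runUrl})`,
              `- [Container Security Report](${runUrl})`,
              ``,
              `🎯 **Action Items:**`,
              `1. Review and assess critical vulnerabilities`,
              `2. Update affected dependencies`,
              `3. Rebuild and redeploy secure containers`,
              `4. Verify fixes with security scans`,
              ``,
              `This issue was automatically created by the CI/CD pipeline.`
            ].join('\n');

            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: `🔒 Security Issues Detected - ${context.sha}`,
              body,
              labels: ['security', 'bug', 'priority-high']
            });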