-
Notifications
You must be signed in to change notification settings - Fork 0
220 lines (179 loc) · 5.72 KB
/
security.yml
File metadata and controls
220 lines (179 loc) · 5.72 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
name: Security Scans
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: "0 8 * * 1"
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
security-events: write
actions: read
jobs:
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: javascript-typescript
queries: security-and-quality
- name: Set up pnpm
uses: pnpm/action-setup@v5
with:
version: 10
- name: Set up Node.js
uses: actions/setup-node@v6
with:
node-version: "24"
cache: pnpm
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Generate Prisma client
run: pnpm --filter backend db:generate
- name: Build project for analysis
run: pnpm run build
env:
VITE_API_URL: ""
- name: Perform CodeQL analysis
uses: github/codeql-action/analyze@v4
with:
category: /language:javascript-typescript
trivy-fs:
name: Trivy Filesystem Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
- name: Run Trivy on filesystem
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
scan-type: fs
scan-ref: .
format: sarif
output: trivy-fs-results.sarif
severity: CRITICAL,HIGH
exit-code: "1"
scanners: vuln
ignore-unfixed: false
- name: Upload Trivy filesystem scan results
if: success()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: trivy-fs-results.sarif
category: trivy-filesystem
trivy-backend-image:
name: Trivy Backend Docker Image Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
- name: Build backend Docker image
run: docker build -f docker/Dockerfile.backend -t krabbx-backend:ci .
- name: Run Trivy on backend image
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: krabbx-backend:ci
format: sarif
output: trivy-backend-image.sarif
severity: CRITICAL,HIGH
exit-code: "1"
scanners: vuln
ignore-unfixed: false
- name: Upload Trivy backend image scan results
if: success()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: trivy-backend-image.sarif
category: trivy-backend-image
trivy-frontend-image:
name: Trivy Frontend Docker Image Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
- name: Build frontend Docker image
run: docker build -f docker/Dockerfile.frontend -t krabbx-frontend:ci .
- name: Run Trivy on frontend image
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0
with:
image-ref: krabbx-frontend:ci
format: sarif
output: trivy-frontend-image.sarif
severity: CRITICAL,HIGH
exit-code: "1"
scanners: vuln
ignore-unfixed: false
- name: Upload Trivy frontend image scan results
if: success()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: trivy-frontend-image.sarif
category: trivy-frontend-image
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
if: github.event_name == 'pull_request'
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
- name: Dependency Review
uses: actions/dependency-review-action@v4
with:
fail-on-severity: high
npm-audit:
name: npm Audit
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
- name: Set up pnpm
uses: pnpm/action-setup@v5
with:
version: 10
- name: Set up Node.js
uses: actions/setup-node@v6
with:
node-version: "24"
cache: pnpm
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Run pnpm audit
run: pnpm audit --audit-level=high
gitleaks:
name: Secret scan (gitleaks)
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Run gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
helm-validate:
name: Helm lint + schema (kubeconform)
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Set up Helm
uses: azure/setup-helm@v5
- name: Helm lint
run: helm lint helm/renovate-dashboard -f helm/renovate-dashboard/values-dev.yaml
- name: Helm dry-run (full install simulation)
run: |
helm install --dry-run renovate-ci helm/renovate-dashboard \
-f helm/renovate-dashboard/values-dev.yaml \
--set backend.github.token=ci-placeholder-not-a-real-secret \
--set backend.github.org=example-org \
--set backend.session.secret=dev-session-secret-change-me-32chars-xx \
--set networkPolicy.enabled=true