diff --git a/.azuredevops/pipelines/a11y-scan-advancedsecurity.yml b/.azuredevops/pipelines/a11y-scan-advancedsecurity.yml
new file mode 100644
index 0000000..37d727a
--- /dev/null
+++ b/.azuredevops/pipelines/a11y-scan-advancedsecurity.yml
@@ -0,0 +1,66 @@
+trigger: none
+
+schedules:
+ - cron: '0 6 * * 1' # Every Monday at 06:00 UTC
+ displayName: 'Weekly accessibility scan'
+ branches:
+ include:
+ - main
+ always: true
+
+pool:
+ vmImage: 'ubuntu-latest'
+
+variables:
+ SCANNER_BASE_URL: 'https://a11y-scan-demo-app.azurewebsites.net'
+
+strategy:
+ matrix:
+ codepen-sample:
+ siteName: 'codepen-sample'
+ siteUrl: 'https://codepen.io/leezee/pen/eYbXzpJ'
+ a11y-scan-demo-app:
+ siteName: 'a11y-scan-demo-app'
+ siteUrl: 'https://a11y-scan-demo-app.azurewebsites.net/'
+ ontario-gov:
+ siteName: 'ontario-gov'
+ siteUrl: 'https://www.ontario.ca/page/government-ontario'
+ maxParallel: 3
+
+steps:
+ - checkout: self
+ displayName: 'Checkout repository'
+
+ - script: |
+ mkdir -p results
+ HTTP_STATUS=$(curl -s -o results/$(siteName).sarif -w "%{http_code}" \
+ -X POST "$(SCANNER_BASE_URL)/api/ci/scan" \
+ -H "Content-Type: application/json" \
+ -d '{"url": "$(siteUrl)", "format": "sarif"}' \
+ --max-time 120)
+
+ echo "HTTP status: $HTTP_STATUS"
+
+ if [ "$HTTP_STATUS" -ne 200 ]; then
+ echo "##vso[task.logissue type=error]Scan failed for $(siteUrl) (HTTP $HTTP_STATUS)"
+ cat results/$(siteName).sarif
+ exit 1
+ fi
+
+ echo "SARIF file written: results/$(siteName).sarif"
+ echo "File size: $(wc -c < results/$(siteName).sarif) bytes"
+ displayName: 'Run accessibility scan - $(siteName)'
+ timeoutInMinutes: 5
+
+ - task: PublishBuildArtifacts@1
+ condition: always()
+ inputs:
+ pathToPublish: 'results'
+ artifactName: 'a11y-sarif-$(siteName)'
+ displayName: 'Publish SARIF artifact - $(siteName)'
+
+ - task: AdvancedSecurity-Publish@1
+ condition: always()
+ inputs:
+ SarifsInputDirectory: '$(Build.SourcesDirectory)/results'
+ displayName: 'Publish SARIF to Advanced Security - $(siteName)'
diff --git a/.azuredevops/pipelines/adv-sec-scan.yml b/.azuredevops/pipelines/adv-sec-scan.yml
new file mode 100644
index 0000000..6856dea
--- /dev/null
+++ b/.azuredevops/pipelines/adv-sec-scan.yml
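Review bot: In a11y-scan-advancedsecurity.yml the non-200 branch runs `cat results/$(siteName).sarif`, which prints a response body controlled by the remote scanner straight into the job log, where Azure Pipelines interprets any `##vso[...]` line as a logging command. Because both publish steps use `condition: always()`, that same error body is also left in `results/` under a `.sarif` name and, presumably, handed to AdvancedSecurity-Publish. I would replace the `cat` with `mv "results/$(siteName).sarif" "results/$(siteName).error.txt"` so the body stays available as a build artifact but is neither echoed nor named as SARIF. The scan step in adv-sec-scan.yml has the same `cat results/a11y-scan.sarif` on its warning path.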
@@ -0,0 +1,52 @@
+trigger:
+ - main
+
+pool:
+ vmImage: ubuntu-latest
+
+variables:
+ SCANNER_BASE_URL: 'https://a11y-scan-demo-app.azurewebsites.net'
+
+steps:
+ - task: AdvancedSecurity-Codeql-Init@1
+ inputs:
+ languages: 'javascript, python'
+ displayName: 'Initialize CodeQL'
+
+ - task: AdvancedSecurity-Dependency-Scanning@1
+ displayName: 'Dependency scanning'
+
+ - task: AdvancedSecurity-Codeql-Analyze@1
+ displayName: 'CodeQL analysis'
+
+ - script: |
+ mkdir -p results
+ HTTP_STATUS=$(curl -s -o results/a11y-scan.sarif -w "%{http_code}" \
+ -X POST "$(SCANNER_BASE_URL)/api/ci/scan" \
+ -H "Content-Type: application/json" \
+ -d '{"url": "$(SCANNER_BASE_URL)", "format": "sarif"}' \
+ --max-time 120)
+
+ echo "HTTP status: $HTTP_STATUS"
+
+ if [ "$HTTP_STATUS" -ne 200 ]; then
+ echo "##vso[task.logissue type=warning]Accessibility scan failed (HTTP $HTTP_STATUS)"
+ cat results/a11y-scan.sarif
+ else
+ echo "SARIF file written: results/a11y-scan.sarif"
+ echo "File size: $(wc -c < results/a11y-scan.sarif) bytes"
+ fi
+ displayName: 'Run accessibility scan'
+ timeoutInMinutes: 5
+
+ - script: |
+ ADVSEC_DIR="$(Agent.TempDirectory)/.advsec"
+ mkdir -p "$ADVSEC_DIR"
+ cp results/*.sarif "$ADVSEC_DIR/" 2>/dev/null || true
+ echo "Staged SARIF files for Advanced Security:"
+ ls -la "$ADVSEC_DIR/"
+ condition: always()
+ displayName: 'Stage SARIF for Advanced Security'
+
+ - task: AdvancedSecurity-Publish@1
+ displayName: 'Publish results to Advanced Security'
\ No newline at end of file
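Review bot: The 'Stage SARIF for Advanced Security' step copies whatever is in `results/*.sarif` into `$(Agent.TempDirectory)/.advsec` without checking that it is SARIF, and `2>/dev/null || true` hides a failed copy, so content returned by the unauthenticated POST to `$(SCANNER_BASE_URL)/api/ci/scan` can end up next to the CodeQL results in Advanced Security unverified. A shape check before the `cp`, for example `jq -e '.version and (.runs | type == "array")' results/a11y-scan.sarif >/dev/null || rm -f results/a11y-scan.sarif`, would drop error bodies and non-SARIF responses. It would also help to add a comment above `ADVSEC_DIR=` saying why this directory is used, e.g. `# AdvancedSecurity-Publish has no SarifsInputDirectory here; .advsec is assumed to be its default pickup location - confirm`.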