docs.plus/.github/workflows/security.yml at b5e938f2e9c739d2a2e99b7799534bd8893d7577 · docs-plus/docs.plus · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
# ============================================================================
# Security Scanning Workflow
# ============================================================================
#
# Runs security checks on:
#   - All pushes to main
#   - All pull requests
#   - Weekly schedule (Sundays at midnight)
#
# ============================================================================

name: Security

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  schedule:
    # Run weekly on Sunday at midnight UTC
    - cron: '0 0 * * 0'

jobs:
  audit:
    name: 🔒 Dependency Audit
    runs-on: ubuntu-latest

    steps:
      - name: 📦 Checkout Code
        uses: actions/checkout@v4

      - name: 🥟 Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      - name: 📥 Install Dependencies
        run: bun install --frozen-lockfile --ignore-scripts

      - name: 🔍 Run Bun Audit
        run: |
          echo "🔍 Checking for known vulnerabilities..."

          # Run bun pm audit (returns non-zero if vulnerabilities found)
          # Use || true to capture output even on failure
          bun pm audit 2>&1 | tee audit-results.txt || AUDIT_FAILED=true

          # Count vulnerabilities by severity
          CRITICAL=$(grep -c "critical" audit-results.txt 2>/dev/null || echo "0")
          HIGH=$(grep -c "high" audit-results.txt 2>/dev/null || echo "0")
          MODERATE=$(grep -c "moderate" audit-results.txt 2>/dev/null || echo "0")
          LOW=$(grep -c "low" audit-results.txt 2>/dev/null || echo "0")

          echo ""
          echo "📊 Vulnerability Summary:"
          echo "  Critical: $CRITICAL"
          echo "  High: $HIGH"
          echo "  Moderate: $MODERATE"
          echo "  Low: $LOW"

          # Fail on critical or high vulnerabilities
          if [ "$CRITICAL" -gt 0 ] || [ "$HIGH" -gt 0 ]; then
            echo ""
            echo "❌ Critical/High vulnerabilities found!"
            echo "   Please review audit-results.txt and update affected packages."
            exit 1
          fi

          echo ""
          echo "✅ No critical/high vulnerabilities found"

      - name: 📤 Upload Audit Results
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: audit-results
          path: audit-results.txt
          retention-days: 30

  # Optional: Add Snyk scanning if SNYK_TOKEN is configured
  snyk:
    name: 🐍 Snyk Scan
    runs-on: ubuntu-latest
    if: ${{ vars.ENABLE_SNYK == 'true' }}
    continue-on-error: true # Don't block PRs if Snyk is not configured

    steps:
      - name: 📦 Checkout Code
        uses: actions/checkout@v4

      - name: 🥟 Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest

      - name: 📥 Install Dependencies
        run: bun install --frozen-lockfile --ignore-scripts

      - name: 🐍 Run Snyk
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: --severity-threshold=high

      - name: 📤 Upload Snyk Results
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        continue-on-error: true
        with:
          sarif_file: snyk.sarif