security.yml • 4.24 kB
name: 🔒 Security & Quality

on:
  push:
    branches: [ master, main ]
  pull_request:
    branches: [ master, main ]
  schedule:
    # Run weekly security scans
    - cron: '0 6 * * 1'

permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  security-scan:
    name: 🔍 Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout
        uses: actions/checkout@v4

      - name: 🔒 Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          trivyignores: '.trivyignore'

      - name: 📤 Upload Trivy scan results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
          category: 'trivy-filesystem'

      - name: 🐳 Build Docker image for security scan
        if: github.event_name != 'schedule'
        run: |
          docker build -t security-scan-image .

      - name: 🔒 Run Trivy on Docker image
        if: github.event_name != 'schedule'
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'security-scan-image'
          format: 'sarif'
          output: 'trivy-docker-results.sarif'
          trivyignores: '.trivyignore'

      - name: 📤 Upload Docker scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always() && github.event_name != 'schedule'
        with:
          sarif_file: 'trivy-docker-results.sarif'
          category: 'trivy-docker'

  dependency-check:
    name: 📦 Dependency Check
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout
        uses: actions/checkout@v4

      - name: 📦 Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: 📥 Install dependencies
        run: npm ci

      - name: 🔍 Audit dependencies
        # Using audit-ci for allowlisting, npm audit for basic check (non-blocking)
        run: npm audit --audit-level=moderate || true

      - name: 📊 Check for outdated packages
        run: npm outdated || true

      - name: 🔒 Check for known vulnerabilities
        # audit-ci respects allowlist in audit-ci.json for false positives
        run: npx audit-ci --config audit-ci.json

  dockerfile-lint:
    name: 🐳 Dockerfile Lint
    runs-on: ubuntu-latest
    steps:
      - name: 📥 Checkout
        uses: actions/checkout@v4

      - name: 🔍 Lint Dockerfile
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
          format: sarif
          output-file: hadolint-results.sarif
          no-fail: true

      - name: 📤 Upload Dockerfile lint results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: hadolint-results.sarif
          category: 'hadolint'

  quality-gates:
    name: 🚀 Quality Gates
    runs-on: ubuntu-latest
    needs: [security-scan, dependency-check, dockerfile-lint]
    if: always()
    steps:
      - name: 📊 Quality Gate Summary
        run: |
          echo "## 🔒 Security & Quality Report" >> $GITHUB_STEP_SUMMARY
          echo "" >> $GITHUB_STEP_SUMMARY
          if [ "${{ needs.security-scan.result }}" == "success" ]; then
            echo "✅ **Security Scan:** Passed" >> $GITHUB_STEP_SUMMARY
          else
            echo "❌ **Security Scan:** Failed" >> $GITHUB_STEP_SUMMARY
          fi
          if [ "${{ needs.dependency-check.result }}" == "success" ]; then
            echo "✅ **Dependency Check:** Passed" >> $GITHUB_STEP_SUMMARY
          else
            echo "❌ **Dependency Check:** Failed" >> $GITHUB_STEP_SUMMARY
          fi
          if [ "${{ needs.dockerfile-lint.result }}" == "success" ]; then
            echo "✅ **Dockerfile Lint:** Passed" >> $GITHUB_STEP_SUMMARY
          else
            echo "❌ **Dockerfile Lint:** Failed" >> $GITHUB_STEP_SUMMARY
          fi
          echo "" >> $GITHUB_STEP_SUMMARY
          echo "📋 **View detailed results in the Security tab**" >> $GITHUB_STEP_SUMMARY