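# Security & Quality workflow: Trivy (filesystem and image), npm audit / audit-ci
# and hadolint, each uploading SARIF to the repository's Security tab, followed
# by a summary job that reports the outcome of the three scan jobs.
#
# NOTE(review): the workflow/job/step names in the original carried emoji
# prefixes that arrived mis-encoded in this copy; they are omitted here.
# These are display names only and do not affect behaviour.
name: Security & Quality

on:
  pull_request:
    branches: [master, main]
  schedule:
    # Run weekly security scans (Mondays, 06:00 UTC)
    - cron: '0 6 * * 1'

# Least-privilege token: SARIF upload needs security-events: write;
# actions: read is needed by upload-sarif on private repositories.
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # TODO(security): `@master` is a mutable ref — pin to a release tag or a
      # commit SHA so the scanner version cannot change underneath the workflow.
      # No `exit-code` input is set, so findings are reported to the Security
      # tab but do not fail this job; the quality gate below therefore only
      # reflects that the scan ran, not that it was clean.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      # always(): upload whatever was produced even if the scan step failed.
      # NOTE(review): on pull_request from a fork the token is read-only, so
      # this upload is expected to fail there.
      - name: Upload Trivy scan results to GitHub Security
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
          category: 'trivy-filesystem'

      # Image scan only on pull_request; the scheduled run is filesystem-only.
      - name: Build Docker image for security scan
        if: github.event_name != 'schedule'
        run: docker build -t security-scan-image .

      # TODO(security): same mutable `@master` ref as above — pin it.
      - name: Run Trivy on Docker image
        if: github.event_name != 'schedule'
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'security-scan-image'
          format: 'sarif'
          output: 'trivy-docker-results.sarif'

      - name: Upload Docker scan results
        uses: github/codeql-action/upload-sarif@v3
        if: always() && github.event_name != 'schedule'
        with:
          sarif_file: 'trivy-docker-results.sarif'
          category: 'trivy-docker'

  dependency-check:
    name: Dependency Check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          cache: 'npm'

      - name: Install dependencies
        run: npm ci

      # Using audit-ci for allowlisting, npm audit for basic check (non-blocking)
      - name: Audit dependencies
        run: npm audit --audit-level=moderate || true

      # Informational only; never fails the job.
      - name: Check for outdated packages
        run: npm outdated || true

      # audit-ci respects allowlist in audit-ci.json for false positives.
      # This is the only blocking check in the job.
      # NOTE(review): npx fetches audit-ci from the registry when it is not
      # already installed; keeping it as a pinned devDependency in package.json
      # makes the resolved version reproducible across runs.
      - name: Check for known vulnerabilities
        run: npx audit-ci --config audit-ci.json

  dockerfile-lint:
    name: Dockerfile Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # no-fail: lint findings are written to SARIF but never fail the job.
      - name: Lint Dockerfile
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Dockerfile
          format: sarif
          output-file: hadolint-results.sarif
          no-fail: true

      - name: Upload Dockerfile lint results
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: hadolint-results.sarif
          category: 'hadolint'

  quality-gates:
    name: Quality Gates
    runs-on: ubuntu-latest
    needs: [security-scan, dependency-check, dockerfile-lint]
    # always(): write the summary even when a scan job failed or was skipped.
    if: always()
    steps:
      - name: Quality Gate Summary
        # Job results are passed via env rather than interpolated into the
        # script body. The values are GitHub-controlled (success / failure /
        # cancelled / skipped), so this is habit rather than a fix, but it keeps
        # `${{ }}` substitution out of shell code.
        env:
          SECURITY_SCAN: ${{ needs.security-scan.result }}
          DEPENDENCY_CHECK: ${{ needs.dependency-check.result }}
          DOCKERFILE_LINT: ${{ needs.dockerfile-lint.result }}
        run: |
          # report LABEL RESULT — append one status line to the step summary.
          # Anything other than "success" is reported as failed, with the raw
          # result in parentheses so "skipped"/"cancelled" are not mistaken for
          # a genuine scan failure.
          report() {
            if [ "$2" = "success" ]; then
              echo "✅ **$1:** Passed" >> "$GITHUB_STEP_SUMMARY"
            else
              echo "❌ **$1:** Failed ($2)" >> "$GITHUB_STEP_SUMMARY"
            fi
          }

          {
            echo "## Security & Quality Report"
            echo ""
          } >> "$GITHUB_STEP_SUMMARY"

          report "Security Scan" "$SECURITY_SCAN"
          report "Dependency Check" "$DEPENDENCY_CHECK"
          report "Dockerfile Lint" "$DOCKERFILE_LINT"

          {
            echo ""
            echo "**View detailed results in the Security tab**"
          } >> "$GITHUB_STEP_SUMMARY"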