Fix cors #4
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Security | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main, develop] | |
| schedule: | |
| # Run every Monday at 00:00 UTC | |
| - cron: '0 0 * * 1' | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| jobs: | |
| # ============================================ | |
| # CodeQL Analysis - GitHub's native SAST | |
| # ============================================ | |
| codeql: | |
| name: CodeQL Analysis | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v4 | |
| with: | |
| languages: javascript-typescript | |
| queries: security-and-quality | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Build | |
| run: npm run build | |
| env: | |
| NEXT_PUBLIC_API_URL: http://localhost:8080 | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v4 | |
| with: | |
| category: '/language:javascript-typescript' | |
| # ============================================ | |
| # npm audit - Dependency Vulnerability Check | |
| # ============================================ | |
| npm-audit: | |
| name: NPM Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run npm audit | |
| run: npm audit --audit-level=high | |
| continue-on-error: true | |
| - name: Run npm audit (JSON output) | |
| run: npm audit --json > npm-audit-results.json || true | |
| - name: Upload audit results | |
| uses: actions/upload-artifact@v6 | |
| with: | |
| name: npm-audit-results | |
| path: npm-audit-results.json | |
| retention-days: 30 | |
| # ============================================ | |
| # Trivy - Dependency Scanning | |
| # ============================================ | |
| trivy: | |
| name: Trivy Vulnerability Scanner | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH,MEDIUM' | |
| scanners: 'vuln,secret,misconfig' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| # ============================================ | |
| # ESLint Security Rules | |
| # ============================================ | |
| eslint-security: | |
| name: ESLint Security | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Install SARIF formatter | |
| run: npm install @microsoft/eslint-formatter-sarif | |
| - name: Run ESLint | |
| run: npx eslint . --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif | |
| continue-on-error: true | |
| - name: Upload ESLint results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: always() | |
| with: | |
| sarif_file: eslint-results.sarif | |
| continue-on-error: true | |
| # ============================================ | |
| # Secret Scanning with Gitleaks (Optional) | |
| # ============================================ | |
| # Requires GITLEAKS_LICENSE secret for organizations | |
| # Enable by setting repository variable ENABLE_GITLEAKS=true | |
| # Note: Trivy also scans for secrets as a backup | |
| gitleaks: | |
| name: Secret Scanning | |
| runs-on: ubuntu-latest | |
| if: ${{ vars.ENABLE_GITLEAKS == 'true' }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Run Gitleaks | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} | |
| # ============================================ | |
| # Snyk Security Scan (Optional - requires SNYK_TOKEN) | |
| # ============================================ | |
| snyk: | |
| name: Snyk Security Scan | |
| runs-on: ubuntu-latest | |
| if: ${{ vars.ENABLE_SNYK == 'true' }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '20' | |
| cache: 'npm' | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run Snyk to check for vulnerabilities | |
| uses: snyk/actions/node@master | |
| continue-on-error: true | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| args: --severity-threshold=high | |
| # ============================================ | |
| # Docker Image Scan (on main branch) | |
| # ============================================ | |
| docker-scan: | |
| name: Docker Image Scan | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v6 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Docker image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| push: false | |
| load: true | |
| tags: admin-ui:scan | |
| build-args: | | |
| NEXT_PUBLIC_API_URL=http://localhost:8080 | |
| - name: Run Trivy vulnerability scanner on Docker image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'admin-ui:scan' | |
| format: 'sarif' | |
| output: 'trivy-docker-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Upload Trivy Docker scan results | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: 'trivy-docker-results.sarif' |