Skip to content

Fix cors

Fix cors #4

Workflow file for this run

name: Security
on:
push:
branches: [main, develop]
pull_request:
branches: [main, develop]
schedule:
# Run every Monday at 00:00 UTC
- cron: '0 0 * * 1'
permissions:
contents: read
security-events: write
actions: read
jobs:
# ============================================
# CodeQL Analysis - GitHub's native SAST
# ============================================
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: javascript-typescript
queries: security-and-quality
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build
run: npm run build
env:
NEXT_PUBLIC_API_URL: http://localhost:8080
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: '/language:javascript-typescript'
# ============================================
# npm audit - Dependency Vulnerability Check
# ============================================
npm-audit:
name: NPM Audit
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run npm audit
run: npm audit --audit-level=high
continue-on-error: true
- name: Run npm audit (JSON output)
run: npm audit --json > npm-audit-results.json || true
- name: Upload audit results
uses: actions/upload-artifact@v6
with:
name: npm-audit-results
path: npm-audit-results.json
retention-days: 30
# ============================================
# Trivy - Dependency Scanning
# ============================================
trivy:
name: Trivy Vulnerability Scanner
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH,MEDIUM'
scanners: 'vuln,secret,misconfig'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-results.sarif'
# ============================================
# ESLint Security Rules
# ============================================
eslint-security:
name: ESLint Security
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Install SARIF formatter
run: npm install @microsoft/eslint-formatter-sarif
- name: Run ESLint
run: npx eslint . --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif
continue-on-error: true
- name: Upload ESLint results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: eslint-results.sarif
continue-on-error: true
# ============================================
# Secret Scanning with Gitleaks (Optional)
# ============================================
# Requires GITLEAKS_LICENSE secret for organizations
# Enable by setting repository variable ENABLE_GITLEAKS=true
# Note: Trivy also scans for secrets as a backup
gitleaks:
name: Secret Scanning
runs-on: ubuntu-latest
if: ${{ vars.ENABLE_GITLEAKS == 'true' }}
steps:
- name: Checkout repository
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Run Gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}
# ============================================
# Snyk Security Scan (Optional - requires SNYK_TOKEN)
# ============================================
snyk:
name: Snyk Security Scan
runs-on: ubuntu-latest
if: ${{ vars.ENABLE_SNYK == 'true' }}
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run Snyk to check for vulnerabilities
uses: snyk/actions/node@master
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --severity-threshold=high
# ============================================
# Docker Image Scan (on main branch)
# ============================================
docker-scan:
name: Docker Image Scan
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker image
uses: docker/build-push-action@v6
with:
context: .
push: false
load: true
tags: admin-ui:scan
build-args: |
NEXT_PUBLIC_API_URL=http://localhost:8080
- name: Run Trivy vulnerability scanner on Docker image
uses: aquasecurity/trivy-action@master
with:
image-ref: 'admin-ui:scan'
format: 'sarif'
output: 'trivy-docker-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy Docker scan results
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'trivy-docker-results.sarif'