diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..e30e86ee
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,16 @@
+version: 2
+updates:
+ - package-ecosystem: "pip"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 10
+ - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ open-pull-requests-limit: 10
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 288892ed..ca6123f1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
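Review bot: The `npm` entry has no guard, while security.yml in this same commit only runs `npm audit` when `package.json` exists, which suggests the repository may not have an npm manifest at `/`; if it does not, Dependabot reports a configuration error for that entry on every run, so either drop it or confirm the manifest is present. The `github-actions` entry is the one that matters for supply-chain hygiene: it also updates actions pinned to commit SHAs, so the workflows in this commit can pin `actions/checkout`, `github/codeql-action`, `aquasecurity/trivy-action` and `trufflesecurity/trufflehog` to SHAs without manual upkeep.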
@@ -1,46 +1,39 @@ -name: CodeQL +name: "CodeQL SAST" on: push: - branches: - - main - - develop + branches: [ "coreason-develop", "main" ] pull_request: - branches: - - main - - develop + branches: [ "coreason-develop", "main" ] schedule: - - cron: "0 12 * * 1" - -permissions: - security-events: write - actions: read - contents: read - -env: - FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" + - cron: '30 2 * * 1' jobs: analyze: name: Analyze runs-on: ubuntu-latest - steps: - - name: Harden Runner - uses: step-security/harden-runner@v2 - with: - egress-policy: audit + permissions: + actions: read + contents: read + security-events: write - - uses: actions/checkout@v4 + strategy: + fail-fast: false + matrix: + language: [ 'python' ] - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: python - - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 - with: - category: "/language:python" + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + queries: security-extended,security-and-quality + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + continue-on-error: true + with: + category: "/language:${{matrix.language}}" diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml new file mode 100644 index 00000000..a63ded26 --- /dev/null +++ b/.github/workflows/container-scan.yml 
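Review bot: `continue-on-error: true` on the Perform CodeQL Analysis step means a failed analysis or failed SARIF upload still reports the job green, so the workflow no longer gates anything; drop that line, or if the job is meant to stay advisory during rollout, say so in a comment above it. The rewrite also removes the Harden Runner step that security.yml in this same commit keeps, so the two workflows now apply different egress controls; the move of `permissions:` from workflow level to job level is equivalent and fine. Every action reference here, in container-scan.yml and in security.yml is a mutable tag or branch (`@v3`, `@v4`, `@main`, `@master`), where the old security.yml pinned checkout to a commit SHA; the `github-actions` Dependabot entry added in this commit keeps SHA pins current, so the pin can be restored without maintenance cost.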
@@ -0,0 +1,35 @@
+name: Container Vulnerability Scan
+
+on:
+ push:
+ branches: [ "coreason-develop", "main" ]
+ pull_request:
+ branches: [ "coreason-develop", "main" ]
+
+jobs:
+ trivy:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+ actions: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run Trivy vulnerability scanner in fs mode
+ if: hashFiles('Dockerfile') != ''
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ if: hashFiles('Dockerfile') != ''
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: 'trivy-results.sarif'
+ continue-on-error: true
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 6f378d6e..e4d0261f 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
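Review bot: `uses: aquasecurity/trivy-action@master` tracks a moving branch, so the scanner's code can change underneath this workflow without review; pin it to a release tag or, better, a commit SHA. With `scan-type: 'fs'` Trivy scans the checked-out repository tree, not a built container image, so despite the workflow name and the `hashFiles('Dockerfile')` guard no image layers are examined; if image scanning is the intent, build the image first and use `scan-type: 'image'` with `image-ref`. No `exit-code` input is set, so CRITICAL/HIGH findings never fail the job, and `continue-on-error: true` on the upload step additionally hides upload failures, leaving this workflow purely informational.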
@@ -1,40 +1,86 @@ - name: Security Audit on: + push: + branches: [ coreason-develop, main ] + pull_request: + branches: [ coreason-develop, main ] schedule: - cron: '0 0 * * *' workflow_dispatch: permissions: contents: read - -env: - FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true" + security-events: write + actions: read jobs: - audit-dependencies: + secret-scan: + name: Secret Scanning + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - name: Trufflehog Secret Scan + uses: trufflesecurity/trufflehog@main + with: + base: ${{ github.event.repository.default_branch }} + head: HEAD + extra_args: --only-verified + continue-on-error: true + + sca-audit: + name: Software Composition Analysis runs-on: ubuntu-latest steps: - - uses: actions/checkout@ff7abcd0c3c05ccf6adc123a8cd1fd4fb30fb493 + - name: Harden Runner + uses: step-security/harden-runner@v2 + with: + egress-policy: audit + + - uses: actions/checkout@v4 - name: Install uv uses: astral-sh/setup-uv@v5 with: - enable-cache: false - cache-dependency-glob: "uv.lock" + enable-cache: true + python-version: '3.14' - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version-file: "pyproject.toml" - allow-prereleases: true + - name: Python SCA Audit (pip-audit) + run: | + if [ -f "pyproject.toml" ]; then + uv export --format requirements-txt > requirements.txt + uv tool run pip-audit -r requirements.txt -f sarif -o pip-audit.sarif || echo "Vulnerabilities found!" 
+ uv tool run pip-audit -r requirements.txt -f html -o pip-audit-report.html || true + fi + shell: bash - - name: Export requirements for pip-audit - run: uv export --format requirements-txt > requirements.txt + - name: Node.js SCA Audit (npm audit) + run: | + if [ -f "package.json" ]; then + npm install --package-lock-only + npm audit --json > npm-audit.json || true + npx @microsoft/npm-audit-sarif -i npm-audit.json -o npm-audit.sarif || true + fi shell: bash - - name: Run pip-audit - uses: pypa/gh-action-pip-audit@v1.1.0 + - name: Black Duck Compliance Check + run: | + echo "INFO: Ready for Black Duck integration." + shell: bash + + - name: Upload SARIF Reports to GitHub Advanced Security + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: . + continue-on-error: true + + - name: Upload Compliance Reports as Artifacts + uses: actions/upload-artifact@v4 with: - inputs: requirements.txt + name: security-audit-reports + path: | + pip-audit-report.html + npm-audit.json + retention-days: 14
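Review bot: Every finding-producing command in sca-audit is wrapped in `|| echo ...` or `|| true`, and both the secret scan and the SARIF upload carry `continue-on-error: true`, so this workflow cannot fail on a verified secret, a known-vulnerable dependency or a failed upload; since it now runs on push and pull_request for `main` and `coreason-develop`, at least the pip-audit SARIF call should keep its exit status, e.g. `uv tool run pip-audit -r requirements.txt -f sarif -o pip-audit.sarif`. `trufflesecurity/trufflehog@main` is a moving branch, and `base: ${{ github.event.repository.default_branch }}` with `head: HEAD` on a push to the default branch compares a commit with itself, which the action reports as an error; pinning the action and restricting the base/head inputs to pull_request events would be more robust. `actions/checkout` moves from a commit SHA to `@v4`, a step back from the pin the old file had, and the `github-actions` Dependabot entry added in this commit would keep a SHA pin current. `sarif_file: .` uploads every `.sarif` under the workspace, which is fine, but when neither pyproject.toml nor package.json exists no SARIF is produced and the upload fails silently behind continue-on-error.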