denshooter/portfolio
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c4bc27273ed626e95deef91c5d2d8c258e6e4076
portfolio/.gitea/workflows/security-scan.yml
denshooter c4bc27273e
Some checks failed
CI/CD Pipeline / test (push) Successful in 10m59s
Details
Security Scan / security (push) Failing after 5m27s
Details
CI/CD Pipeline / security (push) Successful in 5m57s
Details
CI/CD Pipeline / build (push) Failing after 3m3s
Details
CI/CD Pipeline / deploy (push) Has been skipped
Details
Implement security scanning workflows and scripts 
- Update CI/CD workflow to use specific Trivy version and change output format for vulnerability results.
- Add fallback npm audit step in case Trivy scan fails.
- Create a new security scan workflow that runs on push and pull request events, including scheduled scans.
- Introduce a security scan script to perform npm audit, Trivy scans, and check for potential secrets in the codebase.
- Ensure results are uploaded as artifacts for review and maintain retention policies for scan results.
2025-09-11 10:44:03 +02:00

79 lines
2.7 KiB
YAML
Raw Blame History

name: Security Scan
on:
push:
branches: [ main, production ]
pull_request:
branches: [ main, production ]
schedule:
- cron: '0 2 * * 1' # Weekly on Monday at 2 AM
jobs:
security:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Run npm audit
run: |
echo "🔍 Running npm audit for dependency vulnerabilities..."
npm audit --audit-level=high --json > npm-audit-results.json || true
npm audit --audit-level=high || echo "⚠️ Some vulnerabilities found, but continuing..."
- name: Run Trivy (with fallback)
run: |
echo "🔍 Attempting Trivy scan..."
# Try to install and run Trivy directly
wget -qO- https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy fs --scanners vuln,secret --format table . > trivy-results.txt 2>&1 || {
echo "⚠️ Trivy scan failed, but continuing with other checks..."
echo "Trivy scan failed due to network issues" > trivy-results.txt
}
- name: Check for secrets
run: |
echo "🔍 Checking for potential secrets..."
# Check for common secret patterns
if grep -r -i "password\|secret\|key\|token" --include="*.js" --include="*.ts" --include="*.json" . | grep -v node_modules | grep -v ".git" | grep -v "package-lock.json" | grep -v "test"; then
echo "⚠️ Potential secrets found in code"
exit 1
else
echo "✅ No obvious secrets found"
fi
- name: Upload security scan results
uses: actions/upload-artifact@v4
if: always()
with:
name: security-scan-results
path: |
npm-audit-results.json
trivy-results.txt
retention-days: 30
- name: Security scan summary
run: |
echo "## Security Scan Summary" >> $GITHUB_STEP_SUMMARY
echo "### NPM Audit Results" >> $GITHUB_STEP_SUMMARY
if [ -f npm-audit-results.json ]; then
echo "✅ NPM audit completed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ NPM audit failed" >> $GITHUB_STEP_SUMMARY
fi
echo "### Trivy Results" >> $GITHUB_STEP_SUMMARY
if [ -f trivy-results.txt ]; then
echo "✅ Trivy scan completed" >> $GITHUB_STEP_SUMMARY
else
echo "❌ Trivy scan failed" >> $GITHUB_STEP_SUMMARY
fi
Reference in New Issue View Git Blame Copy Permalink