denshooter/portfolio
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c4bc27273ed626e95deef91c5d2d8c258e6e4076
portfolio/scripts/security-scan.sh
denshooter c4bc27273e
Some checks failed
CI/CD Pipeline / test (push) Successful in 10m59s
Details
Security Scan / security (push) Failing after 5m27s
Details
CI/CD Pipeline / security (push) Successful in 5m57s
Details
CI/CD Pipeline / build (push) Failing after 3m3s
Details
CI/CD Pipeline / deploy (push) Has been skipped
Details
Implement security scanning workflows and scripts 
- Update CI/CD workflow to use specific Trivy version and change output format for vulnerability results.
- Add fallback npm audit step in case Trivy scan fails.
- Create a new security scan workflow that runs on push and pull request events, including scheduled scans.
- Introduce a security scan script to perform npm audit, Trivy scans, and check for potential secrets in the codebase.
- Ensure results are uploaded as artifacts for review and maintain retention policies for scan results.
2025-09-11 10:44:03 +02:00

98 lines
2.8 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Security Scan Script
# This script runs various security checks on the portfolio project
set -e
echo "🔒 Starting security scan..."
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Function to print colored output
print_status() {
echo -e "${GREEN}$1${NC}"
}
print_warning() {
echo -e "${YELLOW}⚠️ $1${NC}"
}
print_error() {
echo -e "${RED}$1${NC}"
}
# Check if we're in the right directory
if [ ! -f "package.json" ]; then
print_error "Please run this script from the project root directory"
exit 1
fi
# 1. NPM Audit
echo "🔍 Running npm audit..."
if npm audit --audit-level=high; then
print_status "NPM audit passed - no high/critical vulnerabilities found"
else
print_warning "NPM audit found vulnerabilities - check the output above"
fi
# 2. Trivy scan (if available)
echo "🔍 Running Trivy vulnerability scan..."
if command -v trivy &> /dev/null; then
if trivy fs --scanners vuln,secret --format table .; then
print_status "Trivy scan completed successfully"
else
print_warning "Trivy scan found issues - check the output above"
fi
else
print_warning "Trivy not installed - skipping Trivy scan"
echo "To install Trivy: brew install trivy"
fi
# 3. Check for secrets
echo "🔍 Checking for potential secrets in code..."
SECRETS_FOUND=false
# Check for common secret patterns
if grep -r -i "password\|secret\|key\|token" --include="*.js" --include="*.ts" --include="*.json" . | grep -v node_modules | grep -v ".git" | grep -v "package-lock.json" | grep -v "test" | grep -v "scripts/security-scan.sh"; then
print_error "Potential secrets found in code!"
SECRETS_FOUND=true
fi
# Check for .env files in git
if git ls-files | grep -E "\.env$|\.env\."; then
print_error ".env files found in git repository!"
SECRETS_FOUND=true
fi
if [ "$SECRETS_FOUND" = false ]; then
print_status "No obvious secrets found in code"
fi
# 4. Check for outdated dependencies
echo "🔍 Checking for outdated dependencies..."
if npm outdated; then
print_status "All dependencies are up to date"
else
print_warning "Some dependencies are outdated - consider updating"
fi
# 5. Check for known vulnerable packages
echo "🔍 Checking for known vulnerable packages..."
if npm audit --audit-level=moderate; then
print_status "No moderate+ vulnerabilities found"
else
print_warning "Some vulnerabilities found - run 'npm audit fix' to attempt fixes"
fi
echo ""
echo "🔒 Security scan completed!"
echo "For more detailed security analysis, consider:"
echo " - Running 'npm audit fix' to fix vulnerabilities"
echo " - Installing Trivy for comprehensive vulnerability scanning"
echo " - Using tools like Snyk or GitHub Dependabot for ongoing monitoring"
Reference in New Issue View Git Blame Copy Permalink