Merge pull request #311 from davedumto/frontend/workflow-operations #71
| name: Security Scan | |
| on: | |
| push: | |
| branches: [ main, master ] | |
| pull_request: | |
| branches: [ main, master ] | |
| schedule: | |
| - cron: '0 2 * * 1' | |
| jobs: | |
| codeql: | |
| name: CodeQL Analysis | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| language: [ 'python', 'javascript', 'typescript' ] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Initialize CodeQL | |
| uses: github/codeql-action/init@v2 | |
| with: | |
| languages: ${{ matrix.language }} | |
| - name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v2 | |
| with: | |
| category: "/language:${{ matrix.language }}" | |
| dependency-review: | |
| name: Dependency Review | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'pull_request' | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Dependency Review | |
| uses: actions/dependency-review-action@v3 | |
| with: | |
| fail-on-severity: high | |
| allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC | |
| cargo-audit: | |
| name: Cargo Security Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Install Rust toolchain | |
| uses: actions-rs/toolchain@v1 | |
| with: | |
| toolchain: stable | |
| override: true | |
| - name: Install cargo-audit | |
| run: cargo install cargo-audit | |
| - name: Run cargo audit on smart contract | |
| run: cargo audit | |
| working-directory: smartcontract | |
| continue-on-error: true | |
| - name: Run cargo audit on relayer | |
| run: cargo audit | |
| working-directory: relayer | |
| continue-on-error: true | |
| npm-audit: | |
| name: NPM Security Audit | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '18' | |
| - name: Run npm audit | |
| run: npm audit --audit-level=high | |
| working-directory: frontend | |
| continue-on-error: true | |
| python-safety: | |
| name: Python Safety Check | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Install safety | |
| run: pip install safety | |
| - name: Run safety check | |
| run: safety check -r backend/requirements.txt | |
| continue-on-error: true | |
| secrets-scan: | |
| name: Secret Scanning | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: TruffleHog OSS | |
| uses: trufflesecurity/trufflehog@main | |
| with: | |
| path: ./ | |
| base: ${{ github.event.repository.default_branch }} | |
| extra_args: --only-verified | |
| security-summary: | |
| name: Security Summary | |
| runs-on: ubuntu-latest | |
| needs: [codeql, dependency-review, cargo-audit, npm-audit, python-safety] | |
| if: always() | |
| steps: | |
| - name: Create security summary | |
| run: | | |
| echo "## Security Scan Summary" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "| Scan | Status |" >> $GITHUB_STEP_SUMMARY | |
| echo "|------|--------|" >> $GITHUB_STEP_SUMMARY | |
| echo "| CodeQL | ✅ Completed |" >> $GITHUB_STEP_SUMMARY | |
| echo "| Dependency Review | ✅ Completed |" >> $GITHUB_STEP_SUMMARY | |
| echo "| Cargo Audit | ✅ Completed |" >> $GITHUB_STEP_SUMMARY | |
| echo "| NPM Audit | ✅ Completed |" >> $GITHUB_STEP_SUMMARY | |
| echo "| Python Safety | ✅ Completed |" >> $GITHUB_STEP_SUMMARY | |
| echo "" >> $GITHUB_STEP_SUMMARY | |
| echo "Review the individual job results for details on any findings." >> $GITHUB_STEP_SUMMARY |
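Review bot: With `continue-on-error: true` on both cargo audit steps, the npm audit step and the safety step, no dependency finding can ever fail this workflow, and the summary job then prints `✅ Completed` for every scanner unconditionally even though it runs under `if: always()` and has each job's real outcome available as `${{ needs.<job>.result }}`. Consider dropping `continue-on-error` from at least the npm audit step, which already gates on `--audit-level=high`, and rendering the actual result per row; the `secrets-scan` job is also missing from the summary's `needs` list, so it is neither waited on nor reported. Separately, `trufflesecurity/trufflehog@main` pins a mutable branch rather than a release tag or commit SHA, which is weaker supply-chain hygiene than the `@v4`/`@v5` pins used elsewhere in the file, and the matrix of CodeQL actions is on `@v2` where the action now ships `@v3`. There is no workflow-level `permissions:` block, so every job except `codeql` runs with the repository's default token scope; a top-level `permissions: contents: read` would bring the remaining jobs to least privilege.
```yaml
    needs: [codeql, dependency-review, cargo-audit, npm-audit, python-safety, secrets-scan]
    # … unchanged: name, runs-on, if: always(), steps header …
        run: |
          # … unchanged: summary heading and table header echoes …
          echo "| CodeQL | ${{ needs.codeql.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Dependency Review | ${{ needs.dependency-review.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Cargo Audit | ${{ needs.cargo-audit.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| NPM Audit | ${{ needs.npm-audit.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Python Safety | ${{ needs.python-safety.result }} |" >> $GITHUB_STEP_SUMMARY
          echo "| Secret Scanning | ${{ needs.secrets-scan.result }} |" >> $GITHUB_STEP_SUMMARY
          # … unchanged: trailing blank line and closing sentence …
```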