Skip to content

Feat : PII fields and JTI #301

Feat : PII fields and JTI

Feat : PII fields and JTI #301

Workflow file for this run

# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json

Check failure on line 1 in .github/workflows/security.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/security.yml

Invalid workflow file

(Line: 37, Col: 9): Unrecognized function: 'hashFiles'. Located at position 1 within expression: hashFiles('package.json', 'pnpm-lock.yaml') != '', (Line: 76, Col: 9): Unrecognized function: 'hashFiles'. Located at position 1 within expression: hashFiles('Dockerfile') != ''
name: Security Scanning
on:
push:
branches: [main, develop]
pull_request:
workflow_dispatch:
jobs:
sast:
name: SAST (CodeQL)
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: typescript
- name: Autobuild
uses: github/codeql-action/autobuild@v4
- name: Analyze
uses: github/codeql-action/analyze@v4
dependency-scan:
name: Dependency Scan
runs-on: ubuntu-latest
if: hashFiles('package.json', 'pnpm-lock.yaml') != ''
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup pnpm
uses: pnpm/action-setup@v4
with:
version: 11
- name: Setup Node
uses: actions/setup-node@v4
with:
node-version: 22
cache: pnpm
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Audit dependencies (fail only on critical)
run: pnpm audit --audit-level=critical
secrets-scan:
name: Secrets Scan (Gitleaks)
runs-on: ubuntu-latest
steps:
- name: Checkout full history
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Run Gitleaks
uses: gitleaks/gitleaks-action@v2
container-scan:
name: Container Scan (Trivy)
runs-on: ubuntu-latest
if: hashFiles('Dockerfile') != ''
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Build Docker image
run: docker build -t app:${{ github.sha }} .
- name: Run Trivy scan
uses: aquasecurity/trivy-action@v0.20.0
continue-on-error: true # ensures output is handled safely
with:
image-ref: app:${{ github.sha }}
severity: CRITICAL,HIGH
dast-scan:
name: DAST Scan (SQLMap)
runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.x'
- name: Install SQLMap
run: pip install sqlmap
- name: Start Application Container
run: |
docker compose -f docker-compose.staging.yml up -d
# Wait for application to be healthy
sleep 15
- name: Run SQLMap Scan
run: |
# Scanning course search endpoint dynamically with SQLMap (non-blocking)
sqlmap -u "http://localhost:3000/search?q=test" --batch --crawl=2 --level=1 --risk=1
continue-on-error: true