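# Dependency vulnerability scanning for the Rust crates (contracts/predict-iq,
# services/api), the Node projects (frontend, services/tts) and a
# repository-wide Trivy filesystem scan. Each ecosystem runs an informational
# pass that never blocks, followed by a gate that fails only on the severities
# treated as blocking. Results are summarised on pull requests by the final job.
#
# Supply-chain note: only trivy-action is pinned to a commit; the other actions
# float on major tags. Pinning every action to a full commit SHA (taken from the
# upstream release, not reproduced here) removes that moving part.
name: Dependency Vulnerability Scanning

on:
  push:
    branches: [main, develop]
  pull_request:
    branches: [main, develop]
  schedule:
    - cron: '0 2 * * *'  # nightly at 02:00 UTC, so new advisories surface without a push

# Least privilege for GITHUB_TOKEN: read-only by default. Jobs that must write
# (SARIF upload, PR comment) request exactly the scopes they need below.
permissions:
  contents: read

jobs:
  scan-rust:
    name: Scan Rust Dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install Rust
        uses: dtolnay/rust-toolchain@stable
      - name: Install cargo-audit
        # --locked builds the scanner from its own Cargo.lock instead of
        # resolving its dependency tree afresh on every run.
        run: cargo install --locked cargo-audit

      # Informational pass: prints every finding (warnings included) but never
      # blocks; the gate below decides what actually fails the job.
      - name: Audit contracts/predict-iq dependencies
        run: cargo audit --deny warnings
        working-directory: contracts/predict-iq
        continue-on-error: true
      - name: Audit contracts/predict-iq (fail on critical)
        # `run` steps execute under `bash -e`, and `var=$(cmd)` carries cmd's
        # exit status, so without `|| true` the step aborted as soon as
        # cargo-audit reported ANY vulnerability — before the severity filter
        # ran — making the "critical only" gate fail on every finding.
        # NOTE(review): confirm the jq path against real cargo-audit JSON; in
        # the versions I have seen the report nests findings under
        # `vulnerabilities.list` and advisories carry a CVSS vector rather than
        # a `severity` field, in which case this filter never matches.
        run: |
          output=$(cargo audit --json || true)
          critical=$(echo "$output" | jq '[.vulnerabilities[] | select(.advisory.severity == "critical")] | length')
          if [ "$critical" -gt 0 ]; then
            echo "❌ Found $critical critical vulnerabilities in contracts/predict-iq"
            echo "$output" | jq '.vulnerabilities[] | select(.advisory.severity == "critical")'
            exit 1
          fi
          echo "✅ No critical vulnerabilities found in contracts/predict-iq"
        working-directory: contracts/predict-iq

      - name: Audit services/api dependencies
        run: cargo audit --deny warnings
        working-directory: services/api
        continue-on-error: true
      - name: Audit services/api (fail on critical)
        # Same `|| true` rationale and same jq-path caveat as the
        # contracts/predict-iq gate above.
        run: |
          output=$(cargo audit --json || true)
          critical=$(echo "$output" | jq '[.vulnerabilities[] | select(.advisory.severity == "critical")] | length')
          if [ "$critical" -gt 0 ]; then
            echo "❌ Found $critical critical vulnerabilities in services/api"
            echo "$output" | jq '.vulnerabilities[] | select(.advisory.severity == "critical")'
            exit 1
          fi
          echo "✅ No critical vulnerabilities found in services/api"
        working-directory: services/api

  scan-npm:
    name: Scan NPM Dependencies
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '18'
      - name: Install dependencies
        run: npm ci  # lockfile-exact install; fails if package-lock.json drifts
        working-directory: frontend

      # Informational pass for the front-end; the gate below is the real check.
      - name: Audit NPM dependencies
        run: npm audit --audit-level=moderate
        working-directory: frontend
        continue-on-error: true
      - name: Check for critical vulnerabilities
        # `npm audit` exits non-zero whenever it finds anything, so the same
        # `|| true` guard is needed here; otherwise the step dies before the
        # critical/high counts are inspected.
        run: |
          output=$(npm audit --json || true)
          critical=$(echo "$output" | jq '.metadata.vulnerabilities.critical // 0')
          high=$(echo "$output" | jq '.metadata.vulnerabilities.high // 0')
          if [ "$critical" -gt 0 ] || [ "$high" -gt 0 ]; then
            echo "❌ Found $critical critical and $high high vulnerabilities"
            exit 1
          fi
          echo "✅ No critical or high vulnerabilities found"
        working-directory: frontend

      # The TTS service has no informational pass: the high-level audit itself
      # is the gate and fails the job directly.
      - name: Install TTS dependencies
        run: npm ci
        working-directory: services/tts
      - name: Audit TTS NPM dependencies
        run: npm audit --audit-level=high
        working-directory: services/tts

  scan-trivy:
    name: Scan with Trivy
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # upload-sarif writes code-scanning alerts
      # `actions: read` is additionally required by upload-sarif on private repositories.
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98 # master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'  # fail the step when CRITICAL/HIGH findings exist
      - name: Upload Trivy results to GitHub Security tab
        # exit-code '1' above fails the scanner step precisely when there are
        # findings; without `always()` this upload was skipped in exactly that
        # case and the Security tab never saw them.
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'
          category: 'trivy'

  report-vulnerabilities:
    name: Report Vulnerabilities
    runs-on: ubuntu-latest
    needs: [scan-rust, scan-npm, scan-trivy]
    if: always()  # report even when a scan job failed
    permissions:
      contents: read
      pull-requests: write  # createComment on the PR
    steps:
      - uses: actions/checkout@v4
      - name: Comment on PR with scan results
        # On pull requests from forks GITHUB_TOKEN is read-only, so this
        # comment cannot be posted there; the scan jobs still gate the PR.
        # Inlining `needs.*.result` into the script is safe: the value is one
        # of success/failure/cancelled/skipped, never attacker-controlled text.
        if: github.event_name == 'pull_request'
        uses: actions/github-script@v9
        with:
          script: |
            const scanStatus = '${{ needs.scan-rust.result }}' === 'failure' ||
                               '${{ needs.scan-npm.result }}' === 'failure' ||
                               '${{ needs.scan-trivy.result }}' === 'failure' ? '❌' : '✅';
            github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `${scanStatus} **Dependency Vulnerability Scan**\n\n- Rust audit: ${{ needs.scan-rust.result }}\n- NPM audit: ${{ needs.scan-npm.result }}\n- Trivy scan: ${{ needs.scan-trivy.result }}`
            });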