diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 00000000..374eabf7
--- /dev/null
+++ b/.github/workflows/codeql.yaml
@@ -0,0 +1,66 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [main, develop]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [main, develop]
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: ["python", "typescript"]
+ # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+ # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+ # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/precommit.yaml b/.github/workflows/precommit.yaml
new file mode 100644
index 00000000..a778f2bf
--- /dev/null
+++ b/.github/workflows/precommit.yaml
@@ -0,0 +1,36 @@
+name: Precommit tests
+
+on:
+ push:
+ branches:
+ - '*'
+ pull_request:
+ branches:
+ - '*'
+
+jobs:
+ pre-commit:
+ needs: install-dev-tools
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - name: dev env setup
+ uses: ./.github/actions/dev-env-setup
+ - name: set pre-commit cache directory
+ run: |
+ echo "PRE_COMMIT_HOME=$GITHUB_WORKSPACE/.pre-commit-cache" >> $GITHUB_ENV
+ - name: set PY
+ run: echo "PY=$(python -VV | sha256sum | cut -d' ' -f1)" >> $GITHUB_ENV
+ - name: create commitlint COMMIT_EDITMSG if not exists
+ run: |
+ if test -f ".git/COMMIT_EDITMSG"; then
+ echo "COMMIT_EDITMSG EXISTS, skipping"
+ else
+ touch .git/COMMIT_EDITMSG
+ fi
+ - uses: actions/cache@v3
+ with:
+ path: |
+ ./.pre-commit-cache
+ key: pre-commit-${{ env.PY }}-${{ hashFiles('.pre-commit-config.yaml') }}-v3
+ - run: pre-commit run --all-files
diff --git a/.github/workflows/scan-code-owasp-zap.yaml b/.github/workflows/scan-code-owasp-zap.yaml
new file mode 100644
index 00000000..9dd1c47f
--- /dev/null
+++ b/.github/workflows/scan-code-owasp-zap.yaml
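Review bot: The matrix value `"typescript"` on the `language:` line is not in the set the comment directly below it lists, where `'javascript'` is the CodeQL language that covers TypeScript; recent codeql-action releases appear to accept `typescript` as an alias, but `language: ["python", "javascript"]` removes the dependency on that alias and makes the comment truthful. The Autobuild step is a no-op for two interpreted languages and could be dropped together with its three comment paragraphs. `actions/checkout@v3` is a mutable major-version tag, as are the three CodeQL action references; for a security workflow consider pinning all four `uses:` lines to full commit SHAs with the version in a trailing comment, so a moved tag cannot change what runs with `security-events: write`.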
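Review bot: `needs: install-dev-tools` on the `pre-commit:` job refers to a job this workflow does not define, so GitHub rejects the file at validation time and the job never runs; drop the line or add the job it expects. The workflow also declares no `permissions:` block, so the job runs with the repository's default token scope although nothing here needs more than `permissions: contents: read`. The `branches: - '*'` filter matches only branch names without a `/`; if `feature/...` style branches should trigger it, `'**'` is the pattern.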
@@ -0,0 +1,72 @@
+name: OWASP ZAP Scan
+
+on:
+ workflow_call:
+ inputs:
+ target-url:
+ required: false
+ default: 'http://localhost:3000'
+ type: string
+ package-manager:
+ required: false
+ default: 'npm'
+ type: string
+
+concurrency:
+ group: callee-owasp-zap-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ owasp-zap-scan:
+ timeout-minutes: 60
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Install Node.js
+ uses: actions/setup-node@v3
+ with:
+ node-version: 20
+
+ - name: Setup package manager and install dependencies
+ id: setup-deps
+ run: |
+ if [ "${{ inputs.package-manager }}" = "npm" ]; then
+ echo "::set-output name=cache-dir::$(npm config get cache)"
+ npm install
+ elif [ "${{ inputs.package-manager }}" = "yarn" ]; then
+ echo "::set-output name=cache-dir::$(yarn cache dir)"
+ npm install -g yarn
+ yarn install
+ elif [ "${{ inputs.package-manager }}" = "pnpm" ]; then
+ echo "::set-output name=cache-dir::$(npx -q pnpm config get store)"
+ npm install -g pnpm
+ pnpm install
+ else
+ echo "Unsupported package manager specified. Supported package managers are npm, yarn, and pnpm."
+ exit 1
+ fi
+
+ - name: Cache dependencies
+ uses: actions/cache@v3
+ with:
+ path: |
+ ~/.npm
+ ~/.yarn
+ ~/.pnpm-store
+ key: ${{ runner.os }}-${{ inputs.package-manager }}-${{ hashFiles('**/lockfiles') }}
+ restore-keys: |
+ ${{ runner.os }}-${{ inputs.package-manager }}-
+
+ - name: Build and start server
+ run: |
+ npx ${{ inputs.package-manager }} run build
+ npx ${{ inputs.package-manager }} run start & # This starts the server in the background
+ sleep 5 # This allows the server some time to start up
+ working-directory: ./client
+
+ - name: Run OWASP ZAP Full Scan
+ uses: zaproxy/action-full-scan@v0.5.1
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ target: ${{ inputs.target-url }}
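Review bot: The `run:` script of the `Setup package manager and install dependencies` step splices `${{ inputs.package-manager }}` straight into shell text (and the `Build and start server` step does the same), so a caller-supplied value is evaluated as shell rather than compared as data; pass it through `env:` and reference `"$PKG_MANAGER"` inside the script. The same step emits `::set-output`, which GitHub deprecated in favour of appending `name=value` to `$GITHUB_OUTPUT`, and the `cache-dir` output it produces is never read. Separately, the `Cache dependencies` step runs after the install it is meant to speed up, and `hashFiles('**/lockfiles')` matches a file literally named `lockfiles` rather than `package-lock.json`, `yarn.lock` or `pnpm-lock.yaml`, so the cache key is likely constant across dependency changes. The `sleep 5` before the ZAP scan is a fixed wait rather than a readiness check, so a slow build start silently scans nothing.
```yaml
      - name: Setup package manager and install dependencies
        id: setup-deps
        env:
          PKG_MANAGER: ${{ inputs.package-manager }}
        run: |
          if [ "$PKG_MANAGER" = "npm" ]; then
            echo "cache-dir=$(npm config get cache)" >> "$GITHUB_OUTPUT"
            npm install
          # … unchanged: yarn and pnpm branches, with the same $PKG_MANAGER / $GITHUB_OUTPUT substitution …
          else
            echo "Unsupported package manager specified. Supported package managers are npm, yarn, and pnpm."
            exit 1
          fi
```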
diff --git a/.github/workflows/scan-code-sonarcloud.yaml b/.github/workflows/scan-code-sonarcloud.yaml
new file mode 100644
index 00000000..a0cfda35
--- /dev/null
+++ b/.github/workflows/scan-code-sonarcloud.yaml
@@ -0,0 +1,26 @@
+name: Sonarcloud Scan Code
+
+on:
+ workflow_call:
+ secrets:
+ github-token:
+ required: true
+ sonar-token:
+ required: true
+
+concurrency:
+ group: callee-sonarcloud-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ sonarcloud:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ - name: SonarCloud Scan
+ uses: sonarsource/sonarcloud-github-action@master
+ env:
+ GITHUB_TOKEN: ${{ secrets.github-token }}
+ SONAR_TOKEN: ${{ secrets.sonar-token }}
diff --git a/.github/workflows/scan-code-trivy.yaml b/.github/workflows/scan-code-trivy.yaml
new file mode 100644
index 00000000..219cb1b0
--- /dev/null
+++ b/.github/workflows/scan-code-trivy.yaml
@@ -0,0 +1,41 @@
+name: Trivy Scan Code
+
+on:
+ push:
+ branches: [main, develop]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [main, develop]
+
+concurrency:
+ group: callee-trivy-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ trivy-scan-code:
+ runs-on: ubuntu-latest
+ timeout-minutes: 60
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Cache Scan Dependencies
+ uses: actions/cache@v3
+ with:
+ path: ~/.cache/trivy
+ key: callee-trivy-${{ github.workflow }}-${{ github.run_id }}
+ restore-keys: trivy-
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: fs
+ format: sarif
+ output: trivy-results.sarif
+ exit-code: "0"
+ ignore-unfixed: false
+ severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+ timeout: 10m0s
+ - name: Upload Trivy scan results as artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: trivy-results
+ path: trivy-results.sarif
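Review bot: `uses: sonarsource/sonarcloud-github-action@master` on the `SonarCloud Scan` step pins a third-party action to a moving branch while handing it both `SONAR_TOKEN` and `GITHUB_TOKEN`, so whatever that branch contains at run time executes with those credentials; pin to a release tag or, preferably, a full commit SHA with the version in a trailing comment, e.g. `uses: sonarsource/sonarcloud-github-action@<commit-sha>  # vX.Y`. The same applies to `aquasecurity/trivy-action@master` in scan-code-trivy.yaml. This reusable workflow also declares no `permissions:` block, so the job inherits whatever the caller grants; `permissions: contents: read` is all the checkout needs, and the SonarCloud action's PR-decoration needs are better stated explicitly than inherited.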
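Review bot: The job writes SARIF to `trivy-results.sarif` but only stores it with `upload-artifact`, and `exit-code: "0"` means findings never fail the job, so nothing surfaces them in the repository's code-scanning alerts; add an upload-sarif step and grant the job `security-events: write`. The cache never restores either: each key is `callee-trivy-${{ github.workflow }}-${{ github.run_id }}`, unique per run, and the `restore-keys: trivy-` prefix does not match the `callee-trivy-` prefix those keys start with, so `restore-keys: callee-trivy-${{ github.workflow }}-` is what was presumably intended. `actions/upload-artifact@v2` is a deprecated major version and should move to a current one.
```yaml
jobs:
  trivy-scan-code:
    runs-on: ubuntu-latest
    timeout-minutes: 60
    permissions:
      contents: read
      security-events: write
    steps:
      # … unchanged: checkout, cache and Trivy scan steps …
      - name: Upload Trivy results to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
      # … unchanged: upload-artifact step …
```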