bcgov · pbastia · Feb 2, 2024 · Jan 16, 2024 · Jan 31, 2024 · Feb 2, 2024
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -0,0 +1,66 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [main, develop]
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript", "python", "typescript"]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+          # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
+
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+      #    and modify them (or add more) to build your code if your project
+      #    uses a compiled language
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/precommit.yaml b/.github/workflows/precommit.yaml
@@ -0,0 +1,36 @@
+name: Precommit tests
+
+on:
+  push:
+    branches:
+      - '*'
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  pre-commit:
+    needs: install-dev-tools
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: dev env setup
+        uses: ./.github/actions/dev-env-setup
+      - name: set pre-commit cache directory
+        run: |
+          echo "PRE_COMMIT_HOME=$GITHUB_WORKSPACE/.pre-commit-cache" >> $GITHUB_ENV
+      - name: set PY
+        run: echo "PY=$(python -VV | sha256sum | cut -d' ' -f1)" >> $GITHUB_ENV
+      - name: create commitlint COMMIT_EDITMSG if not exists
+        run: |
+          if test -f ".git/COMMIT_EDITMSG"; then
+              echo "COMMIT_EDITMSG EXISTS, skipping"
+          else
+              touch .git/COMMIT_EDITMSG
+          fi
+      - uses: actions/cache@v3
+        with:
+          path: |
+            ./.pre-commit-cache
+          key: pre-commit-${{ env.PY }}-${{ hashFiles('.pre-commit-config.yaml') }}-v3
+      - run: pre-commit run --all-files
diff --git a/.github/workflows/scan-code-owasp-zap.yaml b/.github/workflows/scan-code-owasp-zap.yaml
@@ -0,0 +1,72 @@
+name: OWASP ZAP Scan
+
+on:
+  workflow_call:
+    inputs:
+      target-url:
+        required: false
+        default: 'http://localhost:3000'
+        type: string
+      package-manager:
+        required: false
+        default: 'npm'
+        type: string
+
+concurrency:
+  group: callee-owasp-zap-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  owasp-zap-scan:
+    timeout-minutes: 60
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Install Node.js
+      uses: actions/setup-node@v3
+      with:
+        node-version: 20
+
+    - name: Setup package manager and install dependencies
+      id: setup-deps
+      run: |
+        if [ "${{ inputs.package-manager }}" = "npm" ]; then
+          echo "::set-output name=cache-dir::$(npm config get cache)"
+          npm install
+        elif [ "${{ inputs.package-manager }}" = "yarn" ]; then
+          echo "::set-output name=cache-dir::$(yarn cache dir)"
+          npm install -g yarn
+          yarn install
+        elif [ "${{ inputs.package-manager }}" = "pnpm" ]; then
+          echo "::set-output name=cache-dir::$(npx -q pnpm config get store)"
+          npm install -g pnpm
+          pnpm install
+        else
+          echo "Unsupported package manager specified. Supported package managers are npm, yarn, and pnpm."
+          exit 1
+        fi
+
+    - name: Cache dependencies
+      uses: actions/cache@v3
+      with:
+        path: |
+          ~/.npm
+          ~/.yarn
+          ~/.pnpm-store
+        key: ${{ runner.os }}-${{ inputs.package-manager }}-${{ hashFiles('**/lockfiles') }}  
+        restore-keys: |
+          ${{ runner.os }}-${{ inputs.package-manager }}-
+
+    - name: Build and start server
+      run: |
+        npx ${{ inputs.package-manager }} run build
+        npx ${{ inputs.package-manager }} run start & # This starts the server in the background
+        sleep 5 # This allows the server some time to start up
+      working-directory: ./client
+
+    - name: Run OWASP ZAP Full Scan
+      uses: zaproxy/[email protected]
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        target: ${{ inputs.target-url }}
diff --git a/.github/workflows/scan-code-sonarcloud.yaml b/.github/workflows/scan-code-sonarcloud.yaml
@@ -0,0 +1,26 @@
+name: Sonarcloud Scan Code
+
+on:
+  workflow_call:
+    secrets:
+      github-token:
+        required: true
+      sonar-token:
+        required: true
+
+concurrency:
+  group: callee-sonarcloud-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  sonarcloud: 
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: SonarCloud Scan
+        uses: sonarsource/sonarcloud-github-action@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.github-token }}
+          SONAR_TOKEN: ${{ secrets.sonar-token }}
diff --git a/.github/workflows/scan-code-trivy.yaml b/.github/workflows/scan-code-trivy.yaml
@@ -0,0 +1,41 @@
+name: Trivy Scan Code
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [main, develop]
+
+concurrency:
+  group: callee-trivy-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  trivy-scan-code:
+    runs-on: ubuntu-latest
+    timeout-minutes: 60
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Cache Scan Dependencies
+        uses: actions/cache@v3
+        with:
+          path: ~/.cache/trivy
+          key: callee-trivy-${{ github.workflow }}-${{ github.run_id }}
+          restore-keys: trivy-
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          format: sarif
+          output: trivy-results.sarif
+          exit-code: "0"
+          ignore-unfixed: false
+          severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+          timeout: 10m0s
+      - name: Upload Trivy scan results as artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: trivy-results
+          path: trivy-results.sarif