
feat: implemented phase 5 of dashboard plan #5

feat: implemented phase 5 of dashboard plan

feat: implemented phase 5 of dashboard plan #5

Workflow file for this run

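# =============================================================================
# Security Scanning Workflow
# Event Management Portal - Comprehensive security analysis
#
# Jobs: dependency scan (pnpm audit, Snyk, OSSF Scorecard), CodeQL + ESLint
# static analysis, secret detection (TruffleHog, GitLeaks, custom greps),
# optional container and infrastructure scans, then a report artifact plus an
# issue / Slack alert when one of the three core scan jobs fails.
# SARIF results are uploaded to the repository's Security tab.
# =============================================================================
name: Security Scan

on:
  schedule:
    # Run security scans daily at 2 AM UTC
    - cron: '0 2 * * *'
  push:
    branches: [main, migration/typescript-monorepo]
    paths:
      - '**/*.js'
      - '**/*.ts'
      - '**/*.tsx'
      - '**/*.json'
      - '**/package*.json'
      - '**/pnpm-lock.yaml'
      - 'Dockerfile*'
      - 'docker-compose*.yml'
  pull_request:
    branches: [main, migration/typescript-monorepo]
  workflow_dispatch:
    inputs:
      scan_level:
        description: 'Security scan level'
        required: true
        default: 'standard'
        type: choice
        options:
          - 'quick'
          - 'standard'
          - 'comprehensive'

# Least privilege: the workflow-level token is read-only. Each job declares the
# write scopes it actually uses (a job-level `permissions` block replaces this
# one rather than extending it), so third-party actions running in one job do
# not receive write scopes that only another job needs.
permissions:
  contents: read

env:
  NODE_VERSION: '20'
  PNPM_VERSION: '10.18.3'

jobs:
  # ===========================================================================
  # Dependency Vulnerability Scanning
  # ===========================================================================
  dependency-scan:
    name: Dependency Security Scan
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read  # upload-sarif resolves the workflow run
      security-events: write  # upload-sarif
      id-token: write  # scorecard-action needs an OIDC token for publish_results
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Setup Node.js and pnpm
        uses: ./.github/actions/setup-node-pnpm
        with:
          node-version: ${{ env.NODE_VERSION }}
          pnpm-version: ${{ env.PNPM_VERSION }}

      # npm audit for basic vulnerability detection
      - name: Run npm audit
        run: |
          echo "## NPM Security Audit Results" >> "$GITHUB_STEP_SUMMARY"
          pnpm audit --json > audit-results.json || true
          # Parse and format results.
          # NOTE(review): pnpm writes a JSON document even when nothing is
          # found, so the -s test is normally true and the "no vulnerabilities"
          # branch is rarely reached; confirm the top-level key name against
          # the installed pnpm's audit JSON format. `// {}` keeps jq from
          # exiting non-zero (and failing the step under bash -e) when the key
          # is absent.
          if [ -s audit-results.json ]; then
            echo "### Vulnerabilities Found:" >> "$GITHUB_STEP_SUMMARY"
            jq -r '(.vulnerabilities // {}) | to_entries[] | "- **\(.key)**: \(.value.severity) severity"' audit-results.json >> "$GITHUB_STEP_SUMMARY"
          else
            echo "✅ No vulnerabilities found" >> "$GITHUB_STEP_SUMMARY"
          fi

      # Snyk vulnerability scanning
      # NOTE(review): @master is a mutable ref. Pin third-party actions to a
      # release tag or full commit SHA so an upstream change cannot alter what
      # runs with SNYK_TOKEN in scope (Scorecard's Pinned-Dependencies check
      # below flags exactly this).
      - name: Run Snyk security scan
        uses: snyk/actions/node@master
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          args: >-
            --severity-threshold=medium
            --file=package.json
            --json-file-output=snyk-results.json
            --sarif-file-output=snyk-results.sarif

      - name: Upload Snyk results to GitHub Security
        # Upload only if the scan produced a SARIF file (it is allowed to fail
        # above); otherwise this step would fail on a missing file, not on a
        # finding.
        if: always() && hashFiles('snyk-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: snyk-results.sarif
          category: snyk-security

      # OSSF Scorecard security assessment
      # NOTE(review): the action ref on the `uses:` line below was garbled in
      # the rendered page ("[email protected]"); restore the pinned release tag
      # or commit SHA from the repository source.
      - name: Run OSSF Scorecard
        # Scorecard publishes results for the default branch; on pull_request
        # runs (forks in particular) the OIDC token needed for publish_results
        # is not available. Confirm the supported events against the pinned
        # version's README.
        if: github.event_name != 'pull_request'
        uses: ossf/[email protected]
        with:
          results_file: scorecard-results.sarif
          results_format: sarif
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          publish_results: true

      - name: Upload OSSF Scorecard results
        if: github.event_name != 'pull_request' && hashFiles('scorecard-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: scorecard-results.sarif
          category: ossf-scorecard

  # ===========================================================================
  # Static Code Analysis
  # ===========================================================================
  static-analysis:
    name: Static Code Security Analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write
    strategy:
      # NOTE(review): in the CodeQL action "typescript" is an alias of the
      # JavaScript extractor, so the second leg re-analyses the same sources
      # (without the build below) under a separate category. A single
      # "javascript-typescript" leg would halve the work — confirm against the
      # action's language list before changing.
      matrix:
        language: ['javascript', 'typescript']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Initialize CodeQL for security analysis
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: +security-extended,security-and-quality
          config-file: ./.github/codeql/codeql-config.yml

      # Toolchain and build only run in the javascript leg.
      - name: Setup Node.js and pnpm
        if: matrix.language == 'javascript'
        uses: ./.github/actions/setup-node-pnpm
        with:
          node-version: ${{ env.NODE_VERSION }}
          pnpm-version: ${{ env.PNPM_VERSION }}

      - name: Build application for analysis
        if: matrix.language == 'javascript'
        run: |
          pnpm build || echo "Build failed, analyzing source code"

      # Perform CodeQL security analysis
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
          output: codeql-results-${{ matrix.language }}.sarif

      # ESLint security rules
      - name: Run ESLint security analysis
        if: matrix.language == 'javascript'
        run: |
          pnpm eslint . --ext .js,.jsx,.ts,.tsx --format @microsoft/eslint-formatter-sarif --output-file eslint-results.sarif || true

      - name: Upload ESLint results
        # ESLint is allowed to fail above; skip the upload if it wrote no SARIF.
        if: matrix.language == 'javascript' && hashFiles('eslint-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: eslint-results.sarif
          category: eslint-security

  # ===========================================================================
  # Secret Detection
  # ===========================================================================
  secret-detection:
    name: Secret and Credential Detection
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write  # gitleaks-action comments on pull requests with GITHUB_TOKEN
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # TruffleHog for secret detection
      # NOTE(review): @main is a mutable ref; pin to a release tag or SHA.
      # With `base: main` and `head: HEAD`, a push to main makes both resolve
      # to the same commit and there is nothing to diff — check the action's
      # docs for the intended range (they describe whole-repository scanning
      # when neither is set). `--debug` also makes the scanner's own logging
      # very verbose in the job log.
      - name: Run TruffleHog secret scan
        uses: trufflesecurity/trufflehog@main
        with:
          path: ./
          base: main
          head: HEAD
          extra_args: --debug --only-verified

      # GitLeaks for additional secret detection
      # NOTE(review): confirm `config-path` is an input declared by
      # gitleaks-action v2 (its README documents configuration via env vars);
      # undeclared inputs are ignored with only a warning.
      - name: Run GitLeaks secret scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          config-path: .gitleaks.toml

      # Custom secret detection patterns
      - name: Custom secret pattern detection
        run: |
          echo "## Custom Secret Detection Results" >> "$GITHUB_STEP_SUMMARY"
          # Check for common secret patterns. `grep -l` lists only the files
          # that match: printing the matching lines would copy the candidate
          # secret itself into the job log, which is readable by anyone who can
          # see the run.
          SECRETS_FOUND=false
          scan() {
            grep -rl "$1" --include="*.js" --include="*.ts" --include="*.json" --exclude-dir=node_modules --exclude-dir=.git .
          }
          # API keys pattern
          if scan "api[_-]key\s*=\s*['\"][^'\"]*['\"]"; then
            echo "⚠️ Potential API keys found" >> "$GITHUB_STEP_SUMMARY"
            SECRETS_FOUND=true
          fi
          # Database URLs with credentials
          if scan "mongodb://.*:.*@"; then
            echo "⚠️ Potential database credentials found" >> "$GITHUB_STEP_SUMMARY"
            SECRETS_FOUND=true
          fi
          # JWT secrets
          if scan "jwt[_-]secret\s*=\s*['\"][^'\"]*['\"]"; then
            echo "⚠️ Potential JWT secrets found" >> "$GITHUB_STEP_SUMMARY"
            SECRETS_FOUND=true
          fi
          if [ "$SECRETS_FOUND" = false ]; then
            echo "✅ No secrets detected" >> "$GITHUB_STEP_SUMMARY"
          fi

  # ===========================================================================
  # Container Security Scanning
  # ===========================================================================
  container-security:
    name: Container Security Analysis
    runs-on: ubuntu-latest
    # Runs on pushes, or on manual dispatch with scan_level=comprehensive.
    if: github.event_name == 'push' || github.event.inputs.scan_level == 'comprehensive'
    permissions:
      contents: read
      actions: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Build Docker images for scanning
        run: |
          docker build -t event-mgmt-backend:latest -f Dockerfile --target backend-production .
          docker build -t event-mgmt-frontend:latest -f Dockerfile --target frontend-production .

      # Trivy vulnerability scanner
      # NOTE(review): @master is a mutable ref; pin to a release tag or SHA
      # (applies to both Trivy steps).
      - name: Run Trivy vulnerability scanner - Backend
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'event-mgmt-backend:latest'
          format: 'sarif'
          output: 'trivy-backend-results.sarif'

      - name: Run Trivy vulnerability scanner - Frontend
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'event-mgmt-frontend:latest'
          format: 'sarif'
          output: 'trivy-frontend-results.sarif'

      - name: Upload Trivy scan results - Backend
        uses: github/codeql-action/upload-sarif@v3
        if: always() && hashFiles('trivy-backend-results.sarif') != ''
        with:
          sarif_file: 'trivy-backend-results.sarif'
          category: 'trivy-backend'

      - name: Upload Trivy scan results - Frontend
        uses: github/codeql-action/upload-sarif@v3
        if: always() && hashFiles('trivy-frontend-results.sarif') != ''
        with:
          sarif_file: 'trivy-frontend-results.sarif'
          category: 'trivy-frontend'

      # Docker security benchmarks
      # NOTE(review): docker-bench-security audits the host Docker daemon
      # (here the ephemeral runner), not the images built above, so its value
      # on hosted runners is limited. It is also cloned from an unpinned
      # default branch and run as root — pin the checkout to a reviewed commit
      # before relying on its output.
      - name: Run Docker security benchmark
        run: |
          # Install Docker Bench Security
          git clone https://github.com/docker/docker-bench-security.git
          cd docker-bench-security
          # TODO(review): git checkout <PINNED_COMMIT_SHA>
          sudo sh docker-bench-security.sh | tee ../docker-bench-results.txt
          # Parse results for summary
          echo "## Docker Security Benchmark Results" >> "$GITHUB_STEP_SUMMARY"
          grep -E "(WARN|INFO|NOTE)" ../docker-bench-results.txt | head -20 >> "$GITHUB_STEP_SUMMARY"

  # ===========================================================================
  # Infrastructure Security
  # ===========================================================================
  infrastructure-security:
    name: Infrastructure Security Scan
    runs-on: ubuntu-latest
    # Manual dispatch with scan_level=comprehensive only; the step-level
    # repetition of this condition was redundant and has been dropped.
    if: github.event.inputs.scan_level == 'comprehensive'
    permissions:
      contents: read
      actions: read
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Terraform security scanning (if applicable)
      # NOTE(review): the action ref below was garbled in the rendered page
      # ("[email protected]"); restore the pinned tag or SHA from source.
      - name: Run tfsec for Terraform security
        uses: aquasecurity/[email protected]
        with:
          sarif_file: tfsec-results.sarif

      # The tfsec SARIF was previously written but never uploaded, so its
      # findings did not reach the Security tab.
      - name: Upload tfsec results
        if: always() && hashFiles('tfsec-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: tfsec-results.sarif
          category: tfsec-terraform

      # KICS security scanning for infrastructure
      # NOTE(review): the action ref below was garbled in the rendered page
      # ("[email protected]"); restore the pinned tag or SHA from source.
      # Also record which query the excluded ID refers to and why it is
      # suppressed.
      - name: Run KICS security scan
        uses: checkmarx/[email protected]
        with:
          path: '.'
          output_formats: 'sarif'
          output_path: kics-results.sarif
          exclude_paths: 'node_modules,dist,.git'
          exclude_queries: 'e8a35065-bb2f-4c0a-9c7c-4c8d8c5c7c7c'

      - name: Upload KICS results
        if: always() && hashFiles('kics-results.sarif') != ''
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: kics-results.sarif
          category: kics-infrastructure

  # ===========================================================================
  # Security Report Generation
  # ===========================================================================
  security-report:
    name: Generate Security Report
    runs-on: ubuntu-latest
    needs: [dependency-scan, static-analysis, secret-detection]
    if: always()
    permissions:
      contents: read
      issues: write  # "Create security issue" step
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Generate security summary
        # The heredoc delimiter is deliberately unquoted: with `<< 'EOF'` the
        # report contained the literal text "$(date -u)" instead of a
        # timestamp. The ${{ }} expressions are substituted by Actions before
        # bash runs, and the body has no other shell-special characters.
        run: |
          cat << EOF > security-report.md
          # Security Scan Report
          **Generated:** $(date -u)
          **Repository:** ${{ github.repository }}
          **Branch:** ${{ github.ref_name }}
          **Commit:** ${{ github.sha }}
          ## Scan Results
          | Scan Type | Status | Details |
          |-----------|--------|---------|
          | Dependency Scan | ${{ needs.dependency-scan.result }} | Checked for vulnerable dependencies |
          | Static Analysis | ${{ needs.static-analysis.result }} | CodeQL and ESLint security analysis |
          | Secret Detection | ${{ needs.secret-detection.result }} | Scanned for exposed secrets |
          ## Recommendations
          1. Review all security alerts in the Security tab
          2. Update vulnerable dependencies immediately
          3. Implement security best practices in code
          4. Regular security scans and monitoring
          5. Security training for development team
          ## Next Steps
          - [ ] Address any critical or high severity vulnerabilities
          - [ ] Review and fix medium severity issues
          - [ ] Update security policies and procedures
          - [ ] Schedule regular security assessments
          EOF

      - name: Upload security report
        uses: actions/upload-artifact@v4
        with:
          name: security-report
          path: security-report.md
          retention-days: 30

      # Create issue for security findings (if any failures)
      - name: Create security issue
        if: >
          needs.dependency-scan.result == 'failure' ||
          needs.static-analysis.result == 'failure' ||
          needs.secret-detection.result == 'failure'
        uses: actions/github-script@v7
        with:
          script: |
            const title = '🔒 Security Scan Findings - ' + new Date().toISOString().split('T')[0];
            // needs.*.result is one of success/failure/cancelled/skipped and the
            // remaining expressions are repository/run identifiers, so the
            // values interpolated below cannot carry markup or script.
            const body = `
            ## Security Scan Results
            A security scan has detected potential issues that require attention.
            **Scan Results:**
            - Dependency Scan: ${{ needs.dependency-scan.result }}
            - Static Analysis: ${{ needs.static-analysis.result }}
            - Secret Detection: ${{ needs.secret-detection.result }}
            **Action Items:**
            1. Review the Security tab for detailed findings
            2. Address critical and high severity vulnerabilities
            3. Update dependencies with known vulnerabilities
            4. Review code for security best practices
            **Workflow Run:** ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
            /cc @security-team
            `;
            // Await the call so an API error fails this step instead of being
            // lost when the script returns.
            await github.rest.issues.create({
              owner: context.repo.owner,
              repo: context.repo.repo,
              title: title,
              body: body,
              labels: ['security', 'needs-triage']
            });

  # ===========================================================================
  # Notification
  # ===========================================================================
  notify:
    name: Security Scan Notification
    runs-on: ubuntu-latest
    needs: [dependency-scan, static-analysis, secret-detection]
    if: always()
    permissions:
      contents: read
    steps:
      # NOTE(review): confirm `status: 'warning'`, `channel`, `title` and
      # `message` against this action version's action.yml; inputs the action
      # does not declare are ignored with only a warning, so the alert could be
      # posted without this text.
      - name: Notify security team
        uses: 8398a7/action-slack@v3
        if: >
          needs.dependency-scan.result == 'failure' ||
          needs.static-analysis.result == 'failure' ||
          needs.secret-detection.result == 'failure'
        with:
          status: 'warning'
          channel: '#security-alerts'
          title: '🔒 Security Scan Alert'
          message: |
            Security scan detected potential issues in ${{ github.repository }}
            Branch: ${{ github.ref_name }}
            Commit: ${{ github.sha }}
            Scan Results:
            - Dependency Scan: ${{ needs.dependency-scan.result }}
            - Static Analysis: ${{ needs.static-analysis.result }}
            - Secret Detection: ${{ needs.secret-detection.result }}
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_SECURITY_WEBHOOK }}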